For most Chief Audit Executives (CAEs), determining audit scope appears straightforward. Typically, one assesses organizational risks, evaluates team capacity and time constraints, aligns coverage with priorities, and develops an audit plan. These are widely recognized professional fundamentals.

The audit universe you define signals what matters to you. The gaps show what you choose not to protect.

The problem of too-narrow scope is well known. If your universe consistently covers the same processes, business units, and risk categories year after year — regardless of how the organization's risk profile is shifting — you are not auditing the organization. You are auditing your comfort zone. The audit committee will eventually ask the question no CAE wants to answer: why did we not audit this before it became a problem?

The too-wide scope problem is less discussed but equally damaging. A CAE who sets an expansive universe without resources to cover it meaningfully is not demonstrating ambition — they are creating a structural credibility problem. Stakeholders who were promised coverage but never received it remember. That erosion of trust is slow to build and takes years to recover.

"The scope decision also has a forward-looking dimension most audit plans don't capture: emerging risks appear in the operating environment before they appear in the formal risk assessment cycle."

A distinguishing practice among effective CAEs is the annual, explicit discussion with the audit committee regarding coverage trade-offs, not solely coverage plans. While a coverage plan details the audit projects to be executed, a coverage trade-off discussion clarifies what the audit team will not address, the rationale for these omissions, and the associated risks the organization accepts. Although more challenging to prepare, this conversation significantly enhances the governance relationship.

Set your scope at the level your resources can cover well — not at the level your ambitions wish they could reach. Transparency about the gap is not a weakness. It is how CAEs earn the resource conversations that close the gap over time.

Worth reflecting on: Does your audit committee know what risk areas your function is not covering this year — and why? If not, that is a governance conversation worth having before the next planning cycle, not after the next incident.