
The way I see it, you have to have a threat model, otherwise your problem space is way too big.

If I ask a person to do an audit, I will tell them what the scope of their audit is, e.g. check the physical security measures of our server rooms. Otherwise they would have to take literally everything into consideration (what if the accountant is a malicious actor, what if the server rooms are attacked by a military, what if our hardware is swapped out during delivery, what if...) and they would never be able to stop.

If you take security seriously, you try to defend against likely attack scenarios first. Your way to control that is by choosing the scope of the audit.


