3.2 Core Workflows and Decision Points
Key Takeaways
- The CAE reports FUNCTIONALLY to the board and ADMINISTRATIVELY to management (leading practice: to the CEO).
- Functional reporting includes approving the charter, audit plan, budget, and CAE appointment/removal; administrative reporting covers day-to-day HR and operations.
- Standard 2.2 forbids accepting any gift, reward, or favor that may impair or be presumed to impair objectivity.
- Standard 3.1 requires auditors to engage only in services for which they have or can attain the competencies; otherwise decline or obtain competent advice.
- Standard 4.2 due professional care weighs cost relative to benefit and requires appropriate use of technology and data analytics.
Functional vs administrative reporting (Standard 7.1)
Organizational independence is achieved through the CAE's dual reporting relationship. You must be able to sort responsibilities into the correct line:
| Reporting line | Who | What it covers |
|---|---|---|
| Functional (the independence-protecting line) | The board (typically the audit committee) | Approving the internal audit charter, the risk-based audit plan, and the budget; evaluating the CAE and appointing or removing the CAE; receiving engagement results; confirming the function's independence annually |
| Administrative (day-to-day) | A member of senior management — leading practice is the CEO | Office logistics, HR administration, internal communications, budgeting workflows, and expense approvals |
Functional reporting to the board is what makes the function independent: it lets internal audit set its scope, perform engagements, and communicate results without interference. The IIA's leading practice is for the CAE to report administratively to the chief executive officer (CEO) so that the CAE is clearly a senior position and is not buried inside an area that internal audit must audit.
A classic trap: the CAE reports administratively to the chief financial officer (CFO) and is then asked to provide assurance over treasury, which also reports to the CFO. That self-interest creates a potential impairment to independence — the engagement should be performed or supervised by an independent party. The board must also approve any non-audit roles the CAE takes on, and where those roles are subject to audit, alternative assurance (for example, an external provider reporting to the board) must be arranged.
Safeguarding objectivity — gifts and conflicts (Standard 2.2)
Standard 2.2 Safeguarding Objectivity sets bright-line behavioral rules:
- Auditors must not accept any tangible or intangible item — gift, reward, or favor — that may impair or be presumed to impair objectivity. Note the threshold is appearance, not just actual influence.
- Auditors must avoid conflicts of interest and must not be unduly influenced by their own interests or those of senior management, the political environment, or their surroundings.
- Where the internal audit function's gift policy is more restrictive than the organization's general policy, auditors follow the more restrictive one.
A conflict of interest is any competing professional or personal interest that makes impartial work difficult. Examples the Standards list: opposing the organization's interests, creating potential for personal gain, nepotism or favoritism, or financial ties such as owning stock in an auditee or customer.
The CAE must also guard against remuneration designs that erode objectivity — for example, paying auditors based on satisfaction surveys completed by the management under review, or rewarding them for the number of findings raised or the cost savings they report. These structures bias judgment and are themselves impairments.
Decision flow for an objectivity threat
- Identify the threat (gift, relationship, prior responsibility, financial interest).
- Disclose to the CAE or a designated supervisor (Standard 2.3).
- The CAE manages it: reassign the auditor, reschedule or rescope the engagement, or outsource performance/supervision.
- If the impairment is unavoidable, disclose and mitigate, escalating to the board when the CAE's own objectivity is in question.
Competency and due professional care (Standards 3.1 and 4.2)
Standard 3.1 Competency requires each auditor to possess or obtain the knowledge, skills, and abilities for their role, including knowledge of the Global Internal Audit Standards. Auditors must engage only in services for which they have or can attain the necessary competencies. When a needed competency is missing, the CAE's options are to obtain competent advice and assistance, train or reassign staff, or, for a consulting (advisory) engagement, decline it.
Collectively, the CAE is responsible for ensuring the function has the competencies described in the charter — the IIA Competency Framework organizes these into governance/risk/control knowledge, business acumen, communication, technology and data analytics, and professional ethics.
Standard 4.2 Due Professional Care requires auditors to apply the care and skill expected of a reasonably prudent and competent internal auditor — but due care does not imply infallibility. In planning and performing work, auditors weigh:
- The organization's strategy and objectives and stakeholder interests.
- The adequacy and effectiveness of governance, risk management, and control.
- Cost relative to potential benefits of the work — do not over-test a control that is already known to be poorly designed.
- The extent and timeliness of work, and the complexity, materiality, and significance of risks.
- The probability of significant errors, fraud, or noncompliance.
- The appropriate use of techniques, tools, and technology — the 2024 Standards explicitly push data analysis software and other technology as a due-care expectation, not an optional extra.
Due professional care does not require examining every transaction, but it does require professional skepticism (Standard 4.3): an inquisitive, critically assessing mindset that seeks evidence rather than trusting assertions.
Continuing professional development and skepticism
Standard 3.2 Continuing Professional Development (CPD) makes competency an ongoing obligation, not a one-time hire decision. Auditors must maintain and continually develop their competencies and pursue continuing professional development, and those who hold credentials must follow the continuing professional education (CPE) policies of their certifying body. For the Certified Internal Auditor (CIA), that means meeting The IIA's CPE hour requirements and — importantly — ethics-focused CPE, which The IIA specifically requires of its certification holders.
CPD can take many forms: self-study, on-the-job training, rotational assignments, mentorship, supervisory feedback, conferences, and webinars. The individual auditor owns their development; the CAE owns the function's collective competency and should budget and plan for training.
Standard 4.3 Professional Skepticism rounds out due professional care. Skepticism is the attitude of always questioning or doubting the validity and truthfulness of claims. Practically, auditors must:
- Maintain an inquisitive attitude.
- Critically assess the reliability of information rather than accepting it as true.
- Be straightforward and honest when raising concerns about inconsistent information.
- Seek additional evidence when information appears incomplete, inconsistent, false, or misleading.
Skepticism is the operational expression of objectivity: it is how an unbiased mindset behaves when management presents an assertion. The pairing the exam wants you to see is objectivity (the attitude) → skepticism (the behavior) → evidence (the result). When a stem describes an auditor who accepts a manager's verbal explanation without corroboration, the missing element is professional skepticism.
Under Standard 3.2, an internal auditor who holds the Certified Internal Auditor (CIA) designation is required to:
To which party should the chief audit executive (CAE) report FUNCTIONALLY to preserve the internal audit function's organizational independence?
An auditor is assigned an engagement requiring deep knowledge of a complex derivatives system that no one on the team possesses. Under Standard 3.1 (Competency), what is the most appropriate CAE response for this assurance engagement?