4.2 Core Workflows and Decision Points

Key Takeaways

  • Organizational governance combines processes and structures the board uses to inform, direct, manage, and monitor the organization toward its objectives, including ethics, values, and accountability.
  • The IIA Three Lines Model assigns roles: governing body (oversight), first-line management (owns risk in operations), second-line functions (risk/compliance support and challenge), and third-line internal audit (independent assurance).
  • COSO ERM (2017) has five components — Governance & Culture; Strategy & Objective-Setting; Performance; Review & Revision; Information, Communication & Reporting — supported by 20 principles.
  • Risk responses are accept, avoid, reduce (mitigate), and share (transfer); COSO ERM 2017 also lists pursue (accepting more risk to improve performance). Management selects responses to align residual risk with risk appetite and tolerance.
Last updated: June 2026

Organizational Governance

Governance is the combination of processes and structures implemented by the board (the governing body) to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. The exam treats governance as broader than a single committee or policy — it includes the organization's ethics and values, its strategic direction, accountability mechanisms, and how it assigns authority and responsibility.

Under the 2025 Global Internal Audit Standards, internal audit is expected to evaluate and contribute to improving governance, specifically the organization's processes for setting strategy, making decisions, promoting appropriate ethics and values, ensuring accountability, communicating risk and control information, and coordinating activities among the board, external/internal auditors, and management.

Two modern governance areas appear with growing frequency:

  • IT governance — whether the organization's information-technology decisions, structures, and processes support and sustain the organization's strategies and objectives. Internal audit assesses whether IT governance is aligned with enterprise goals.
  • ESG / sustainability governance — environmental, social, and governance considerations are increasingly embedded in oversight; internal audit may provide assurance over ESG reporting and the controls behind it.

The board may delegate oversight of internal audit to an audit committee, but ultimate accountability for governance stays with the board.

Governance also drives the direct interactive relationship between the chief audit executive and the board that the 2025 Standards emphasize. The board approves the internal audit charter, approves the audit plan and budget, and approves the appointment, removal, and remuneration of the CAE. These safeguards exist so that internal audit can evaluate governance without being compromised by the very managers it oversees.

When a question describes weak board oversight, missing ethical tone, or unclear accountability, it is signaling a governance deficiency, and the internal auditor's role is to identify and report it, recommending improvement to the board's processes.

The Three Lines Model (2020)

In 2020 the IIA replaced the "Three Lines of Defense" with the Three Lines Model. The change matters for the exam: the new model is principles-based and role-focused rather than a rigid defensive structure, and it emphasizes collaboration and alignment instead of pure separation. Memorize the roles:

Role | Who | Responsibility
Governing body | Board / audit committee | Accountability to stakeholders for oversight; ensures structures enable accountability and independent assurance
First line | Operational management | Owns and manages risk directly; delivers products/services to customers
Second line | Risk, compliance, quality functions | Provides expertise, support, monitoring, and challenge on risk-related matters to the first line
Third line | Internal audit | Independent and objective assurance and advice to the governing body and management

Key exam points: the first and second lines are management roles; the third line (internal audit) must remain independent of management to preserve objectivity. Internal audit reports functionally to the board and administratively to senior management. The model stresses that all roles must coordinate so assurance is neither duplicated nor gapped — but coordination must never compromise internal audit's independence.

The 2020 update abandoned defensive, siloed language because the old "defense" framing implied the lines worked in isolation. The current model presents the lines as collaborating roles aligned to organizational objectives. A subtle exam point: external assurance providers — external auditors, regulators — sit outside the three internal lines. When a stem asks where a new compliance function belongs, the answer is the second line; when it asks which role gives the board assurance with the highest objectivity, the answer is the third line, internal audit, because of its independence from management.

The COSO ERM 2017 Risk-Management Workflow

COSO ERM (2017), Enterprise Risk Management: Integrating with Strategy and Performance, reframed risk management around value creation. It comprises five interrelated components supported by 20 principles:

  1. Governance & Culture — sets tone, oversight, values, and desired behaviors.
  2. Strategy & Objective-Setting — integrates ERM into strategy and defines risk appetite.
  3. Performance — identifies, assesses, prioritizes, and responds to risks that affect objectives.
  4. Review & Revision — reviews performance and revises the ERM approach as needed.
  5. Information, Communication & Reporting — captures and shares risk information across the organization.

The Performance component contains the workflow the exam tests most: identify risks, assess their severity (likelihood and impact), prioritize, and select a risk response. The four responses most often tested are:

  • Accept — take no action; the risk already falls within appetite/tolerance.
  • Avoid — exit or do not begin the activity that creates the risk.
  • Reduce (mitigate) — implement controls to lower likelihood and/or impact.
  • Share (transfer) — shift part of the risk to a third party (insurance, outsourcing, joint venture).

COSO ERM 2017 itself lists a fifth response, pursue: deliberately taking on more risk because the expected improvement in performance justifies it. If an answer choice names pursue alongside the four above, it is consistent with the 2017 framework, not a distractor.

Management selects responses so that residual risk aligns with risk appetite and the relevant risk tolerance. Internal audit assesses whether this process is sound — it does not choose the responses.

A point the exam tests is internal audit's role in risk management. Internal audit must evaluate the effectiveness of, and contribute to improving, the organization's risk-management processes — whether significant risks are identified and assessed, whether appropriate responses align risk with appetite, and whether risk information is communicated in a timely way. Internal audit may facilitate management's risk assessment or advise on design, but it must not own the process, set appetite, or make risk-response decisions for management.

If a question asks the auditor's primary objective when reviewing risk management, the answer is to provide assurance that the process is effective — never to perform it. Anchor every risk-management answer to this principle.

Test Your Knowledge

In the IIA's Three Lines Model, which function occupies the second line?

Test Your Knowledge

A company decides to discontinue a product line entirely because the regulatory risk it creates exceeds what management is willing to accept. Which risk response is this?

Test Your Knowledge

Which set correctly lists the five components of the COSO ERM 2017 framework?
