What is Domain III's biggest change in internal audit governance?

The main idea here is that governance relies on clear ownership at the top. The biggest change in Domain III’s approach to internal audit governance is to require explicit responsibilities for the board and senior management. This means clearly defining who owns what in governance, risk management, and internal control—who sets risk appetite, who approves policies, who ensures controls are effective, and who supervises the overall governance framework. When these duties are clearly stated, it strengthens accountability and ensures top-level oversight aligns with what internal audit does, making assurance and advisory work more relevant and impactful. Other options relate to how much or where internal audit works rather than who is responsible for governance. Expanding IT auditing scope changes the focus area of audits, not who owns governance. Increasing the number of audits per year affects workload, not governance structure. Centralizing reporting to an external regulator would undermine independence and is not how governance ownership is typically defined.