Modern internal auditing, particularly when aligned with risk management frameworks like ISO 31000, has shifted from a transactional or compliance-based focus to a risk-based, process-oriented approach. The primary objective is to provide assurance that an organization's governance, risk management, and internal control processes are effective. Auditors spend the majority of their time evaluating the design and operational effectiveness of business processes to determine if they are achieving strategic objectives and managing key risks. Audits of people, technology, and infrastructure are typically performed within the context of these overarching business processes.

A. People: Audits focus on the systems and processes people operate within, and the controls governing their actions, rather than auditing individuals directly.

C. Technology: While IT auditing is a critical and growing specialty, technology is fundamentally an enabler of business processes. IT audits are often conducted to support broader process-level reviews.

D. Infrastructure: This is too specific and narrow. Auditing physical or IT infrastructure is a component of a larger operational or IT audit, which falls under the umbrella of process auditing.

1. The Institute of Internal Auditors (IIA). (2017). International Standards for the Professional Practice of Internal Auditing. Standard 2100 – Nature of Work. This standard explicitly states, "The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach." This establishes "process" as the core subject of internal audit work.

2. International Organization for Standardization. (2018). ISO 31000:2018 Risk management — Guidelines. Clause 6, "Process". The standard itself is structured around the risk management process. The role of internal audit is to provide assurance over this process and its application to the organization's other business processes.

3. Anderson, U. L., Head, M. J., Ramamoorti, S., Riddle, C., & Salamasick, M. (2017). Internal Auditing: Assurance & Advisory Services (4th ed.). The Institute of Internal Auditors Research Foundation. Chapter 1, "Introduction to Internal Auditing," describes the evolution of the profession toward a process-based, risk-oriented, and proactive model, moving away from a purely financial and compliance focus. The textbook frames the audit universe in terms of business processes.