When a chief audit executive holds responsibility for risk management beyond internal auditing, which of the following scenarios would allow the organization’s internal audit activity to provide services related to risk management?
A.
Entrusting assurance to competent professionals within the compliance function.
B.
Transferring assurance to competent professionals within the risk management function.
C.
Consolidating within the internal audit activity the responsibilities of developing the risk management function and assessing its effectiveness.
D.
Ensuring the internal audit activity only provides consulting services related to risk management.
When a Chief Audit Executive (CAE) holds management responsibilities beyond internal auditing, such as leading the risk management function, the independence and objectivity of the internal audit activity in providing assurance over risk management are impaired.
IIA Standards allow the internal audit activity to:
Provide consulting services related to risk management.
But cannot provide independent assurance over areas where the CAE has direct responsibility.
Consulting services may include:
✅ Offering advice, facilitation, training, or insight.
✅ Assisting in improving processes, without taking on decision-making authority.
This ensures that internal audit adds value without compromising independence.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Kozy
1 week ago