Certified Internal Auditor (CIA) Part 1: Business Acumen — Question 150
The board asked the chief audit executive (CAE) to assume responsibility for a newly formed risk management function while retaining responsibility for the internal audit activity. The new function is comprised of both risk and compliance activities. How should next year's internal audit of the risk management function be performed?
Answer options
- A. It should be performed by a competent assurance provider external to the internal audit activity.
- B. It should be performed by a qualified audit team in the internal audit activity and overseen by the most senior auditor other than the CAE.
- C. It should be conducted by a team of internal auditors under the supervision of risk and compliance managers.
- D. It should be performed by a team of the most experienced internal auditors, without oversight or direct involvement from the CAE.
Correct answer: B
Explanation
The correct answer is B because it ensures that the audit of the risk management function is conducted by a qualified team within the internal audit activity, maintaining independence from the CAE while still allowing for appropriate oversight. Option A is incorrect because it removes the internal audit team from the process, which could lead to a lack of internal insight. Option C is not appropriate because it places the audit under the control of risk and compliance managers, compromising independence. Option D lacks the necessary oversight from the CAE, which is essential for maintaining the integrity of the audit process.