Certified Internal Auditor (CIA) Part 1: Business Acumen — Question 201

A new internal audit activity is considering the adoption of a risk and control framework. Which of the following is the most appropriate consideration during this process?

Answer options

• A. The framework should not be developed by the internal audit activity.
• B. The framework should apply to individual projects rather than the organization as a whole.
• C. The framework should always be tailored to the organization.
• D. The framework should require fewer resources to implement.

Correct answer: C

Explanation

The correct answer is C because a risk and control framework needs to be customized to fit the specific needs and context of the organization, ensuring its effectiveness. Options A and B are incorrect as they suggest inappropriate approaches to framework development and applicability. Option D is misleading because implementing a tailored framework may require more resources to ensure it meets organizational needs.