Certified Internal Auditor (CIA) Part 1: Business Acumen — Question 212

A chief audit executive is also responsible for some risk management activities, including consolidated risk reporting to senior management and the board. According to IIA guidance, which of the following would be the most appropriate way for these activities to be audited?

Answer options

• A. The engagement is overseen by an independent outside party.
• B. Internal auditors who perform the engagement are not involved in any risk management services.
• C. The chief financial officer is appointed by the board to conduct the review with the assistance of the internal audit activity.
• D. A consulting engagement may be performed by the internal audit activity, but not an assurance engagement.

Correct answer: B

Explanation

The correct answer is B because internal auditors must maintain independence and objectivity, which means they should not be involved in risk management services when auditing these activities. Options A, C, and D do not align with the need for internal auditors to remain independent from risk management functions, making them inappropriate choices.