Certified Internal Auditor (CIA) Part 2: Practice of Internal Auditing — Question 124

An internal auditor is conducting an initial risk assessment of an audit area and wants to assess management's compliance with privacy laws for safeguarding customer information stored on the organization's servers. Which course of action is appropriate for this phase of the engagement?

Answer options

• A. Solicit the services of a specialist information systems auditor.
• B. Obtain the most current approved copies of the organization's privacy policy.
• C. Consult with legal counsel about new privacy laws to establish appropriate criteria.
• D. Consider the detection risk of noncompliance with the laws.

Correct answer: B

Explanation

The correct answer is B because having the most recent approved privacy policy allows the auditor to assess compliance against established standards. Options A and C, while valuable, are not immediately necessary for the initial risk assessment phase. Option D does not provide direct insight into compliance with existing policies.