Certified Internal Auditor (CIA) Part 2: Practice of Internal Auditing — Question 235

Which of the following statements is true regarding risk assessments, including the evaluation and prioritization of risk and control factors?

Answer options

• A. A risk-by-process matrix enables the user to determine associations between any of the processes and the risks.
• B. The risk-factor approach for linking business processes and risks is more direct than the use of a risk-by-process matrix.
• C. Internal risk factors are built into the environment and the nature of the process itself.
• D. A risk map is used primarily to depict which risks will be reduced and which will be shared.

Correct answer: C

Explanation

The correct answer is C because internal risk factors are indeed intrinsic to the environment and the processes in question. Option A is incorrect as a risk-by-process matrix does help in identifying associations, but it doesn't directly relate to the inherent nature of risks. Option B mistakenly claims a more straightforward approach, and option D misrepresents the primary function of a risk map, which is broader than just reduction and sharing.