Certified Internal Auditor (CIA) Part 2: Practice of Internal Auditing — Question 275
After being assigned to lead an internal audit of identity and access management, which of the following should be the auditor's next step?
Answer options
- A. Assess the process-level risks associated with the identity and access management business area.
- B. Document the scope and objectives of the audit and communicate them to management of the area under review.
- C. Understand why the audit of identity and access management was included on the annual internal audit plan.
- D. Estimate the number of hours required to complete the audit and assign audit staff accordingly.
Correct answer: C
Explanation
The correct answer is C because understanding why the audit was included in the annual plan gives the auditor the context for the work and shows why it matters. Options A and B are premature: they should come after the auditor understands the audit's purpose. Option D concerns logistical planning, which is secondary to grasping the audit's significance.