Certified Internal Auditor (CIA) Part 2: Practice of Internal Auditing — Question 281

According to IIA guidance, which of the following is the first step the internal audit activity undertakes in determining the effectiveness of an organization's risk management process?

Answer options

• A. Assess the appropriateness of the organization's risk responses.
• B. Assess the alignment of the organization's vision and objectives.
• C. Identify the organization's significant risks.
• D. Understand the organization's risk appetite.

Correct answer: C

Explanation

The correct answer is C, as identifying significant risks is the foundational step that allows auditors to understand what they need to manage. The other options, while important, occur after significant risks have been identified and are not the first step in this process.