Certified Internal Auditor (CIA) Part 2: Practice of Internal Auditing — Question 43
An organization has adopted an enterprise-wide risk management process and has appointed a chief risk officer (CRO) to manage the process. The board has requested that the audit committee have oversight over the risk management function. Which of the following statements is not true regarding this situation?
Answer options
- A. The audit committee should get assurance on the adequacy and effectiveness of the risk management process from the CRO.
- B. The chief audit executive has the mandate to conduct risk assessments and give assurance to the audit committee.
- C. The audit committee, on behalf of the board, has overall responsibility for the risk management process in the organization.
- D. Senior management is accountable to the board for monitoring the system of internal controls.
Correct answer: A
Explanation
The correct answer is A because the audit committee should indeed receive assurance from the CRO about the risk management process. Statement B is true, as the chief audit executive does have the authority to conduct risk assessments. Statement C is accurate, as the audit committee does hold overall responsibility for risk management on behalf of the board. Statement D is also true, since senior management is accountable to the board for internal controls.