Certified Internal Auditor (CIA) Part 2: Practice of Internal Auditing — Question 5

When setting the scope for the identification and assessment of key risks and controls in a process, which of the following would be the least appropriate approach?

Answer options

• A. Develop the scope of the audit based on a bottom-up perspective to ensure that all business objectives are considered.
• B. Develop the scope of the audit to include controls that are necessary to manage risk associated with a critical business objective.
• C. Specify that the auditors need to assess only key controls, but may include an assessment of non-key controls if there is value to the business in providing such assurance.
• D. Ensure the audit includes an assessment of manual and automated controls to determine whether business risks are effectively managed.

Correct answer: A

Explanation

The correct answer is A because a bottom-up approach may overlook broader business objectives and strategic risks, which are crucial for a comprehensive audit. Options B, C, and D focus on critical aspects of the audit process, including managing risks effectively, which aligns better with the goals of risk assessment.