Certified Internal Auditor (CIA) Part 2: Practice of Internal Auditing — Question 89

During engagement planning, an internal auditor assessed risks related to achieving business objectives in the area under review. Next, the auditor will identify criteria for evaluating controls. What is the proper action for the auditor to take if such criteria has not been established by management or the board?

Answer options

• A. The auditor must note the lack of criteria as a deficiency and include it in the audit report.
• B. The auditor must develop criteria aligned with the engagement objective.
• C. The auditor must identity criteria through discussion with management and the board.
• D. The auditor must not use criteria if they do not exist.

Correct answer: C

Explanation

The correct answer is C because it emphasizes the importance of collaboration with management and the board to identify appropriate evaluation criteria. Option A incorrectly suggests noting the deficiency without seeking input, while option B implies the auditor should independently create criteria, which may not reflect management's intentions. Option D is incorrect as it suggests not using any criteria, which can undermine the evaluation process.