Certified Internal Auditor (CIA) Part 3: Business Knowledge for Internal Auditing — Question 167

According to the International Professional Practices Framework, internal auditors who are assessing the adequacy of organizational risk management processes should not:

Answer options

• A. Recognize that organizations use different techniques for managing risk.
• B. Seek assurance that the key objectives of the risk management processes are being met.
• C. Determine and accept the level of risk for the organization.
• D. Treat the evaluation of risk management processes differently from the risk analysis used to plan audit engagements.

Correct answer: C

Explanation

The correct answer is C because internal auditors should not determine or accept the level of risk on behalf of the organization; this is typically the responsibility of management. Options A, B, and D are valid actions that auditors can take to ensure effective risk management evaluations.