Certified Information Systems Auditor (CISA) — Question 586

Which of the following should be the PRIMARY role of an internal audit function in the management of identified business risks?

Answer options

• A. Validating enterprise risk management (ERM)
• B. Establishing a risk management framework
• C. Operating the risk management framework
• D. Establishing a risk appetite

Correct answer: A

Explanation

The correct answer is A, as the primary role of the internal audit function is to validate the effectiveness of the enterprise risk management (ERM) process. The other options, while important, do not represent the main focus of internal audit; they are generally responsibilities of management or risk management teams.