CIA Exam tip

In order for an internal auditor to assess the risks associated with an activity or a process instituted by management, the internal auditor should do which of the following?

A: Design effective controls to mitigate the risks.

B: Determine how the risks should be managed.

C: Amend and update the risk management process based on the nature and significance of the risks.

D: Provide assurance on the management of the risk.


Let us apply the K-E-C approach in answering this question.

Please note that the K-E-C approach is as follows:

K = Keyword, phrase or stem of the question

E = Eliminate two incorrect options

C = Choose the best answer for the remaining two options, linking the answer to the Key or K.

So let us approach this question.

K = The keyword here is “to assess the risks”. The auditor is being asked to assess the risks, which means we are called to provide our OPINION on whether or not the risks exist, their impact and the mitigating controls in place.

E = When we examine the answer options above, option A talks about designing effective controls. Auditors are not supposed to design controls; this is the job of management. We can eliminate A. Option C talks about amending the risk management process, which is not the function of auditors either. We are supposed to be objective and not meddle with management’s function by implementing or amending controls. Management’s job is to amend controls. We can eliminate C.

C = We are left with options B and D. Option B says the auditor should determine how the risks should be managed, while option D says the auditor should provide assurance on the management of the risks. If we link these answers back to our Key (K), which is to provide an opinion, it follows that our role is to assure stakeholders on the management of these risks, not to decide how management should handle them.

Note: Internal auditors might be called from time to time to perform a consultative or assurance function. It is important for the internal auditor to determine which role they are called to fulfil. This question is about an internal auditor called to provide ASSURANCE on the risks and control environment.

The correct answer is thus D = Provide assurance on the management of the risk.

I hope this has helped you.


