An internal auditor is trying to evaluate what could go wrong after determining that a risk management technique is operating effectively. What type of risk is the auditor assessing?
Residual risk is the risk that remains after management has implemented its risk responses. The auditor is assessing what could still go wrong even though the risk management technique in place is operating effectively, that is, the remaining exposure to risk.
References:
IIA Standard 2120: Risk Management.
COSO Enterprise Risk Management Framework.