During the planning stage of an assurance engagement, an internal auditor has been assigned to prepare a risk matrix. Which of the following should the internal auditor consider when attempting to identify process-level risks?
A risk matrix maps risks based on likelihood and impact. To identify risks at the process level, the auditor should consider possible scenarios (B) that may threaten the achievement of objectives. Examples include fraud scenarios, compliance failures, or operational breakdowns. Possible controls (C) are identified after risks, as mitigations. Possible tests (A) and samples (D) relate to audit procedures, not risk identification. According to Standard 2210.A1, objectives of an engagement must consider risks, and this starts with scenario analysis. Thus, the correct choice is Option B.