An internal audit activity plans its engagements based on an organization-wide risk assessment. According to IIA guidance, which of the following statements is true regarding the required frequency of the risk assessment?
A. The risk assessment must be performed at least quarterly.
B. The risk assessment must be performed at least annually.
C. The risk assessment must be performed at least once every five years, in alignment with the internal audit activity's quality assurance and improvement program.
D. There is no specific requirement; a risk assessment should be performed as needed to account for changes in the business environment.
According to IIA guidance, there is no specific frequency mandated for conducting organization-wide risk assessments. Instead, the internal audit activity should perform risk assessments as necessary to reflect significant changes in the organization's business environment, risk profile, and operations. This flexibility allows the internal audit activity to remain responsive and relevant in a dynamic risk landscape.
IIA References:
IIA Standard 2010: Planning requires the CAE to establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals. The frequency and timing of risk assessments should be adapted to the organization’s changing conditions.
The IIA Practice Guide on Risk Assessment in Audit Planning emphasizes that risk assessments should be updated as needed, particularly when there are significant changes in the organization or external environment.