A large investment organization hired a chief risk officer (CRO) to be responsible for the organization's risk management processes. Which of the following people should prioritize risks to be used for the audit plan?
A. Operational management, because they are responsible for the day-to-day management of the operational risks.
B. The CRO, because he is responsible for coordinating and project managing risk activities based on his specialized skills and knowledge.
C. The chief audit executive, although he is not accountable for risk management in the organization.
D. The CEO, because he has ultimate responsibility for ensuring that risks are managed within the agreed tolerance limits set by the board.
The chief audit executive (CAE) should prioritize risks to be used for the audit plan. Although the CAE is not accountable for managing risks, he is responsible for ensuring that the internal audit activity provides assurance on the effectiveness of the risk management processes. The CAE must understand the organization's risk landscape and determine which areas require audit attention based on their significance and potential impact. References: IIA Standard 2010 – Planning, IIA Practice Guide – Coordinating Risk Management and Assurance