The board is considering outsourcing the internal audit function to an external service provider. Which of the following would always remain the responsibility of the organization?
A.
Ongoing monitoring of the quality of internal audit documents
B.
Defining audit scopes sufficient to achieve the engagements' objectives
C.
Maintaining a quality assurance and improvement program
D.
Assessment of organizational risks for the annual audit plan
Even if the internal audit activity is outsourced, the organization’s senior management and the board retain overall responsibility for governance, risk management, and control processes. Specifically, management must ensure that an annual risk assessment is performed to identify and prioritize organizational risks. This forms the basis of the internal audit plan.
While the external service provider may assist in planning and execution, the assessment of risks to the organization cannot be delegated away because accountability for risk management remains with the organization itself. Activities such as quality assurance programs or audit scope discussions can be supported or executed by the service provider, but responsibility for risk assessment is always with management and the board.
[Reference:, IIA Standards – Standard 2070: External Service Provider and Organizational Responsibility for Internal Auditing., ]
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit