When prioritizing the audit universe, the CAE typically uses a risk-factor approach. This includes a combination of likelihood, impact, control effectiveness, and other relevant criteria. Solely relying on impact (Option C) or likelihood (Option B) is insufficient. Heat maps (Option D) may be tools used within the process, but they are not the actual method of prioritization.
Thus, the correct description is the risk-factor approach (Option A).
[Reference:, IIA Practice Guide – Developing a Risk-based Internal Audit Plan., , , ]
Submit