The correct answer is B. Assessing key controls that support the migration.
ISACA guidance explains that internal audit should be involved in cloud procurement, design, and adoption to identify relevant risks and ensure that appropriate controls are in place and operating effectively. That is an assurance role, not a management or implementation role.
Option A is incorrect because mitigating risk to an acceptable level is a management responsibility, not an internal audit responsibility. Internal audit evaluates and provides assurance, but should not own risk treatment in a way that impairs independence.
Option C is incorrect because implementing security controls is also a management or operational responsibility, not the auditor’s role.
Option D is incorrect because budget and resource impact analysis is primarily a management planning function.
Therefore, the correct answer is B, because internal audit’s proper role is to assess whether the key controls supporting the cloud migration are appropriate and effective.
References (Official ISACA):
ISACA Now Blog, Five Major Auditing Challenges in Cloud Computing and How to Overcome Them — internal audit should identify cloud risks and ensure appropriate controls are in place and operating effectively.
ISACA, Now Is the Time for IT Auditors to Perform Advisory Pre-Implementation Reviews — internal audit provides observations and recommendations to enhance the control environment before deployment.
ISACA Journal, Digital Trust and the Audit Function — audit acts as assurance for implementation of required practices.