An internal auditor differs from an external auditor primarily in organizational role and engagement level. While both must remain objective and impartial, internal auditors are part of the organization and may actively participate as interested parties in improving risk management processes—provided independence is preserved.
ISO/IEC 27001:2022 Clause 9.2 allows internal audits to be conducted by the organization itself, and ISO 19011 recognizes that internal auditors may provide insight, advice, and feedback to improve management systems. This can include participating in risk identification and assessment discussions, especially where they are not auditing their own work.
Option A is incorrect because internal auditors do more than observe; they evaluate and may recommend improvements.
Option C is incorrect because internal auditors do not defer all risk evaluations to external auditors; they play an active assurance role.
External auditors, by contrast, must remain strictly independent and cannot participate in risk identification or assessment, as this would compromise certification impartiality.