IIA Updated IIA-CIA-Part2 Exam Questions and Answers by kylo

A risk that is deemed "unacceptable" to the organization is one where the residual risk (the remaining risk after controls are applied) exceeds the organization's risk tolerance level. This means that despite controls in place, the level of risk remains higher than what the organization is willing to accept. Identifying such risks is critical for ensuring appropriate management action to mitigate them further. References:

The IIA’s Practice Guide on Risk Management.

COSO’s Enterprise Risk Management – Integrating with Strategy and Performance.

When determining the level of staff and resources for an assurance engagement, the most relevant factor for the chief audit executive (CAE) is the availability of resources with the specific skill set required for that particular engagement. This is because assurance engagements often involve complex and specialized areas that necessitate specific expertise to effectively evaluate controls, risks, and processes.

IIA References:

IIA Standard 2230: Engagement Resource Allocation states that internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. The emphasis is on ensuring that the team assigned to the engagement possesses the necessary skills and knowledge.

The Practice Advisory 2230-1 further suggests that the CAE should consider the complexity and risks associated with the engagement and ensure that the assigned team has the appropriate experience and technical skills.

Key performance indicator (KPI) reports are essential tools for tracking and evaluating the performance of various processes and activities within an organization. By reviewing these reports in detail during monthly staff meetings, operational management in the IT department aims to identify any discrepancies or issues promptly. This continuous monitoring helps to prevent a "monitoring gap," which is the failure to adequately oversee and assess operations, potentially leading to undetected problems or inefficiencies

The best possible engagement objectives are those derived from a comprehensive risk assessment that incorporates inputs from both senior management and the company's risk function experts. This approach ensures that the internal audit objectives are aligned with the organization's strategic priorities and risk landscape. By combining insights from senior management with the technical expertise of risk function experts, the internal audit activity can develop well-rounded and relevant engagement objectives that address the most significant risks facing the organization.

The Institute of Internal Auditors (IIA) Standard 2010 – Planning: "The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals."

IIA Practice Guide on "Internal Audit Planning"