IIA Updated IIA-CIA-Part2 Exam Questions and Answers by wilf

The corporate risk register is a comprehensive document that records identified risks, their assessment in terms of likelihood and impact, and the controls in place to manage them. It reflects the organization’s attitude toward risk and highlights areas where achieving objectives may be difficult. The CAE should consult this resource to align the audit plan with the organization's risk profile and ensure that high-risk areas are appropriately audited. References:

IIA Standards - 2010: Planning

IIA Practice Guide - Risk Management

When a significant risk is identified during a consulting engagement, the most appropriate response is to report the risk to senior management. Even if the engagement is consulting in nature, it is still crucial for the internal audit activity to ensure that significant risks are communicated to those responsible for managing them.

IIA References:

IIA Standard 2120: Risk Management requires that internal auditors evaluate the effectiveness of risk management processes and communicate significant risks to senior management. This applies regardless of whether the engagement is assurance or consulting.

The Practice Guide on Consulting Services advises that internal auditors must ensure that significant risks identified during consulting engagements are brought to the attention of senior management so that they can take appropriate action.

When the board requests consulting services to gain insight regarding external risks, the appropriate engagement objective is to assess the organization's ability to minimize these risks. This involves evaluating the organization's risk management framework, including identifying external risks, assessing their potential impact, and reviewing the effectiveness of the strategies and controls in place to mitigate these risks. By doing so, internal auditors provide valuable insights into how well the organization is prepared to handle external threats and ensure the achievement of its annual objectives.

Institute of Internal Auditors (IIA) Standards: Performance Standards 2110: Governance

COSO Enterprise Risk Management (ERM) Framework: Risk Assessment and Risk Response Components

According to the International Standards for the Professional Practice of Internal Auditing (Standards) set by the Institute of Internal Auditors (IIA), internal audit functions are allowed flexibility in including consulting engagements in their annual plans. Standard 2010 – Planning states that "the chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals." This risk-based plan should consider the potential value-add of consulting engagements. Consulting engagements that are expected to add significant value or align with strategic objectives are often included, but not all requests need to be automatically included unless they meet these criteria.

Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2010 – Planning.