Prioritizing risks for management would cause the internal auditor to assume a management responsibility because this action involves making decisions that are typically the responsibility of management. Assessing management's acceptance of risk, reviewing a cybersecurity risk report issued by management, and developing a list of emerging risks for management are all activities that support management without taking on their decision-making role.