When assessing the adequacy of a risk mitigation strategy, an internal auditor should consider which of the following?
1. Managements tolerance for specific risks.
2. The cost versus benefit of implementing a control.
3. Whether a control can mitigate multiple risks.
4. The ability to test the effectiveness of the control.
When assessing the adequacy of a risk mitigation strategy, an internal auditor should consider management's tolerance for specific risks to ensure alignment with risk appetite, the cost versus benefit of implementing a control to ensure economic efficiency, and the ability to test the effectiveness of the control to ensure it is functioning as intended. These considerations ensure a balanced and effective risk management approach.
Isn't cost-benefit not a consideration?
Perhaps it's for management to ascertain that?
Cost-benefit - for me also the right option for the answer.
regarding compliance, it is not the case, controls must exist regardless of cost-benefit balance
Correct. Compliance can be mandatory and/or voluntary, but that has nothing to do with cost.
My exact thoughts NDOndo