CISA Exam - Question 415


Which of the following should be the PRIMARY role of an internal audit function in the management of identified business risks?

Correct Answer: A

The primary role of an internal audit function in the management of identified business risks is to provide independent assurance on the effectiveness of the risk management processes. This includes validating enterprise risk management (ERM) to ensure that risks are properly identified, assessed, and managed. Internal audit does not establish or operate the risk management framework, nor does it establish a risk appetite; these tasks typically fall under the responsibilities of management.

Discussion

3 comments
Changwha (Option: C)
Jul 18, 2023

C. Operating the risk management framework

Eiad1100 (Option: A)
May 15, 2024

The PRIMARY role of an internal audit function in the management of identified business risks is to validate enterprise risk management (ERM). Internal audit validates the effectiveness of the organization's risk management processes, including the identification, assessment, and mitigation of risks.

Swallows (Option: A)
Jun 8, 2024

While operating the risk management framework (Option C) is an important responsibility, it is typically the responsibility of management and the risk management function within the organization. Internal audit's role is to provide independent assurance and validation of the effectiveness of these processes, rather than directly operating them.