An internal auditor is updating the risk register for risks identified during a recent organizational risk assessment. According to the Standards, which of the following would the auditor include in the risk register?
A.
Management’s acceptance of inadequate controls for cybersecurity risk.
B.
Discussions with senior management relating to a new revenue stream.
C.
Mitigating controls implemented by the engagement supervisor
D.
Project manager planned hours versus time spent for all prior year projects
According to the Standards, the risk register should include information about identified risks and how these are being managed. Management’s acceptance of inadequate controls for a significant risk such as cybersecurity should be documented as it represents a known risk exposure that the organization has chosen to accept. This helps ensure transparency and informs subsequent audit activities and decisions.
International Standards for the Professional Practice of Internal Auditing, specifically on risk assessment and management.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit