Full Access IIA IIA-CIA-Part1 Tutorials

An internal audit charter is a formal document that defines the internal audit activity's purpose, authority, and responsibility. According to IIA standards, the charter should also establish the internal audit activity's position within the organization, including the nature of the chief audit executive's functional reporting relationship with the board. This helps ensure that the internal audit activity has sufficient authority and resources, and that there is appropriate oversight by the board.

The Institute of Internal Auditors (IIA) - International Professional Practices Framework (IPPF) - Standards regarding audit charter

The most appropriate response for a chief audit executive (CAE) who has been asked to oversee the organization's insurance function is to report the request to the board and recommend alternate processes to obtain assurance related to insurance activities. Taking on operational responsibilities such as overseeing the insurance function could impair the objectivity and independence of the internal audit activity, making it difficult to audit those activities impartially in the future.

IIA Standards on independence and objectivity, particularly Standard 1130: Impairment to Independence or Objectivity.

===============

According to the Standards, the risk register should include information about identified risks and how these are being managed. Management’s acceptance of inadequate controls for a significant risk such as cybersecurity should be documented as it represents a known risk exposure that the organization has chosen to accept. This helps ensure transparency and informs subsequent audit activities and decisions.

International Standards for the Professional Practice of Internal Auditing, specifically on risk assessment and management.

The organization's risk management practices that were most likely ineffective in the scenario described involve the due diligence review of vendors during the bid review process. Effective due diligence would typically include an assessment of all potential risks associated with a vendor, including reputational and regulatory risks stemming from labor practices. Failure in this area suggests that the due diligence process was not thorough enough to identify these risks.

Risk management frameworks and guidelines that emphasize the importance of comprehensive vendor due diligence as part of an organization’s risk management practices.