Which of the following is true regarding the use of a formal risk management framework?
1. It facilitates a methodical approach to risk mitigation.
2. It defines and standardizes the terminology used in risk communication.
3. It establishes the risk tolerance levels to be accommodated in the strategy.
4. It facilitates the alignment of risk mitigation strategies with management priorities.

According to IIA guidance, which of the following statements are true regarding the internal audit plan?
1. The audit plan is based on an assessment of risks to the organization.
2. The audit plan is designed to determine the effectiveness of the organization's risk management process.
3. The audit plan is developed by senior management of the organization.
4. The audit plan is aligned with the organization's goals.

Which of the following is not included in the process of user authentication?

Faced with a complex, highly technical construction audit engagement, the chief audit executive (CAE) considered complementing the current internal audit resources by engaging the services of a civil engineer.
Which of the following should the CAE consider in determining whether the engineer possesses the necessary skills to perform the engagement?
1. Professional certification, license, or other recognition of the engineer's competence in the relevant discipline.
2. Experience of the engineer in the type of work being considered.
3. Compensation or other incentives that the engineer may receive.
4. The extent of other ongoing services that the engineer may be performing for the organization.

A draft internal audit report that cites deficient conditions generally should be reviewed with which of the following groups?
1. The client manager and her superior.
2. Anyone who may object to the report's validity.
3. Anyone required to take action.
4. The same individuals who receive the final report.