Final answer:
The internal auditor should test for compensating controls and if necessary, refine the design to effectively mitigate risks before documenting this process in the audit report as part of communicating the results and processes. The best fit of choice is b. Test compensating controls in other (adjacent) processes to see if the impact of the design inadequacy is reduced to an acceptable level.
Step-by-step explanation:
If an internal auditor determines that the process is not designed adequately to reduce the underlying risks to an acceptable level, the internal auditor should first consider whether there are any compensating controls in other areas that may mitigate the risks posed by the design inadequacy. Testing these controls can help to determine whether they sufficiently reduce risk. It might be necessary to refine the design based on the testing and evaluation findings. If there are significant weaknesses in the design, a more in-depth review or a re-design might be needed to ensure that the process meets its objectives and reduces risk to an acceptable level.
Once the design is refined and adequately mitigates the risks, the auditor should document the process and results in the audit report. This is essential for communicating processes and results, which is an integral part of ensuring that all stakeholders are informed about the controls in place and the level of risk they mitigate. If during the process the auditor finds that the design improvements have no further potential enhancements or the design is considered a good design, then the implementation phase can begin.