Final answer:
Residual risk is the risk that remains after all internal controls have been implemented by an organization. It reflects the fact that internal controls cannot completely eliminate risk exposure. The concept is fundamental to understanding why an organization remains vulnerable to potential threats despite its control measures. The correct option is b. Residual risk.
Step-by-step explanation:
The question asks what type of risk remains after an organization implements internal controls. The correct answer is b. Residual risk. Internal controls are processes put in place by management to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud. However, no system is perfect, and there is always some level of risk that is not completely eliminated by these controls. This remaining risk is known as residual risk.
Inherent risk refers to the exposure to risk in the absence of any actions by management to control or mitigate that risk. Risk appetite is the amount of risk an organization is willing to accept in pursuit of its objectives before action is deemed necessary to reduce the risk. Risk assessment is the process of identifying risks and evaluating their potential impact, which is typically performed before controls are implemented to help guide what controls should be put in place.
In summary, residual risk is the exposure that exists after all controls are in place and is a reflection of the effectiveness, or lack thereof, of the internal controls implemented. It is an essential concept in risk management because it helps organizations understand and prepare for the level of exposure they have to potential threats even after taking precautionary steps.