Question

While conducting a control self-assessment project in an IT division, an internal auditor asks managers to rate the severity of each identified risk and the strength of each related control. Which of the following represents the most significant disadvantage of this exercise?

A. The internal audit activity will be viewed as responsible for controls.
B. Budget hours expended will exceed any tangible benefits.
C. Management may omit important control weaknesses.
D. Subsequent audits of the division may not be conducted.

Answer 1

The most significant disadvantage of having managers rate the severity of risks and the strength of related controls during a control self-assessment project is that management may omit important control weaknesses due to bias or lack of objectivity. The correct option is C.

Step-by-step explanation:

While conducting a control self-assessment project in an IT division, an internal auditor asks managers to rate the severity of each identified risk and the strength of each related control. The most significant disadvantage of this exercise would be C. Management may omit important control weaknesses.

This is because managers may have a natural bias to under-report issues or may not see all the control weaknesses, either due to lack of objectivity or because they are too close to the processes they oversee.

Internal audits are meant to provide an independent assessment of risks and controls. If management is asked to self-assess, the objectivity of the exercise may be compromised. Additionally, managers may not possess the specialized knowledge or perspective that an independent auditor would have, which might lead to inadequate risk evaluation.