Module: | MODULE B: RISK MANAGEMENT
Q411: Consider the following statements regarding the role of Internal Audit in Operational Risk Management:
1. The Internal Audit function operates as the third line of defense, providing independent assurance to the Board on the effectiveness of the ORM framework.
2. Internal Audit is responsible for the routine drafting and implementation of operational risk policies for the business units.
3. Internal Audit must periodically evaluate whether the business units and the ORMD are functioning effectively within their respective lines of defense.
Which of the statements given above is/are correct?
2. Internal Audit is responsible for the routine drafting and implementation of operational risk policies for the business units.
3. Internal Audit must periodically evaluate whether the business units and the ORMD are functioning effectively within their respective lines of defense.
Which of the statements given above is/are correct?
✅ Correct Answer: B
The correct answer is B. Statement 1 is correct: Internal Audit serves as the critical third line of defense.
Its primary mandate is not operational execution, but providing independent, objective assurance to the Board of Directors and the Audit Committee regarding the overall robustness and effectiveness of the bank's operational risk management framework.
Statement 2 is incorrect: Internal Audit is strictly forbidden from drafting, designing, or implementing risk policies or managing operations directly.
Performing these functions creates a conflict of interest and compromises their independence.
Framework design and policy drafting belong to the ORMD (Second Line). Statement 3 is correct: To fulfill its assurance role, Internal Audit must conduct periodic, independent evaluations to verify that the First Line (business units) is complying with risk controls and that the Second Line (ORMD) is effectively monitoring those risks without bias.
Therefore:
Option A is incorrect because Statement 2 is false.
Option B is correct as both Statement 1 and 3 are true.
Option C is incorrect because Statement 2 is false.
Option D is incorrect because Statement 2 is false.
Its primary mandate is not operational execution, but providing independent, objective assurance to the Board of Directors and the Audit Committee regarding the overall robustness and effectiveness of the bank's operational risk management framework.
Statement 2 is incorrect: Internal Audit is strictly forbidden from drafting, designing, or implementing risk policies or managing operations directly.
Performing these functions creates a conflict of interest and compromises their independence.
Framework design and policy drafting belong to the ORMD (Second Line). Statement 3 is correct: To fulfill its assurance role, Internal Audit must conduct periodic, independent evaluations to verify that the First Line (business units) is complying with risk controls and that the Second Line (ORMD) is effectively monitoring those risks without bias.
Therefore:
Option A is incorrect because Statement 2 is false.
Option B is correct as both Statement 1 and 3 are true.
Option C is incorrect because Statement 2 is false.
Option D is incorrect because Statement 2 is false.