Certified Government Auditing Professional (CGAP) 2025 – 400 Free Practice Questions to Pass the Exam

The definition of "residual risk" as provided by the Institute of Internal Auditors (IIA) pertains to the risk that remains after management has implemented controls and mitigation strategies. In this context, the chief audit executive (CAE) has the vital responsibility to engage with management regarding this residual risk, particularly when it is deemed to be at an excessively high level.

The CAE's discussions with management are important as they help ensure that there is awareness and transparency about the risks that remain after management's efforts. This dialogue also allows for a collaborative approach to addressing any significant concerns regarding risk exposure that could affect the organization's objectives. Engaging in such discussions can lead to better risk management strategies and further improvements in internal controls.

In contrast, the other choices either misrepresent the auditor's responsibilities towards residual risk or do not align with standard practices. The assertion that auditors have no responsibility (as mentioned in the first and third options) overlooks the fundamental role of auditors in evaluating and communicating about risks that may affect the organization's goals. The claim in the fourth option that all residual risks should be reported to the board annually without a strategic focus on discussion and assessment could lead to information overload without fostering understanding and action from management.

Overall, the correct choice emphasizes the