According to IIA guidance, which of the following individuals should receive the final audit report on a compliance engagement for the organization's cash disbursements process?

----
Which of the following is correct with respect to roles within an enterprise-wide risk management process?
The board provides oversight to the risk management process.
Executive management owns the risk management framework.
Senior management is assigned ownership of risks.
Internal audit modifies the risk assessment determined by management.

Which of the following situations justifies the release of an interim report to management and the board?
* The internal auditor is convinced that the audit observations require immediate attention.
* The internal auditor would like to communicate a change in engagement scope for the activity under review.
* The internal auditor notes that the engagement may extend over a longer time period.
* The audit supervisor believes that issuing interim reports eases supervisory review and controls over working papers.

An audit of a Web-based third-party payment processor determined that a programming error enabled customers to create multiple accounts for each mailing address. This caused problems during the processing of credit card transactions. Management agreed to correct the program and notify customers with multiple accounts that the accounts would be consolidated. What should the auditor do in response?
I. Amend the scope of the subsequent audit to verify that the program was corrected and that accounts were consolidated.
II. Evaluate the adequacy and effectiveness of the corrective action proposed by management.
III. Schedule a follow-up review to verify that the program was corrected and the accounts were consolidated.
IV. Do nothing because management has agreed to address the problem.

An internal auditor recommended that an organization implement computerized controls in its sales system in order to prevent sales representatives from executing contracts in excess of their delegated authority levels. A follow-up review found that the sales system had not been modified, but a process had been implemented to obtain written approval by the vice president of sales for all contracts in excess of $1 million. The chief audit executive (CAE) would be justified in reporting this situation to the organization's board iF.
I.In the opinion of the CAE, the level of residual risk assumed by senior management is too high.
II.
Testing of compliance with the new process finds that all new contracts in excess of $1 million have been approved by the vice president of sales.
III.
The cost of modifying the sales system to include a preventive control is less than $100,000.