An organization does not have a formal risk management function. According to the Standards, which of the following are conditions where the internal audit activity may provide risk management consulting?

1. There is a clear strategy and timeline to migrate risk management responsibility back to management

2. The internal audit activity has the final approval on any risk management decisions

3. The internal audit activity gives objective assurance on all parts of the risk management framework for which it is responsible

4. The nature of services provided to the organization is documented in the internal audit charter

a. 1 and 4 only

b. 2 and 4 only

c. 1 and 3 only

d. 2 and 3 only

An organization relies on external auditors primarily to accomplish which of the following objectives?

a. Strategic

b. Operational

c. Reporting

d. Compliance