The internal audit activity must assess and make appropriate recommendations for improving the governance process.

The internal audit activity must assess and make appropriate recommendations to improve the organization’s governance processes for:

1. Making strategic and operational decisions;

2. Overseeing risk management and control;

3. Promoting appropriate ethics and values within the organization;

4. Ensuring effective organizational performance management and accountability;

5. Communicating risk and control information to appropriate areas of the organization; and

6. Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management (Perf. Std. 2110).T

Answer (D) is correct.
The CAE should consider the following in planning assessments of governance:

1. An audit should address controls in governance processes that are designed to prevent or detect events that could have a negative effect on the organization;

2. Controls within governance processes often are significant in managing multiple risks; and,

3. If other audits assess controls in governance processes, the auditor should consider relying on their results.

Thus, Craig should consider all of the answer choices when planning the assessment of governance.

A CSR audit of the ethics element typically includes determining whether the organization reflects an anti-corruption culture, as evidenced, for example, in the organization’s risk assessment, code of conduct, or policies.

Operational pressure points (e.g., environmental effects of processes or products) may indicate risks. Risks also result from, for example, not achieving CSR objectives because of inappropriate CSR strategies or overemphasis on CSR strategies.

The GRI has developed a sustainability reporting framework that provides specific guidance on measuring CSR performance against predefined criteria.