In the three-lines-of-defense model, internal audit occupies the third line primarily because it:
-
A
Manages day-to-day operational risks directly
-
B
Provides independent assurance to senior management and the board
-
C
Sets risk policy and risk appetite for the organization
-
D
Coordinates risk oversight with external regulators