When assessing the risk associated with an activity, an internal auditor should:

A. Determine how the risk should best be managed.

B. Provide assurance on the management of the risk.

C. Modify the risk management process based on risk exposures.
D. Design controls to mitigate the identified risks.