Which business units are classified as auditable entities?

Auditable entities are typically defined as business units that hold significant responsibility for managing risks and controls within an organization. The correct answer identifies units engaged in the first and second lines of defense, which are essential components of an organization's risk management framework.

The first line of defense consists of operational management, which is responsible for identifying and managing risks as part of their everyday activities. The second line includes functions that set standards for risk management and compliance monitoring, such as risk management teams or compliance departments. These units are crucial for ensuring that appropriate controls are in place and that risks are adequately managed and reported.

In contrast, while financial audit units and those performing risk analysis are important for overall governance, they are often considered more specialized functions rather than primary auditable entities. Compliance units that do not handle compliance directly may lack the necessary oversight and engagement in the risk management processes, making them less relevant as direct auditable units. Thus, the emphasis on the first and second lines of defense underlines their central role in effective governance and risk management, which is why they are classified as auditable entities.