Reasonable assurance represents a high, but not absolute, level of confidence. It is the outcome of a systematic and detailed process, such as an external audit, concluding in a positive form of expression that the subject matter conforms to specific criteria and is free from material misstatement. In contrast, limited assurance provides a lower level of confidence. It results from less extensive procedures, such as a review, and is expressed in a negative form (e.g., "nothing has come to our attention..."). This distinction is critical in GRC for determining the level of reliance that can be placed on different assessments of control effectiveness and compliance.

B. This option incorrectly reverses the typical assurance levels. External audits provide reasonable assurance, which is a higher level than that provided by many internal risk assessment activities.

C. This option misattributes the roles. The Board of Directors consumes or receives assurance reports to perform its oversight function; it does not provide formal assurance itself.

D. This option confuses management functions with assurance activities. Management is responsible for assertions about controls, but formal assurance is an independent assessment of those assertions.

1. OCEG, "GRC Capability Model," Version 3.5, 2021. Section 3.5, "Monitor," discusses the role of assurance providers, including internal and external audit. It states, "Assurance activities may be performed by a variety of parties... The nature and scope of procedures performed will vary, resulting in different levels of assurance." This establishes the context for different assurance levels within the GRC framework.

2. International Federation of Accountants (IFAC), "International Framework for Assurance Engagements," January 2013. Paragraph 11 explicitly defines the two types of assurance engagements:

"In a reasonable assurance engagement, the practitioner reduces assurance engagement risk to an acceptably low level... as the basis for a positive form of expression of the practitioner’s conclusion."

"In a limited assurance engagement, the practitioner reduces assurance engagement risk to a level that is acceptable... but where that risk is greater than for a reasonable assurance engagement, as the basis for a negative form of expression of the practitioner’s conclusion."

3. Pickett, K. H. Spencer. "The Internal Auditing Handbook." 3rd ed., John Wiley & Sons, 2010. Chapter 2, "Assurance and Consulting," explains that reasonable assurance is the highest level and is associated with audit work, while limited assurance is linked to review-type engagements which are narrower in scope. This is a standard text used in university-level auditing courses.