IIA-CIA-Part2: Can a CAE Provide Internal Audit Report to Third-Party Service Provider?

Learn the appropriate steps a chief audit executive (CAE) should take when a third-party service provider requests a copy of an internal audit report containing control deficiencies related to their processes.

Question

An internal auditor was assigned to review controls in the accounts payable function. Most of the accounts payable processes are performed by a third-party service provider. The auditor included in the audit report a number of control deficiencies involving processes performed by the service provider. The service provider requested a copy of the report. Which of the following would be the most appropriate response from the chief audit executive (CAE)?

A. The CAE would automatically send a copy of the report to the service provider, as many of the findings relate to the area managed by the service provider.
B. The CAE may distribute the report to the service provider at no cost, after consulting with legal counsel and the chief compliance officer.
C. The CAE may provide a copy of the audit report to the service provider if an agreement is signed and the service provider agrees to reimburse the cost of the audit.
D. The CAE should benchmark with other organizations in the industry by consulting with colleagues and distribute the report only if it is an acceptable practice in the industry.

Answer

B. The CAE may distribute the report to the service provider at no cost, after consulting with legal counsel and the chief compliance officer.

Explanation

The chief audit executive (CAE) should not automatically send a copy of the internal audit report to the third-party service provider, even if many of the findings relate to areas managed by the provider. Distributing the report without proper consultation could potentially expose the organization to legal risks or violate compliance policies.

The most appropriate response is for the CAE to consult with the organization’s legal counsel and chief compliance officer before deciding whether to share the report with the service provider. This consultation will help ensure that distributing the report does not breach any contractual obligations, confidentiality agreements, or regulatory requirements.

If, after consultation, it is deemed appropriate to share the report, the CAE may provide a copy to the service provider at no cost. Charging the service provider for the report or requiring them to sign an agreement to reimburse audit costs would be unnecessary and could strain the working relationship between the organization and the provider.

Benchmarking with other organizations in the industry is not the most appropriate action in this situation, as each organization’s policies, contracts, and legal obligations may differ. The CAE should focus on their own organization’s specific circumstances and consult with the appropriate internal stakeholders to determine the best course of action.
