IIA-CIA-Part2: How Should Internal Auditors Handle Evidence of Regulatory Non-Compliance?

Internal auditors may uncover evidence that their organization is not complying with relevant regulations. Learn the proper way for auditors to handle sensitive evidence like photos to ensure it is protected and escalated appropriately.

Question

During a review to verify the organization’s compliance with relevant health, safety, and environmental regulations, an internal auditor noted that waste oil was not being stored and safeguarded as required. The auditor captured evidence of this on his mobile phone. How should this evidence be handled?

A. The internal auditor should ensure the phone is password protected to restrict access to the evidence.
B. The pictures should be sent to relevant regulatory authorities as evidence of the breach.
C. The internal auditor should transfer the pictures to the chief audit executive to be tied as evidence.
D. The pictures should be sent to the CEO and senior management as evidence of the breach.

Answer

According to IIA standards and best practices, the correct way for the internal auditor to handle the photographic evidence of the organization improperly storing waste oil is:

C. The internal auditor should transfer the pictures to the chief audit executive to be tied as evidence.

Explanation

The internal auditor has a responsibility to safeguard sensitive information and evidence. Simply keeping the photos on a password-protected phone is not sufficient – the evidence needs to be properly documented and tied to the audit findings.

However, the auditor should not send the evidence directly to regulators or senior executives like the CEO. The proper chain of custody is for the auditor to provide the evidence to the Chief Audit Executive (CAE). The CAE can then determine appropriate next steps, such as discussing the issue with management and potentially disclosing it to the board and/or regulators if warranted based on the severity.

Sending evidence of non-compliance directly to parties outside of Internal Audit without following proper protocols could compromise the independence and credibility of the audit function. The CAE needs to be made aware of the issue first to provide oversight and ensure it is handled correctly.

In summary, to maintain a secure chain of custody and adhere to Internal Audit standards, the auditor should transfer the photographic evidence to the CAE to be formally tied to the audit observation. The CAE can then determine appropriate escalation and disclosure based on the organization’s policies and the severity of the compliance breach.
