
IIA-CIA-Part2: What Should CAE Do When Management Fails to Mitigate High Risks Reported in Audit?

Learn the essential initial step a chief audit executive (CAE) must take when management hasn’t implemented measures to address high risks identified in an internal audit report. Ensure proper escalation and communication to protect the organization.


Question

Upon completing a follow-up audit engagement, the chief audit executive (CAE) noted that management has not implemented any mitigation measures to address the high risks that were reported in the initial audit report. What initial step must the CAE take to address this situation?

A. Communicate the issue to senior management.
B. Discuss the issue with members of management responsible for the risk area.
C. Report the situation to the external auditors.
D. Escalate the issue to the board.

Answer

A. Communicate the issue to senior management.

Explanation

According to IIA Standard 2600 – Communicating the Acceptance of Risks, when the CAE concludes that management has accepted a level of risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management. If the CAE determines that the matter has not been resolved, the CAE must communicate the matter to the board.

In this scenario, the CAE noted during a follow-up audit that management has not taken any steps to mitigate the high risks reported in the initial audit. The correct initial action for the CAE is to communicate the issue to senior management (option A).

Discussing the issue only with the management responsible for the risk area (option B) is insufficient given the serious nature of the unmitigated high risks. Reporting the situation to external auditors (option C) is not the CAE’s immediate responsibility and would be premature at this stage. Escalating directly to the board (option D) should only occur after senior management has first been made aware of the issue and given a chance to address it.

By promptly communicating unmitigated high risks to senior management, the CAE fulfills their duty to the organization and upholds the International Standards for the Professional Practice of Internal Auditing. This step allows senior management an opportunity to take corrective action before further escalation to the board becomes necessary.
