In this situation, the internal auditor has identified a significant risk related to the failure to maintain air quality monitoring equipment. Since the CEO and the manager have acknowledged the risk but decided not to take corrective action due to cost concerns, the chief audit executive (CAE) should escalate the issue to the board. This step is necessary to ensure that the board is fully informed of the potential regulatory and reputational risks.

IIA Standard 2600 – Communicating the Acceptance of Risks:

This standard requires the CAE to communicate to senior management and the board when management has accepted a level of risk that the CAE believes is unacceptable. The board needs to be made aware of the situation to ensure they can take appropriate action if needed.

Risk Communication:

The CAE’s responsibility includes ensuring that all significant risks are communicated to the highest level of the organization. In this case, the potential for regulatory sanctions and reputational damage due to inaccurate air quality monitoring is a significant risk that the board should be aware of.

IIA Practice Advisory 2600-1:

The advisory emphasizes that when the CAE believes that management has accepted a level of risk that could be detrimental to the organization, it is the CAE’s duty to escalate the matter to the board.

Option A (Implement corrective actions): It is not the CAE's role to implement corrective actions; this responsibility lies with management.

Option C (Discuss with external auditors): While external auditors can provide additional perspectives, the CAE should directly communicate significant risks to the board.

Option D (Contact the regulatory agency): This is an extreme step that should only be considered if the organization fails to address the issue after internal escalation.

Detailed Explanation:Why Not Other Options?