The chief audit executive (CAF) determined that the residual risk identified in an assurance engagement is acceptable. When should this be communicated to senior management?
A.
When the CAE reports the audit outcome to senior management.
B.
When the residual risk is identified before the engagement is complete.
C.
Immediately, as residual risk should be communicated as soon as possible
D.
When management of the area under review has resolved and mitigated the residual risk
The chief audit executive (CAE) has the responsibility to communicate audit results, including residual risks, to senior management. According to IIA Standard 2410 - Criteria for Communicating, the CAE should communicate the engagement’s objectives, scope, conclusions, recommendations, and action plans. Residual risk, being a part of the audit outcome, should be reported at the same time as the audit results to ensure that senior management is fully informed of all aspects of the engagement. This allows senior management to understand the remaining risks after control measures have been applied.References:
The Institute of Internal Auditors (IIA) - Standards for the Professional Practice of Internal Auditing, Standard 2410 - Criteria for Communicating
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit