Which of the following actions should the chief audit executive take when senior management decides to accept risks by choosing to do business with a questionable vendor?
A. Persuade senior management to take appropriate action.
B. Cancel issuing the engagement report due to the assumed risks.
C. Accept senior management’s assumption of the risks.
D. Discuss the issue with the board for them to take appropriate action.
If senior management decides to accept risks, such as doing business with a questionable vendor, and the chief audit executive (CAE) believes this poses a significant risk to the organization, the CAE should escalate the issue to the board. The board has the ultimate responsibility for overseeing risk management and can decide on the appropriate action to take in response to the risk.
IIA References:
IIA Standard 2600: Communicating the Acceptance of Risks states that when the CAE believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management. If the decision regarding risk remains unchanged, the CAE must inform the board.
The Practice Guide on Risk Management highlights the importance of the CAE keeping the board informed of significant risks that management has chosen to accept, particularly when these risks could have a material impact on the organization.