What is the best course of action for a chief audit executive if an internal auditor identifies in the early stage of an audit that some employees have inappropriate access to a key system?
A.
Contact the audit committee chair to discuss the finding
B.
Obtain verbal assurance from management that the inappropriate access will be removed
C.
Issue an interim audit report so that management can implement action plans
D.
Ask the auditor to create a ticket with the IT help desk requesting to revoke the inappropriate access
If an internal auditor identifies that some employees have inappropriate access to a key system in the early stage of an audit, the best course of action is to issue an interim audit report so that management can implement action plans. This approach ensures that the identified issue is formally communicated to management promptly, allowing them to take immediate corrective action to mitigate the risk. It also documents the auditor's findings and recommendations, providing a clear audit trail and supporting accountability. Obtaining verbal assurance or creating a ticket might address the issue temporarily but lacks the formal documentation and follow-up mechanisms inherent in an interim audit report.
IIA Standard 2440: "Disseminating Results"
IIA Practice Advisory 2440-1: "Communicating Interim Engagement Results"
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit