Which of the following actions is the most appropriate response for an internal auditor to take when a significant risk is identified during a consulting engagement?
A.
Report the risk identified from the consulting engagement to senior management.
B.
Do not include the risk in the assessment of risk management processes, as that is management's responsibility.
C.
Do not report the risk, as it is out of scope for the consulting engagement.
D.
Include the risk identified from the consulting engagement in the next annual risk assessment only if it is part of the consulting engagement objectives.
When a significant risk is identified during a consulting engagement, the most appropriate response is to report the risk to senior management. Even if the engagement is consulting in nature, it is still crucial for the internal audit activity to ensure that significant risks are communicated to those responsible for managing them.
IIA References:
IIA Standard 2120: Risk Management requires that internal auditors evaluate the effectiveness of risk management processes and communicate significant risks to senior management. This applies regardless of whether the engagement is assurance or consulting.
The Practice Guide on Consulting Services advises that internal auditors must ensure that significant risks identified during consulting engagements are brought to the attention of senior management so that they can take appropriate action.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit