Through meetings with management, an organization's chief audit executive (CAE) learns of a risk that exceeds the established risk tolerance. What would be an appropriate next action for the CAE to take?
A. Design and recommend an appropriate response to the risk
B. Discuss the risk and the implications of the risk with management responsible for the risk area
C. Schedule an audit of the risk area to assess the risk likelihood and impact
The CAE should first discuss the risk and its implications with the management responsible for that area. This gives management the opportunity to reassess the risk, take corrective action, or explain its position. If the matter remains unresolved and the CAE still believes the risk exceeds the organization's risk tolerance, escalation to senior management and, if necessary, the board may follow.
Option A (designing the response) is management's role, not the CAE's. Option C (scheduling an audit) may be relevant later, but an immediate discussion with the responsible management is the first step. Option D is premature without first engaging management.
Reference: IIA Standards, Standard 2600: Communicating the Acceptance of Risks.