Certified Internal Auditor (CIA) Part 2: Practice of Internal Auditing — Question 237

An internal auditor was assigned to review controls in the accounts payable function. Most of the accounts payable processes are performed by a third-party service provider. The auditor included in the audit report a number of control deficiencies involving processes performed by the service provider. The service provider requested a copy of the report. Which of the following would be the most appropriate response from the chief audit executive (CAE)?

Answer options

• A. The CAE would automatically send a copy of the report to the service provider, as many of the findings relate to the area managed by the service provider.
• B. The CAE may distribute the report to the service provider at no cost, after consulting with legal counsel and the chief compliance officer.
• C. The CAE may provide a copy of the audit report to the service provider if an agreement is signed and the service provider agrees to reimburse the cost of the audit.
• D. The CAE should benchmark with other organizations in the industry by consulting with colleagues and distribute the report only if it is an acceptable practice in the industry.

Correct answer: B

Explanation

The correct response is B because it ensures that the CAE consults with legal counsel and the chief compliance officer before sharing sensitive information, which is crucial for compliance and risk management. Option A is incorrect as it lacks the necessary consultation, while C incorrectly implies that a cost reimbursement is a requirement for disclosure, and D unnecessarily complicates the decision-making process by introducing benchmarking instead of adhering to legal and compliance protocols.