Certified Internal Auditor (CIA) Part 2: Practice of Internal Auditing — Question 242

The chief audit executive (CAE) determined that the residual risk identified in an assurance engagement is acceptable. When should this be communicated to senior management?

Answer options

• A. When the CAE reports the audit outcome to senior management.
• B. When the residual risk is identified, before the engagement is complete.
• C. Immediately, as residual risk should be communicated as soon as possible.
• D. When management of the area under review has resolved and mitigated the residual risk.

Correct answer: A

Explanation

The correct answer is A because it's appropriate to communicate the acceptable residual risk during the reporting of the audit outcome, ensuring that management has the complete context of the findings. Options B and C suggest premature communication before the audit is finalized, and D implies waiting until after mitigation, which may delay necessary information sharing.