State Internal Audit Advisory Board
Internal Auditing Standards and Requirements in the State of Illinois Review Course
Based on 2017 IIA Standards

IIA Performance Standards 2500 and 2600

Monitoring Progress and Resolution of Senior Management’s Acceptance of Risks

2500 – Monitoring Progress
The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

2500.C1 – The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

2600 – Communicating the Acceptance of Risks
When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.

Interpretation:
The identification of risk accepted by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means. It is not the responsibility of the chief audit executive to resolve the risk.

SIAAB Requirements:

The chief internal auditor establishes procedures to include:

  • The timeframe within which management’s response to the engagement observations and recommendations is required.
  • Evaluation of management’s response.
  • Verification of the response (if appropriate).
  • Performance of a follow-up engagement (if appropriate).
  • A communications process that escalates unsatisfactory responses/actions, including the assumption of risk, to the appropriate levels of senior management or the board.

The internal audit activity’s charter should define the responsibility for follow-up. The chief internal auditor determines the nature, timing, and extent of follow-up, considering the following factors:

  • Significance of the reported observation or recommendation.
  • Degree of effort and cost needed to correct the reported condition.
  • Impact that may result should the corrective action fail.
  • Complexity of the corrective action.
  • Time period involved.

Where the chief internal auditor judges that management’s oral or written response indicates that action taken is sufficient when weighed against the relative importance of the observation or recommendation, internal auditors may follow-up as part of the next engagement.

From: The IIA’s International Professional Practices Framework Copyright 2017 by The Institute of Internal Auditors, Inc., 1035 Greenwood Blvd, Suite 401, Lake Mary, FL 32746. Reprinted with permission

Please close this window to return to Ability LMS to take the quiz for this lesson.