A
AcadiFi
RE
ReportBoundaryOwen2026-05-20
ciaCIA Part 3Audit CommunicationConfidentiality

Can internal audit share audit reports with risk management?

51 upvotes
AcadiFi TeamVerified Expert
AcadiFi Certified Professional

author: AcadiFi Team

Answer:

Sometimes, but it should be governed by a protocol. The CAE should consider the report's intended audience, confidentiality, legal sensitivity, board or audit committee expectations, and whether risk management needs the full report or only risk themes.

Often the best compromise is structured sharing: issue categories, ratings, themes, remediation aging, and risk-register implications, with full reports limited to those who need them. If risk management has a formal role in tracking enterprise risks, audit themes can be very useful.

The key is that sharing information does not transfer ownership of the audit conclusion. Internal audit still controls its final communication and assurance opinion.

🔍

Master CIA Part 3 with our CIA Course

45 lessons · 90+ hours· Expert instruction

View Course — $199All-Access $49/mo
#report-sharing#confidentiality#risk-management#cae

Related Questions

What should an auditor do if a supervisor weakens a supported finding?

cia·CIA Part 2·46 upvotes

How should auditors prepare for a technical exit meeting?

cia·CIA Part 2·35 upvotes

When should audit quality concerns be escalated beyond the engagement team?

cia·CIA Part 2·56 upvotes

How does business knowledge affect internal audit quality?

cia·CIA Part 2·51 upvotes

Where should an auditor begin a full-company internal control audit?

cia·CIA Part 2·51 upvotes

Related Articles

Risk Management and Internal Audit: How to Coordinate Without Blurring the Three Lines

12 min read

Practice Questions

Test your knowledge with our CIA question bank.

Try Practice Questions

Join the Discussion

Ask questions and get expert answers.

Join Now