Evidence · Nolan · 2026-05-20

How should auditors document management's acceptance of excessive risk?

60 upvotes

author: AcadiFi Team

Answer:

The workpapers should show the risk, affected objective, criteria, evidence, management's explanation, proposed action, residual exposure, and the CAE's basis for concluding that the accepted risk appears above appetite or tolerance. The file should also show the communication path and outcome.

If management agrees to remediate, document the action plan, owner, date, and follow-up method. If management delays, refuses, or accepts exposure beyond tolerance, document that response and the CAE's escalation decision.

The final communication should be accurate, objective, clear, complete, and timely. If management has already taken action, acknowledge it, but do not erase the supported condition or the remaining risk.


#risk-acceptance #workpapers #action-plans #final-communication