What should internal audit do when management knows about a control failure and does nothing?
Internal audit should document the issue, preserve the supporting evidence, and escalate according to the severity of the risk. If the breakdown affects financial-reporting reliability, involves repeated tolerance, or implicates senior management, the CAE may need to raise it to the audit committee or equivalent governance body.
The key is not to substitute internal audit for management. Internal audit can recommend corrective actions and verify remediation later, but management remains responsible for fixing the control environment.
Master part-2 with our CIA Course
45 lessons · 90+ hours· Expert instruction
Related Questions
What should an auditor do if a supervisor weakens a supported finding?
How should auditors prepare for a technical exit meeting?
When should audit quality concerns be escalated beyond the engagement team?
How does business knowledge affect internal audit quality?
Where should an auditor begin a full-company internal control audit?
Related Articles
Join the Discussion
Ask questions and get expert answers.