The chief audit executive (CAE) notes during review of the final report of an assurance engagement that management has decided to accept the risks of two significant exposures identified by the audit. Which of the following actions by the CAE would be least prudent in these circumstances?
The least prudent action for the chief audit executive would be to implement follow-up procedures to monitor the potential impact of those risks. Once management has decided to accept the risks, it is usually understood that they have assessed the situation and determined that the benefits of accepting the risks outweigh the potential negatives. The responsibility of internal audit, in this case, would not typically extend to ongoing monitoring of accepted risks but rather ensuring that management's risk acceptance decision is well-documented and justified.
management has decided to accept the risks of two significant exposures identified by the audit, so the is no need to follow up on the observation.
Management, not senior management... The steps are incomplete. Also, it is not the responsibility of internal audit to (decide to) monitor the risk.
It seems it should be D
To accept risks = Not implementing controls?