
Practice Advisory 2060-1: Reporting to Senior Management and the Board

Primary Related Standard

2060 Reporting to Senior Management and the Board

The chief audit executive must report periodically to senior management and the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.

Interpretation: The frequency and content of reporting are determined in discussion with senior management and the board and depend on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management or the board.

1. The purpose of reporting is to provide assurance to senior management and the board regarding governance processes (Standard 2110), risk management (Standard 2120), and control (Standard 2130). Standard 1111 states: The chief audit executive must communicate and interact directly with the board.

2. The chief audit executive (CAE) should agree with the board about the frequency and nature of reporting on the internal audit activity's charter (e.g., purpose, authority, responsibility) and performance. Performance reporting should be relative to the most recently approved plan to inform senior management and the board of significant deviations from the approved audit plan, staffing plans, and financial budgets; reasons for the deviations; and action needed or taken. Standard 1320 states: The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.

3. Significant risk exposures and control issues are those conditions that, according to the CAE's judgment, could adversely affect the organization and its ability to achieve its strategic, financial reporting, operational, and compliance objectives. Significant issues may carry unacceptable exposure to internal and external risks, including conditions related to control weaknesses, fraud, irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts of interest, and financial viability.

4. Senior management and the board make decisions on the appropriate action to be taken regarding significant issues. They may decide to assume the risk of not correcting the reported condition because of cost or other considerations. Senior management should inform the board of decisions about all significant issues raised by internal auditing.

5. When the CAE believes that senior management has accepted a level of risk that the organization considers unacceptable, the CAE must discuss the matter with senior management as stated in Standard 2600. The CAE should understand management's basis for the decision, identify the cause of any disagreement, and determine whether management has the authority to accept the risk. Disagreements may relate to risk likelihood and potential exposure, understanding of risk appetite, cost, and level of control. Preferably, the CAE should resolve the disagreement with senior management.

Issued: May 2010 2010 The Institute of Internal Auditors

PA 2060-1

6. If the CAE and senior management cannot reach an agreement, Standard 2600 directs the CAE to inform the board. If possible, the CAE and management should make a joint presentation about the conflicting positions. For financial reporting matters, CAEs should consider discussing these issues with the external auditors in a timely manner. ***
