According to the International Professional Practices Framework, the internal audit activity's decision to defer follow-up of recommendations and management's corrective actions until the next scheduled engagement for the area is justified when:
A. The reported findings or recommendations are significant enough to require immediate action by management.
B. The action taken by management to address the recommendation is sufficient when weighed against the importance of the finding.
C. Management has adequately understood and appropriately accepted the risk of not taking action to implement the recommendation.
D. The significance of the finding or recommendation will allow auditors to perform monitoring by receiving periodic updates from management on corrective
"The action taken by management to address the recommendation is sufficient when weighed against the importance of the finding."
This sounds like the recommendation was already addressed — meaning no deferral is needed.
If the action is already sufficient, there's nothing left to follow up on, so this option doesn't actually justify deferring follow-up — it just ends the loop.
Correct: C - This aligns with the IIA Standard 2500 – Monitoring Progress, specifically the interpretation, which states:
"When management has accepted the risk of not taking action, internal auditors must consider whether the risk is acceptable to the organization. If it is, the CAE may decide not to follow up until the next engagement."
Kozy
2 weeks ago