Reporting GRC Issues

Cards (5)

What does the standard 2060 "reporting to senior management and the board" state?
The chief audit executive must report periodically to senior management and the board on:
the IA's purpose, authority, responsibility in the internal audit charter
performance relative to its plan
its conformance with the Code of Ethics and the Standards.
significant governance, risk, and control issues including fraud risks and other matters that require the attention of the senior management and the board
What decides the frequency and content of the reporting to the senior management and the board?
Importance of the information.
Urgency of the related actions to be taken.
The CAE, senior management, and the board may also agree in advance on:
Protocols for the CAE to report important and urgent risk or control events.
Related actions to be taken by senior management and the board.
What are significant risk and control issues for reporting?
Conflicts of interest.
Control weaknesses.
Errors.
Fraud.
Illegal acts.
Ineffectiveness.
Inefficiency.
If the CAE believes that senior management has accepted a level of risk that the organization would consider unacceptable, the CAE should first attempt to resolve the matter with senior management. If that fails, the CAE should communicate the matter to the board.