Which of the following actions should the chief audit executive take when senior management decides to accept risks by choosing to do business with a questionable vendor?
Correct Answer: D
If senior management decides to accept risks, such as doing business with a questionable vendor, and the chief audit executive (CAE) believes this poses a significant risk to the organization, the CAE should escalate the issue to the board. The board has the ultimate responsibility for overseeing risk management and can decide on the appropriate action to take in response to the risk.
IIA References:
* IIA Standard 2600: Communicating the Acceptance of Risks states that when the CAE believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management. If the decision regarding risk remains unchanged, the CAE must inform the board.
* The Practice Guide on Risk Management highlights the importance of the CAE keeping the board informed of significant risks that management has chosen to accept, particularly when these risks could have a material impact on the organization.
IIA-CIA-Part2 Exam Question 197
Which of the following actions best describes an internal auditor's use of test data to determine whether an organization's new accounts payable system avoids processing questionable invoices for payment?
Correct Answer: D
Adding invoices to the computer program to assess the reliability and effectiveness of the review process and whether controls work best describes an internal auditor's use of test data. This approach involves introducing test data into the system to evaluate how well the system processes invoices and whether it effectively identifies and prevents questionable invoices from being processed for payment.
IIA Standards: 1220.A2 - Proficiency and Due Professional Care
IIA Practice Guide: Use of Technology in Auditin
IIA-CIA-Part2 Exam Question 198
According to IIA guidance, which of the following objectives was most likely formulated for a non-assurance engagement?
Correct Answer: A
Non-assurance engagements, such as consulting activities, involve providing advisory services that add value to management without the auditor expressing a formal opinion or providing assurance on the effectiveness of controls or processes.
Detailed Explanation:
* IIA Definition of Non-Assurance (Consulting) Services: Non-assurance services, as defined by the IIA, are advisory and related client service activities. These activities are intended to provide advice and insight into specific issues, such as potential risks in new initiatives, without the internal audit function expressing an assurance opinion.
* Consulting Engagements: In a consulting engagement, the internal audit activity provides information and recommendations to management, allowing them to make informed decisions. In this case, informing management about potential risks of moving the data warehouse to a cloud server is an advisory role, typical of a non-assurance engagement.
* IIA Standard 2120 - Risk Management: While this standard relates to risk management assurance, in a consulting role, the internal audit activity would inform management of risks, allowing them to manage these risks proactively.
Why Not Other Options?
* Option A (Assessing effects of changes in maintenance strategy): This is more aligned with an assurance engagement where the auditor evaluates the impact of changes.
* Option C (Ascertaining data center security compliance): This is an assurance activity focused on compliance.
* Option D (Ensuring equipment downtime risks are managed): This implies an assurance role, as it involves verifying compliance with internal policy.
Conclusion: Option B is correct as it reflects a typical non-assurance engagement where the internal audit function provides advisory services on risk without providing formal assurance.
IIA-CIA-Part2 Exam Question 199
Which of the following is essential for ensuring that the internal audit activity's findings and recommendations receive adequate consideration?
Correct Answer: B
For internal audit findings and recommendations to be effectively implemented and to ensure that they receive adequate consideration, formal follow-up procedures are essential. According to IIA guidance, it is important that the internal audit activity not only reports the results to management but also ensures that corrective actions are taken or that management consciously accepts the associated risks.
Detailed Explanation:
* IIA Standard 2500 - Monitoring Progress: This standard requires that the chief audit executive (CAE) establish a process to monitor and ensure that management actions are effectively implemented or that risks are appropriately accepted. Follow-up is crucial for verifying that management has taken the recommended actions or has acknowledged and accepted the risk of not doing so.
* Formal Follow-Up Procedures: These procedures involve tracking the status of management's responses to audit recommendations, checking if actions were implemented as planned, and determining whether the intended outcomes were achieved. If management decides not to act, the CAE must ensure that the decision is documented and the associated risks are understood and accepted by senior management.
* IIA Practice Advisory 2500-1: This advisory emphasizes the importance of follow-up to ensure that significant audit findings and recommendations are addressed. Without this follow-up, there is a risk that important issues might be neglected or forgotten.
Why Not Other Options?
* Option A (Reporting results with recommendations): While reporting is important, it does not ensure that recommendations are acted upon.
* Option C (Quarterly reporting on audit plan focus): This is related to audit planning, not to ensuring that specific findings and recommendations are considered.
* Option D (Discussing findings with independent auditors): This might be useful, but it does not directly influence whether management considers and acts on the internal audit findings.
IIA-CIA-Part2 Exam Question 200
Which of the following would be most likely found in an internal audit procedures manual?
Correct Answer: D
An internal audit procedures manual typically includes detailed information on the methodologies, tools, and techniques used during audits. It also outlines the protocols and guidelines for auditors to follow, including their authority and the scope of their work. Clearly defining the extent of the auditor's authority to collect data from management ensures that auditors understand their rights and limitations, which is essential for carrying out effective and efficient audits.
* The Institute of Internal Auditors (IIA), Practice Guide on Developing the Internal Audit Manual
* "Internal Auditing: Assurance and Advisory Services" by Urton L. Anderson, Michael J. Head, Sridhar Ramamoorti, Chris A. Bailey, and David A. Sarens