IIA IIA-CIA-Part2 Online Access

Inherent risk is the susceptibility of an activity to material error, fraud, or noncompliance before considering controls. For an AI program in development, the immediate and significant risk lies in copyright and intellectual property violations if the program captures and uses images owned by others. This risk exists inherently and could lead to lawsuits, reputational damage, and regulatory sanctions.

Options A and B represent possible outcomes but not immediate risks. Option D is a compliance issue but not immediate, as the regulation comes into force later. The most urgent and inherent risk is Option C, the unauthorized use of third-party content.

According to the International Standards for the Professional Practice of Internal Auditing, the Chief Audit Executive (CAE) has a responsibility to ensure that the results of both assurance and consulting engagements are communicated to the appropriate parties. This ensures that the observations and recommendations are acknowledged and acted upon by those who have the authority to implement necessary changes or take corrective actions. This communication is crucial for ensuring that the findings of the internal audit are effectively utilized to improve governance, risk management, and control processes.

The Institute of Internal Auditors (IIA) Standard 2440 – Disseminating Results: "The chief audit executive must communicate results to the appropriate parties."

IIA Practice Guide on "Communicating Results"

According to IIA guidance, if management refuses to accept audit recommendations and implement corrective actions, the chief audit executive (CAE) has a responsibility to ensure that the audit committee or the board is aware of the unresolved risks. The CAE should escalate the matter to senior management first. If senior management still does not take action, the CAE should then inform the board. This escalation process ensures that the board is fully informed about significant risks that management has decided to accept and can take appropriate action if necessary.

The Institute of Internal Auditors (IIA) - Standards for the Professional Practice of Internal Auditing, Standard 2600 - Communicating the Acceptance of Risks

According to IIA guidance, a newly promoted chief audit executive (CAE) should prioritize the review of audit reports based on the significance of the findings indicated by the opinion statements. A graded positive opinion (1) suggests that the audit found strong controls with no significant issues, while a third-party opinion (4) typically involves external assessments that may not require immediate internal action. Therefore, these opinions would receive the lowest review priority. In contrast, negative assurance opinions (2) and limited assurance opinions (3) indicate potential issues or limitations in the effectiveness of controls, necessitating higher priority review to address any significant concerns promptly. References: IIA Standard 2410 – Criteria for Communicating, IIA Practice Advisory 2410-1