The chief audit executive must establish and maintain a system to monitor the disposition of results
communicated to management.
2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that
management actions have been effectively implemented or that senior management has accepted the risk
of not taking action.
2500.C1 – The internal audit activity must monitor the disposition of results of consulting engagements to
the extent agreed upon with the client.
2600 – Communicating the Acceptance of Risks
When the chief audit executive concludes that management has accepted a level of risk that may be
unacceptable to the organization, the chief audit executive must discuss the matter with senior
management. If the chief audit executive determines that the matter has not been resolved, the chief
audit executive must communicate the matter to the board.