When dealing with the communication of audit results to external parties, the internal auditor must adhere to IIA standards regarding confidentiality, approval processes, and the appropriate handling of sensitive information.
Detailed Explanation:
IIA Standard 2440 - Disseminating Results:
This standard outlines that the chief audit executive (CAE) must approve the communication of engagement results to parties outside the organization. The CAE is responsible for ensuring that the distribution of audit findings is appropriate and does not compromise confidentiality or integrity.
Confidentiality and Authorization:
The internal auditor must protect the confidentiality of the information obtained during the audit. Sharing this information with external parties, such as an advertising agency, should only occur with proper authorization, typically from the CAE.
IIA Code of Ethics - Confidentiality:
The Code of Ethics requires auditors to respect the value and ownership of information they receive and to not disclose information without appropriate authority. In this case, if the audit client requests the report to be shared with an external party, the internal auditor must first obtain approval from the CAE to ensure this disclosure is appropriate.
Why Not Other Options?
Option B (May not communicate results): While confidentiality is crucial, the CAE can authorize the sharing of information with external parties if it is deemed appropriate.
Option C (Include instructions for limited distribution): While limiting further distribution is a good practice, the initial sharing still requires the CAE's approval.
Option D (Verbal communication only): This restricts the auditor unnecessarily. The key is obtaining proper authorization, not limiting the form of communication.
Conclusion: Option A is correct as it ensures that the results can be communicated to the external party with the appropriate approval from the CAE, in line with IIA standards on dissemination and confidentiality.