1 vote
When should the CAE report to management when it comes to residual risk?

1 Answer

2 votes

Final answer:

The Chief Audit Executive should report residual risk to management promptly when such risks exceed the organization's risk appetite. The exact timing is based on the organization's policies and audit plan. Reporting is part of the internal audit's role in ensuring effective risk management and controls.

Step-by-step explanation:

When it comes to residual risk, the Chief Audit Executive (CAE) should report to management as part of the internal audit function's role in providing independent assurance that an organization's risk management, governance, and internal control processes are operating effectively. The timing of reporting typically depends on the organization's policies and the agreed-upon audit plan. However, it is generally expected that significant findings regarding residual risk, which could impact the organization's objectives, should be reported promptly.

CAEs should employ a risk-based approach to determine the priority of audit findings and the urgency of reporting. Risk assessments are used to evaluate the potential impact and likelihood of identified risks. When residual risks exceed the organization's risk appetite, they warrant immediate attention and communication with management and potentially the board of directors.

by User Sandeep Sherpur (8.2k points)