When resources are insufficient, what must CAEs communicate to governance?

Prepare for the Internal Auditing Standards and Practices - Cybersecurity Test. Gain confidence with multiple choice questions and clear explanations. Ace your exam!

Multiple Choice

When resources are insufficient, what must CAEs communicate to governance?

Explanation:
When resources are insufficient, the CAE must communicate to governance how the lack of resources will affect audit coverage. This means detailing which audits may be deferred or scaled back, how the audit plan’s timing may shift, and what residual or unaddressed risks could remain. Framing the situation this way gives governance a clear view of potential assurance gaps and supports informed decision-making about prioritization, resource reallocation, or budget adjustments.

This approach is best because it maintains transparency about risk exposure and ensures governance can approve appropriate responses rather than leaving gaps in coverage or making unilateral changes. Increasing the budget or changing scope without governance input, canceling audits unnecessarily, or reporting only to external regulators would bypass essential oversight and fail to address the identified risks within the organization.
