What should be done when an internal auditor identifies a significant risk?

When an internal auditor identifies a significant risk, promptly communicating it to senior management and the audit committee is essential. This action ensures that those in positions of authority are aware of potential vulnerabilities that could impact the credit union's operations, financial health, and compliance with regulations. Such communication enables the organization to take timely and appropriate actions to mitigate the risk, ensuring that risk management processes are aligned with the institution's overall strategy.

By informing senior management and the audit committee, the internal auditor facilitates discussions and decisions around risk management strategies, provides context for prioritizing risk responses, and aids in the overall governance process. This collaborative approach is vital for maintaining an effective internal control environment and enhancing the organization’s ability to manage risks.

The other options do not adequately address the immediate need for action required when a significant risk is identified. For example, simply documenting the risk without taking further action does not contribute to risk mitigation or internal control improvement. Assessing the risk on an annual basis and consulting with external auditors might be part of ongoing risk management strategies, but these actions do not provide the immediate response necessary to address significant risks as they arise.