Internal Auditors should not be involved in the creation of company policies. There are several reasons, based on theory and on situations I have personally faced, which I’ll break down over the course of this post. Bottom line, this is about protecting the independence and objectivity of the audit function at your company.
What Is Your Responsibility?
Let’s start with the exceptions to the rule. Auditors are responsible for the following policy and adjacent documents:
- Internal Audit Policy
- Internal Audit Procedures
- Anti-Fraud and Whistleblower Protection Policy
- Internal Audit Charter
- Audit Committee Charter
If you don’t have these documents in place, move them to the top of your to-do list now, and add document approval to the agenda for your next Audit Committee meeting.
If you have a Quality Assurance Review coming up, you will be expected to provide these documents. But that’s not the reason this is important. When you go into a department, or start looking into a process, what is the first thing you ask for? Policies! Procedures! Instructions! Manuals! Guides! Something official and sanctioned that you can reference, educate yourself with, and build your program from.
Shouldn’t we be as good as our baseline expectations of auditees?
Who Should Own Policies and Policy Management?
Management should own their own policies. Repeat: Management should own their own policies! Say this to yourself, and anyone who challenges you, as many times as necessary.
A well-run company will have a process in place to draft policies and procedures that are comprehensive, logical, and have the proper balance of specificity and ambiguity to be effective. While it’s impossible to address every situation or scenario, the really good policies set out a theoretical framework and the related procedures use examples to illustrate points. If you’re in a highly regulated industry, there may be specific guidance on what the documents should include.
Keep in mind that putting a detailed or theoretical document together is difficult for many people. A lot of judgment goes into this process, and the average manager is busy handling operations. It can be a challenge to turn off work mode, go into effective writing mode, and keep everything running smoothly. With that said, it’s simply not our place to do it for them.
Why All the Confusion?
Auditors spend an awful lot of time talking about policies, procedures, why they are needed, when they are lacking, where they diverge from other documents, repercussions of not having rules written down, and on and on. Considering how often we deal with policies, it’s really no wonder that the association Auditor = Policy is so often made. If you issue an exception that a policy is non-existent, the auditee will likely ask you to provide a template, or tell them what it should say. It’s a slippery slope!
As auditors, our role is confusing to many people. Have empathy for this confusion, first of all. There are brilliant, educated, business-savvy people out there who just aren’t aware of what we can and can’t do. So, you need to be prepared to educate them, set and enforce your own boundary, and try to leave a confusing situation better for everyone. It isn’t easy, but I’ll try to help you out with examples.
Once, a peer told me that while auditing income, they came across the following in a policy: “Revenue recognition will be determined by John Doe CPAs LLP.” Really? You let your external auditors determine what revenue you recognize as income in a given period? Don’t you execute your own interpretation of that standard, and defend it when faced with audit scrutiny? While the external auditors surely read the policy, perform testing, and look for exceptions, it’s not appropriate to say they are determining revenue recognition. So, that was an audit exception, as it should have been.
Once I was added to an email chain, at a point where a group wanted me to weigh in on a policy. What’s a not-so-nice way to say this? They wanted me to vet it so they didn’t have to, and have receipts if I ever took issue with it down the road! I hit the dreaded “reply all” and said that I had no role in the policy approval process outside of Internal Audit documentation. I had to be a professional and set my ego aside. Let them have their discussions and disagreements, and organically form a consensus.
I’ve also had regulators and external auditors question me about policies. If you find yourself in this scenario, don’t assume anyone knows the boundary. Reiterate that management is the proper owner of policies. You examine them closely during audits, but disagreements and questions should be addressed to the owner.
What About Basic Questions?
Most interactions auditors have regarding policies and procedures are not this black and white. When I was an audit executive, I would often get calls and visits from peers asking me about policies. Did we have a policy for something? Where was it? Did it address a specific issue properly? How did I interpret it? This is a grey area, but I think these conversations are okay. You should feel free to debate, discuss, and ponder with others. Maybe throw in a qualifying statement such as “just my first impressions” or “just my opinion.”
What if you see a really well-written policy online, from a colleague or at a conference? Should you pass it along? Proceed with caution. The person you give it to might assume they can adopt it, sanctioned by you. They are looking to avoid doing the work themselves, and then use the fact that you passed it along as an arguing point if you ever find issues with it. My advice is to only pass templates along when you trust the other person and have a strong existing relationship.
Consequences of Crossing the Line
Not everyone agrees with me about where to draw the line when it comes to audit involvement in policies and procedures. Once, I was assigned to draft a policy for a process, which would then go through a review, editing, and approval process. Well, guess what happened. Those edits never materialized. The staff involved were under the impression that this was the version audit was comfortable with and should not be changed or altered in any way. Leaders at the company became aware of what was happening, and were rightly uncomfortable that audit was “preparing” this type of document.
It really didn’t matter how many times I stated that the draft was meant as a starting point, meant to be customized, that I was not providing assurance, or that I was just trying to be helpful. Audit was “writing policies,” and folks knew instinctively that this was not okay. The document was never made official, but the damage was done.
Later, I became the department leader. I drew a boundary between Internal Audit and policy management, and never crossed it again. Honestly, the stain never went away completely. Not something I want any of you to experience!
What Can You Do?
If you go into a situation where policy documentation is sparse or non-existent, use the tools you have available. You can write up an audit exception. Well-written issues/exceptions are made in a spirit of teamwork, to help the auditee improve, to move a task up the to-do list, or to help a struggling group get the resources they need.
In extreme cases, you can discuss with someone higher up that the skill set to write policies and procedures just isn’t there, and they should outsource this to a third party. If you just have absolutely nothing to go on, perhaps a scope limitation in your report is called for. Tell the reader clearly that with nothing formalized or documented, you can’t provide assurance. If they’re just making it up as they go along, that’s something stakeholders should know!
Have you ever been asked to write a policy or procedure? What did you do? Do you agree with my opinion about the role of audit in this process? Leave a comment, and let’s have a deeper discussion.
In the meantime, thank you for reading and considering this very important issue!