How can a solo internal auditor push back on policy drafting without sounding unhelpful?

author: Verified Expert

• Related article: cia-policy-drafting-advisory-boundary-map
• Related question-bank placeholders: ["solo-internal-auditor-charter-boundary", "consulting-engagement-scope-documentation"]
• Question: How can a solo internal auditor push back on policy drafting without sounding unhelpful?
• Question detail:
• I am the only internal auditor and leadership keeps assigning policy writing to me. How do I protect the audit role while still supporting the business?
• Answer:
• Frame the response around role clarity, not refusal. You can say that internal audit can facilitate, provide a template, review drafts, identify risk/control criteria, and help management understand what a complete policy should address. Then state that management must own the final content and approval because it owns the process and risks.
• For a solo auditor, the charter is especially important. If the organization has not clearly defined internal audit's authority, advisory services, reporting line, and limits on management responsibility, this request is a good reason to update the charter with senior management and the board or audit committee.
• The practical script is: "I can help structure the policy and challenge whether it addresses the risks. The policy owner needs to make the operating decisions, approve the final version, and maintain it. That keeps the policy credible and keeps internal audit available for independent assurance later."