Fields
- Certification: CIA
- Level: Core
- Topic: Advisory Services, Objectivity, and Internal Audit Charter
- Article slug: `cia-policy-drafting-advisory-boundary-map`
- Title: `Policy Drafting Requests: How Internal Audit Can Help Without Owning Management's Work`
- Tags: `["advisory-services", "management-responsibility", "objectivity", "internal-audit-charter", "policy-governance", "consulting-engagements"]`
- Related Q&A slugs:
  - `can-internal-audit-write-management-policies`
  - `how-can-a-solo-internal-auditor-push-back-on-policy-drafting`
  - `what-is-the-advisory-boundary-for-policy-work`
  - `how-should-internal-audit-protect-objectivity-after-policy-advice`
- Related question-bank public slug placeholders:
  - `policy-drafting-management-responsibility`
  - `advisory-template-vs-policy-owner`
  - `solo-internal-auditor-charter-boundary`
  - `future-assurance-after-policy-advice`
  - `management-signoff-policy-ownership`
  - `objectivity-threat-policy-approval`
  - `consulting-engagement-scope-documentation`
Article Body
Policy Drafting Requests: How Internal Audit Can Help Without Owning Management's Work
Internal auditors are often asked to "just write the policy" because they understand risks, controls, and documentation. That request can be practical, especially in a smaller organization, but it can also blur the line between advisory service and management responsibility.
For CIA candidates, the right answer is rarely "never help" and rarely "own the policy." The right answer defines what internal audit can provide, what management must decide, and how future assurance work will be protected.
The Boundary: Advice Is Not Ownership
Internal audit can provide insight, structure, examples, risk questions, control criteria, and review comments. Management must own the policy objective, select the requirements, approve the final policy, maintain it, train users, and operate the controls embedded in it.
A useful CIA phrase is: internal audit may advise on governance, risk management, and control, but it should not assume management responsibility.
What Internal Audit Can Do
Provide Criteria
Internal audit can identify what a strong policy normally addresses: purpose, scope, owner, authority, roles, required controls, exception handling, monitoring, evidence retention, review cycle, and approval authority.
This is advisory because internal audit is helping management understand risk and control expectations. It becomes a threat when internal audit decides the policy requirements or becomes the owner of the process.
Facilitate a Workshop
Internal audit can facilitate a discussion among finance, operations, legal, compliance, and IT. The facilitator may ask risk questions, document decisions, and identify control gaps. The facilitator should not make management's decisions.
Review a Draft
Reviewing a management draft is usually cleaner than writing from a blank page. Internal audit can say whether the draft has clear ownership, control points, evidence expectations, escalation rules, and monitoring. Management still approves and maintains the policy.
Provide a Template
A blank template can be helpful if it leaves management decisions open. The template might include headings such as "Policy Owner," "Approval Authority," "Required Evidence," and "Exception Process." Internal audit should avoid filling in thresholds, approvals, or operating rules unless management makes and owns those decisions.
What Internal Audit Should Avoid
Internal audit should avoid:
- approving the policy as owner
- selecting management's risk appetite or thresholds
- operating the control created by the policy
- training users as the accountable policy owner
- maintaining the policy calendar for management
- auditing its own policy design without safeguards
- allowing management to treat internal audit as the policy department
The threat is not word processing. The threat is decision ownership.
Worked Example: Delegated Authority Policy
Assume Meridian Transit asks its solo internal auditor to write a delegated authority policy after a procurement review found inconsistent approval thresholds. The CFO wants the auditor to set final dollar limits for department managers, executives, and board approvals.
The auditor can help by giving management a policy template and facilitating a workshop. The template can include sections for spending categories, approval tiers, emergency exceptions, evidence retention, and periodic review. During the workshop, internal audit can ask whether thresholds align with procurement risk, budget authority, fraud risk, and system workflows.
But management must choose the thresholds. The CFO, procurement lead, legal counsel, and executive sponsor should own the final requirements. The board or relevant committee may approve the policy if the policy affects governance-level authority.
If internal audit later audits procurement approvals, the prior advisory role should be considered. Safeguards might include assigning a different auditor, using external quality review, narrowing the audit objective, or disclosing the earlier advisory involvement to the appropriate oversight body.
The Charter Matters
A recurring request to write policies may reveal a charter problem. The internal audit charter should clarify internal audit's mandate, reporting line, authority, assurance role, advisory services, and limits on management responsibility.
If leadership keeps assigning policy ownership to internal audit, the CAE or solo auditor should discuss the mandate with senior management and the board or audit committee. A clear charter helps the auditor stay helpful without becoming management's substitute process owner.
Exam Framing
When a CIA question asks whether internal audit can help draft a policy, ask:
- Who owns the risk and final decision?
- Is internal audit advising or making management choices?
- Will internal audit later provide assurance over the same policy or controls?
- Are safeguards documented before work begins?
- Does the charter authorize this advisory service?
The best answer preserves value and objectivity. Internal audit can be practical, collaborative, and useful. It just cannot become the owner of the thing it may later need to audit.