Internal auditors are often viewed as the guardians of good governance, compliance, and accountability. Yet, despite the temptation to pull them into the process of drafting company policies, this role is one they should carefully avoid. Writing policies, while important, can blur the lines of responsibility and compromise the very independence that makes internal audit valuable. Instead, their focus should remain on evaluating, questioning, and offering assurance—not on building the frameworks themselves.
Practical Example
Consider a company where management asks the internal auditor to draft a new procurement policy due to time constraints. Months later, during an audit review, weaknesses are discovered in the same policy. However, management resists the findings, arguing that audit helped create the document. This situation blurs accountability and weakens audit independence, showing why auditors should review policies objectively rather than write them.
The Distinction Between Auditing and Policy Writing
The work of an internal auditor is built on independence and objectivity. Their primary responsibility is to evaluate how effectively policies and procedures are designed and followed, not to create those very documents. If auditors step into the role of drafting company-wide policies, they begin to lose the neutrality necessary to test them later.
It’s similar to a referee in sports suddenly writing the rules of the game—once they’ve shaped the framework, it becomes impossible for them to fairly enforce it. By allowing management to write policies and auditors to assess them, the organization creates a healthy separation of powers that ensures both oversight and accountability.

Exceptions to the Rule
There are a few specific documents that auditors are expected to prepare, and these are directly tied to the functioning of the audit department. These include:
- The Internal Audit Charter
- The Internal Audit Policy
- Audit Procedures and Methodology
- Anti-Fraud and Whistleblower Protections
- Audit Committee Charter
These documents serve to define the scope, role, and independence of the audit function itself. Without them, auditors cannot operate effectively or defend their mandate. Beyond these, however, auditors should resist the urge to write policies, no matter how well-intentioned.
Why Policy Ownership Belongs to Management
Policies define how a business functions on a daily basis, from compliance with laws to how employees perform tasks. Because policies govern the execution of work, they must be owned by management—the individuals who carry the responsibility of delivering results.
When management takes ownership, policies are aligned with operational realities and strategic goals. If auditors assume this role, they step outside their purpose and risk diluting accountability. A strong company culture is one where management takes responsibility for building and maintaining the frameworks, while auditors hold them accountable for how well those frameworks are followed.
Why the Confusion Exists
The misunderstanding is easy to explain. Auditors frequently request policies and procedures during audits, analyze them for completeness, and highlight their absence when gaps exist. This regular interaction with policies creates a false impression: if auditors are experts in identifying weaknesses, surely they can draft stronger versions?
But that assumption ignores the essential conflict. If auditors design the documents, they will later be evaluating their own work, which defeats the purpose of independent assurance. Instead, auditors must clarify their boundaries, explaining that while they can point out deficiencies, supplying templates or drafting policies directly should remain off-limits.
When Management Looks to Auditors for Shortcuts
Many managers, overwhelmed by daily operations, may see auditors as an easy solution when asked to create or revise policies. They might send draft documents for auditors to “review,” or even request templates outright. In reality, this often masks a desire to shift responsibility. By placing auditors in the driver’s seat, managers not only reduce their own accountability but also undermine the impartiality of the audit process.
It is crucial for auditors to push back politely but firmly. Their role is to examine, not to approve or create. Management must accept that the work of drafting policies is theirs, even if it is time-consuming or requires additional training and resources.
Illustrative Scenarios
There have been cases where the confusion has created problematic outcomes. In one situation, a financial policy stated that an external audit firm would determine how the company recognized revenue. This statement was not only incorrect but dangerous. External auditors review and challenge financial decisions; they do not make them. That responsibility lies with management, and the policy had to be corrected.
In another instance, auditors were added to an email chain to “sign off” on a policy draft. The implicit expectation was that audit approval would act as protection for management if issues later arose. This misuse of audit involvement highlights the slippery slope: if auditors validate the policy, they can no longer objectively criticize it during an audit.
Navigating Everyday Grey Areas
Not all interactions are so clear-cut. Often, colleagues approach auditors with basic questions: Does a policy exist for a specific issue? Where can it be found? Does it adequately address a particular scenario? In these cases, auditors can and should participate in discussions. Providing guidance or opinions is not the same as drafting official documents.
Similarly, auditors may encounter strong examples of policies at conferences or within professional networks. Sharing these resources can be useful, but it must be done with caution. If a colleague adopts a template that an auditor shared, they may later claim it has audit’s “endorsement.” For that reason, sharing examples should be limited to trusted relationships where responsibilities are clearly understood.
The Risks of Crossing the Line
When auditors take on the responsibility of writing policies, even temporarily, the consequences can be long-lasting. Once, an auditor drafted a policy with the intention of having management edit and finalize it. Instead, the draft was accepted without revision, and the company treated it as if audit had fully endorsed it. The fallout was damaging. Audit independence was questioned, and management assumed they no longer needed to challenge or own the content.
Even with clarifications, once the perception takes hold that auditors “write policies,” trust and credibility erode. The audit department risks losing the respect of both management and external regulators, who may see this as a violation of professional standards.
Strategies for Maintaining Boundaries
So, what should auditors do when confronted with weak or missing policies? Several options preserve their independence without stepping into management’s shoes.
- Raise an audit finding. Document the absence or weakness of a policy as an issue in your audit report. Framed constructively, this motivates management to take action.
- Encourage accountability. When managers struggle with drafting, suggest training, tools, or external consultants who specialize in policy writing. This ensures the work is done without compromising audit neutrality.
- Use scope limitations. If no documentation exists and assurance cannot reasonably be provided, state this clearly in the audit report. Stakeholders need to know when a lack of policies prevents a full evaluation.
- Support without ownership. It is acceptable to brainstorm, share high-level insights, or point out examples, but always clarify that the responsibility for authorship lies firmly with management.
Protecting the Integrity of the Audit Function
At its core, the debate is about preserving what makes internal audit uniquely valuable: independence, objectivity, and the ability to challenge without bias. Once auditors cross the boundary into authorship, they compromise the very qualities that stakeholders rely on.
Audit’s credibility rests on being separate from operational decision-making. While auditors may face pressure to help, their refusal to write policies is not obstinacy but professionalism. They serve the organization best by keeping their role clear: to evaluate, question, and recommend—not to create.
Conclusion
Policies are the lifeblood of an organization, guiding employees and ensuring compliance. But they must remain the responsibility of management, not internal auditors. When auditors avoid writing policies, they protect the impartiality that gives their work meaning.
The best auditors draw a firm line, balancing empathy for confused colleagues with a strong commitment to professional boundaries. By doing so, they safeguard both their independence and the credibility of the entire audit function.
Frequently Asked Questions
Who is responsible for creating company policies?
Policy ownership belongs to management, since they are directly responsible for operations and must ensure procedures align with business goals and regulatory requirements.
Can auditors ever be involved in policy documents?
Yes, but only for audit-related materials like the Internal Audit Charter, Audit Procedures, and Anti-Fraud Policies. Beyond that, their role is to review, not author.
What risks arise if auditors draft policies?
It blurs accountability, reduces audit credibility, and can mislead regulators or stakeholders into thinking auditors endorse operational practices they should only evaluate.
How should auditors respond to weak or missing policies?
They can raise audit findings, recommend management action, suggest external expertise, or note scope limitations—without stepping into policy creation themselves.


