AcadiFi · CIA Core · Delegated Authority and Policy Governance · 2026-05-20

Can a manager authorize a policy violation?

- If a manager tells an employee to ignore a strict policy for business reasons, is that approval enough from an internal audit standpoint?

56 upvotes
author: AcadiFi Team (Verified Expert, AcadiFi Certified Professional)

  • Related article: cia-production-change-policy-exception-controls-map
Answer:

Not necessarily. The key issue is whether the manager has delegated authority over that policy and the related risk. A supervisor may be able to request an exception, but the policy owner, control owner, risk owner, security function, legal function, or governance body may be the proper approver.

Internal audit should look for an approved exception process. That process should define who can approve exceptions, what documentation is required, what compensating controls apply, and when the exception expires.

If a manager asks someone to bypass a policy outside their authority, a strong control response is to pause, document the request through the approved channel, and escalate to the appropriate owner. That preserves both accountability and evidence.


#delegated-authority #policy-governance #risk-owner #escalation