AcadiFi
CIA_BoundaryCheck · 2026-05-20

Can internal audit write management policies?

- My company wants internal audit to draft policies because we understand controls. I know internal audit can advise, but I am worried this crosses into management's responsibility.

55 upvotes
AcadiFi Team (Verified Expert)
AcadiFi Certified Professional

Answer:

Internal audit may help with policy structure, risk questions, control criteria, facilitation, and review comments, but management should own the policy decision, final approval, maintenance, training, and control operation.

The line is crossed when internal audit decides the requirements, approves the policy as owner, maintains it for management, or later audits its own design without safeguards. The strongest CIA answer is to define the advisory scope in advance and document that management owns the final policy.

A helpful compromise is to provide a blank template or criteria checklist. For example, internal audit can suggest that a policy include scope, owner, approval authority, evidence retention, exception handling, and review cycle. Management should fill in the actual thresholds, responsibilities, and approvals.

#policy-governance #advisory-services #management-responsibility #objectivity