AcadiFi
AdvisoryScopeMap · 2026-05-20

What is the advisory boundary for policy work?

- I keep seeing examples where internal audit helps management with policies. What separates acceptable advisory work from taking over the policy?

35 upvotes
AcadiFi Team · Verified Expert
AcadiFi Certified Professional

author: AcadiFi Team

Answer:

The boundary is decision ownership. Internal audit may provide advice, criteria, questions, examples, and facilitation. Management should choose the policy requirements, approve the policy, own the controls, train users, monitor compliance, and maintain the document.

Acceptable advisory support: creating a template with blank sections, reviewing a draft for missing control elements, facilitating a workshop, or documenting risks for management to consider. Problematic ownership: selecting final approval thresholds, approving the policy as owner, maintaining the policy calendar, or operating the control created by the policy.

If internal audit later audits the policy area, the earlier advisory role should be disclosed or safeguarded. The goal is to add value without becoming the process owner.

#consulting-engagement #advisory-services #management-responsibility #policy-template