Policies and Procedures: a Project for Internal Audit

Are Policies and Procedures important? We certainly think so. Unfortunately, many companies have old, outdated Policy and Procedure manuals, while some have none at all. As companies and internal audit departments plan projects, they should consider reviewing and updating the Corporate Policies and Procedures.

Policies and Procedures are a company’s way of documenting management’s vision and communicating it as instructions for employees on how to handle issues as they arise and how to execute their job responsibilities in a consistent manner.

Written Policies communicate:

  • Company Rules in simple language
  • Delegation of Authority
  • Enforcement and consequences if not followed
  • Impartial administration of company-wide Policy
  • Evidence for Governance, if legally approved and followed

Procedures communicate:

  • Clear guidelines on how to implement a policy
  • Boundaries for employees

While Policies are general in nature, Procedures provide the details as to what to do, often with examples and forms. Sometimes procedures include emergency steps.

By creating a Policy and Procedure Manual, the company provides a source to which all employees can turn for guidance on standard matters, so that management can focus on exception handling rather than waste time on day-to-day operations.

Successful Policy and Procedure Manuals require reviews and updates as laws and company environments change. Their dynamic nature requires work, but overall it eliminates the need for repeated instructions through time-consuming meetings, memos or other correspondence.

Policies and Procedures should be assigned to a position within the company. For example, the Finance Manual should be “owned” by the highest Finance position within the company, such as the CFO, and the Employee Handbook by the highest HR position, such as the HR Director. Policies should cover the key activities which need to be customized for each organization.

The objective is to create easy-to-understand policies and procedures that provide clear guidelines for everyone to follow.

Need a hand? We would be glad to help, just give us a call.


This blog post was authored by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit co-sourcing, outsourcing, and consulting services; a member of the Institute of Internal Auditors (IIA) Chicago Chapter Board of Governors; a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research; the President of the Oz Park Baseball Association, a not-for-profit organization dedicated to providing fundamental based baseball in a safe environment in the city of Chicago; and an Advisory Board Member of the Chicago Youth Baseball Initiative, a University of Illinois at Chicago community group dedicated to providing Chicago youth with the opportunity to play baseball in a fun and safe environment, while offering educational experiences on a world-class college campus. If you would like more information about Vonya Global or if you have a question for Steve, you may contact him through this blog, the company website, twitter, or his LinkedIn Profile.