Do Your Policy Documents Represent Current Practices?

Author: Veronica N. Rose, CISA, CDPSE - Board Director at ISACA Foundation and Digital Trust Professional
Date Published: 3 August 2022

Process owners are subject matter experts who understand the processes, procedures and controls in place, whether documented or not. However, auditors usually go by the maxim that “If it’s not documented, it does not exist.” Process owners may be performing their role efficiently, yet no supporting documentation of the process is available. But what about findings where controls are well documented but not functional? Does this mean that documentation of controls is becoming ceremonial?

Is documentation done for the sake of passing an audit or compliance requirement?

When auditing documentation, a quick indication of potential trouble spots is to look at the last reviews, change management, approvals and authorization process in the organization: questions pile up when you realize that business processes contradict the defined procedures and policies and bear no relation to the controls in place. This raises many questions about how organizations are managing this discrepancy.

Do organizations have dedicated teams that formulate policies, develop standards and procedures, and review policies periodically? Should this be a departmental assignment? Or should every process owner find their own way of doing it?

Who is ultimately accountable for the policies in the organization? Does your board approve policies?

Do policy procedures reflect the current state, and are there controls that need to be relaxed? How often are the policies reviewed?

How often are your business processes re-engineered?

And how can assurance be provided for high-performing organizations that have no documentation?

As a process owner, or in whichever line of defense you sit, here are some key considerations to think through:

  • Development, implementation, continuous monitoring of effectiveness, and review of policy documents differentiate one organization from the rest. Therefore, make sure you have a thorough understanding of the types of controls and be specific about what each control mitigates.
  • In most organizations, the documentation does not reflect actual operations. It is therefore vital to check whether the policies and procedures match the legal requirements.
  • Check the relevance of the controls against the risks they are supposed to mitigate, and document the actual findings.
  • Consistently review documentation as per the scheduled timelines and communicate the changes made to the policy to everyone in the organization.
  • When auditing documentation, a quick indication that things are not perfect is to look at the last reviews, change management and authorization process. A document that was not updated as per the set timelines (e.g., in the last two years) is unlikely to mitigate emerging risks.
  • Check whether there are compensating controls if what is implemented contradicts what is documented. However, even compensating controls need to be documented.
  • Determine how much of what is documented differs from what is actually taking place. Yes, reviewing documentation is tedious, but a dysfunctional control policy is very harmful to the health of your control objectives. Process owners should avoid simply changing the last review dates or having the board approve a document for the sake of compliance; instead, ensure it has been thoroughly reviewed.
  • Have a dedicated team that is accountable for formulating policies, developing standards and procedures, and reviewing policies periodically.
  • Ensure that policies are approved by the pertinent authorities.
  • New risks require new controls – ensure that the documented controls reflect the current state, and if some controls need to be relaxed, update the documentation accordingly.
  • However often your business processes are re-engineered, ensure the right parties are involved in the process.
  • Ensure your documentation is aligned to industry best practices, standards and frameworks. Reference your documentation to applicable industry standards or frameworks.
  • Involve a consultancy agency to assist in the development of your documentation if you lack internal expertise.
  • Train stakeholders and share updates on any changes made to the documentation (don’t assume everyone is aware!). Too often, authors simply email the document to colleagues with a message like “I’ve written this. What do you think?” If they don’t hear anything back, they assume it’s all OK. But a review process like this rarely provides confidence that the document will communicate effectively.
  • Pay attention to documentation versioning, including the last revision history highlighting areas reviewed and approval dates.

With a thoughtful and strategic approach, documentation of controls can be more than perfunctory and can instead add real value for auditors and stakeholders.