On Wed, 7 Jan 2009 06:59:45 -0600, Chase, John <jch...@ussco.com> wrote:

>Indeed. If management merely "rubber-stamps" whatever recommendations
>or suggestions auditors make, it certainly can create the appearance
>that the auditors are "running the show". That doesn't change the facts
>that management makes policy and auditors report on compliance with
>policy, and that if the policy is "wrong" it's not the auditors' heads
>that will roll.

While I generally support the position that auditors should not "make policy", having worked at a national bank previously I think there is an aspect of this discussion that no one has mentioned yet. There can be different levels of "policy".

For example, when the national bank examiners (aka, "auditors") visited us they conducted audits according to the policies established by the national body that chartered/insured our bank. (That was a long time ago, so I'm not sure what body they were representing, but the idea is right, I think.) When they made findings based on these national policies, we could (and did) argue some of them, but primarily we had to comply or demonstrate how we had some compensating factor that addressed their concerns. Thus, it was not -our- management making that policy, but an outside body making the policy, and we had to adhere to it or show why it should not apply to us.

Our internal auditors, on the other hand, did audit us according to our management-specified policies.

Of course, I suppose one could argue that one of our management's policies was "comply to the national examiners' policies", and in that sense it was still our management setting the policy. But they had little choice in that, nor in what that externally applied policy required.

The same applies today with policies set by Visa, Mastercard, etc.

--
Walt Farrell (speaking as a former banker, not in my usual role as an IBMer)