About Me

So, I'm trapped in audit. At least for the time being. Whilst I'm here I may as well make constructive use of my time. So I'll share some of my thoughts and experiences.

Sunday, June 19, 2011

Auditing an organisation's policies and policy framework

In my experience, I have seen an organisation's policies in two forms: standalone documents (in Word, PDF or [rarely] Excel format); or on the intranet as inter-linked documents. There are advantages to both: the former is more portable and archivable; the latter allows an understanding of the interrelationships between policies. On balance, I would prefer the latter, particularly where there is a robust mechanism to create a portable offline copy using website downloading tools (if these are permitted by your organisation's IT team!).

Some criteria for assessing policies and the policy framework:

  • Is it complete? Does it cover every eventuality?
  • Is it up-to-date? All policy documents should note a last review date.
  • Is there ownership in place? All policy documents should note an owner (which should be up-to-date).
  • Are archived copies kept when (major) changes are made?
  • Does the policy comply with the relevant legislation?
  • Is the policy strong enough to address the risk?
  • Is the policy understandable? Is there only one possible interpretation?
  • Are all hyperlinks current?
