Auditing the Manual on the Shelf: Closing the Gap Between De Jure Policy and De Facto Practice

Published on: Tue Oct 01 2024 by Ivar Strand

A common finding in financial and compliance audits is a positive one: “The organization has a comprehensive, well-written, and formally approved manual of financial policies and procedures.” For many auditors, the inquiry stops there. The existence of the manual is taken as sufficient evidence of a sound control environment.

This approach is incomplete and can create a significant false sense of security. The critical question is not whether a policy exists, but whether it is implemented. In our work, we consistently find a gap between the formal, de jure policy as written in the manual, and the actual, de facto practices carried out by staff in their daily work. A meaningful audit must assess the process that is actually in effect.


The Inevitability of Organisational Drift

The gap between policy and practice is rarely the result of deliberate non-compliance. It is more often the product of a natural phenomenon we call “organisational drift.”

Policies and procedure manuals are typically written at a single point in time. Over months and years, however, conditions change. New technologies are introduced, staff members find more efficient workarounds to cumbersome procedures, and unforeseen exceptions become routine. These informal, adaptive practices slowly become the new, unwritten standard. The de jure process remains enshrined in the manual on the shelf, while the de facto process evolves and lives in the daily habits of the team.


The Risk of Auditing the De Jure

An audit that limits its scope to a review of the written policies is, in effect, auditing a historical document. It provides assurance on the organization’s intentions, but not on its current operational reality.

If the de facto process for approving a payment has drifted from the de jure process documented in the manual, then the controls specified in that manual—such as the required levels of authorization or the segregation of duties—are not the controls that are actually in place. The organization’s true control environment is undocumented, unexamined, and unaudited. This is a significant vulnerability.


A Framework for Auditing the De Facto Process

The objective of a robust operational audit or a third-party monitoring engagement must be to identify and assess the process as it is truly performed. This requires moving beyond document review and employing more empirical methods.

  1. Direct Observation. The most straightforward technique is to sit with finance and program staff and observe them processing a sample of live transactions from start to finish. This provides direct, qualitative insight into the actual workflow, including any informal steps or workarounds.

  2. The “Show Me” Interview. Rather than asking a manager to describe the official process (“What are you supposed to do?”), the inquiry should be practical (“Please show me how you approved the last five purchase orders.”). This shifts the focus from the theoretical policy to the tangible, recent practice.

  3. Process Reconciliation with System Data. This is the most powerful and objective method. The raw data from the financial system provides an unalterable record of the de facto process. By analyzing the system’s audit trails, we can see exactly which user ID performed each step in a workflow (e.g., creating a vendor, entering an invoice, approving a payment). This data-driven reconstruction of the process can then be compared against the formal approval matrix in the de jure manual, instantly revealing any deviations.
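
The reconciliation described in step 3, as an added example that is not from the original article or the author's tooling: it replays an audit-trail export against an approval matrix and reports role, approval-limit and segregation-of-duties deviations. The step names, user IDs, roles, limits and CSV layout are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# De jure approval matrix (constructed sample): step -> roles allowed to perform it.
ALLOWED_ROLES = {
    "create_vendor": {"procurement"},
    "enter_invoice": {"ap_clerk"},
    "approve_payment": {"finance_manager", "cfo"},
}
APPROVAL_LIMIT = {"finance_manager": 10_000, "cfo": float("inf")}
USER_ROLES = {"u101": "procurement", "u202": "ap_clerk", "u303": "finance_manager", "u404": "cfo"}

# De facto record: constructed audit-trail export from the financial system.
AUDIT_TRAIL = """txn_id,step,user_id,amount
T1,create_vendor,u101,0
T1,enter_invoice,u202,4200
T1,approve_payment,u303,4200
T2,create_vendor,u202,0
T2,enter_invoice,u202,900
T2,approve_payment,u303,900
T3,enter_invoice,u202,25000
T3,approve_payment,u303,25000
T4,enter_invoice,u202,300
T4,approve_payment,u999,300
"""

def find_deviations(trail_csv):
    """Return (txn_id, step, user_id, reason) for every step that departs from the matrix."""
    findings = []
    actors = defaultdict(dict)  # txn_id -> {user_id: first step that user performed}
    for row in csv.DictReader(io.StringIO(trail_csv)):
        txn, step, user = row["txn_id"], row["step"], row["user_id"]
        role = USER_ROLES.get(user)
        if role is None:
            findings.append((txn, step, user, "user not in role register"))
        elif role not in ALLOWED_ROLES.get(step, set()):
            findings.append((txn, step, user, f"role {role} not authorized for step"))
        elif step == "approve_payment" and float(row["amount"]) > APPROVAL_LIMIT[role]:
            findings.append((txn, step, user, "amount exceeds approval limit"))
        # Segregation of duties: one user may not perform two steps of one transaction.
        if user in actors[txn]:
            findings.append((txn, step, user, f"same user also performed {actors[txn][user]}"))
        else:
            actors[txn][user] = step
    return findings

if __name__ == "__main__":
    for finding in find_deviations(AUDIT_TRAIL):
        print(*finding, sep=" | ")
```

In practice the role register and the matrix would be transcribed from the manual and the HR or identity system, and the trail pulled read-only from the system's own logs rather than from a report prepared by the team under review.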


Conclusion

A policy manual is a statement of intent. An organization’s true control environment is defined by the daily actions of its people and the codified logic of its systems.

Effective independent monitoring must always prioritize the verification of the de facto over the review of the de jure. This is why our methodology is so deeply rooted in the analysis of raw transactional data. This data provides an empirical and unbiased record of the process as it is actually executed, allowing us to close the gap between policy and practice and to provide assurance on the reality that truly matters.