
Bank on Wipfli - Blog and Podcast


That’s how we’ve always done it

Feb 01, 2022
By: Shelley Foster
Financial Institutions

My friend was describing her frustration with her new job. She recently became the head of the accounts payable department and did not understand why it was taking so long to process payables. Although the process had controls built in, there were steps she felt were unnecessary and struggled to determine why they were being done. When she asked her staff about it, she was told, “That’s how we’ve always done it.”

It got me thinking about how many of us do things without thinking about it or understanding why we’re doing it. Maybe it’s the internal auditor in me, but I like to know why things are being done a certain way. When I’m auditing a financial institution, I ask the employees to explain the process and then determine why they’re doing it that way. Is it because it’s a necessary control? Or was it something that was implemented years ago to fix a control issue that no longer exists? Does anyone know why they’re doing it?

The importance of policies and procedures

Most institutions have executed policies for their high-risk functions, such as loans, allowance for loan loss, and wire transfers, and they may have implemented procedures for other areas. Policies and procedures are key to ensuring consistency in the process, mitigating risks by developing controls, and keeping employees accountable. One of the first steps in performing an internal audit is to obtain and read policies and procedures and discuss the process with applicable employees. It helps the auditor identify the controls and determine whether employees are adhering to them.

It’s important to note that policies and procedures should not be considered one-and-done documents; they should be reviewed periodically to ensure they are still meeting management’s objectives. Although they should generally always be followed, there may be occasions when policy exceptions need to be made. Policies should address exceptions, including what types are allowed, how they are approved and a requirement to track them. If exceptions are being made frequently, management should determine why. Is it because one employee is not complying with the policy? Or is the policy too restrictive, which makes it difficult to comply? If it’s too restrictive and isn’t meeting the objectives, it may need to be revised.


Once policies and procedures are implemented, it’s imperative to train staff on them. Implementing policies and procedures is pointless if employees are not informed of the requirements and trained on how to properly comply.

Training should include a process to ensure employees understand the objectives of the policy and the importance of the procedures. When employees do not understand the purpose, they are more likely to take shortcuts, which could result in control deficiencies.

Tone at the top

Ultimately, management and the board are responsible for implementing policies and procedures and for ensuring employees are following them. They set the tone for how employees are expected to act. If they do not follow policies or allow some employees to disregard policies, others will follow suit and risks will increase.

Management should have a method to ensure policies and procedures are being followed. Implementing checks and balances helps. For example, if a reconciliation is required to be performed by the 15th of each month, someone should be designated to review the reconciliation to ensure it is being completed on time.

Importance of internal audit

One of the objectives of internal audit is to ensure your institution’s policies and procedures are adequate to mitigate risk and are being adhered to. Reading policies and procedures enables the internal auditor to identify the controls, ensure they are appropriate and then test the controls. Your internal auditor should also understand why employees are doing what they’re doing, beyond “it’s just the way it’s always been done.”

Wondering if your policies and procedures are meeting management’s objectives and whether sufficient controls are in place? Wipfli can help. Learn more about our internal audit services.



Shelley Foster, CRCM, CCBIA
Senior Manager, Internal Audit and Regulatory Compliance