The Audit Is Not the Control

Documenting a process doesn't prove it works. That's what controls are for.

The auditor asks for the procedure. You hand it over.

That’s the audit. The audit is not the control.

A control is the thing that actually catches the failure. The reconciliation that flags the discrepancy. The alert that fires before the loss is real.

The procedure describes what should happen. The control proves it does.

Twenty years on both sides of this table. The gap is always the same. Organizations document the process and assume that proves it works. It doesn’t. It proves someone wrote it down.

The regulator doesn’t audit your intentions. It measures what your controls catch.

Most exposures aren’t hidden. They live in the gap between the documented control and the working one. Nobody tested it. The procedure said it was fine.

Build the control first. Test it. Document what it found. The procedure is the story you tell afterward.