Then, after checking that for completeness and sufficiency, start checking if it's communicated to staff and if it's followed.
Since policy defines how an organization is to be run, this is the top-down approach. It's why bottom-up things like pen testing are a waste of time. The policy-driven approach ensures that there are processes and procedures in place; it allows for metrics and for improvement of both the compliance and the details of the processes themselves.
See also “Who Ya Gonna Call?”