Who Watches the Watchmen?: How to audit your managers
- Imran Javaid Butt
- Mar 2

Organisations rely on management systems to maintain structure, enforce controls, and drive strategic objectives. These systems govern everything from financial oversight and risk management to cybersecurity, health and safety, and quality assurance.
Each management system is responsible for overseeing multiple processes. For example:
· A financial management system ensures budgeting, reporting, and fraud prevention processes are followed.
· A risk management system determines how threats are identified, assessed, and mitigated across an organisation.
· A quality management system ensures production, service delivery, and compliance processes maintain consistent standards.
Yet, internal auditors are often called upon only to audit the processes within these systems—checking compliance, reviewing documentation, mapping risky processes and identifying inefficiencies. What is often overlooked is whether the management system itself is actually working, and whether managers are using it as intended.
A management system may appear robust on paper, but if managers misinterpret, bypass, or fail to engage with it, the organisation is left exposed to risks, inefficiencies, and potential failure. Auditing only processes means missing the bigger picture.
This is why internal auditors must go beyond traditional process audits and assess the effectiveness of management systems as a whole—along with how managers interact with them.
INTERNAL AUDITING: ASSESSING THE FRAMEWORK, NOT JUST THE COMPONENTS

Management systems are like the infrastructure of a city. They provide the frameworks that support daily operations, ensuring processes function cohesively. Auditing only the individual processes within these systems is akin to inspecting roads and traffic lights without assessing whether the transport system as a whole is fit for purpose.
Internal auditors must ask fundamental questions about management systems, such as:
· Are these systems designed to achieve their intended objectives, or are they simply bureaucratic exercises?
· Are managers actively using these systems to make informed decisions, or are they bypassing them in practice?
· Do these systems provide real oversight, or do they just give the illusion of control?
By shifting the focus from isolated processes to the effectiveness of management systems, internal auditors can provide organisations with meaningful assurance that their frameworks for governance, compliance, and risk management are fit for purpose.
THE IMPACT OF INTERNAL AUDITING ON MANAGEMENT SYSTEMS

Independent internal auditors do not simply check whether individual processes exist. Instead, they evaluate whether the systems managing those processes are effective.
1. Identifying Weaknesses in Management Systems
Instead of auditing a payroll process, an internal auditor assesses whether the payroll management system contains latent weaknesses that allow bottlenecks, delays and fraud.
Instead of reviewing how individual complaints are handled, an auditor examines whether the customer service management system ensures consistent, fair, and compliant resolution of complaints.
2. Providing Assurance That Controls Are Effective
Internal auditors verify whether controls within management systems actually work in practice, rather than existing only on paper.
For example, rather than auditing a single data security breach, an auditor examines whether the cybersecurity management system is robust and resilient enough to prevent breaches, initiate contingencies and adapt to changes.
3. Ensuring Managers Utilise These Systems Properly
A well-designed management system is only as effective as the managers who implement it.
Internal auditors assess the degree to which senior leadership is engaging with these systems meaningfully or treating them as a tick-box exercise.
THE HUMAN FACTOR: AUDITING THE GAP BETWEEN MANAGEMENT SYSTEMS AND MANAGERIAL BEHAVIOUR

A management system is only as strong as the managers who use it. Yet, most audits focus on whether systems exist and function on paper, rather than whether managers actually engage with them as they were designed to. This creates a fundamental gap—one that can lead to systemic failures, inefficiencies, or outright contradictions between policy and practice.
Auditing only the existence and functionality of management systems misses the human element. Leaders are not just users of these systems—they are the driving force behind whether they succeed or fail. Internal auditors must move beyond simply verifying compliance with management systems. They must assess whether leadership aligns with the system’s intended purpose, or whether managerial behaviours, biases, and risk appetites are quietly undermining it.
Internal auditors should:
· Assess managerial engagement with systems – Are managers using the system as intended, or are they working around it?
· Measure behavioural alignment – Do managerial actions reflect the standards, principles and controls built into the system?
· Identify cultural barriers – Are there unspoken norms or incentives that contradict the goals of the management system?
By incorporating the cultural, psychological and behavioural dimensions of management, internal auditors provide deeper, more valuable assurance—not just that systems exist, but that they are genuinely shaping the organisation in the way they were designed to.
Here are key areas where an auditor can evaluate this critical gap between system expectations and managerial execution:
1. Risk Management: Do Managers Truly Understand Their Risk Appetite?
Every risk management system is built around the organisation’s stated risk appetite—how much uncertainty it is willing to tolerate. However, managers often say one thing and do another.
An internal auditor might ask:
· Are business decisions truly aligned with the documented risk appetite, or are managers taking excessive risks without realising it?
· Conversely, is an overly cautious leadership stifling innovation and opportunity due to an aversion to risk?
· Are risk assessments actively used in decision-making, or are they just a formal exercise with little real influence?
For example, a financial institution might state that it has a “moderate” risk appetite, yet its managers routinely approve high-risk loans under pressure to meet targets. This contradiction suggests the risk management system exists, but managerial behaviour does not align with it—a crucial insight that only an auditor assessing leadership engagement would identify.
2. Quality Management: Do Managers Prioritise Quality or Just Metrics?
A well-designed quality management system (QMS) is meant to ensure that products or services meet defined standards. However, managers often subconsciously prioritise KPIs (key performance indicators) over genuine quality.
An internal auditor might investigate:
· Are managers incentivising employees to meet production quotas at the expense of product quality?
· Do managers only take quality seriously during audits, rather than as an ongoing discipline?
· Are corrective actions in response to quality failures resolving the root causes of such failures, or are they just fixing each problem as it occurs?
3. Compliance & Ethics: Do Managers View Policies as Guidelines or Obstacles?
Compliance management systems are meant to safeguard ethical practices and legal adherence. However, in reality, managerial attitudes toward compliance often dictate whether these systems work effectively.
An internal auditor might explore:
· Do managers see compliance as an essential business function, or do they treat it as a virtue that doesn’t go further than the company’s mission statement?
· Are ethical concerns taken seriously, or do managers look for loopholes to justify questionable decisions?
· Are compliance violations flagged and addressed consistently, or is enforcement selective and dependent on who is involved?
Ensure Your Management Systems Are Fit for Purpose

Organisations that focus only on auditing processes miss the bigger picture. A well-functioning management system ensures processes are reliable, scalable, and resilient—but only if managers use them properly.
Internal auditing must evolve to provide assurance that management systems are suitable, effective, and being used properly by leadership.
Organisations with in-house audit teams often focus on compliance and risk at the process level. However, independent internal auditors bring a broader perspective, assessing whether management systems themselves are functioning effectively.
Independent audits provide:
· Unbiased Evaluation – Free from internal pressures, independent auditors provide objective assurance on governance, risk, and compliance frameworks.
· Expert Knowledge – External auditors bring industry-wide insights, identifying risks that internal teams may overlook.
· Resource Efficiency – Businesses that lack an internal audit team benefit from expert oversight without the need for full-time audit staff.
An organisation without an internal audit function, for instance, may outsource audits to an independent professional to assess the suitability of its risk management system, ensuring it is robust enough to support business growth.
As an ACCA-qualified accountant and Certified ISO 9001 Lead Auditor, I provide independent internal audit services to help organisations enhance compliance, governance, and operational resilience.
Contact me today to discuss your internal audit needs.