Achilles' heel: management override of internal controls a weak link in fraud prevention

ControlCo.'s audit committee chair was stunned when the company's counsel informed him that the prior year's revenue and earnings may have been overstated.

"How could that happen?," the audit committee chair asks. "We have good internal controls and management, and the auditors both signed off that they were effective."

And that's when it became apparent: those who design and implement internal controls--management--also can override or bypass those controls.

Many financial statement frauds have been perpetrated by senior management's intentional override of what might otherwise appear to be effective internal controls.

Among other methods, management may override internal controls to intentionally misstate the nature or time of revenue by recording fictitious business transactions or changing the timing of legitimate transactions; establishing or reversing reserves to manipulate results; and altering records related to significant or unusual transactions.

So how can audit committees address the risk of management override of internal controls as part of their oversight of the financial reporting process?

MAINTAINING SKEPTICISM

An audit committee should exercise an appropriate level of skepticism when considering the risk of management override of internal controls.

The committee should begin by acknowledging that fraud risks, including the risk of management override, exist in every entity. Skepticism requires an alertness to potential fraud risk factors and a willingness to ask the sometimes difficult, and perhaps even embarrassing, questions.

This stance also requires an environment that encourages open discussion among audit committee members and sufficient time to consider "what if" scenarios related to fraud possibilities. The audit committee should set aside any beliefs about the integrity of management because override most often is committed by "good executives gone bad" rather than consistently dishonest people.

Additionally, an open display of skepticism, in itself, can be a deterrent to management override of controls.

UNDERSTAND THE BIZ

Audit committees need a solid knowledge of the industry and business to form the foundation for effective oversight.

Most businesses plan legitimate reactions to variances from expected financial performance. But when a business is unable to achieve desired results legitimately, the temptation to override internal controls to manipulate reported results can become too great to overcome.

Understanding key earnings drivers and management's planned reactions to variations from expected performance can help audit committees identify situations in which management's actions may have crossed the line.

A key in identifying fraud risks involves the audit committee's understanding of what may threaten management's ability to accomplish its objectives and strategies, including competition, capital constraints or regulatory change, to name a few.

It's important for audit committees to understand the financial reporting environment (for example, attitudes, ethics, motives and pressures) affecting those involved in the entity's financial reporting. The internal reporting process between key segments of the business (across lines of business, divisions and geographic segments) and senior management also may be important and worthy of audit committee inquiry.

It's also useful to understand the process of developing, reviewing and revising budgets, as well as the company's "budget mentality." An early challenge to an unrealistic budget by a well-informed audit committee can be an effective deterrent against management override of controls to reach unrealistic targets.

[ILLUSTRATION OMITTED]

BRAINSTORMING IDENTIFIES RISKS

Another way for audit committee members to increase their effectiveness in dealing with the potential for management override is by discussing among themselves the potential for fraud.

A brainstorming session about how and where they believe the entity may be susceptible to fraud; what might motivate management to perpetrate fraud; how management might override controls to engage in and conceal fraudulent financial reporting; and how entity assets could be misappropriated can be helpful.

Other brainstorming agenda items include the results of whistle-blower hotline calls, fraud risk assessments performed by the company's independent auditors, and fraud risk factors or concerns identified by the audit committee.

A brainstorming session's effectiveness is increased if conducted, at least partially, in closed or executive session without management present.

Audit committee discussions with everyone from internal and independent auditors and counsel, to the compensation committee, human resources and business unit leadership can provide important input. And an antifraud specialist, working with the audit committee, often can enhance the session's effectiveness.

USING THE CODE OF CONDUCT

Most organizations have a code of conduct, though the mere existence of it is not sufficient to reduce the likelihood of management override of controls. But an audit committee can use the code to assess whether the entity's culture--or "tone at the top"--and management's actions are those required to maintain the highest levels of integrity under pressure and opportunity to commit fraud.

The code also facilitates the reporting of inappropriate conduct by outlining the types of conduct the organization deems unacceptable.

The audit committee should be routinely furnished with the results of any employee survey regarding corporate behavior and similar information received from external parties, such as customers or vendors. Perceptions of management's commitment to uphold the code influence the degree to which employees and other parties follow the code or report violations.

An evaluation by the audit committee of how management communicates information about the code and motivates employees to comply also provides insight into the entity's attitudes about ethical behavior.

WHISTLE-BLOWER PROGRAM

A whistle-blowing process incorporating a telephone hotline can be a defense against management override of internal controls. Although the Sarbanes-Oxley Act requires that confidential reporting mechanisms be made available only to employees, opening the system to suppliers, customers and others can increase the number of reports.

The submission to the audit committee of all complaints involving senior management (without filtering by management or other personnel) is essential. Tests and evaluations by internal auditors of whether or not protocols established for forwarding information to the audit committee have been followed are important.

A checklist of issues for audit committees to consider when evaluating the design and operating effectiveness of the whistle-blower process can be found in the AICPA's Audit Committee Effectiveness Center, www.aicpa.org/audcommctr/homepage.htm.

INFORMATION, FEEDBACK NETWORK

Identifying situations where management has overridden internal controls is difficult because those actions are not obvious and are not expected of a trusted management team. To respond to that challenge, the development of an extensive information network beyond senior management can increase the audit committee's ability to detect management override.

In addition to the financial reporting process, the network often includes internal auditors, independent auditors, compensation committee and key employees.

The audit committee may consider meeting periodically with representatives from each of the above groups to discuss the financial reporting process, including significant estimates, fraud risks, key internal controls and any other items of concern. Inconsistencies in information from these sources may signal that management override of internal controls is present.

CONCLUSION

The risk of management override of internal controls is present in every entity. Although this guidance can't guarantee that the audit committee will prevent, deter or detect fraud through management override, the implementation of these suggestions should result in more effective audit committee oversight of management.

BY JOHN MORROW, CPA

John Morrow, CPA is AICPA vice president of The New Finance. For more information, visit the AICPA's Audit Committee Effectiveness Center at www.aicpa.org/audcommctr/homepage.htm.

COPYRIGHT 2005 California Society of Certified Public Accountants
COPYRIGHT 2005 Gale Group