Achilles' heel: management override of internal controls a weak link in fraud prevention.ControlCo.'s audit committee chair was stunned stun tr.v. stunned, stun·ning, stuns 1. To daze or render senseless, by or as if by a blow. 2. To overwhelm or daze with a loud noise. 3. when the company's counsel informed him that the prior year's revenue and earnings may have been overstated o·ver·state tr.v. o·ver·stat·ed, o·ver·stat·ing, o·ver·states To state in exaggerated terms. See Synonyms at exaggerate. o . "How could that happen?," the audit committee chair asks. "We have good internal controls and management, and the auditors both signed off that they were effective." And that's when it became apparent: those who design and implement internal controls--management--also can override An arrangement whereby commissions are made by sales managers based upon the sales made by their subordinate sales representatives. A term found in an agreement between a real estate agent and a property owner whereby the agent keeps the right to receive a commission for the sale of or bypass those controls. Many financial statement frauds have been perpetrated by senior management's intentional in·ten·tion·al adj. 1. Done deliberately; intended: an intentional slight. See Synonyms at voluntary. 2. Having to do with intention. override of what might otherwise appear to be effective internal controls. Among other methods, management may override internal controls to intentionally in·ten·tion·al adj. 1. Done deliberately; intended: an intentional slight. See Synonyms at voluntary. 2. Having to do with intention. misstate mis·state tr.v. mis·stat·ed, mis·stat·ing, mis·states To state wrongly or falsely. mis·state  ment n. the nature or time of revenue by recording fictitious Based upon a fabrication or pretense.A fictitious name is an assumed name that differs from an individual's actual name. A fictitious action is a lawsuit brought not for the adjudication of an actual controversy between the parties but merely for the purpose of business transactions or changing the timing of legitimate transactions; establishing or reversing reserves to manipulate results; and altering records related to significant or unusual transactions. So how can audit committees address the risk of management override of internal controls as part of their oversight of the financial reporting process? MAINTAINING SKEPTICISM An audit committee should exercise an appropriate level of skepticism when considering the risk of management override of internal controls. The committee should begin by acknowledging that fraud risks, including the risk of management override, exist in every entity. Skepticism requires an alertness to potential fraud risk factors and a willingness to ask the sometimes difficult, and perhaps even embarrassing, questions. This stance also requires an environment that encourages open discussion among audit committee members and sufficient time to consider "what if" scenarios related to fraud possibilities. The audit committee should set aside any beliefs about the integrity of management because override most often is committed by "good executives gone bad" rather than consistently dishonest people. Additionally, an open display of skepticism, in itself, can be a deterrent de·ter·rent adj. Tending to deter: deterrent weapons. n. 1. Something that deters: a deterrent to theft. 2. to management override of controls. UNDERSTAND THE BIZ Audit committees need a solid knowledge of the industry and business to form the foundation for effective oversight. Most businesses plan legitimate reactions to variances from expected financial performance. But when a business is unable to achieve desired results legitimately, the temptation to override internal controls to manipulate reported results can become too great to overcome. Understanding key earnings drivers and management's planned reactions to variations from expected performance can help audit committees identify situations in which management's actions may have crossed the line. A key in identifying fraud risks involves the audit committee's understanding of what may threaten management's ability to accomplish its objectives and strategies, including competition, capital constraints or regulatory change, to name a few. It's important for audit committees to understand the financial reporting environment (for example, attitudes, ethics, motives and pressures) affecting those involved in the entity's financial reporting. The internal reporting process between key segments of the business (across lines of business, divisions and geographic segments) and senior management also may be important and worthy of audit committee inquiry. It's also useful to understand the process of developing, reviewing and revising budgets, as well as the company's "budget mentality." An early challenge to an unrealistic budget by a well-informed audit committee can be an effective deterrent against management override of controls to reach unrealistic targets. [ILLUSTRATION OMITTED] BRAINSTORMING IDENTIFIES RISKS Another way for audit committee members to increase their effectiveness in dealing with the potential for management override is by discussing among themselves the potential for fraud. A brainstorming session about how and where they believe the entity may be susceptible to fraud; what might motivate management to perpetrate per·pe·trate tr.v. per·pe·trat·ed, per·pe·trat·ing, per·pe·trates To be responsible for; commit: perpetrate a crime; perpetrate a practical joke. fraud; how management might override controls to engage in and conceal fraudulent financial reporting; and how entity assets could be misappropriated mis·ap·pro·pri·ate tr.v. mis·ap·pro·pri·at·ed, mis·ap·pro·pri·at·ing, mis·ap·pro·pri·ates 1. a. To appropriate wrongly: misappropriating the theories of social science. can be helpful. Other brainstorming agenda items include the results of whistle-blower whis·tle·blow·er or whis·tle-blow·er or whistle blower n. One who reveals wrongdoing within an organization to the public or to those in positions of authority: "The Pentagon's most famous whistleblower is . . hotline calls, fraud risk assessments performed by the company's independent auditors Independent Auditor An external auditor with a certified public accounting designation that qualifies him or her to provide an auditor's report. Notes: These auditors aren't affiliated with the company being audited. , and fraud risk factors or concerns identified by the audit committee. A brainstorming session's effectiveness is increased if conducted, at least partially, in closed or executive session without management present. Audit committee discussions with everyone from internal and independent auditors and counsel, to the compensation committee, human resources The fancy word for "people." The human resources department within an organization, years ago known as the "personnel department," manages the administrative aspects of the employees. and business unit leadership can provide important input. And an antifraud specialist, working with the audit committee, often can enhance the session's effectiveness. USING THE CODE OF CONDUCT Most organizations have a code of conduct, though the mere existence of it is not sufficient to reduce the likelihood of management override of controls. But an audit committee can use the code to assess whether the entity's culture--or "tone at the top"--and management's actions are those required to maintain the highest levels of integrity under pressure and opportunity to commit fraud. The code also facilitates the reporting of inappropriate conduct by outlining the types of conduct the organization deems unacceptable. The audit committee should be routinely furnished fur·nish tr.v. fur·nished, fur·nish·ing, fur·nish·es 1. To equip with what is needed, especially to provide furniture for. 2. with the results of any employee survey regarding corporate behavior and similar information received from external parties, such as customers or vendors. Perceptions of management's commitment to uphold up·hold tr.v. up·held , up·hold·ing, up·holds 1. To hold aloft; raise: upheld the banner proudly. 2. To prevent from falling or sinking; support. 3. the code influence the degree to which employees and other parties follow the code or report violations. An evaluation by the audit committee of how management communicates information about the code and motivates employees to comply also provides insight into the entity's attitudes about ethical behavior. WHISTLE-BLOWER PROGRAM A whistle-blowing whistle-blowing, exposure of fraud and abuse by an employee. The federal law that legitimated the concept of the whistle-blower, the False Claims Act (1863, revised 1986), was created to combat fraud by suppliers to the federal government during the Civil War. process incorporating a telephone hotline can be a defense against management override of internal controls. Although the Sarbanes-Oxley Act See SOX. requires that confidential reporting mechanisms be made available only to employees, opening the system to suppliers, customers and others can increase the number of reports. The submission to the audit committee of all complaints involving senior management (without filtering by management or other personnel) is essential. Tests and evaluations by internal auditors Internal auditor An employee of a company who analyzes the company's accounting records to that the company is following and complying with all regulations. of whether or not protocols established for forwarding information to the audit committee have been followed are important. A checklist of issues for audit committees to consider when evaluating the design and operating effectiveness of the whistle-blower process can be found in the AICPA's Audit Committee Effectiveness Center, www.aicpa.org/audcommctr/homepage.htm. INFORMATION, FEEDBACK NETWORK Identifying situations where management has overridden internal controls is difficult because those actions are not obvious and are not expected of a trusted management team. To respond to that challenge, the development of an extensive information network beyond senior management can increase the audit committee's ability to detect management override. In addition to the financial reporting process, the network often includes internal auditors, independent auditors, compensation committee and key employees. The audit committee may consider meeting periodically with representatives from each of the above groups to discuss the financial reporting process, including significant estimates, fraud risks, key internal controls and any other items of concern. Inconsistencies in information from these sources may signal that management override of internal controls is present. CONCLUSION The risk of management override of internal controls is present in every entity. Although this guidance can't guarantee that the audit committee will prevent, deter or detect fraud through management override, the implementation of these suggestions should result in more effective audit committee oversight of management. BY JOHN MORROW For the football player of the same name see John Morrow (football player). John Morrow (April 19, 1865 - February 25, 1935) was a United States Representative from New Mexico. He was born born near Darlington, Wisconsin. , CPA (Computer Press Association, Landing, NJ) An earlier membership organization founded in 1983 that promoted excellence in computer journalism. Its annual awards honored outstanding examples in print, broadcast and electronic media. The CPA disbanded in 2000. John Morrow, CPA is AICPA vice president of The New Finance. For more information, visit the AICPA's Audit Committee Effectiveness Center at www.aicpa.org/audcommctr/homepage.htm. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion