| Key ISAs* |
| ISA 240 The auditor’s responsibilities relating to fraud in an audit of financial statements |
| ISA 315 (Revised) Identifying and assessing risks of material misstatement through understanding the entity and its environment |
| * The guidance below focuses on key issues in implementing ISAs as issued by the International Auditing and Assurance Standards Board. It does not address all ISA requirements. |
In any entity, management and those charged with governance need to implement a system of internal control designed to provide reasonable assurance about the achievement of the entity’s objectives with regard to the reliability of financial reporting.
Why is it important?
The ability to override controls puts management in a unique position to perpetrate or conceal the effects of fraud. This may take a number of forms such as falsifying accounting entries in order to conceal misappropriation of assets or other manipulation of accounting entries intended to result in the production of financial statements which give a misleading view of the entity’s financial position or performance.
Although the risk of management override of controls will vary from entity to entity, the risk is nevertheless present in all entities.
While ISA 240 refers to “management”, the term includes those charged with governance in situations where they take an active part in the management of the entity, having the ability either to override controls directly or to instruct management to do so.
In considering management override, the auditor therefore needs to be alert to the possibility that:
- those involved in management are perpetrating fraud for their own purposes and are attempting to conceal what they are doing from those charged with governance; and
- those charged with governance (who may also be owners of the entity) are perpetrating fraud in order to misrepresent the entity’s financial position or performance.
Requirements and challenges
How do auditors assess the risk of management override?
The risk of management override of controls is considered to be a fraud risk and is therefore always a “significant” risk as defined in ISA 315 (Revised) [ISA 240.31].
The auditor needs to consider whether the entity has any controls to prevent, or detect and correct, such override. By definition, it is virtually impossible for an entity to have controls in this area that will be totally effective. Entities should nevertheless have controls that minimise the risk, such as controls over the authorisation and processing of journals and other adjustments to the financial statements. The auditor needs to evaluate the design and implementation of these controls as part of the risk assessment process carried out in accordance with ISA 315 (Revised).
The auditor also needs to consider whether there are any particular risk factors that would affect the risk of management override. These may include incentives or pressures for individuals to misrepresent the results or financial position of the entity such as:
- for personal gain (salary, promotion, bonuses, continued employment, etc);
- for gain on disposal of the entity or its business;
- to meet expectations or targets;
- to avoid tax; or
- to obtain finance or to satisfy the requirements of lenders or other third parties.
How do auditors respond to the risk of management override?
Irrespective of the auditor’s assessment of the risks of management override of controls, ISA 240 requires that the auditor design and perform audit procedures:
- to test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements;
- to review accounting estimates for bias and evaluate whether the circumstances producing any bias represent a risk of material misstatement due to fraud; and
- for significant transactions that are outside the normal course of business or that otherwise appear to be unusual, evaluate whether the business rationale (or the lack thereof) suggests that they may have been entered into for the purposes of fraudulent financial reporting or to conceal misappropriation of assets [ISA 240.32].
The auditor is also required to determine whether there is a need to perform other audit procedures where there are specific additional risks of management override that are not covered by the procedures above [ISA 240.33].
How do auditors test the appropriateness of journal entries and other adjustments?
Material misstatement of financial statements due to fraud often involves making inappropriate or unauthorised journal entries or other adjustments to the financial statements, such as reclassification or consolidation adjustments. This may occur throughout the year or at the period end.
ISA 240 requires the auditor to make inquiries of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments. For example, this could include whether they have been asked to process journals or amend accounting estimates without appropriate documentation or explanation. The auditor performs specific tests on journal entries and other adjustments made at the end of the reporting period. Such adjustments are often used to introduce bias into accounting estimates or to manipulate results by, for example, accelerating or deferring the recognition of income.
Where the number of such journals or adjustments is substantial, the auditor may test items on a sample basis but will usually focus on items that appear to be particularly large or unusual. The auditor is also required to consider the need to test journal entries and other adjustments throughout the period. Such journals may be used to conceal fraud, particularly fraud involving the misappropriation of assets. Again, this may be done on a sample basis, but will also usually involve consideration of specific items that appear to be particularly large or unusual [ISA 240.32(a)].
When selecting items for testing, the auditor needs to consider:
- whether there are any fraud risk factors that may help the auditor identify specific classes of journal entries and other adjustments for testing;
- the effectiveness of controls over the preparation and posting of journal entries and other adjustments. This may reduce the extent of substantive testing necessary, provided that the auditor has tested the operating effectiveness of the controls;
- the entity’s financial reporting process and nature of evidence that can be obtained. Many entities may use a combination of manual and automated steps and procedures and journal entries and other adjustments may only exist in electronic form;
- the characteristics of fraudulent journal entries or other adjustments. Indicators of inappropriate journal entries may include entries:
  - made to unrelated, unusual, or seldom-used accounts or without identifying account numbers;
  - made by individuals who typically do not make journal entries;
  - recorded at the end of the period or as post-closing entries that have little or no explanation or description; and
  - containing round numbers or consistent ending numbers.
- the nature and complexity of the accounts. Inappropriate journal entries or adjustments may be applied to accounts that:
  - contain transactions that are inherently complex or unusual in nature;
  - contain significant estimates and period-end adjustments;
  - have been prone to misstatements in the past;
  - have not been reconciled on a timely basis or contain unreconciled differences;
  - contain inter-company transactions; and
  - are otherwise associated with an identified risk of material misstatement due to fraud;
- journal entries or other adjustments processed outside the normal course of business. Non-standard journals may not be subject to the same level of internal control as those processed regularly.
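The indicators of inappropriate journal entries listed above can be turned into a screening pass over a ledger extract that ranks entries for the auditor's attention. This is an added example, not part of the guide or of ISA 240; the record layout, the thresholds (`window_days`, `rare`, `round_unit`, `min_desc`) and the sample entries are constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta

PERIOD_END = date(2023, 12, 31)  # assumed reporting date for the sample

# Constructed sample extract: (id, posting date, user, account, amount, description)
JOURNALS = [
    ("J001", date(2023, 3, 14), "ap_clerk", "5000", 1284.37, "Supplier invoice 4471"),
    ("J002", date(2023, 6, 2), "ap_clerk", "5000", 932.10, "Supplier invoice 4502"),
    ("J003", date(2023, 9, 21), "ap_clerk", "5000", 2210.85, "Supplier invoice 4630"),
    ("J004", date(2023, 11, 8), "gl_clerk", "4000", 7415.22, "Sales batch 11/08"),
    ("J005", date(2023, 12, 5), "gl_clerk", "4000", 6120.40, "Sales batch 12/05"),
    ("J006", date(2023, 12, 30), "cfo", "9990", 250000.00, ""),
    ("J007", date(2024, 1, 4), "gl_clerk", "", 18000.00, "adj"),
]

def flag_entries(entries, period_end, window_days=3, rare=1, round_unit=1000, min_desc=5):
    """Return {entry id: [indicator names]} for entries matching any indicator."""
    by_user = Counter(e[2] for e in entries)
    by_account = Counter(e[3] for e in entries if e[3])
    window_start = period_end - timedelta(days=window_days)
    flagged = {}
    for jid, posted, user, account, amount, desc in entries:
        flags = []
        if not account:
            flags.append("no_account_number")
        elif by_account[account] <= rare:
            flags.append("seldom_used_account")
        if by_user[user] <= rare:
            flags.append("infrequent_poster")
        # Period-end or post-closing entry with little or no description
        if posted >= window_start and len(desc.strip()) < min_desc:
            flags.append("late_entry_unexplained")
        # Compare in whole cents/pence to avoid floating-point remainders
        if round(amount * 100) % (round_unit * 100) == 0:
            flags.append("round_amount")
        if flags:
            flagged[jid] = flags
    return flagged

def selection(entries, period_end):
    """Order flagged entries by indicators hit, then by amount (largest first)."""
    flagged = flag_entries(entries, period_end)
    amounts = {e[0]: e[4] for e in entries}
    return sorted(flagged, key=lambda j: (-len(flagged[j]), -amounts[j]))
```

A flag only nominates an entry for testing; the supporting documentation and business rationale still have to be examined for each selected item.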
How do auditors perform a review for management bias?
Fraudulent financial reporting often involves intentional misstatement of accounting estimates. This could be done by, for example, understating or overstating all provisions or reserves in a manner intended either to smooth earnings over several accounting periods, or to achieve a particular level of income, profit or assets in order to mislead users of the financial statements.
The auditor needs to be alert to the possibility that the view given by the financial statements may be affected by management bias. The auditor is required by ISA 240 to evaluate whether the judgements and decisions made by management in making the accounting estimates, even if they are individually reasonable, indicate a possible bias that may represent a risk of material misstatement due to fraud. If so, the auditor is required to re-evaluate accounting estimates as a whole.
The auditor is also required to perform a retrospective review of management judgements and assumptions related to significant accounting estimates reflected in the financial statements of the prior period and consider whether the outcome of estimates made previously by management provides an indication of the ability of management to make reliable estimates or highlights a tendency to bias in one direction or the other [ISA 240.32(b)].
A review of accounting estimates for management bias and a retrospective review of the outcome of previous accounting estimates are also required by ISA 540 Auditing accounting estimates including fair value accounting estimates, and related disclosures. As a practical matter, the reviews required by ISA 240 may be carried out in conjunction with those required by ISA 540 [ISA 540.9 and ISA 540.21].
Why do auditors consider transactions outside the normal course of business?
Significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual, may involve fraudulent financial reporting or concealing misappropriation of assets. Recording such transactions may involve an element of management override or circumvention of normal controls. Indicators that may suggest this include instances in which:
- the form of the transaction appears overly complex (for example, it involves multiple entities within a group or multiple unrelated third parties);
- management has not discussed the nature of and accounting for such transactions with those charged with governance of the entity, and there is inadequate documentation;
- management or those charged with governance place more emphasis on the need for a particular accounting treatment than on the underlying economics of the transaction; and
- transactions involve non-consolidated related parties, previously unidentified related parties or parties that do not have the financial strength to support the transaction without assistance from the audited entity.
Are there any other matters to consider?
When assessing the risk of management override and the auditor’s response to this risk, including the nature and extent of testing to be performed, it is important to ensure that the audit working papers record the significant judgements made and the rationale for the auditors’ response (in accordance with the requirements of ISA 230 Audit documentation).
ISA 260 (Revised) Communication with those charged with governance suggests that the auditor’s communication with those charged with governance regarding the planned scope and timing of the audit may include how the auditor proposes to address the significant risks of material misstatement, whether due to fraud or error. Such risks include the risk of management override. The auditor needs to be careful not to compromise the effectiveness of the audit by providing too much detail regarding the nature and timing of audit procedures to be performed. In communicating the fact that management override represents a significant risk of fraud, the auditor also needs to be sensitive to the fact that, in most cases, the people with whom the auditor is communicating are the very people who are in a position to perpetrate fraud.
ISAs 240, 315, 260 (Revised) and 265 Communicating deficiencies in internal control also require the auditor to make those charged with governance and management aware, at an appropriate level of responsibility, of matters related to fraud and deficiencies in the design or implementation of internal control which have come to their attention.
Unlike other significant risks, the absence of effective controls to prevent management override will not necessarily represent a significant deficiency in internal control, especially where those charged with governance and management are effectively the same people. Before concluding that there is a deficiency in internal control, the auditor considers whether there are any effective controls that could be applied. They must also consider whether or not any controls that do exist are appropriate for the size and nature of the entity.
Copyright notice
This guide includes extracts from the Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related Services Pronouncements, 2016-2017 Edition of the International Auditing and Assurance Standards Board (IAASB), published by the International Federation of Accountants (IFAC) in December 2016, and is used with permission of IFAC. Contact permissions@ifac.org for permission to reproduce, store or transmit, or to make other similar uses of this document. This text from the Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related Services Pronouncements, 2016-2017 Edition of the International Auditing and Assurance Standards Board (IAASB), published by IFAC in December 2016, is used by ICAEW with permission of IFAC. Such use of IFAC’s copyrighted material in no way represents an endorsement or promotion by IFAC. Any views or opinions that may be included in this guide are solely those of ICAEW, and do not express the views and opinions of IFAC or any independent standard setting board supported by IFAC.