Risk of management override of internal controls

Incentives and pressures increase the risk of management overrides which requires a strong oversight from the Audit Committee.

Blind trust of the Board and those who are charged with Governance, in the management, coupled with inadequate control functions increases the risk of management override of internal controls.

It is not uncommon for the management to challenge the control function’s recommendation to strengthen the internal controls, as they may think that it weakens the employee empowerment to make decisions.

Little they know, that lack of oversight on management actions may result in high probability to commit fraud.

It is already established that Management of the Company is responsible for designing, implementing and monitoring the internal controls within its various processes and flows. However, the risk of overrides of controls is inherently high to mispresent the financial statements and impress the shareholders or to commit fraud.

Override of internal controls is due to pressures or incentives to meet the business objectives or perhaps an opportunity for the management to engage in fraudulent activities and misuse their authority to cover up in the financial statements.

It has been found that senior management and executives are involved in the override of internal controls and commit fraud.

But who is responsible for this potential weakness?

The oversight of internal controls and management actions rests with the Board of directors and Audit Committee. This is achieved through the formation of a strong and resourceful Audit Committee and Control functions within the Company. Such Control functions may include Compliance and Risk Management functions, along with an independent internal audit department.

The Board sets the tone at the top through the implementation of various policies and procedures, power of attorney, a delegation of authorities, rigorous reporting, independent internal and external audits and training.

But is this enough?

I don't think so.

Even with diligent control functions, limitations still exist and the senior management and their subordinates may override the authority and control procedures to commit fraud, which may go undetected, and may result in the frequent override of internal controls.

What the Board and Audit Committee shall do?

The roles and responsibilities of the Board and their sub-committees including the Audit Committee shall be clearly defined in their respective charters. Collectively the Board is responsible to assess the following:

  1. Whether adequate policies and procedures are defined for key business processes?
  2. Whether effective oversight of compliance and ethics exists and how frequently the reporting is made to the Board?
  3. Whether delegation of authorities are reviewed by auditors, compliance, and risk management functions to assess the risk of misuse of such delegation? Think of collusion by management to commit fraud.
  4. Whether employees are aware of compliance, ethics, and code of conduct policies?
  5. Whether internal auditors review such compliance and ethics programs for their effectiveness?
  6. Whether violations are properly addressed?
  7. Whether lessons learned from such violations are part of bringing reforms in policymaking, in order to improve the tone at the top?

What's Next

The Audit Committee can further perform the following actions to address the risk of management override of internal controls:

  • Built and enhance their business and market understanding, when the business does not meet its targets, the management may override the controls to portray desired financial results. If the Audit Committee is not aware of critical success factors on which the Company’s performance is measured, then it may lose oversight of management actions.
  • Identifying fraud, Audit Committee may seek input from the internal and external auditors, compliance, risk management, and other functions to understand the potential areas prone to error or fraud. This may include internal and external factors that create incentives or pressures for the management to commit fraud and alter the financial statements. A questioning attitude by Audit Committee may unearth significant control weaknesses. Therefore, it is important that the Audit Committee may include subject matter experts, fraud, and industry specialists, who have knowledge related to fraud and financial statement misstatements.
  • Whistleblowing, the Audit Committee shall promote the culture of whistleblowing by articulating a clear policy to protect and incentivize the whistleblower. Audit Committee shall appoint someone independent within the Company or perhaps the Internal auditor to act as a whistleblowing agent; however, if needed, the staff can directly approach the Chairman of the Audit Committee.
  • Skepticism, Audit Committee shall possess an attitude of Skepticism where the risk of management override of internal controls is always taken into consideration when assessing the risks of material misstatements and fraud. By using their knowledge, the Audit Committee can ask awful questions and challenge senior management, giving a tough time, which can be a deterrent for the management to override controls.
  • Tone at the top, the Audit Committee can assess the integrity of the management by comparing the management’s actions with the Code of Conduct policies. This may also include a survey from Company employees, customers, vendors, and third parties regarding the Company’s ethical behaviour towards them.

Therefore, awareness of the Company’s Code of Conduct with employees, customers, vendors, and third parties is vital and can be created through various onsite and off-site training, seminars, marketing collateral, giving them awareness about the control environment and their role. In addition, the whistleblowing culture will further strengthen the control environment of the Company, therefore minimizing the risk of management override of internal controls.

Conclusion

The first question which comes into the mind after the fraud is exposed, where were the Board, Audit Committee, and control functions?

The risk of management override of internal controls is inherently high; however, if the Board and Audit Committee challenge the senior management and status quo, then internal control weakness may be identified and timely rectified. Perhaps the control functions may adopt an effective risk management approach to identify internal control weaknesses.

Photo by Tobias Tullius on Unsplash

Share your comments and below and share this post.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

©2019-2021-Usama Zulfiqar-All Rights Reserved

Pin It on Pinterest

Share This
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram