Blind trust of the Board and those who are charged with Governance, in the management, coupled with inadequate control functions increases the risk of management override of internal controls.

It is not uncommon for the management to challenge the control function’s recommendation to strengthen the internal controls, as they may think it weakens employee empowerment to make decisions.

Little do they know that a lack of oversight on management actions may result in a high probability of committing fraud.

It is already established that the Management of the Company is responsible for designing, implementing and monitoring the internal controls within its various processes and flows. However, the risk of overriding controls is inherently high to mispresent the financial statements and impress the shareholders or commit fraud.

Override of internal controls is due to pressures or incentives to meet the business objectives or perhaps an opportunity for the management to engage in fraudulent activities and misuse their authority to cover up in the financial statements.

It has been found that senior management and executives are involved in the override of internal controls and commit fraud.

Who is responsible for internal control weakness?

The oversight of internal controls and management actions rests with the Board of directors and Audit Committee. This is achieved by forming a strong and resourceful Audit Committee and Control functions within the Company. Such Control functions may include Compliance and Risk Management and an independent internal audit department.

The Board sets the tone at the top by devising various policies and procedures, power of attorney, a delegation of authorities, rigorous reporting, independent internal and external audits and training.

But is this enough?

I don't think so.

Even with diligent control functions, limitations still exist, and the senior management and their subordinates may override the authority and control procedures to commit fraud, which may go undetected. They may result in the frequent override of internal controls.

What are the roles and responsibilities of the Board and Audit Committee?

The Board's roles and responsibilities and sub-committees, including the Audit Committee, shall be clearly defined in their respective charters. Collectively the Board is responsible for assessing the following:

1. Whether adequate policies and procedures are defined for key business processes?
2. Whether effective oversight of compliance and ethics exists, and how frequently is the reporting made to the Board?
3. Whether delegation of authorities are reviewed by auditors, compliance, and risk management functions to assess the risk of misuse of such delegation? Think of collusion by management to commit fraud.
4. Are employees aware of compliance, ethics, and code of conduct policies?
5. Whether internal auditors review such compliance and ethics programs for their effectiveness?
6. Whether violations properly addressed?
7. Whether lessons learned from such violations are addressed in policymaking?

What actions shall the audit committee take to address the risk of overriding management controls?

The Audit Committee can perform the following actions to address the risk of management override of internal controls:

• Built and enhance their business and market understanding: when the business does not meet its targets, the management may override the controls to portray desired financial results. If the Audit Committee is unaware of critical success factors on which the Company’s performance is measured, it may lose oversight of management actions.
• Identifying fraud: Audit Committee may seek input from the internal and external auditors, compliance, risk management, and other functions to understand the potential areas prone to error or fraud. This may include internal and external factors that incentivise the management to commit fraud and alter the financial statements. A questioning attitude by Audit Committee may unearth significant control weaknesses. Therefore, it is important that the Audit Committee may include subject matter experts, fraud, and industry specialists, who have knowledge related to fraud and financial statement misstatements.
• Whistleblowing: The Audit Committee shall promote the whistleblowing culture by articulating a clear policy to protect and incentivize the whistleblower. Audit Committee shall appoint someone independent within the Company or perhaps the Internal auditor to act as a whistleblowing agent; however, if needed, the staff can directly approach the Chairman of the Audit Committee.
• Skepticism: Audit Committee shall possess an attitude of Skepticism where the risk of management override of internal controls is always considered when assessing the risks of material misstatements and fraud. Using their knowledge, the Audit Committee can ask questions and challenge senior management, which may deter the management from overriding internal controls.
• Tone at the top: The Audit Committee may assess the integrity of the management by comparing the management’s actions with the Code of Conduct policies. This may also include a survey from Company employees, customers, vendors, and third parties regarding the Company’s ethical behaviour towards them.

Therefore, awareness of the Company’s Code of Conduct with employees, customers, vendors, and third parties is vital. It can be created through various onsite and off-site training, seminars, and marketing collateral, giving them awareness about the control environment and their role. In addition, the whistleblowing culture will further strengthen the Company's control environment, therefore minimizing the risk of management override of internal controls.

Conclusion

The first question which comes into the mind after the fraud is exposed is, where were the Board, Audit Committee, and control functions?

The risk of management override of internal controls is inherently high; however, if the Board and Audit Committee challenge the senior management and status quo, internal control weakness may be identified promptly. Perhaps the control functions may adopt an effective risk management approach to identify internal control weaknesses.

Photo by Tobias Tullius on Unsplash