Management can override internal controls, resulting in fraudulent financial reporting. Below I provide four ways that management can do so and how you can audit for these potential threats.
Controls can be overridden, even when properly designed and operating. Accounting personnel usually comply with the wishes of management either out of loyalty or fear. So if a trusted C.E.O. asks the accounting staff to perform questionable actions, they will sometimes comply because they trust the leader. Alternatively, management can threaten accounting personnel with the loss of their jobs if they don’t comply. Either way, management gets what it wants by overriding internal controls.
Management Override of Internal Controls
Here are a few ways that management can override controls:
- Booking journal entries to inflate profits or cover up theft
- Using significant transactions outside the normal course of business to dress up the financial statements
- Manipulating estimates
- Transferring company cash to their personal accounts
Auditors consider management override in all audits (or at least, they should). Why? Because it’s always possible. That's why audit standards require that we respond to the risk of management override in all audits.
First, let’s consider how management overrides controls with journal entries.
1. Journal Entry Fraud
Think about the WorldCom fraud. Expenses were capitalized to inflate profits. Income statement amounts were moved to the balance sheet with questionable entries. Once the fraud was discovered, the internal auditors were told the billion-dollar entries were based on what management wanted. The entries were not in accordance with generally accepted accounting principles. And why was this done? To increase stock prices. Management owned shares of WorldCom, so they profited from the climbing stock values. The fraud led to prison sentences and the demise of the company, all because of management override.
Journal entries are an easy way to override controls. Consider this scenario: Management meets at year-end, and they have not met their goals; so they manipulate earnings by recording nonexistent receivables and revenues, or they record revenues before they are earned. For example, management accrues $10 million in fake revenue, or they book January revenues in December.
Journal Entry Testing
Auditors should test journal entries for potential fraud, but how? First, understand the normal process for making journal entries: who makes them, when are they made, and how. Also, inquire about journal entry controls and consider any fraud incentives, such as bonuses related to profits. Then think about where fraudulent entries might be made and test those areas. Fraudulent journal entries are often made at year-end, so make sure you test those. Here are some additional journal entry test ideas:
- Examine entries made to seldom-used accounts
- Review consolidating entries (also known as top-side entries)
- Test entries made at unusual hours (e.g., during the night)
- Vet entries made by persons that don’t normally make journal entries
- Look at suspense account entries
- Review round-dollar entries (e.g., $100,000)
- Test entries made to unusual accounts
You don’t need to perform all of the above tests, just the ones that are higher risk in light of journal entry controls and fraud incentives. Data mining software can be helpful in vetting journal entries. For example, you can search for journal entries made by unauthorized persons. Just extract all journal entries from the general ledger and group them by persons making the entries; thereafter, scan the list for unauthorized persons.
Fraudulent journal entries are not the only way to override controls. The books can be cooked with related party transactions.
2. Funny Business
Sometimes, as an auditor, you’ll see funny transactions. No, I don’t mean they are amusing. I mean they are unusual. Management can alter profits with transactions outside the normal course of business, and these are often related party transactions.
For example, Burning Fire, an audit client, is owned by Don Jackson. Mr. Jackson also owns another business, Placid Lake. As you are auditing Burning Fire, you see it received a check for $10 million dollars from Placid Lake. So you ask for transaction support, but there is little. The CFO says the payment was made for “prior services rendered,” but it doesn’t ring true. This could be fraud and is an example of a transaction outside the normal course of business. Why would a company record such an entry? Possibly to bolster Burning Fire’s financial statements. When you see such a transaction, consider whether a fraud incentive is present. For example, do loan covenants require certain financial ratios and does this transaction bring them into compliance?
Next, we look at how management can juice up profits by manipulating estimates.
3. Manipulating Estimates
Auditing standards require a retrospective review of estimates as a risk assessment procedure. Why? Because management can manipulate estimates to inflate earnings and assets. Auditing standards call such tendencies bias, a sign that fraudulent financial reporting might exist. That’s why auditors review prior estimates and related results.
For instance, suppose a company has a policy of reserving 90% of receivables that are ninety days or older. If at year-end the greater-than-ninety-days bucket contains $1,000,000, management can increase earnings $400,000 by lowering the reserve to 50%. What an easy way to increase net income!
Retrospective Review of Estimates
So, how does an auditor perform a retrospective review of an allowance for uncollectible accounts? Compare the year-end reserve with that of the last two or three years. If the reserve decreases, ask why. There might be legitimate reasons for the decline. But if there is no reasonable basis for the smaller allowance, bias could be present. Note such changes in your risk assessment summary. For example, in the accounts receivable section, you might say: The allowance for uncollectible accounts appears to have decreased without a reasonable basis. Why? Because you’ve identified a fraud risk that deserves attention.
Complex estimates are easier to manipulate without detection than simple ones. Why? Because intricate estimates are harder to understand, and complexity creates a smokescreen, making bias more difficult to spot. As an example, consider pension plan assumptions and estimates. Very complex. And changes in the assumptions can dramatically affect the balance sheet and net income.
Now, let's look at how to document your retrospective review.
Documenting Your Retrospective Review
Document your retrospective review. How? List the current and prior year estimates and explain the basis for each. Also, examine the results of the prior year estimates. For example, compare the current year bad debts with the prior year uncollectible allowance. Additionally, consider including incentives for manipulating profits such as bonuses.
Label the workpaper Retrospective Review of Estimates to communicate its purpose. Also, consider adding purpose and conclusion statements such as:
- Purpose of workpaper: To perform a retrospective review of estimates to see if bias is present.
- Conclusion: While the allowance estimate is higher in the current year, the judgments and assumptions are the same. It does not appear that bias is present. All other prior year estimates appear reasonable.
Other conclusion examples follow:
- Conclusion: The rate of return used in computing the pension liability increased by 1%. The increase does not appear to be warranted given the mix of investments and past history. Bias appears to be present and is noted in the risk assessment summary form (in the payroll and benefits section).
- Conclusion: Based on our review of the economic lives of assets in the prior year depreciation schedule, no bias is noted.
- Conclusion: We reviewed bad debt write-offs in the current year and compared them to the uncollectible allowance in the prior year. No management bias is noted.
Is there another way that management might override controls? Yes, sometimes management requires accounting personnel to transfer company cash to personal bank accounts.
4. Transferring Company Cash to Personal Accounts
Years ago I audited a hospital in Alabama. The C.E.O. would sometimes go to Panama City Beach, and while there, direct his accounting staff to wire funds to his personal account—and they did. Why? The threat of losing their jobs. Some management personnel, especially those with muscle, can intimidate the accounting employees into doing the unbelievable. I’ve seen this happen and once the C.E.O. is called out, he pretends to know nothing about the prior conversations with accounting.
Management Override of Internal Controls
In your future audits, consider that management override of internal controls is always a possibility.
So don't allow yourself to believe that management is too honest to commit fraud. (A personal friend of mine just went to jail for stealing $3.5 million; he was part of the company's management team. I've known him for twenty years, so I was stunned to hear this.) Conduct your audits to detect material misstatements, including fraud--even if you've known the management team for many years.