As part of its ongoing fraud-prevention program, the American Institute of Certified Public Accountants today issued guidance to help U.S. audit committees understand one of the most significant of fraud risks: management override of internal controls.
The guidance, Management Override of Internal Controls: The Achilles’ Heel of Fraud Prevention – The Audit Committee and Oversight of Financial Reporting, is available free of charge and may be found on the Audit Committee Effectiveness Center page of the AICPA website.
“Our guidance outlines specific steps audit committees can take to address the risk of management overriding established internal safeguards,” said John Morrow, AICPA Vice President – The New Finance. “Had audit committees taken these steps, many financial frauds may have been prevented.
“Proper guidance for audit committees is particularly important in the wake of such widely reported financial-reporting frauds as WorldCom and Enron,” Morrow added.
One of the most common examples of management override is the posting of fictitious journal entries to overstate revenues or understate expenses. In this scenario, the Chief Financial Officer and Controller generally are the architects of the fraud, with lower-level accounting employees serving – usually through fear of losing their jobs or naiveté – as accomplices.
In most instances, the fraud is intended to be a temporary solution to a missed earnings target. One false financial report, however, invariably leads to another, resulting in a domino effect that culminates in the collapse of the company. According to the Association of Certified Fraud Examiners’ 2002 Report to the Nation on Occupational Fraud and Abuse, the average length of time from inception of a financial-statement fraud to its detection is 25 months.
Management Override of Internal Controls identifies six key actions the audit committee should consider:
- Maintaining skepticism. With an appropriate attitude about the ever-present risk of management override, audit committee members can use their knowledge of the business and related financial statement risks to oversee that risk. In addition, an open display of skepticism, in itself, can be a deterrent to management override of controls.
- Strengthening committee understanding of the business. The identification of fraud-related incentives or pressures begins with each audit committee member obtaining a solid understanding of the business. This working knowledge can be used to assess fraud risk as the audit committee evaluates press releases, analysts’ forecasts and reports, and financial reports to shareholders.
- Brainstorming to identify fraud risks. Members of the audit committee can improve their effectiveness by discussing among themselves the potential for fraud. Possible brainstorming agenda items may include the results of whistleblower hotline calls, fraud risk assessments performed by the company’s independent auditor, and fraud risk factors or concerns identified by audit committee members.
- Using the code of conduct to assess financial reporting culture. The audit committee can use the code of conduct as a benchmark to assess whether the “tone at the top” and management’s actions will preserve the highest levels of integrity even when there is the pressure and opportunity to commit fraud.
- Ensuring the entity cultivates a vigorous whistleblower program. The audit committee can help create strong antifraud controls by encouraging a culture in which employees view whistleblowing as valuable contribution to both the workplace and their own futures. Successful whistleblowing procedures require strong leadership not only from the audit committee, but also the board of directors and management.
- Developing a broad information and feedback network. The audit committee should cultivate a network that extends beyond senior management. Such a network may include internal auditors, independent auditors, the compensation committee and key employees. The audit committee may consider meeting periodically with representatives from each of these groups to discuss matters affecting the financial reporting process. Inconsistencies in information obtained from these sources may indicate management override of internal controls.
“All audit committees, even those not covered by the Sarbanes-Oxley Act of 2002, should seriously consider establishing a whistleblower hotline,” said Morrow. “It’s the number one method for catching fraud at the management level.”
The AICPA has produced separate whistleblower guidance, titled Anonymous Submission of Suspected Wrongdoing (Whistleblowers) – Issues for Audit Committees to Consider. It is also available from www.aicpa.org/audcommctr
Management Override of Internal Controls and the whistleblower guidance are the latest in the AICPA’s portfolio of resources for audit committees. In 2004, the Institute issued an Audit Committee Toolkit, which provides a set of best practices for audit committee members. The AICPA also sponsors the Audit Committee Matching System, which helps organizations find CPAs with relevant knowledge and experience to serve on their audit committees.