Internal controls are the processes, procedures, tasks, and activities meant to protect an organization from fraud, financial information misreporting, cybercrime, and accidental losses. A strong internal control system is also vital to maintain compliance with all applicable laws and regulations.

Internal controls do, however, have one nagging weakness: management override of those controls. When managers abuse their override powers to ignore or subvert internal control, all manner of risk and misconduct can follow.

Let’s explore how such overrides can happen, and how organizations can reduce “management override risk” to protect the company’s assets, financial position, and reputation.

What Is Management Override of Internal Controls?

The Committee of Sponsoring Organizations (COSO) defines “internal control” as a process to provide “reasonable assurance” over the achievement of an organization’s objectives for operations, reporting, and compliance.

A comprehensive internal control system includes three types of internal controls: detective, preventive, and corrective. Together, these controls enable organizations to identify risks and develop appropriate responses to keep those risks at acceptable levels. Strong controls also prevent errors, fraud, cybersecurity failures, and other inappropriate actions.

Management override of internal controls can keep the company from achieving these goals, because it prevents those internal controls from functioning properly. Unfortunately, such overrides are fairly common because management designs, implements, assesses, and maintains these controls in the first place.

To be clear, management override is not an inherently bad thing. Circumstances can arise where overriding internal controls might be in the best interests of the company. For example, if corporate policy is never to pay an invoice before onboarding a vendor, but the company urgently needs a critical component before a system failure, then management might decide to skip onboarding for now and pay a vendor immediately for that component.

The issue is management abuse of its override authority. Such overrides can affect any organization and result in, say, financial statement fraud, even if the controls are well-designed and effective. In fact, most major corporate scandals of the past half century resulted from management overriding internal controls and manipulating financial or operating results.

Examples of Management Override of Internal Controls

Senior management can override internal controls in many ways.

For one, they can commit journal entry fraud by:

  • Capitalizing expenses
  • Inflating profits
  • Recording non-existent receivables and/or revenues in the general ledger
  • Recording revenues before they are earned
  • Moving amounts from the income statement to the balance sheet

Executives could record (and many times have recorded) fictitious transactions or change the timing of legitimate transactions by making entries that are fraudulent and not in accordance with generally accepted accounting principles (GAAP).

Some senior managers also intentionally bias the assumptions used to estimate account balances. Manipulating accounting estimates allows managers to inflate earnings, profits, and assets, resulting in the publication of fraudulent financial results to shareholders and regulators.

Sometimes, a C-suite leader may alter or manipulate significant or unusual transactions on financial records. For instance, the executive might record a related-party transaction outside the normal course of business without providing adequate transaction support to confirm its legitimacy. Executives might direct (or even threaten) accounting staff to override internal controls and transfer company money to the manager’s personal account. Such behavior is not new in the history of corporate frauds.

Consequences of Management Override of Internal Controls

When management bypasses internal controls, executives usually have an incentive to meet some financial objective. Overriding controls to understate payables or liabilities, increase earnings, or make post-closing adjustments allows management to perpetrate fraud and participate in the misappropriation of company funds.

Senior managers may also bypass controls to boost the company’s stock price. Inflating profits and reporting lower costs suggest that the company is healthy (it really isn’t), which can lift the share price. If the managers are shareholders, they can sell their shares at higher prices and earn higher profits.

Overrides can also happen when the company is applying for a loan and loan covenants require the company to hit certain financial performance ratios. Manipulating the numbers on financial statements can help bring those ratios to the desired amount and allow the company to get that loan.

In the short term, management override of controls can benefit the manager, and as seen above, even the company. But it’s difficult to maintain such fraudulent behaviors for an extended period.

Sudden increases in executive compensation, unusual jumps in stock prices, and unexpected increases in corporate profits can attract the attention of regulatory bodies such as the Securities & Exchange Commission. If the SEC then decides to examine the company more closely, SEC fraud examiners will eventually discover those schemes to make the company appear more profitable than it is.

All manner of repercussions can follow once those frauds are exposed: enforcement actions from regulators, credit rating agencies downgrading the company, shareholder lawsuits, plummeting share price, and more. In the most egregious cases, the company may have to file for bankruptcy, and its management may be tried for fraud in civil or criminal courts.

Companies such as Enron and WorldCom experienced all these consequences in the early 2000s due to corporate misconduct and management overriding internal controls. The collapse of these firms led to the creation of new auditing standards and regulations, such as the Sarbanes-Oxley Act (SOX), to promote the integrity of financial reporting for public companies.

How to Identify the Risk of Management Override of Internal Controls

It’s not always easy to detect whether management is abusing its override authority, but inappropriate overrides usually raise at least some warning signals. Organizations must pay attention to such red flags and investigate them promptly to root out the problem.

For example, a senior manager may dispute an external or internal auditor’s findings on accounting matters or financial disclosures, or may be unwilling to discuss issues that could require financial adjustments. Such disagreements may indicate that the manager has manipulated financial statements and doesn’t want the auditor to look deeper.

A manager who fails to identify business risks on a timely basis or ignores known problems may also be engaging in fraudulent behavior. Additionally, if the manager is lax about enforcing anti-fraud controls, it may be a sign that he or she knows about fraud but is purposely ignoring (or even perpetuating) it.

Finally, when senior managers produce overly optimistic performance reports or significant estimates, it could suggest a problem they don’t want to publicize, either to protect the company’s stock price or to hide their own wrongdoing.

How to Prevent Management Override of Internal Controls

An appropriate tone at the top, set by the board of directors, is crucial to deter inappropriate overrides. Board members must also implement a code of conduct and encourage the auditing and public reporting of the company’s internal controls.

Furthermore, vigilance is crucial to prevent management from overriding internal controls. One way to ensure greater vigilance over leadership behavior is to institute an audit committee. (The boards of companies that trade on U.S. stock exchanges are required to have audit committees.) Here’s how audit committees can mitigate the risk of material misstatements and play a role in fraud prevention:

Oversee the financial reporting process

The audit committee must closely oversee the financial reporting process and the actions of senior management. In addition, committee members should understand the financial reporting environment and any pressures that may result in senior managers manipulating the company’s financial statements.

Additionally, the committee must assess any differences in the financial reporting cultures across different functional units, to find areas where fraud risks may be higher. It must also understand how the company develops budgets and reports its earnings, and investigate any suggestions that management has an incentive to misreport earnings.

Assess fraud risk

The audit committee should understand the key drivers of earnings and revenues to understand which of these levers management may use to perpetrate fraud. Committee members should also:

  • Identify business and financial risks that may increase the likelihood of fraud
  • Be alert to new fraud risk factors
  • Avoid blindly trusting in the integrity of management
  • Identify fraud-related pressures, opportunities, and attitudes (the “fraud triangle”)
  • Implement robust audit procedures

These best practices can help the committee to monitor management properly and identify fraud risk factors before a crisis occurs.

Create a mechanism for whistleblowers

Whistleblowers are invaluable allies for detecting fraud, corporate misconduct, and management override of internal controls. Organizations must encourage employees to speak up if they suspect something is wrong.

Whistleblowers should be encouraged to report wrongdoing via a confidential telephone or web-based hotline. In addition, the committee must protect potential whistleblowers from retribution. Committee members must also create a culture where employees view whistleblowing as a valuable contribution to creating an ethical workplace, and where integrity and “doing what’s right” are valued over financial performance.

Develop a robust feedback network

An extensive information network is also crucial to detect management override of internal control. The network must extend beyond senior management and the financial reporting process to include:

  • Internal audit team
  • Independent auditors/external auditors
  • Key employees
  • Compensation committee
  • Compliance department
  • Security department
  • Marketing and sales departments

The audit committee must establish the means for these entities to report possible fraud. In addition, members must meet periodically with representatives from these groups to conduct fraud risk assessments and discuss gaps in the system of internal controls.
