The role of the CFO entails identifying operational issues, evaluating the risks of fraud and working toward ongoing fraud prevention. When serving as the CFO, these issues are “easier” to manage and control. However, investors and business partners do not always have the ability to control the financial statements.
The AICPA wrote a marvelous piece called “MANAGEMENT OVERRIDE OF INTERNAL CONTROLS: The Achilles’ Heel of Fraud Prevention” and a full version of the report can be found here. The AICPA has graciously allowed the reproduction this condensed version of the report. To provide an investor’s perspective, the terms “audit committee” has been replaced with “investor(s)”; “internal control” with “processes / reporting processes” and in some cases “management” with “sponsor.”
EXCERPTS OF AICPA REPORT
Management override is very difficult to detect. In considering the risk of management override of [reporting processes], the [investors] will set aside any beliefs about the integrity of [the sponsor] because override is most often committed by “good executives gone bad,” rather than consistently dishonest people. Appropriate skepticism by [investors] is essential to their assessment of the risk of management override of [reporting processes].
[The AICPA noted that]: Discovered frauds perpetrated by employees took a median of 12 months to detect. Discovered frauds perpetrated by owners and executives, however, took a median of 24 months to detect.…it can be helpful to ponder the questions in [the] appendix related to the three elements of the “fraud triangle:” incentives or pressures, opportunities, and attitudes or rationalizations.
Risk of Sponsor
Even though [processes] over financial reporting (hereinafter referred to as internal control or simply as controls) may appear to be well-designed and effective, [processes] that are otherwise effective can be overridden by [the sponsor] in every entity. Many financial statement frauds have been perpetrated by intentional override by [sponsors] of what might otherwise appear to be effective [processes]. Indeed, with very few exceptions, most of the major fraud cases in the past 50 years that had catastrophic results for the organization were perpetrated by senior members of management circumventing or overriding seemingly sound [processes].
Because [the sponsor] is primarily responsible for the design, implementation, and maintenance of [reporting processes], the entity is always exposed to the danger of [sponsor} override of controls, whether the entity is publicly held, private, not-for-profit, or governmental. When the opportunity to override internal control is combined with powerful incentives to meet accounting objectives, [sponsors] may engage in fraudulent financial reporting. Thus, otherwise effective [reporting processes] cannot be relied upon to prevent, detect, or deter fraudulent financial reporting perpetrated by [sponsors].
How it May Occur
Management may override controls to intentionally misstate the nature and timing of revenue or other transactions by:
(1) recording fictitious business events or transactions or changing the timing of recognition of legitimate transactions, particularly those recorded close to the end of an accounting period;
(2) establishing or reversing reserves to manipulate results, including intentionally biasing assumptions and judgments used to estimate account balances; and
(3) altering records and terms related to significant or unusual transactions.
Skepticism
An effective starting point for the [the investor] in assessing fraud risk is the exercise of an appropriate level of skepticism when considering the risk of [sponsor] override of [reporting processes]. [Investors should continue to] maintain an appropriate level of skepticism, strengthening [their] understanding of the business and brainstorming about fraud risks. An antifraud specialist, working with the [investor], can often enhance the effectiveness of the brainstorming session. [An effective] brainstorming session includes a consideration of known external and internal factors affecting the entity that might (1) create incentives or pressures for [the sponsor] and others to commit fraud, (2) provide the opportunity for fraud to be perpetrated, and (3) indicate a culture or environment that enables [the sponsor or it’s employees] to rationalize committing fraud. An attitude that includes a questioning mind…setting aside any prior positive beliefs regarding the honesty and integrity of management increases the usefulness of the discussion.
Skepticism is an attitude that acknowledges that fraud risks, including the risk of management override, exist in every entity. An appropriate level of [investor] skepticism requires alertness to potential fraud risk factors and a willingness to ask sometimes difficult and perhaps even embarrassing questions. Appropriate skepticism by [investors] is essential to their assessment of the risk of management override of [reporting processes].
Business Knowledge
The identification of fraud-related incentives or pressures, opportunities, and attitudes or rationalizations begins with each [investor] obtaining a solid and complete understanding of the business. Those threats or risks include competition, capital constraints, major customer or vendor loss, production issues, economic downturn, or regulatory change. They too may create incentives or pressures for engaging in fraud. Unrealistic performance expectations, real or perceived, have too often been the catalyst for financial statement fraud at remote or relatively small business units. Information obtained by the [investor] about differences in the financial reporting cultures across different units may signal areas within the company where fraud risks may be heightened.
Summary
The risk of management override of internal control is present in every entity. Although the best practices guidance provided in this document cannot guarantee that the [investor] will prevent, deter, or detect fraud through [sponsor] override of internal control, the implementation of these suggestions will result in more effective [investor] oversight of [sponsors].
Comments