Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
5508 Management Override of Controls
Jun-2020
In This Section
Management override of controls
Review of accounting estimates
Evaluating business rationale for significant unusual transactions
Overview
This topic explains:
- Our requirement to treat the risk of management override as significant.
- The required audit procedures to respond to the risk of management override of controls.
CAS Requirement
Management is in a unique position to perpetrate fraud because of management’s ability to manipulate accounting records and prepare fraudulent financial statements by overriding controls that otherwise appear to be operating effectively. Although the level of risk of management override of controls will vary from entity to entity, the risk is nevertheless present in all entities. Due to the unpredictable way in which such override could occur, it is a risk of material misstatement due to fraud and thus a significant risk (CAS 240.32).
OAG Guidance
The impact and potential for management override of internal controls on the audit depend to a great extent on the integrity, attitude, and motives of the individual. As in any other audit, exercise professional skepticism and neither assume that the individual is dishonest nor assume unquestioned honesty. Management override is an important factor to be considered when assessing audit risk, planning the nature and extent of audit work, evaluating audit evidence, and assessing the reliability of management representations.
Procedures to address the risk of management override are performed on every audit, and include:
- Examining journal entries and other adjustments (refer to OAG Audit 5509)
- Reviewing accounting estimates for biases
- Evaluating the business rationale for significant unusual transactions
CAS Requirement
Irrespective of the auditor’s assessment of the risks of management override of controls, the auditor shall design and perform audit procedures to (CAS 240.33):
a) Test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements. In designing and performing audit procedures for such tests, the auditor shall: (See OAG Audit 5509 for more guidance on journal entries)
i) Make inquiries of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments;
ii) Select journal entries and other adjustments made at the end of a reporting period; and
iii) Consider the need to test journal entries and other adjustments throughout the period.
b) Review accounting estimates for biases and evaluate whether the circumstances producing the bias, if any, represent a risk of material misstatement due to fraud. In performing this review, the auditor shall:
i) Evaluate whether the judgments and decisions made by management in making the accounting estimates included in the financial statements, even if they are individually reasonable, indicate a possible bias on the part of the entity’s management that may represent a risk of material misstatement due to fraud. If so, the auditor shall re-evaluate the accounting estimates taken as a whole
ii) Perform a retrospective review of management judgments and assumptions related to significant accounting estimates reflected in the financial statements of the prior year
c) For significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual given the auditor’s understanding of the entity and its environment and other information obtained during the audit, the auditor shall evaluate whether the business rationale (or the lack thereof) of the transactions suggests that they may have been entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets. (See the block below on Evaluating business rationale for significant unusual transactions for more guidance)
CAS Guidance
The preparation of the financial statements requires management to make a number of judgments or assumptions that affect significant accounting estimates and to monitor the reasonableness of such estimates on an ongoing basis. Fraudulent financial reporting is often accomplished through intentional misstatement of accounting estimates. This may be achieved by, for example, understating or overstating all provisions or reserves in the same fashion so as to be designed either to smooth earnings over two or more accounting periods, or to achieve a designated earnings level in order to deceive financial statement users by influencing their perceptions as to the entity’s performance and profitability (CAS 240.A46).
The purpose of performing a retrospective review of management judgments and assumptions related to significant accounting estimates reflected in the financial statements of the prior year is to determine whether there is an indication of a possible bias on the part of management. It is not intended to call into question the auditor’s professional judgments made in the prior year that were based on information available at the time (CAS 240.A47).
A retrospective review is also required by CAS 540. That review is conducted as a risk assessment procedure to obtain information regarding the effectiveness of management’s previous accounting estimates, audit evidence about the outcome, or where applicable, their subsequent re‑estimation to assist in identifying and assessing the risks of material misstatement in the current period, and audit evidence of matters, such as estimation uncertainty, that may be required to be disclosed in the financial statements. As a practical matter, the auditor’s review of management judgments and assumptions for biases that could represent a risk of material misstatement due to fraud in accordance with this CAS may be carried out in conjunction with the review required by CAS 540 (CAS 240.A48).
OAG Guidance
For specific OAG guidance on testing accounting estimates see OAG Audit 7070.
CAS Requirement
Irrespective of the auditor’s assessment of the risks of management override of controls, the auditor shall design and perform audit procedures (as follows) (CAS 240.33):
c) For significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual given the auditor’s understanding of the entity and its environment and other information obtained during the audit, the auditor shall evaluate whether the business rationale (or the lack thereof) of the transactions suggests that they may have been entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets.
CAS Guidance
Indicators that may suggest that significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual, may have been entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets include (CAS 240.A49):
- The form of such transactions appears overly complex (for example, the transaction involves multiple entities within a consolidated group or multiple unrelated third parties).
- Management has not discussed the nature of and accounting for such transactions with those charged with governance of the entity, and there is inadequate documentation.
- Management is placing more emphasis on the need for a particular accounting treatment than on the underlying economics of the transaction.
- Transactions that involve non-consolidated related parties, including special purpose entities, have not been properly reviewed or approved by those charged with governance of the entity.
- The transactions involve previously unidentified related parties or parties that do not have the substance or the financial strength to support the transaction without assistance from the entity under audit.
OAG Guidance
For related guidance on transactions outside the entity’s normal course of business see OAG Audit 7532.
OAG Guidance
These accounts have frequently been used to record fraudulent entries throughout the year. Potential indicators of fraud risk for such accounts include: unclear business purpose, inadequate controls over entries to accounts, failure to reconcile intercompany/related party accounts, failure to monitor suspense/clearing/holding accounts, adjusting balances to zero at year-end, ensure items clear on a timely basis, unusually high balances and numbers of transactions, and other conditions inconsistent with our understanding of the entity and its environment and the use of the accounts in question.
CAS Requirement
The auditor shall determine whether, in order to respond to the identified risks of management override of controls, the auditor needs to perform other audit procedures in addition to those specifically referred to in CAS 240.32 (that is, where there are specific additional risks of management override that are not covered as part of the procedures performed to address the requirements in CAS 240.33) (CAS 240.34).