Management may soon face more skeptical audit committees as accounting experts offer new advice on when a management decision to override internal controls could be a red flag for fraud.

The American Institute of Certified Public Accountants has issued new guidance for audit committees that describes six key measures committees should take to help guard against instances where fraud is hidden by management decisions that otherwise seem legitimate. AICPA’s Antifraud Programs and Controls Task Force issued the guidance to help sensitize audit committees to their role as an important gatekeeper in preventing fraud.

Morrow

“The problem is that audit committees have not been so sensitive to this before,” said John Morrow, AICPA vice president. “Clearly Sarbanes-Oxley has taken the sensitivity to a new level, but this is a tool to help them do a better job of detecting and preventing fraud.”

Edwards

Management override of internal controls is the toughest kind of fraud to detect and prevent, says Paul Edwards, an attorney and chair of the Securities Law Group of McDonald Hopkins. “Management is most responsible in corporate America today for designing and establishing the internal controls,” Edwards said. “It’s hard to prevent fraud in that circle.”

That would explain AICPA’s title for the document: “Management Override of Internal Controls: The Achilles’ Heel of Fraud Prevention – The Audit Committee and Oversight of Financial Reporting.”

Wagner

The advice may leave management and audit committee members alike shifting uncomfortably in their chairs, says Stephen Wagner, co-chair of the Sarbanes-Oxley steering committee for Deloitte Touche. “It’s an uncomfortable subject, almost accusatory,” he said. “The audit committee may feel uncomfortable playing the role of the healthy skeptic, but it’s vital.”

Where a given company’s audit committee decides to adopt the advice, here is what management can expect from the audit committee:

Skepticism

Management may face more skeptical questions about their decisions to override internal controls. AICPA says an open display of skepticism in itself can be a deterrent to management override.

More Data, Please

Committee members will seek a better understanding of the business so they can be more aware of fraud risks when evaluating press releases, analysts’ forecasts and reports, and financial reports to shareholders.

Seeking Whistleblowers

The audit committee will want to encourage a culture in which employees see whistleblowing as valuable to their workplace and their own future. “It’s the No. 1 method of catching fraud at the management level,” said Morrow.

Greater Access

The audit committee won’t rely solely on management for information about the business. They’ll reach out to internal and external auditors, the compensation committee and even key employees for information. They may regard inconsistencies as suspicious.

In Code Mode

Audit committees may cite the company’s code of conduct more often in assessing management’s response when faced with the pressure or opportunity to commit fraud.

The AICPA document also advises audit committees to brainstorm among themselves the potential for fraud, examining whistleblower tips, risk assessments from outside auditors and any specific risks or concerns among committee members.

Morrow acknowledged that there are times when it is legitimate for management to override internal controls, but management must be prepared to answer the inevitable questions.

“In some companies management will be very open” to challenges and questions about their management decisions, Morrow said. “In other places, management will be defensive. In spite of that, this needs to be done. The audit committee has to be prepared to challenge those things. That’s their job.”

AICPA says the advice applies not just to public companies, but in varying degrees to private companies, not-for-profits, and government agencies as well.

The complete document is available from the box above, right.