How to Document Management Override Procedures: Journal Entries, Estimates, and Unusual Transactions

Every audit file has a management override section. Most of them look the same: a journal entry sample, a cursory note on estimates, and nothing on unusual transactions. Inspectors know what this looks like because they see it in file after file. The procedures were performed. The documentation doesn't show why the selection criteria were chosen, whether the population was complete, or what the results actually mean for fraud risk.

To document management override procedures under ISA 240, structure your working papers around three mandatory procedures (ISA 240 (Revised) paragraph 32, current standard paragraph 35): journal entry testing with gating steps before selection, retrospective review of accounting estimates for directional bias, and evaluation of significant unusual transactions for business rationale.

Why management override gets its own procedures

ISA 240 treats management override of controls as a presumed risk on every engagement, regardless of what other fraud risks the team identifies. This is not a default that can be rebutted. It applies to every audit, every year, every entity. You cannot conclude that management override is not a risk.

The reason is straightforward. Management is in a unique position to commit fraud because of management's ability to manipulate accounting records and prepare fraudulent financial statements by overriding controls that otherwise appear to be operating effectively (ISA 240.31 Revised). An employee who commits fraud must work around the control system. Management can work through it. The CEO who approves journal entries, the CFO who prepares estimates, the managing director who structures transactions: each of these individuals can use their legitimate authority for illegitimate purposes, and the control system is not designed to prevent the very people who designed it from bypassing it.

Three specific procedures address this risk, each targeting a different mechanism through which management override occurs.

Journal entry testing (ISA 240.49 Revised) targets the recording mechanism: management can post entries that bypass normal approval processes, adjusting balances after controls have operated on the underlying transactions. Estimates review (ISA 240.50-51 Revised) targets the judgment mechanism: management can bias estimates in a direction that serves their interests, knowing that estimates involve inherent uncertainty that makes manipulation difficult to detect. Significant unusual transaction evaluation (ISA 240.52 Revised) targets the structural mechanism: management can create or structure transactions that lack genuine business purpose, using the transaction itself (rather than a journal entry or an estimate) as the vehicle for fraud.

Each procedure has its own working paper section with a distinct structure. They are not interchangeable, and performing one does not substitute for another. An audit file that contains detailed journal entry testing but no estimates review and no unusual transactions evaluation has addressed only one of three required procedures.

Journal entry testing: the 10-step walkthrough

Journal entry testing under ISA 240 is not the same as testing journal entries for completeness under ISA 315 or testing controls over journal entry processing. It is a fraud procedure. The objective is to identify entries that may have been made to record material fraudulent misstatements.

A structured journal entry testing section follows ten steps, organised in three phases: preparation (steps 1-3), design (steps 4-6), and selection and testing (steps 7-10).

The preparation phase starts with understanding how journal entries are initiated, processed, recorded, and corrected at this entity. Document the journal entry process: who can initiate entries, what approval is required, what system controls exist, how corrections and reversals are processed, and whether automated entries exist (ISA 240.35 Revised). This is not a generic description of how ERP systems work. It is a specific description of how this entity processes journal entries in its specific system with its specific approval workflows.

Next, identify controls over journal entries designed to prevent or detect fraud. Document the controls management has established and evaluate their design effectiveness (ISA 240.36 Revised). This informs your selection criteria: if a strong automated control prevents entries without dual approval above a threshold, your testing can focus on entries below that threshold (where the control does not operate) or on manual adjustments that bypass the system entirely.

Then obtain and verify completeness of the journal entry population. This is a gating step. Obtain the full population of journal entries and other adjustments for the entire period (not just year-end). Reconcile the total to the trial balance. Verify period coverage. Confirm extraction from all relevant sub-ledgers and systems. Document the source system, extraction date, and reconciliation (ISA 240.49(b) Revised). This step must be completed and signed off before any selection begins.

The design phase continues with inquiries of financial reporting staff about inappropriate or unusual activity relating to journal entries (ISA 240.49(a) Revised). Then design risk-based selection criteria, split into quantitative criteria (materiality-based thresholds, absolute thresholds, percentage thresholds) and qualitative criteria (specific account combinations, posting times, unusual users, vague descriptions, manual entries, round amounts, entries without supporting documentation). Every criterion must link to a specific fraud risk from the risk register.

The selection and testing phase covers period-end entries (ISA 240.49(c) Revised), throughout-the-period entries if warranted (ISA 240.49(d) Revised), testing of each selected entry against source documentation (ISA 240.48 Revised), and evaluation of results with a conclusion on fraud risk implications.

The three gating steps that prevent the most common deficiency

Steps 1-3 are gating steps. They must be completed and signed off before selection and testing can begin. This structural feature prevents the single most common journal entry testing deficiency: selecting entries from an incomplete population using criteria unconnected to the fraud risk assessment.

The population completeness gate is where most problems start. Regulators consistently find that audit teams test journal entries from a population that covers only part of the period, excludes certain sub-ledgers, or was not reconciled to the trial balance. A population that covers only January through November misses December, which is when the most significant period-end adjustments occur. A population extracted from the general ledger that excludes manual adjustments posted through a separate spreadsheet misses the entries most likely to be used for management override. If the population is incomplete, the testing is unreliable regardless of how well the selection criteria were designed.

The process understanding gate prevents a second common problem: designing selection criteria without knowing how the entity's journal entry system works. If you do not know that the entity processes manual top-side adjustments outside the ERP, you will not include those adjustments in your population. If you do not know that the CFO can post entries below EUR 75,000 without approval, you will not design criteria to target those entries.

The controls identification gate ensures you know what controls exist before you design your fraud-focused selection. If a strong automated control prevents certain types of entries, your selection criteria should focus on areas where controls are weaker or absent. Testing entries that are already well-controlled is less effective than testing entries in areas where controls do not operate.

All three gating steps require sign-off before the team proceeds. If a reviewer finds that selection began before the population was verified as complete, the entire journal entry testing section is unreliable.

Selection criteria: quantitative and qualitative

The selection criteria are split into two categories because they serve different purposes. Both must link to specific fraud risks in the risk register.

Quantitative criteria are threshold-based. Entries above a materiality-based threshold (for example, 0.5x performance materiality), entries in round amounts above a certain size (EUR 50,000), entries that exceed a percentage of account balance. These criteria cast a wide net based on magnitude. They will capture large entries regardless of their characteristics.

Qualitative criteria are pattern-based and fraud-risk-linked. This is where the selection becomes genuinely responsive to fraud risk rather than a mechanical exercise. Here are the most common qualitative criteria, each linked to the fraud risk it addresses:

Entries posted outside business hours (weekends, holidays, after 20:00): relevant when the fraud risk involves concealment through timing, because a person posting fraudulent entries may do so when fewer people are in the office to observe.

Entries by users who do not normally post journal entries: relevant when the fraud risk involves management override by a specific individual. If the CFO typically does not post journal entries but has system access to do so, any entries posted by the CFO warrant selection.

Entries with vague or absent descriptions: relevant when the fraud risk involves concealment through ambiguity. A legitimate journal entry has a clear description. A fraudulent entry may have a vague description or no description at all.

Entries to unusual account combinations: relevant when the fraud risk involves misclassification. An entry that debits revenue and credits an intercompany receivable is an unusual combination that warrants investigation.

Manual entries in a system that is predominantly automated: relevant because manual entries bypass the automated controls that apply to system-generated entries.

Every qualitative criterion must reference a specific fraud risk. "Entries posted on weekends" is a generic criterion. "Entries posted on weekends by [CFO user ID] to accrual accounts, linked to fraud risk of management override through manipulation of period-end accruals" is fraud-risk-linked. The difference is what makes the testing a fraud procedure rather than a data quality exercise.

For firms without data analytics tools, Excel pivot tables, VLOOKUP-based time analysis, and conditional formatting can identify unusual entries effectively. For firms with IDEA, TeamMate Analytics, or comparable tools, full-population analysis is possible, and the tool and parameters used should be documented.

Estimates and bias review: retrospective analysis

The second management override procedure is the retrospective review of accounting estimates (ISA 240.50-51 Revised). This is a fraud procedure, not a routine analytical procedure. The objective is different: you are looking for directional bias, not just accuracy.

A structured estimates review section covers every significant accounting estimate, not just those the team considers "high risk." Common estimates to evaluate: impairment provisions, bad debt allowances, inventory write-downs, warranty provisions, fair value measurements, pension obligations, contingent liabilities, revenue recognition estimates (particularly percentage-of-completion), useful life and depreciation assessments, lease term assessments, and expected credit losses.

For each estimate, the retrospective review documents five elements: the prior-year estimate (amount and key assumptions), the actual outcome (subsequent realisation or re-estimation), the variance (amount, percentage, and direction), a directional bias indicator (was the estimate overstated or understated relative to the actual outcome?), and the cumulative pattern assessment.

The directional bias indicator is the fraud-specific element. An estimate that was EUR 50,000 too high is not inherently suspicious. But an estimate that was EUR 50,000 too high this year, and EUR 40,000 too high last year, and EUR 55,000 too high the year before, shows a consistent pattern of overstatement. If that pattern applies to a revenue accrual, it means the entity has been consistently overstating revenue. If it applies to a provision, it means the entity has been consistently understating expenses. The direction tells you what management's bias might be.

Cumulative pattern assessment across multiple periods

A single year of data tells you very little about bias. A variance between an estimate and the actual outcome could reflect genuine uncertainty, new information that emerged after the estimate was made, or changing economic conditions. You cannot conclude bias from one data point.

ISA 240.51(a) Revised requires you to assess whether, taken individually or together, the differences between estimates and actual outcomes indicate a possible bias by management. This assessment must span at least two periods. Ideally, you would review three or more periods to identify a statistically meaningful pattern.

If management bias indicators are identified, evaluate whether they represent a risk of material misstatement due to fraud (ISA 240.51(a) Revised). If yes, add a new risk to the fraud risk register. If the cumulative pattern is within tolerable thresholds, document the pattern and note it for the estimates-taken-as-a-whole evaluation performed in the completion section (ISA 240.51(b) Revised).

The estimates-taken-as-a-whole evaluation (whether the aggregate pattern across all estimates suggests fraud) is a separate step in the completion sequence. The individual estimate reviews in this section feed that aggregate assessment. A single estimate showing 6% understatement may not be concerning. But if every estimate at the entity shows 4-7% understatement, the aggregate pattern is a fraud indicator even though no individual estimate is alarming.

Significant unusual transactions: business rationale evaluation

The third management override procedure is evaluating significant unusual transactions (ISA 240.52 Revised). These are transactions outside the normal course of business, or that otherwise appear unusual given the auditor's understanding of the entity.

The evaluation asks one core question: does the business rationale (or lack of it) suggest that the transaction was entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets?

What qualifies as "significant unusual"? Related-party transactions with no clear commercial purpose. Large one-off transactions near period-end. Transactions with entities that appear to have no economic substance. Sales followed by immediate returns or reversals. Payments to unusual destinations or newly created entities. Property or asset transfers at prices that differ significantly from independent valuations.

For each transaction, document: what the transaction was, the stated business rationale, what evidence supports that rationale, what evidence contradicts it, whether the terms are consistent with arm's-length conditions, who approved the transaction and at what level of governance, and the conclusion on whether the transaction indicates fraud risk.

If the entity has no significant unusual transactions during the period, document that conclusion with the basis for it. Describe what you considered: did you review the general ledger for unusual counterparties? Did you inquire of management about transactions outside the normal course? Did you review board minutes for approved transactions? A blank working paper section tells a reviewer nothing. A documented "no significant unusual transactions identified based on [procedures performed]" tells a reviewer that the requirement was considered and addressed.

Worked example: Van Houten Vastgoed B.V.

Scenario: Van Houten Vastgoed B.V. is a Dutch real estate management company with revenue of EUR 54M. The entity manages 340 residential properties and 42 commercial units. The CFO has authority to post journal entries up to EUR 100,000 without secondary approval. Total journal entries for the year: 8,700. Key estimates include bad debt provision on tenant receivables (EUR 1.2M) and property impairment provisions (EUR 3.8M across 12 properties). During the year, a portfolio of 28 residential units was sold to a related party.

Journal entry testing:

1. Process understanding (gating): Van Houten uses Exact Online for accounting. The CFO and two accounting staff can initiate journal entries. Entries above EUR 100,000 require managing director approval. Monthly top-side adjustments are processed via a separate spreadsheet and uploaded in bulk. Automated entries include rent invoicing (system-generated monthly) and depreciation (batch run quarterly). Documentation note: "JE process documented. CFO threshold EUR 100,000 without secondary approval. Top-side adjustments uploaded monthly from spreadsheet, not subject to system controls within Exact Online. Automated entries: rent invoicing and depreciation."

2. Controls identification (gating): system-enforced dual approval above EUR 100,000, automated sequential numbering, full audit trail within Exact Online. No system control over the monthly spreadsheet upload. The spreadsheet upload process bypasses the dual-approval control entirely. Documentation note: "Key gap identified: monthly spreadsheet uploads (average 12 entries per month, approximately 142 per year) bypass the EUR 100,000 dual-approval control."

3. Population completeness (gating): full population of 8,700 journal entries extracted from Exact Online covering 1 January to 31 December 2025. Total debits reconciled to trial balance within EUR 12 (rounding). Top-side adjustment spreadsheets obtained separately for all 12 months (142 entries, EUR 4.8M total). Combined population: 8,842 entries. Documentation note: "Population of 8,842 entries verified complete. Reconciled to trial balance (variance EUR 12, rounding). Top-side adjustments (142 entries from monthly spreadsheets) included in population. Extraction date: 18 January 2026. All sub-ledgers confirmed included. Gating sign-off: [preparer], [date]."

4. Selection criteria: quantitative (all entries above EUR 200,000, which is 0.6x performance materiality of EUR 340,000; all entries in round amounts above EUR 50,000) and qualitative (all CFO entries to provision or impairment accounts, linked to fraud risk of management override through estimate manipulation; all entries posted after 20:00 or on weekends, linked to concealment risk; all top-side spreadsheet entries, linked to the uncontrolled upload process identified in gating step 2). Documentation note: "Selection criteria linked to three fraud risks: CFO provision entries (management override of estimates), off-hours entries (concealment), top-side adjustments (uncontrolled process). All criteria reference Tab 4 risk register."

5. Testing: 67 entries selected (23 quantitative, 44 qualitative, with overlap). 64 traced to source documentation with no exceptions. Three CFO entries to the bad debt provision account (EUR 87,000 total) required additional investigation. Source documentation was a management estimate spreadsheet prepared by the CFO without independent input. Independent verification performed: recalculated the bad debt provision using the aged receivables report and historical loss rates (3-year average loss rate of 4.2% applied to each ageing bracket). Recalculated provision: EUR 1.14M versus recorded EUR 1.2M. Difference: EUR 60,000, within tolerable range but directionally consistent with overstatement. No fraud indicator at the individual entry level, but pattern noted for aggregate evaluation in the estimates review. Documentation note: "3 CFO provision entries investigated. Independent recalculation confirmed provision within acceptable range. EUR 60,000 overstatement noted for estimates-taken-as-a-whole assessment."

Estimates review:

1. Bad debt provision: prior-year estimate EUR 980,000. Actual losses in current year: EUR 1,040,000. Variance: EUR 60,000 understatement (6.1%). Direction: management's estimate was too low, meaning actual credit losses exceeded the provision. Two-year-prior data: estimate EUR 890,000, actual EUR 950,000. Variance: EUR 60,000 understatement (6.7%). Cumulative pattern: consistent understatement of credit losses across two periods. Documentation note: "Cumulative understatement pattern identified. Bad debt provision understated by 6-7% in both periods reviewed. Pattern suggests optimistic bias in credit loss estimation. Not individually material (below PM of EUR 340,000) but escalated to estimates-taken-as-a-whole evaluation."

2. Property impairment (Keizersgracht commercial unit, largest single impairment): prior-year provision EUR 420,000. Current-year independent valuation: EUR 410,000 (downward revision of EUR 10,000). Variance: EUR 10,000 understatement (2.4%). Two-year-prior data: provision EUR 380,000, actual write-down required EUR 420,000. Variance: EUR 40,000 understatement (10.5%). Pattern: consistent understatement of impairment provisions across two periods, directionally consistent with the bad debt pattern. Both estimates understate losses. Documentation note: "Property impairment provisions underestimated in both periods (10.5% and 2.4%). Direction consistent with bad debt pattern. Both estimates understate losses or liabilities. Increased scrutiny applied to current-year estimates. Carried to estimates-taken-as-a-whole evaluation."

Significant unusual transactions:

1. Sale of 28 residential units to the managing director's spouse for EUR 2.1M. Independent valuation (obtained by the audit team from a registered valuer): EUR 2.3M. Discount: EUR 200,000 (8.7% below market value). Business rationale stated by management: portfolio restructuring to focus on commercial properties, consistent with the entity's strategic plan approved by the supervisory board in 2024. Team evaluation: the restructuring rationale is plausible (the entity has been increasing commercial unit acquisitions for the past two years, with three commercial units acquired in 2025). However, the 8.7% discount to a related party exceeds normal negotiation range (typical portfolio discounts for bulk residential sales in this market range 3-5% per industry data). Supervisory board approved the sale but minutes show no discussion of the pricing discount or comparison to independent valuation. Documentation note: "Related-party sale at EUR 200,000 below independent valuation. Discount of 8.7% exceeds normal market range of 3-5% for bulk residential sales. Supervisory board approved but pricing not discussed in minutes. Rationale for strategic restructuring is plausible but pricing warrants TCWG communication. Reported under ISA 240.65. IAS 24 disclosure adequacy assessed separately in the related-party working paper."

Practical checklist

1. Verify all three gating steps (process understanding, controls identification, population completeness) are completed and signed off before journal entry selection begins (ISA 240.49 Revised).
2. Link every selection criterion (quantitative and qualitative) to a specific fraud risk in the register. If a criterion cannot be linked to a risk, question whether it belongs in a fraud procedure.
3. For the estimates review, assess cumulative directional patterns across at least two periods, not just the most recent year-on-year variance (ISA 240.51(a) Revised).
4. For significant unusual transactions, document the business rationale evaluation for each transaction separately, including evidence that both supports and contradicts the stated rationale (ISA 240.52 Revised).
5. Complete all three management override procedures. Journal entry testing alone does not satisfy the requirement. All three are mandatory on every engagement.
6. Ensure the journal entry population covers the entire reporting period, including entries from all sub-ledgers, manual adjustments, and top-side entries processed outside the main accounting system.

Common mistakes

• Selecting journal entries using only quantitative criteria (above-materiality entries) without qualitative, fraud-risk-linked criteria. The AFM and FRC have both flagged this as a common deficiency. A materiality threshold alone does not make the selection responsive to the assessed fraud risks at this entity.
• Performing the estimates retrospective review for one year only. ISA 240.51(a) Revised looks for cumulative patterns across multiple periods. A single-year comparison cannot identify directional bias.
• Treating the significant unusual transactions evaluation as a check on disclosure adequacy rather than a fraud procedure. The question is not whether the transaction is properly disclosed under IAS 24 or another standard. The question is whether the business rationale suggests the transaction was entered into to commit or conceal fraud.
• Not documenting "no significant unusual transactions" when none are identified. A blank working paper section does not show that the auditor considered the requirement. A documented conclusion with the procedures performed to reach it does.