What is management override of controls?

Override is different from a control deficiency. A control deficiency means the control doesn't work as intended. Override means management deliberately circumvents a control that does work. The control environment can be well designed and operating effectively, and override can still occur — because the person bypassing the control is the person who has the authority to do so.

ISA 240.31 establishes management override as the only presumed fraud risk the auditor cannot rebut. Unlike the revenue recognition presumption under ISA 240.26, which can be rebutted with documented justification, the override presumption applies on every engagement without exception. The rationale is that management is uniquely positioned to manipulate records, instruct staff, override system-enforced controls, and alter assumptions in estimates.

ISA 240.32–33 require four responses: test journal entries and other adjustments, review accounting estimates for biases that could indicate fraud, evaluate significant unusual transactions, and determine whether additional procedures are needed. These are not optional. They apply regardless of the entity's size, industry, or the apparent strength of its governance.

Key Points

  • Management override is a presumed risk on every engagement, with no option to rebut.
  • The auditor must test journal entries, review estimates for bias, evaluate unusual transactions, and consider additional procedures.
  • A well-designed control environment does not eliminate override risk; it only changes where to look.
  • Failure to document the override response procedures is among the most common inspection findings.

Why it matters in practice

Worked example: Müller Verpackung GmbH

Client: German packaging manufacturer, FY2024, revenue €85M, HGB. CEO has significant influence with no independent CFO. Supervisory board meets twice per year.

Journal entry testing: The team obtains the complete SAP population of 12,340 entries and selects 47 using ISA 240.A44 criteria — entries posted outside business hours, entries by senior management, entries to unusual account combinations, and round-amount entries above €25,000. The selection targets fraud characteristics, not just size.

Estimate bias analysis: Retrospective review of the warranty provision reveals a consistent understatement. Historical claim rate data supports a provision of €820K, but management recorded €650K — an understatement of €170K. The team evaluates whether the directional pattern indicates bias under ISA 240.32(b).

Unusual transaction evaluation: In December, the entity recorded an intercompany sale of €1.4M to a related party. No independent valuation was prepared. The team obtains comparable market data and concludes the price falls within a reasonable range, but documents the basis for that conclusion and the absence of an independent valuation.

The warranty finding is reported to those charged with governance per ISA 240.40. The file shows the four required responses as an integrated assessment of override risk, not as isolated checklist items.

What reviewers get wrong

The FRC's 2023 inspection report found journal entry tests where selection criteria were too narrow — threshold-only selection that missed entries with fraud characteristics. ISA 240.A44 requires criteria based on fraud indicators (timing, preparer, account combinations), not just monetary size.

Teams also treat the ISA 240.32 requirements as isolated procedures rather than an integrated response. A pattern of small journal entries adjusting the same estimate goes undetected when each entry falls below the individual testing threshold but the cumulative effect is material.
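The selection criteria from the worked example and the cumulative pattern described above can be combined in one pass over the journal population. The following is an added example, not part of the original page or any audit methodology; field names, user IDs, account names, business hours, the aggregate level and the sample rows are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Every name, threshold and sample row here is constructed for illustration.
ENTRY_THRESHOLD = 25_000         # round-amount level from the worked example,
                                 # reused (assumption) as the per-entry testing threshold
CUMULATIVE_THRESHOLD = 100_000   # assumed aggregate level that warrants follow-up
BUSINESS_HOURS = range(7, 19)    # assumed 07:00-18:59, Monday to Friday
SENIOR_USERS = {"ceo", "fin_head"}                    # assumed user IDs
UNUSUAL_PAIRS = {("warranty_provision", "revenue")}   # assumed debit/credit pairs
ESTIMATE_ACCOUNTS = {"warranty_provision"}            # assumed estimate accounts

def flags(entry):
    """Return the fraud-characteristic flags that apply to one journal entry."""
    posted = datetime.fromisoformat(entry["posted"])
    out = []
    if posted.weekday() >= 5 or posted.hour not in BUSINESS_HOURS:
        out.append("outside_hours")
    if entry["user"] in SENIOR_USERS:
        out.append("senior_poster")
    if (entry["debit"], entry["credit"]) in UNUSUAL_PAIRS:
        out.append("unusual_accounts")
    if entry["amount"] > ENTRY_THRESHOLD and entry["amount"] % 1000 == 0:
        out.append("round_amount")
    return out

def select_entries(entries):
    """Map entry id -> flags for every entry with at least one flag."""
    return {e["id"]: f for e in entries if (f := flags(e))}

def cumulative_hits(entries):
    """Estimate accounts where sub-threshold entries add up past the aggregate level."""
    totals = defaultdict(int)
    for e in entries:
        if e["amount"] <= ENTRY_THRESHOLD:
            for acct in {e["debit"], e["credit"]} & ESTIMATE_ACCOUNTS:
                totals[acct] += e["amount"]
    return {a: t for a, t in totals.items() if t > CUMULATIVE_THRESHOLD}

SAMPLE = [  # constructed entries, not client data
    {"id": 1, "posted": "2024-12-28T23:40:00", "user": "clerk1",
     "debit": "receivables", "credit": "revenue", "amount": 12_400},
    {"id": 2, "posted": "2024-12-16T10:05:00", "user": "ceo",
     "debit": "warranty_provision", "credit": "revenue", "amount": 50_000},
    {"id": 3, "posted": "2024-11-12T11:00:00", "user": "clerk1",
     "debit": "inventory", "credit": "payables", "amount": 8_310},
] + [
    {"id": 10 + i, "posted": f"2024-12-{2 + i:02d}T14:00:00", "user": "clerk2",
     "debit": "warranty_provision", "credit": "cost_of_sales", "amount": 24_000}
    for i in range(5)  # five weekday entries, each below the per-entry threshold
]
```

On the sample, the five 24,000 entries carry no individual flag, yet `cumulative_hits` surfaces the warranty provision account because together they total 120,000.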

Management override vs management bias

| Dimension | Management override | Management bias |
|---|---|---|
| What it means | Deliberate circumvention of controls | Consistent directional tendency in judgment |
| Intent | Fraudulent intent present | May or may not involve intent |
| ISA reference | ISA 240.31–33 (presumed fraud risk) | ISA 540.21 (indicator of possible bias) |
| Auditor response | Four mandatory procedures | Retrospective review, evaluate range for directional pattern |

Key standard references

  • ISA 240.31: Presumed risk of material misstatement due to fraud from management override — non-rebuttable.
  • ISA 240.32(a): Test journal entries and other adjustments made in preparing the financial statements.
  • ISA 240.32(b): Review accounting estimates for biases that could result in material misstatement due to fraud.
  • ISA 240.32(c): Evaluate the business rationale for significant unusual transactions.
  • ISA 240.33: Determine whether additional audit procedures are needed to respond to override risk.
  • ISA 240.A44: Application guidance on criteria for selecting journal entries for testing.

Frequently asked questions

Can the auditor rebut the presumption of management override risk?

No. Unlike the revenue recognition fraud risk presumption under ISA 240.26, management override under ISA 240.31 is a non-rebuttable presumed risk on every engagement.

What are the four mandatory responses to management override?

Test journal entries and other adjustments (ISA 240.32(a)), review accounting estimates for bias (ISA 240.32(b)), evaluate significant unusual transactions (ISA 240.32(c)), and determine whether additional procedures are needed (ISA 240.33).