What is management override of controls?

Management override of controls is the deliberate circumvention of internal controls by those with the authority to do so — typically senior management or directors. Unlike a control deficiency (where a control is missing or broken), override means the control exists and works, but someone in a position of power chooses to bypass it.

ISA 240.31 establishes management override as a presumed risk of material misstatement due to fraud on every audit. This presumption cannot be rebutted, regardless of the entity's size, industry, governance structure, or the apparent strength of its control environment. The rationale is straightforward: management is uniquely positioned to manipulate records, instruct staff, override system controls, and alter assumptions in ways that other employees cannot.

Because the risk is presumed and non-rebuttable, ISA 240.32–34 prescribes three mandatory audit procedures that must be performed on every engagement, regardless of the auditor's assessment of other fraud risk factors.

Key Points

  • Presumed risk — cannot be rebutted. Management override is a fraud risk on every audit under ISA 240.31, regardless of the quality of the control environment.
  • Three mandatory procedures. Journal entry testing, review of accounting estimates for bias, and evaluation of significant unusual transactions (ISA 240.32–34).
  • Distinct from control deficiency. Override means the control works but is deliberately bypassed. A control deficiency means the control does not exist or does not operate effectively.
  • Management's unique position. Management can direct employees, process transactions, alter records, and override system-enforced controls in ways that other personnel cannot.

Why it matters in practice

Worked example: Vermeer Engineering

Vermeer Engineering BV is an infrastructure contractor with EUR 85 million in revenue. The engagement team performs the three mandatory procedures required by ISA 240.32–34:

1. Journal entry testing (ISA 240.32a). The team obtains the complete journal entry population for the year (14,200 entries). They apply risk-based selection criteria: entries posted outside business hours, entries made by senior management, entries with round amounts above EUR 50,000, and entries posted to unusual account combinations (e.g., revenue credited against provisions). The selection yields 85 entries for testing. The team traces each to supporting documentation, verifies the business rationale, and confirms appropriate authorisation. Three entries are flagged, including a EUR 180,000 manual revenue accrual posted by the CFO on 30 December with no supporting contract documentation.

2. Accounting estimate review (ISA 240.33). The team performs a retrospective review of prior-year estimates to identify potential bias. They compare the 2024 provision for contract losses (EUR 2.1 million) against the actual outcomes in 2025. The provision was consistently understated by 15–25% over the past three years, suggesting an optimistic bias. The team also evaluates the current-year assumptions for the percentage-of-completion method on long-term contracts, challenging the estimated costs to complete against historical performance on similar projects.

3. Significant unusual transactions (ISA 240.34). The team identifies a EUR 3.2 million transaction in which Vermeer sold construction equipment to a newly incorporated entity and simultaneously leased it back. The purchasing entity shares a director with Vermeer. The team evaluates the business rationale: the sale generated a gain of EUR 900,000 recognised in Q4, and the leaseback terms are above market rate. The team concludes the transaction lacks clear commercial substance and discusses the implications with those charged with governance.
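The risk-based journal entry selection from step 1 above, written out as an added example that is not part of this page or of any audit firm's tooling. The sample entries, the preparer roles treated as senior management, the business-hours window, and the definition of a "round" amount are constructed assumptions; only the EUR 50,000 threshold and the four criteria come from the worked example.

```python
# Added example: select journal entries for testing using the four criteria
# from the Vermeer worked example. Sample data and helper definitions are
# constructed, not taken from any real ledger.
from dataclasses import dataclass
from datetime import datetime


@dataclass
class JournalEntry:
    entry_id: str
    posted_at: datetime
    preparer: str
    amount: float
    debit_account: str
    credit_account: str
    manual: bool


SENIOR_MANAGEMENT = {"CFO", "CEO"}           # assumed preparer roles of interest
ROUND_THRESHOLD = 50_000                     # page: round amounts above EUR 50,000
UNUSUAL_PAIRS = {("Provisions", "Revenue")}  # (debit, credit) pairs lacking a normal rationale


def risk_flags(e: JournalEntry) -> list[str]:
    """Return the selection criteria an entry trips (empty list = not selected)."""
    flags = []
    # Assumed business hours: Monday to Friday, 08:00 to 18:00.
    if e.posted_at.weekday() >= 5 or not 8 <= e.posted_at.hour < 18:
        flags.append("outside_hours")
    if e.preparer in SENIOR_MANAGEMENT:
        flags.append("senior_management")
    # "Round" is assumed to mean a whole multiple of EUR 1,000, strictly above the threshold.
    if e.amount > ROUND_THRESHOLD and e.amount % 1_000 == 0:
        flags.append("round_amount")
    if (e.debit_account, e.credit_account) in UNUSUAL_PAIRS:
        flags.append("unusual_accounts")
    return flags


def select_for_testing(entries):
    """Map entry_id -> flags for every entry meeting at least one criterion."""
    return {e.entry_id: f for e in entries if (f := risk_flags(e))}


# Constructed sample population; JE-002 mirrors the CFO accrual described on the page.
SAMPLE = [
    JournalEntry("JE-001", datetime(2025, 3, 12, 10, 15), "AP clerk", 12_345.67, "Purchases", "Trade payables", False),
    JournalEntry("JE-002", datetime(2025, 12, 30, 22, 40), "CFO", 180_000.0, "Accrued revenue", "Revenue", True),
    JournalEntry("JE-003", datetime(2025, 6, 30, 16, 0), "Controller", 75_000.0, "Provisions", "Revenue", True),
    JournalEntry("JE-004", datetime(2025, 12, 31, 9, 30), "AR clerk", 50_000.0, "Bank", "Trade receivables", False),
]

if __name__ == "__main__":
    for entry_id, flags in select_for_testing(SAMPLE).items():
        print(entry_id, ", ".join(flags))
```

Note that JE-004 sits exactly at the threshold and is not selected, which is the kind of boundary an inspector will ask the team to justify when the criteria are documented.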

Override vs control deficiency

The distinction between management override and a control deficiency is fundamental to understanding why override is treated as a fraud risk rather than a control risk:

  • Control deficiency: The three-way match control for purchase invoices is not operating because the system was misconfigured after a software upgrade. Invoices are being processed without matching to purchase orders and goods receipts. This is an unintentional gap — the control was designed but is not working.
  • Management override: The three-way match control is operating effectively for all transactions, but the CFO instructs the accounts payable team to process a specific invoice without a purchase order, overriding the system control with a manual authorisation code. The control works — it was deliberately bypassed by someone with the authority to do so.

This is why management override cannot be addressed through testing controls alone. The controls may be perfectly designed and operating effectively, and override can still occur. The three mandatory procedures in ISA 240.32–34 are designed to detect the traces that override leaves behind: unusual journal entries, biased estimates, and transactions that lack commercial substance.

What reviewers catch

Management override procedures are scrutinised in every regulatory inspection. Common deficiencies include:

  • Journal entry testing was superficial. The auditor selected entries using only one criterion (e.g., entries above a monetary threshold) without considering other risk indicators such as timing, preparer, account combinations, or manual versus automated entries.
  • No retrospective review of estimates. The auditor reviewed current-year estimates but did not perform a look-back comparison of prior-year estimates against actual outcomes to identify potential management bias, as required by ISA 240.33.
  • Significant unusual transactions not evaluated. The file contained evidence of related party transactions or year-end transactions outside the normal course of business, but the auditor did not evaluate their business rationale or consider whether they were entered into to engage in fraudulent financial reporting.
  • Procedures performed but not linked to the fraud risk. The file documented the three procedures but did not explain how the results addressed the risk of management override specifically, treating them as a compliance checklist rather than a substantive response to a fraud risk.

Key standard references

  • ISA 240.31: The presumption that management override of controls is a risk of material misstatement due to fraud, regardless of the auditor's assessment of the risks of management override.
  • ISA 240.32: Testing the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements.
  • ISA 240.33: Reviewing accounting estimates for biases and evaluating whether the circumstances producing the bias represent a risk of material misstatement due to fraud.
  • ISA 240.34: Obtaining an understanding of the business rationale for significant transactions that are outside the normal course of business or that otherwise appear unusual.
  • ISA 240.A44–A51: Application guidance on the three mandatory procedures, including criteria for selecting journal entries and indicators of estimate bias.

Frequently asked questions

Why can the presumption of management override not be rebutted?

Management is in a unique position: it can direct employees to process transactions, override automated controls, instruct staff to record entries, or manipulate assumptions in accounting estimates. These actions bypass the normal control environment entirely. Because the ability to override exists regardless of how strong the controls are, ISA 240.31 treats it as a presumed risk that cannot be eliminated. Even an entity with an excellent control environment has this risk — the controls work only as long as those with authority choose not to circumvent them.

What are the three mandatory procedures for management override?

ISA 240.32–34 requires three specific procedures on every audit: (1) testing the appropriateness of journal entries and other adjustments made in preparing the financial statements, (2) reviewing accounting estimates for bias that could result in material misstatement due to fraud, and (3) evaluating the business rationale for significant unusual transactions. These are minimum requirements — the auditor may perform additional procedures depending on the assessed risk.

What is the difference between management override and a control deficiency?

A control deficiency means a control does not exist or does not work as designed — it is a gap in the system. Management override means the control exists and works, but someone with authority deliberately circumvents it. The distinction is intent: a control deficiency is typically an unintentional design or implementation failure, while override is a deliberate act to bypass functioning controls. This is why management override is classified as a fraud risk, not a control risk.