What is management override of controls?
Every audit file has the same line item on the fraud risk assessment: management override, presumed, non-rebuttable. Most teams copy the wording from last year (SALY with better narratives, at best) and move on to journal entry testing without stopping to think about what the risk actually means for this client. That's a problem, because override is the one fraud risk where the person committing it has the authority to make everything look normal.
Override is different from a control deficiency. A control deficiency means the control doesn't work as intended. Override means management deliberately circumvents a control that does work. The control environment can be well designed and operating effectively, and override can still happen. The person bypassing the control is the person who has the authority to do so.
ISA 240.31 establishes management override as the only presumed fraud risk the auditor can't rebut. Unlike the revenue recognition presumption under ISA 240.26 (which can be rebutted with documented justification), the override presumption applies on every engagement without exception. Management is uniquely positioned to manipulate records, instruct staff, override system-enforced controls, and alter assumptions in estimates.
ISA 240.32–33 require four responses: test journal entries (JEs) and other adjustments, review accounting estimates for biases that could indicate fraud, evaluate significant unusual transactions, and determine whether additional procedures are needed. These aren't optional. They apply regardless of the entity's size or the apparent strength of its governance.
Key Points
- Management override is a presumed risk on every engagement, with no option to rebut.
- ISA 240.32–33 require four responses: test JEs, review estimates for bias, evaluate unusual transactions, and consider additional procedures.
- A well-designed control environment doesn't eliminate override risk; it only changes where to look.
- Failure to document the override response procedures is among the most common inspection findings.
Why it matters in practice
Worked example: Müller Verpackung GmbH
Client: German packaging manufacturer, FY2024, revenue €85M, HGB. CEO has significant influence with no independent CFO. Supervisory board meets twice per year.
The team starts with JE testing. They obtain the complete SAP population of 12,340 entries and select 47 using ISA 240.A44 criteria: entries posted outside business hours, entries by senior management, entries to unusual account combinations, and round-amount entries above €25,000. The selection targets fraud characteristics, not just size.
For estimate bias, retrospective review of the warranty provision reveals a consistent understatement. Historical claim rate data supports a provision of €820K, but management recorded €650K (an understatement of €170K). The team evaluates whether the directional pattern indicates bias under ISA 240.32(b).
The unusual transaction test focuses on a December intercompany sale of €1.4M to a related party. No independent valuation was prepared. The team obtains comparable market data and concludes the price falls within a reasonable range, but documents the basis for that conclusion and the absence of an independent valuation.
The warranty finding is reported to those charged with governance per ISA 240.40. The file shows the four required responses as an integrated assessment of override risk, not as isolated checklist items. That distinction matters. If your override WPs read like four separate tick-box exercises with no thread connecting them, you haven't responded to the risk; you've just done some ticking and bashing around it.
What reviewers get wrong
The FRC's 2023 inspection report found JE tests where selection criteria were too narrow. Threshold-only selection missed entries with fraud characteristics entirely. ISA 240.A44 requires criteria based on fraud indicators (timing, preparer, account combinations, and posting authority), not just monetary size.
Teams also treat the ISA 240.32 requirements as isolated procedures rather than an integrated response. It's frustrating to see in review, because the whole point is lost. A pattern of small JEs adjusting the same estimate goes undetected when each entry falls below the individual testing threshold but the cumulative effect is material.
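As an added example (not from the page and not the engagement team's working papers), the A44-style selection criteria from the Müller Verpackung worked example combined with the cumulative sub-threshold pattern described above, run over a constructed five-entry population. The posting IDs, account numbers, the pairing treated as unusual and the €100,000 cumulative limit are assumptions; only the €25,000 round-amount criterion comes from the text.

```python
from collections import defaultdict, namedtuple
from datetime import datetime
# Amounts in EUR; account numbers are constructed SAP-style placeholders.
JournalEntry = namedtuple("JournalEntry", "doc_id posted_at user debit_account credit_account amount")
# Assumed parameters (not from the page): senior-management posting IDs, one account
# pairing treated as unusual, the estimate account, and a cumulative materiality limit.
SENIOR_USERS = {"ceo.mueller"}
UNUSUAL_PAIRS = {("400000", "160000")}  # revenue debited directly against cash
ROUND_THRESHOLD = 25_000                # round-amount criterion from the text
ESTIMATE_ACCOUNTS = {"300500": "warranty provision"}
CUMULATIVE_LIMIT = 100_000

def entry_flags(je):
    """Return the fraud characteristics one entry exhibits (ISA 240.A44-style criteria)."""
    flags = []
    t = je.posted_at
    if t.hour < 7 or t.hour >= 19 or t.weekday() >= 5:
        flags.append("outside business hours")
    if je.user in SENIOR_USERS:
        flags.append("posted by senior management")
    if (je.debit_account, je.credit_account) in UNUSUAL_PAIRS:
        flags.append("unusual account combination")
    if je.amount >= ROUND_THRESHOLD and je.amount % 1_000 == 0:
        flags.append("round amount above threshold")
    return flags

def select_entries(population):
    """Per-entry selection, plus the sub-threshold pattern: entries that show nothing
    individually but together move one estimate account by CUMULATIVE_LIMIT or more."""
    selected = {je.doc_id: f for je in population if (f := entry_flags(je))}
    touching = defaultdict(list)
    for je in population:
        for acct in (je.debit_account, je.credit_account):
            if acct in ESTIMATE_ACCOUNTS:
                touching[acct].append(je)
    for acct, entries in touching.items():
        # A debit to a provision reduces it, a credit increases it: net the direction.
        net = sum(e.amount if e.debit_account == acct else -e.amount for e in entries)
        if abs(net) >= CUMULATIVE_LIMIT:
            note = f"cumulative {ESTIMATE_ACCOUNTS[acct]} movement {net:,.0f}"
            for e in entries:
                selected.setdefault(e.doc_id, []).append(note)
    return selected
# Constructed sample population: five entries standing in for the 12,340 in the text.
POPULATION = [
    JournalEntry("1001", datetime(2024, 12, 30, 10, 5), "ap.clerk", "600000", "160000", 4_320.50),
    JournalEntry("1002", datetime(2024, 12, 31, 22, 15), "ceo.mueller", "300500", "690000", 22_300.0),
    JournalEntry("1003", datetime(2024, 12, 27, 14, 0), "controller", "300500", "690000", 48_650.0),
    JournalEntry("1004", datetime(2024, 12, 23, 9, 30), "controller", "300500", "690000", 33_400.0),
    JournalEntry("1005", datetime(2024, 12, 20, 16, 45), "ar.clerk", "400000", "160000", 30_000.0),
]
```

Entries 1003 and 1004 pass every per-entry criterion and would be missed by threshold-only selection; they are picked up only because, together with 1002, they move the warranty provision by €104,350.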
Management override vs management bias
| Dimension | Management override | Management bias |
|---|---|---|
| What it means | Deliberate circumvention of controls | Consistent directional tendency in judgment |
| Intent | Fraudulent intent present | May or may not involve intent |
| ISA reference | ISA 240.31–33 (presumed fraud risk) | ISA 540.21 (indicator of possible bias) |
| Auditor response | Four mandatory procedures | Retrospective review, evaluate range for directional pattern |
Key standard references
- ISA 240.31: Presumed risk of material misstatement due to fraud from management override (non-rebuttable).
- ISA 240.32(a): Test JEs and other adjustments made in preparing the FS.
- ISA 240.32(b): Review accounting estimates for biases that could result in material misstatement due to fraud.
- ISA 240.32(c): Evaluate the business rationale for significant unusual transactions.
- ISA 240.33: Determine whether additional audit procedures are needed to respond to override risk.
- ISA 240.A44: Application guidance on criteria for selecting JEs for testing.
Frequently asked questions
Can the auditor rebut the presumption of management override risk?
No. Unlike the revenue recognition fraud risk presumption under ISA 240.26, management override under ISA 240.31 is a non-rebuttable presumed risk on every engagement.
What are the four mandatory responses to management override?
Test journal entries and other adjustments (ISA 240.32(a)), review accounting estimates for bias (ISA 240.32(b)), evaluate significant unusual transactions (ISA 240.32(c)), and determine whether additional procedures are needed (ISA 240.33).