It’s clear that there is a time and place for management to occasionally override a control. Everything in business is not routine, and there are times when special situations require special treatment. It would be silly to prohibit management from ever overriding the policies and procedures that are in place. There has to be guidance in place to direct employees when they may consider overriding controls.
However, it’s important to recognize that the override of controls should be the exception rather than the rule. Employees should be able to circumvent the system only on an infrequent basis, and these instances must be actively monitored to determine if the override process is being abused.
For example, there may be a policy specifying levels of approval before a payment can be issued. What if the person who normally approves the payment is on emergency sick leave and a payment needs to be made? There must be a process for getting an alternate employee to approve the payment. This transaction should then be flagged for later follow-up to determine that the payment was still proper. In this case, there is a need for overriding the normal control, but this is something that should happen infrequently.
There is an obvious dilemma surrounding the problem of override of internal controls. Management must monitor the controls and look for overrides. When management themselves are the ones doing the overrides, who is watching them?
The responsibility usually falls on the owner of a company and the board of directors. The board of directors should be proactively involved in monitoring internal controls and acting when overrides are discovered.
How can the board do this when they’re not involved in the daily operations of a company? One of the most important steps is creating and maintaining a culture of integrity. This means that an ethical corporate culture is continuously supported and exhibited. When unethical behavior is discovered, it must be met with swift action.
Another effective step is creating a whistleblower program that works. Studies have shown that giving employees an anonymous way to report suspicions of fraud is an effective way to detect and prevent fraud. Employees must be educated on what types of things should be reported, including instances of management overriding stated policies and procedures.
In larger companies, internal auditors can often be in a position to see which policies and procedures are being followed, and which are being circumvented. It’s important for companies to allow the internal auditors enough access to give them the opportunity to evaluate compliance with internal controls. They could be one of the best watchdogs companies have.
Some companies severely reduce the access internal auditors have in a deliberate attempt to undermine their function and prevent them from seeing what is really going on. The board of directors should demand access for internal audit employees, and should ensure that internal auditors feel comfortable approaching the board directly with any concerns or problems.
Companies also may rely on their outside auditors and consultants to identify and report instances of overriding internal controls. This shouldn’t be a primary method of detecting override, however, because outside auditors and independent consultants often aren’t around enough to make it likely that they’ll see a lot of misbehavior.