Testing For Management Override of Internal Controls 1980

Silverspur

I’ve done some SAS 99 research and I know our external auditors are meeting this requirement, however, we need to increase our testing to cover management override internally.
Does anyone have a good example what you are doing at your places of business to test for management override of internal controls?
Here are some things we’ve discussed and are thinking of testing:
(Using ACL)
Obtained extracts of all journal entries and trial balances by month at consolidated level.
Queries/Scripts we plan to run inlcude:

1. Late journal entries posted after the GL closes
2. Run Benford Analysis (2 digits) and investigate incidents above or below the normal distribution.
3. Group all journals by the person(s) entering and authorizing the journal.
   Does anybody have any suggestions of what else we should look for from a journal entry perspective? — Possibly other ways to manipulate revenue or expense outisde of the journal entry process?
   Thanks.

harrywaldron

Hi and welcome I’m more of an IT person, but will share some ideas that might help to mitigate the risk:

1. Use strict autonomy levels for special journal entries or late accounting adjustments, that are outside of normal sources.
2. If any adjustments are made to spreadsheets, use change control and security to publish them from test to production server environments. For example, someone in accounting might work up the final adjustments from all manual and automated sources and then it would be moved from the test directory to production (where it would be read-only for folks that need to know and non-viewable for everyone else).
3. Create formal policies and procedures for the folks in Finance, so that any special adjustments or overrides are documented in writing.
4. Internal Auditors might periodically examine controls directly through interview and observations. Maybe samples could be sequenced by timestamps, so that the latest entries are focal points for examination.