Limitations of Internal Control
Internal control, no matter how well designed, implemented and conducted, can provide only reasonable assurance to management and the board of directors of the achievement of an entity’s objectives. The likelihood of achievement is affected by limitations inherent in all systems of internal control. These include the realities that human judgment in decision making can be faulty, external events outside the organization’s control may arise, and breakdowns can occur because of human failures such as making errors. Additionally, controls can be circumvented by two or more people colluding, and because management can override the system of internal control
Internal control has been viewed by some observers as ensuring that an entity will not fail—that is, the entity will always achieve its operations, reporting, and compliance objectives. In this sense, internal control sometimes is looked upon as a cure-all for all real and potential business ills. This view is misguided. Internal control is not a panacea
In considering limitations of internal control, two distinct concepts must be recognized. The first set of limitations acknowledges that certain events or conditions are simply beyond management’s control. The second acknowledges that no system of internal control will always do what it is designed to do. The best that can be expected in any system of internal control is that reasonable assurance be obtained, which is the focus of this chapter. Second, internal control cannot provide absolute assurance for any of the objective categories
The first set of limitations acknowledges that certain events or conditions are simply outside management’s control. The second acknowledges that no system of internal control will always do what it is designed to do. The best that can be expected in any of system of internal control is that reasonable assurance be obtained, which is the focus of this chapter.
Reasonable assurance does not imply that systems of internal control will frequently fail. Many factors, individually and collectively, serve to strengthen the concept of reasonable assurance. Controls that support multiple objectives or that effect multiple principles within or across components reduce the risk that an entity may not achieve its objectives. Furthermore, the normal, everyday operating activities and responsibilities of people functioning at various levels of an organization are directed at achieving the entity’s objectives. Indeed, it is likely that these activities often apprise management about the process toward the entity’s operations objectives, and also support the achievement of compliance and reporting objectives. However, because of the inherent limitations discussed here, there is no guarantee that, for example, an uncontrollable event, mistake, or improper incident could never occur. In other words, even an effective system of internal control may experience failures. Reasonable assurance is not absolute assurance
Preconditions of Internal Control
The Framework specifies several areas that are part of the management process but not part of internal control. Two such areas relate to the governance process that extends the board’s role beyond internal control and establishing objectives as a precondition to internal control. There is a dependency established on these areas, among others, to also be effective. For example, an entity’s weak governance processes for selecting, developing, and evaluating board members may limit its ability to provide appropriate oversight of internal control. Similarly, ineffective strategy-setting or objective-setting processes would challenge the entity’s ability to identify poorly specified, unrealistic, or unsuitable objectives. A system of internal control cannot encompass all activities undertaken by the entity, and weaknesses in these areas may impede the organization from having effective internal control.
Judgment
The effectiveness of internal control is limited by the realities of human frailty in the making of business decisions. Such decisions must be made with human judgment in the time available, based on information at hand, subject to management biases, and under the pressures of the conduct of business. Some decisions based on human judgment may later, with the clarity of hindsight, be found to produce less than desirable results, and may need to be changed.
External Events
Internal control, even effective internal control, operates at different levels for different objectives. For objectives relating to the effectiveness and efficiency of an entity’s operations—achieving its mission, value propositions (e.g., productivity, quality, and customer service), profitability goals, and the like—internal control cannot provide reasonable assurance of the achievement when external events may have a significant impact on the achievement of objectives and the impact cannot be mitigated to an acceptable level. In these situations, internal control can only provide reasonable assurance that the organization is aware of the entity’s progress, or lack of it, toward achieving such objectives.
Management Override
Even an entity with an effective system of internal control may have a manager who is willing and able to override internal control. The term “management override” is used here to mean overruling prescribed policies or procedures for illegitimate purposes with the intent of personal gain or an enhanced presentation of an entity’s performance or compliance. A manager of a division or operating unit, or a member of senior management, might override the control for many reasons such as to:
Override practices include deliberately making misrepresentations to bankers, lawyers, accountants, and vendors, and intentionally issuing false documents such as purchase orders and sales invoices.
Management override should not be confused with management intervention, which represents management’s actions to depart from prescribed controls for legitimate purposes. Management intervention is necessary to deal with non-recurring and non-standard transactions or events that otherwise might be handled inappropriately. Provision for management intervention is necessary because no process can be designed to anticipate every risk and every condition. Management’s actions to intervene are generally overt and subject to policies and procedures or otherwise disclosed to appropriate personnel. Actions to override usually are not documented or disclosed, and have the intent to cover up the actions.
Collusion
Collusion can result in internal control deficiencies. Individuals acting collectively to perpetrate and conceal an action from detection often can alter financial or other management information so that it cannot be detected or prevented by the system of internal control. Collusion can occur, for example, between an employee who performs controls and a customer, supplier, or another employee, Sales and/or operating unit management might collude to circumvent controls so that reported results meet budgets or incentive targets.