The purpose of internal controls is to provide reasonable assurance about the operating effectiveness of control activities designed and implemented by the board and management of an organization.
Purpose Of Internal Controls: What It Can And Cannot Do
Reasonable assurance means that there remains a probability that internal controls designed and implemented by management will not identify or manage the risks an organization is exposed to. In other words, reasonable assurance means that there is no guarantee that risks will not occur after an internal control system is implemented.
For example, when the external auditors perform an audit of the financial statements of an organization, they provide reasonable assurance. This means that financial information prepared by the organization may still be materially misstated due to either fraud or human error. This happens even in large global corporations. Examples include the American company Enron and the German company Wirecard. Auditors do not provide absolute assurance when performing their audit activities and concluding their work.
Similarly, when the senior management of an organization develops policies and processes, that management intends to provide reasonable assurance toward the achievement of the objectives for which the policies and processes are developed. However, senior management may overlook various factors when preparing policies and procedures, and other factors may be outside its control.
Internal controls have inherent limitations. Internal controls cannot provide absolute assurance.
Inherent Limitations Of Internal Controls
Generally, there are 7 inherent limitations of internal controls.
- Collusion by two or more staff or employees;
- Possibility of human error in performing tasks;
- Override of controls by senior management;
- Poor judgment or decisions taken by senior management;
- Cost-benefit analysis and consideration in the application of controls;
- Unforeseen circumstances such as the occurrence of natural disasters; and
- Untrained staff or lack of training
Design and implementation of internal controls involve human judgment, which may be wrong, resulting in the development of ineffective controls to mitigate the risks and losses.
Let’s discuss some of the inherent limitations of internal controls in further detail.
Internal controls cannot prevent the effects of collusion, which means that two or more employees collaborate to conduct fraud for their personal benefit. Although internal controls may limit the activities of employees, employees may be able to find ways to go around the internal control system by collaborating with others.
For example, an employee may be authorized to enter a transaction voucher into the system but is not allowed to print the cheques. Another employee may be authorized by management to print cheques. If these two employees collaborate to conduct fraud, they can overcome their respective limits and succeed in producing a fake cheque.
Incorrect human judgment may be involved in setting internal controls. Suppose that in an exemplary organization cash is put in the vault because the manager is concerned that cash could be stolen. The manager hires a staff member based on his/her judgment and delegates responsibility to that staff member to look after and manage the cash. There may be a possibility that the manager hired a person with bad character traits or malicious intentions, which could lead to theft.
Failure to Train Employees
Implementation of internal controls requires training of employees to help them understand the processes and procedures to be followed in certain circumstances. Training is a critical means of making internal controls work. Training gives awareness to employees about what they are allowed and not allowed to do. Through training, employees become familiar with upholding internal controls. One of the most basic examples involves account passwords. In an organization, everyone should know their passwords, how to make a strong password, and that passwords should not be shared with anyone.
Management Override Of Controls
Senior management of the organization is given authority and powers by the board of directors to run the daily business affairs of the organization. Because of such authority and power, senior management may override the internal controls. In smaller organizations, internal controls can also be breached by employees who are given specific authority levels. For example, in an owner-managed organization, an employee is given the authority to approve invoices up to $4,000. If the owner goes on vacation and an invoice arrives for $5,000, the employee may be able to override the internal control policy and proceed to approve the invoice for payment.
Case Study: Inherent Limitation Of Internal Controls In Practice
The board of directors of an exemplary organization requests that the financial statements, prepared by the finance department, be free from material misstatement. To achieve this objective, the board hires a qualified finance professional as Chief Financial Officer (CFO) to lead the finance department. The board provides the CFO with a team of finance professionals and other physical resources to run and manage the financial affairs of the organization.
However, hiring a CFO and providing a finance team as well as other physical resources does not mean that the risk of material misstatement in the financial statements is eliminated. The CFO and the finance team may intentionally prepare materially misstated financial statements and present them misleadingly to the board to gain the board’s confidence and trust and personally benefit from the fraudulent activities.
The most effective way to strengthen internal controls is to conduct a review of the current controls in place and conduct a limited amount of testing to determine whether required controls functioned as expected. If it is discovered during the review that controls are not always operating consistently, remediation steps should be documented and implemented. Additional testing for deficient controls should be performed within a few months to determine whether required implementation steps were taken.
Internal controls are designed to create touchpoints within a process that can be evidenced and reviewed, ultimately creating accountability while lowering the risk of fraud, waste, abuse, and simple mistakes.
Management or the Board of Directors is usually in charge of establishing internal controls. They establish internal controls to ensure that an organization’s objectives are met. This could be to meet internal milestones or even external requirements like an audit or industry standards.
Finally, internal controls enable a company to develop metrics for measuring the efficiency and effectiveness of a process. During an internal control review, it may become clear that a process is operating as expected, or that the operating effectiveness of controls has failed. This enables management to determine whether a new process is required to better meet the company’s objectives.