Understanding internal control systems is essential for any organization as they form the backbone of effective risk management, providing a framework for operational efficiency, financial reliability, and regulatory compliance, despite their inherent limitations.
Internal control refers to processes, policies, and plans designed and developed by the board of directors and implemented at all levels, through senior management of an organization.
A system of internal control consists of operational, financial, and compliance controls. The purpose of such a system is to achieve the objectives of the organization. The internal control system ensures that the business activities are efficiently run, information obtained and produced is reliable and all applicable laws and regulations are complied with by the management and employees of the organization.
A strong internal control system supports the board of directors and senior management of an organization, in the identification, assessment, and mitigation of various types of risks and threats, which may be encountered in the fulfillment of business objectives. Risks to which an organization may be exposed include operational risks, compliance risks, and financial risks. Such risks may relate to different departments, functions, or units within an organization.
An internal control system encompasses the hierarchy, policies, processes, and operating procedures of an organization that taken together facilitates minimizing the chances of occurrence of risks and ensures the effective running of business operations.
Understanding Internal Control Systems
A robust internal control system aims to safeguard physical assets and information from being accessed and used by unauthorized personnel. Assets may be physical assets such as property plant or equipment and intangible assets such as software or patents.
Internal controls system requires the development and maintenance of processes and records that generate timely, relevant, and reliable information and ensure compliance with applicable laws, regulations, and internal policies. An effective internal control system reduces the possibility of significant errors or lapses by management and employees and assists them in their timely detection for appropriate mitigation.
Internal control system varies from organization to organization and is built depending on the size and business requirements of the organization.
Internal controls provide reasonable assurance about the operating effectiveness of control activities designed and implemented by the board and management of an organization.
Reasonable assurance means that there is a likelihood or a probability where internal controls designed and implemented by management, might not identify or manage risks, to which an organization is exposed to. In another way, reasonable assurance means that there is no guarantee that after the implementation of an internal control system, risks shall not occur.
For example, when external auditors perform an audit of the risk management activities of the organization, they provide reasonable assurance which means that risk identification and assessment activities may not be risk-based activities, due to either fraud of management or the occurrence of human error.
Similarly, when the senior management of an organization develops policies and processes, it intends to provide reasonable assurance toward the achievement of the objectives for which policies and processes are developed. Because there may be various factors that might be overlooked or outside the control of senior management when they were preparing policies and procedures.
Internal controls have inherent limitations as well. Internal controls cannot provide absolute assurance. Below are some inherent limitations of internal controls:
- Collusion by two or more staff or employees
- Possibility of human error in performing tasks
- Override of controls by senior management
- Poor judgment or decisions are taken by senior management
- Cost-benefit analysis and consideration in the application of controls
- Unforeseen circumstances such as the occurrence of natural disasters
- Untrained staff or lack of training
Design and implementation of internal controls involve human judgment, which may be wrong, resulting in the development of ineffective controls to mitigate the risks and losses.
Collusion
Internal controls cannot prevent the effects of collusion, where certain employees combine to conduct fraud. Although internal controls may limit the activities of employees, they can go around this limit by partnering with someone who can override internal controls.
An employee may be authorized to enter a transaction voucher into the system but is not allowed to print the cheques. Another employee may be authorized by management to print cheques. If these two employees combined to conduct fraud, they can easily overcome their respective limits and succeed in producing a fake cheque.
Incorrect Judgment
Incorrect human judgments may be involved in setting internal controls. Suppose in the organization cash is put in the vault because the manager doubts that cash may be stolen by someone. The manager hires a staff based on his judgment and delegates the responsibility to the hired staff to look after and manage the cash. There may be a possibility that the manager hired the wrong person with bad character or malicious intentions, in which case the cash will be stolen by the hired staff.
Failure to Train Employee
Implementation of internal controls requires training of employees to make them understand the processes and procedures to be followed in certain circumstances. Training is a critical function of making internal controls work. Training gives awareness to employees about what they are not allowed to do. Through training, employees get to know how to uphold internal controls. For example, everyone should know their passwords, how to make a strong password, and that passwords should not be shared with anyone.
Management Override of Controls:
Senior management of the organization is provided with authority and powers from the board of directors, to run the daily business affairs of the organization. Because of such authority and power senior management may override the internal controls, policies, and processes developed and implemented in the organization.
In smaller organizations, internal controls can also be breached by the employees who are given specific authority levels.
Example of Inherent Limitation of Internal Controls:
The board of directors and management of an organization want that the financial statements, prepared by the finance department, are free from material misstatement. To achieve this objective, the board and management hire a qualified finance professional as Chief Financial Officer (CFO), to lead the finance department. The board and management provide the CFO with a team of finance professionals and other physical resources, to run and manage the financial affairs of the organization.
Hiring a CFO, and providing him with a finance team and other physical resources does not mean that the financial statement’s material misstatement risk is eliminated. Because CFO and his team may intentionally prepare materially misstated financial statements and present them in a wrong way to the board and management, to gain their confidence and trust.
Final Thoughts
The complexity and importance of internal control systems within organizations cannot be overstated. Such systems are pivotal in achieving operational efficiency, ensuring financial reliability, and complying with legal requirements. However, while they may offer reasonable assurance towards risk management, it’s essential to recognize that they are not foolproof. The inherent limitations—such as the possibility of collusion among employees, human error, poor judgement, management’s override of controls, and unforeseen circumstances—highlight the importance of regular audits and employee training.
Therefore, for optimal business operations, organizations must strive for a delicate balance between stringent controls and flexibility, continually adapting their systems in response to shifting business requirements, and evolving risks.
