12 Limitations of Internal Controls and How to Overcome Them

Kezia Farnham
The importance of internal controls is clear to anyone responsible for internal monitoring, testing and reporting — but there are limitations of internal controls processes, and these cannot be disregarded. Here we identify these limitations and look at how those responsible for implementing internal controls can alleviate them. 

 

The Importance of Internal Controls

While people sometimes assume that internal controls — sometimes called application controls — are only pertinent to financial reporting and internal audit, in fact, the benefits of internal controls go far beyond the financial function. And with the audit function responsible for policing the entire organization, it’s clear that effective internal controls can positively impact your whole business. 

Internal controls can be used to protect assets, reduce duplication of work, and report efficiently in a range of corporate departments; the popular COSO internal controls framework, for example, supports tests and controls throughout the business.  

An effective internal controls management solution strengthens your three lines of defense against organizational risk. 

But internal controls, though necessary and valuable, are not without limitations.  

Best practice means being honest about internal control weaknesses. Rather than disregard these shortcomings, you must work to tackle them. Implementing internal controls effectively means identifying these limitations and finding ways to mitigate them.

 

What Are the 12 Limitations of Internal Controls?

Internal controls are highly effective, but they’re not infallible. Inherent limitations of internal controls exist, but by identifying them, we can work through them and find mitigation strategies.  

The limitations of internal controls include weaknesses relating to manual processes, overlapping or duplicating of effort, and a lack of governance. Here, we share our list of internal controls limitations, along with ways to mitigate and reduce these limitations' impact.

 

1. Manual Processes/Human Error

Internal controls best practices can be compromised if you rely on manual intervention to capture and report on data. Human error can be intentional (and we cover collusion and fraud in more depth below) or unintentional.  

Managing all your internal controls, including those relating to SOX, ITGC, ICFR and OMB A-123, is a complex process. Documenting internal controls via spreadsheets and other legacy data-capture techniques is inefficient and prone to human error, and it fails to deliver the necessary rigor or assurance.

How to Mitigate:

Automating internal controls can make the difference here. Rather than relying on manual processes, an automated internal controls solution can bring rigor via workflows that automatically test, record data and flag any issues. Dashboards can provide clear views into control and testing status to prevent blind spots. With these pros, it’s not surprising that a 2018 KPMG survey found that 71% of respondents were looking to automate elements of their controls testing process. 

We start with data analytics, then machine learning, then artificial intelligence. These are the milestones the board is looking at.
— Cynthia Comparin, Independent Director, Cullen Frost Bank & Universal Display Corporation 

2. Lack of Accurate Data

This can be a side-effect of manual, fallible data gathering processes. If internal controls aim to identify and remediate out-of-tolerance readings swiftly, accurate data is a non-negotiable component. Inaccurate or incomplete data jeopardizes your entire internal controls process. 

How to Mitigate: 

To ensure accurate and comprehensive data inform your internal controls, you need to pull data from across your business applications. Data should ideally be captured at source and via automated means rather than relying on manual readings.

 

3. Too Many Controls

Incomplete data may be an issue, but so can too much. Compliance Week cites “Having and testing too many controls instead of focusing on key controls” as a problem that “can lead to unexpected deficiencies in the effectiveness of internal control.”  

How to Mitigate: 

Engage your process owners to identify key internal controls, and eliminate those that aren’t vital. Pinpoint any duplicative controls or those that prioritize low-risk or non-essential controls. Work out whether there is potential to harmonize controls that address multiple regulations.  

Some automation platforms enable you to uncover insights across vast amounts of corporate data, bringing order to a wealth of measures. 

 

4. Inconsistent Controls 

Whether due to M&A activity or varying legacy approaches in different departments, many businesses have complex, inconsistent approaches to controls testing across the organization. This makes managing, measuring and re-engineering the control environment a challenge. 

How to Mitigate: 

Creating a single risk and control matrix drives consistency and gives you simpler, cleaner controls data that is easier to use.

 

5. Insufficient Resources

If you have limited resources — and what business doesn’t? — you need to ensure they are correctly deployed. Failing to resource your internal controls processes, or applying resources disproportionately, can mean you under- or over-control the risks you face.

How to Mitigate:

Managing risk with limited resources is a challenge all organizations face. As with the challenge of too many controls, you need to prioritize your risks and dedicate commensurate effort to tackling them. Your control program should be flexible and agile to enable swift changes in direction as risk priorities ebb and flow.

How do we save time without reducing the level of assurance? You need to start with the financials, which are going to be easier to automate. Then connect data across systems to give new insights.
— Tom Keaton, Director of Internal Audit, Crown

6. Siloed Approach

Taking a siloed approach to internal controls risks inefficient or duplicative testing, with time and resources wasted. If different teams are manually testing the same controls, you fail to optimize your internal controls process. 

How to Mitigate:

You need a cross-business, holistic view of risk to avoid silos, duplication and wasted effort. Taking a simple, workflow-driven approach will execute your controls testing in a regular, structured way, with reporting covering all elements of your operation. 

 

7. Cannot Achieve 100% Control 

This is often cited as a limitation of internal controls — and it can be — although 100% control is not always something you should seek. You can’t add controls for every element of your operations; arguably, you shouldn’t. Some risks are worth taking, and the cost of control can sometimes outweigh the risk. 

So while 100% control is not necessarily a desirable aim, what is important is knowing which controls to focus on. While no solution can guarantee 100% control, you can deliver reasonable assurance for your stakeholders via efficiency and focus. Understanding where you should address your efforts is the key. 

How to Mitigate:

As with the challenge of too many controls, clarity is essential here. You need to identify which controls are key and focus on high-risk issues. To do this, you need sight of current and upcoming regulations and an understanding of your most pressing risks. These may not be the risks most likely to occur, but those that would cause the most significant problems if they did.

You can’t audit everything. You can’t verify everything. You need to use a risk model to prioritize the audits you do.
— Louis Miramontes, Independent Director, Rite Aid Corporation 

8. Collusion/Fraud

Internal controls often employ a “segregation of duties” approach to prevent potential fraud by ensuring no single employee controls enough processes to enable fraud. Collusion, though — two or more people working together — can circumvent this type of control. Internal controls cannot prevent employees from colluding to commit fraud at different stages of the process.  

How to Mitigate:

The same solution to a siloed approach will also help prevent collusion fraud. Taking a holistic view of your controls data gives you the big picture, removing hiding places for fraud or mismanagement.

 

9. Management Override of Internal Controls

Another of the inherent limitations of internal controls is the ability of management to override the controls set — whether for fraud, reporting or other reasons. Manual internal controls are fallible and can be manipulated. 

How to Mitigate:

Again, automation of internal controls can help here, providing automated workflows to capture testing data, mandating testing schedules and automating reporting. Data is pulled from business applications and stored in a centralized risk and control library, with dashboards automatically created. As a result, the potential to override or falsify controls is dramatically reduced.

 

10. Issues Remediation is Reactive and Tactical

This can be one of the symptoms of an internal controls policy that delivers siloed testing results. If results aren’t easily shared across the organization, your approach to remediation can be piecemeal, reactive and tactical.  

How to Mitigate: 

Sharing control testing results across your business will enable you to take a more proactive, informed and coordinated approach throughout the organization. Automating control tests can ensure those relevant to a number of business streams are easily accessed and shared across the company.

 

11. Static Controls

One of the limitations of internal controls can be their static nature. Internal controls need to keep pace with a changing regulatory and risk landscape; the Sarbanes-Oxley Act of 2002 (SOX), for example, led organizations to make “significant changes” to the ways they designed and monitored internal controls.  

Have there been other, less-publicized changes that your controls have failed to align with? If you haven’t updated your internal controls processes recently, they may be out of line with best practice and latest requirements. 

How to Mitigate:

Awareness of new benchmarks, best practices and regulations is vital to devise relevant internal controls. Investing in an internal controls management solution can enable you to use pre-built templates and frameworks that tap into the latest external requirements and ensure your internal controls align with them.

 

12. Lack of Stakeholder Engagement With Reporting

User-unfriendly reporting is the fastest way to turn off your key stakeholders, the very people you need to engage with your internal controls process. Whether you want to secure more resources, demonstrate success or gain support for your approach, you need reporting that clearly shows all the components of internal controls testing and management.

How to Mitigate: 

Disjointed and unclear reporting can be avoided if your controls testing is based on consistent templates and frameworks and reports are presented as intuitive, accessible dashboards. Explore the solutions and platforms you can use to deliver the reporting your stakeholders need.

  

Minimize the Limitations of Your Internal Controls Process

Reaching internal controls Utopia requires an honest approach, recognizing that the internal controls process has limitations. That said, there are ways to mitigate many of these limitations. Hopefully, our summary above has given you an insight into some of the limitations of internal controls and the ways you can tackle them.  

You may be facing issues of human error, the challenge of organizing multiple controls data streams, the need to prioritize risk management tactics, or the difficulty of operating in an ever-shifting regulatory landscape. Whatever your internal controls challenges, implementing an internal controls management solution can help to solve many of the limitations of traditional internal controls processes. Find out more about Diligent’s internal controls management solution. 

Kezia Farnham
Kezia Farnham, a Senior Manager at Diligent, has spent several years working in the B2B SaaS sector. Her expertise in equipping governance, risk, audit, compliance and ESG professionals with key insights into sustainability, cybersecurity and the regulatory landscape helps them stay ahead of an increasingly challenging business environment.