12 limitations of internal controls and how to overcome them
The importance of internal controls is clear to anyone responsible for internal monitoring, testing and reporting — but internal control processes have limitations, and these cannot be disregarded. Here, we identify these limitations and examine how those responsible for implementing internal controls can alleviate them.
The importance of internal controls
While people sometimes assume that internal controls — sometimes called application controls — are only pertinent to financial reporting and internal audit, the benefits of internal controls go far beyond the financial function. And with the audit function responsible for policing the entire organization, it’s clear that adequate internal controls can positively impact your business.
Internal controls can be used to protect assets, reduce duplication of work, and report efficiently in a range of corporate departments; the popular COSO internal controls framework, for example, supports tests and controls throughout the business.
An effective internal controls management solution strengthens your defense against organizational risk.
However, internal controls, though necessary and valuable, are not without limitations.
Best practice means being honest about internal control weaknesses. Rather than disregard these shortcomings, you must work to tackle them. Implementing internal controls effectively means identifying and finding ways to mitigate these limitations.
What are the 12 limitations of internal controls?
Internal controls are highly effective, but they’re not infallible. Inherent limitations of internal controls exist, but by identifying them, we can work through them and find mitigation strategies.
The limitations of internal controls include weaknesses relating to manual processes, overlapping or duplicating of effort, and a lack of governance. Here, we share our list of internal control limitations, along with ways to mitigate and reduce the impact of these limitations.
1. Manual processes/human error
Internal controls and best practices can be compromised if you rely on manual intervention to capture and report on data. Human error can be intentional (and we cover conspiracy and fraud in more depth below) or unintentional.
Managing all your internal controls is a complex process. Documenting internal controls via spreadsheets and other legacy data-capture techniques is inefficient, with the potential for human error, failing to deliver the necessary rigor or assurance.
How to Mitigate:
Automating internal controls can make the difference here. Rather than relying on manual processes, an automated internal controls solution can bring rigor via workflows that automatically test, record data, and flag any issues. Dashboards can provide clear views into control and testing status to prevent blind spots. With these pros, it’s unsurprising that a 2018 KPMG survey found that 71% of respondents were looking to automate their controls testing process.
We start with data analytics, then machine learning, then artificial intelligence. These are the milestones the board is looking at.
— Cynthia Comparin, Independent Director, Cullen Frost Bank & Universal Display Corporation
2. Lack of accurate data
This can be a side-effect of manual, fallible data-gathering processes. Accurate data is a non-negotiable component if internal controls aim to identify and remediate out-of-tolerance readings swiftly. Inaccurate or incomplete data jeopardizes your entire internal control process.
How to Mitigate:
To ensure accurate and comprehensive data inform your internal controls, you must pull data from across your business applications. Data should ideally be captured at source and via automated means rather than relying on manual readings.
3. Too many controls
Incomplete data may be an issue, but so can too much. Compliance Week cites “Having and testing too many controls instead of focusing on key controls” as a problem that “can lead to unexpected deficiencies in the effectiveness of internal control.”
How to Mitigate:
Engage your process owners to identify critical internal controls and eliminate those that aren’t vital. Pinpoint any controls that are duplicative or that cover low-risk or non-essential areas. Work out whether there is potential to harmonize controls that address multiple regulations.
Some automation platforms enable you to uncover insights across vast amounts of corporate data, bringing order to various measures.
4. Inconsistent controls
Whether due to M&A activity or varying legacy approaches in different departments, many businesses have complex, inconsistent approaches to control testing across the organization. This makes managing, measuring and re-engineering the control environment a challenge.
How to Mitigate:
Creating a single risk and control matrix drives consistency and yields control data that is more straightforward, cleaner and easier to use.
5. Insufficient resources
If you have limited resources (and what business doesn’t?), you need to ensure they are correctly deployed. Failing to resource your internal controls processes, or applying resources disproportionately, can mean you under- or over-control the risks you face.
How to Mitigate:
All organizations face the challenge of managing risk with limited resources. As with the challenge of too many controls, you need to prioritize your risks and dedicate commensurate effort to tackling them. Your control program should be flexible and agile to enable swift changes in direction as risk priorities ebb and flow.
How can we save time without reducing the level of assurance? You need to start with the financials, which are easier to automate. Then, connect data across systems to give new insights.
— Tom Keaton, Director of Internal Audit, Crown
6. Siloed approach
Taking a siloed approach to internal controls risks inefficient or duplicative testing, which wastes time and resources. If different teams manually test the same controls, you fail to optimize your internal controls process.
How to Mitigate:
You need a cross-business, holistic view of risk to avoid silos, duplication and wasted effort. A simple, workflow-driven approach will execute your controls testing in a regular, structured way, with reporting covering all elements of your operations.
7. Cannot achieve 100% control
This is often cited as a limitation of internal controls — and it can be — although 100% control is not always something you should seek. You can’t add controls for every element of your operations; arguably, you shouldn’t. Some risks are worth taking, and the cost of control can sometimes outweigh the risk.
So, while 100% control is not necessarily a desirable aim, what is important is knowing which controls to focus on. While no solution can guarantee 100% control, you can deliver reasonable assurance for your stakeholders via efficiency and focus. Understanding where you should address your efforts is the key.
How to Mitigate:
As with the challenge of too many controls, clarity is essential here. You need to identify which controls are critical and focus on high-risk issues. To do this, you need to be aware of current and upcoming regulations and understand your most pressing risks. These may not be the risks most likely to occur, but those that would cause the most significant problems if they did.
You can’t audit everything or verify everything. You need to use a risk model to prioritize the audits you do.
— Louis Miramontes, Independent Director, Rite Aid Corporation
8. Collusion/fraud
Internal controls often employ a “segregation of duties” approach to prevent potential fraud by ensuring no single employee controls enough processes to enable fraud. Collusion, though — two or more people working together — can circumvent this type of control. Internal controls cannot prevent employees from conspiring to commit fraud at different stages of the process.
How to Mitigate:
The solution to a siloed approach will also help prevent collusive fraud. Taking a holistic view of your control data gives you the big picture, removing hiding places for fraud or mismanagement.
9. Management override of internal controls
Another of the inherent limitations of internal controls is the ability of management to override the controls set — whether for fraud, reporting or other reasons. Manual internal controls are fallible and can be manipulated.
How to Mitigate:
Again, automation of internal controls can help here, providing automated workflows to capture testing data, mandating testing schedules and automating reporting. Data is pulled from business applications and stored in a centralized risk and control library, with dashboards automatically created. As a result, the potential to override or falsify controls is dramatically reduced.
10. Issues remediation is reactive and tactical
This can be one of the symptoms of an internal controls policy that delivers siloed testing results. If results aren’t easily shared across the organization, your approach to remediation can be piecemeal, reactive, and tactical.
How to Mitigate:
Sharing control testing results across your business will enable you to take a more proactive, informed, and coordinated approach throughout the organization. Automating control tests can ensure those relevant to several business streams are easily accessed and shared across the company.
11. Static controls
One of the limitations of internal controls can be their static nature. Internal controls must keep pace with a changing regulatory and risk landscape to make “significant changes” to how they designed and monitored internal controls.
Have there been other, less-publicized changes that your controls have failed to align with? If you haven’t recently updated your internal controls processes, they may be out of line with best practices and the latest requirements.
How to Mitigate:
Awareness of new benchmarks, best practices and regulations is vital to devising relevant internal controls. Investing in an internal controls management solution can enable you to use pre-built templates and frameworks that tap into the latest external requirements and ensure your internal controls align with them.
12. Lack of stakeholder engagement with reporting
User-unfriendly reporting is the fastest way to turn off key stakeholders, the people you need to engage with your internal controls process. Whether you want to secure more resources, demonstrate success or gain support for your approach, you need reporting that clearly shows all the components of internal controls, testing and management.
How to Mitigate:
Disjointed and unclear reporting can be avoided if your controls testing is based on consistent templates and frameworks and reports are presented as intuitive, accessible dashboards. Explore the solutions and platforms you can use to deliver the reporting your stakeholders need.
Minimize the limitations of your internal controls process
Reaching internal controls Utopia requires an honest approach, recognizing that the internal controls process has limitations. That said, there are ways to mitigate many of these limitations. Hopefully, our summary above has given you an insight into some of the limitations of internal controls and how you can tackle them.
You may be facing human error issues, the challenge of organizing multiple control data streams, the need to prioritize risk management tactics, or the difficulty of operating in an ever-shifting regulatory landscape. Whatever your internal controls challenges, implementing an internal controls management solution can help to solve many of the limitations of traditional internal control processes. Find out more about Diligent’s internal controls management solution.