Inherent Limitation of Internal Controls
Having discussed the internal control framework and the ERM framework, let’s address the inherent limitations of the responses a company can employ. A perfectly designed internal control could be in place, but errors can still occur during its execution. Similarly, there might be a well-implemented internal control, but collusion could occur, where two individuals cooperate to circumvent the control. These scenarios exemplify what are known as ‘inherent limitations.’ ‘Inherent’ implies these limitations are unavoidable. Let’s examine each inherent limitation and discuss its impact on different company elements.
Here’s a list of the inherent limitations:
• Human Errors
• Human Bias
• Strategy Not Properly Aligned
• Collusion
• Management Override Controls
• External Events
Firstly, we have human errors. Even the most diligent employee, striving to adhere to the internal control or ERM framework, will inevitably make mistakes, reducing the frameworks’ effectiveness.
Secondly, humans apply biases when making decisions. For instance, a manager, over-fond of the company, could wrongly assess it as being devoid of risks while evaluating potential threats to the business.
Thirdly, management might implement an excellent framework, but it might fail to coincide with the company’s direction, indicating a misalignment of strategy.
Fourthly, the frameworks can be overridden via collusion. Collusion happens when at least two people conspire to deceive. For example, consider an accountant desiring to embezzle company funds, but lacking access to the accounting software’s source code. This accountant could collude with an IT specialist to alter the code.
The fifth inherent limitation is that management may choose to override controls. Recollect the internal control example of storing TVs in a cage, which requires a key. The manager possessing the keys may decide against the inconvenience of distributing keys all day and choose to bypass the control, leaving the key on their desk for anyone to use.
The sixth inherent limitation involves external events. These events occur outside of the organization’s control. Despite having the most comprehensive frameworks, a business cannot control the world and thus remains vulnerable to potentially unfavorable external events.