Internal Control activities, no matter how well designed and executed, can provide only reasonable assurance regarding achievement of objectives. The likelihood of achievement is affected by limitations inherent in all control systems. These limitations include the following:
- Judgment - The effectiveness of controls will be limited by the fact that decisions must be made with human judgment in the time available, based on information at hand, and under the pressures to conduct business.
- Breakdowns - Even if control activities are well designed, they can break down. Personnel may misunderstand instructions or simply make mistakes. Errors may also stem from new technology and the complexity of computerized information systems.
- Management override - Even in effectively controlled organizations, high level personnel may be able to override prescribed policies or procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies or procedures for legitimate purposes.
- Collusion - Collusion between two or more individuals can result in control failures. Individuals acting collectively often can alter financial data or other management information in a manner that cannot be identified by the control system
- Costs versus benefits - In determining whether a particular control activity should be established, the risk of failure and the potential effect must be considered along with the cost of establishing the control. Excessive control is costly and counterproductive. Too little control presents undue risk. Agencies should make a conscious effort to strike an appropriate balance.
While carrying out any internal audit, possibilities of above limitations of internal control should be considered and substantive testing needs to be increased in any specific area where other preventive and detective control to mitigate these possibilities are less.