The limitations on internal control effectiveness need to be stressed to avoid exaggerated expectations due to a misunderstanding of its effective scope. Internal control cannot by itself ensure the achievement of the general objectives defined earlier.
An effective internal control system, no matter how well conceived and operated, can provide only reasonable – not absolute – assurance to management about the achievement of an entity's objectives or its survival. It can give management information about the entity's progress, or lack of it, toward achievement of the objectives. But internal control cannot change an inherently poor manager into a good one. Moreover, shifts in government policy or programs, demographic or economic conditions are typically beyond management's control and may require managers to re-design controls or adjust the level of acceptable risk.
An effective system of internal control reduces the probability of not achieving the objectives. However, there will always be the risk that internal control will be poorly designed or fail to operate as intended.
Because internal control depends on the human factor, it is subject to flaws in design, errors of judgment or interpretation, misunderstanding, carelessness, fatigue, distraction, collusion, abuse or override.
Another limiting factor is that the design of an internal control system faces resource constraints. The benefits of controls must consequently be considered in relation to their costs. Maintaining an internal control system that eliminates the risk of loss is not realistic and would probably cost more than is warranted by the benefit derived. In determining whether a particular control should be established, the likelihood of the risk occurring and the potential effect on the entity are considered along with the related costs of establishing a new control.
Organisational changes and management attitude can have a profound impact on the effectiveness of internal control and the personnel operating the system. Thus, management needs to continually review and update controls, communicate changes to personnel, and set an example by adhering to those controls.
source: Intosai
