Understanding the limitations of internal control can help your business or organization better prevent gaps in its information systems. Learn how with this helpful guide from the team at Reciprocity.
As the inherent risks confronting your organization or business grow, having the proper policies, procedures, and technical safeguards in place to prevent problems and protect your assets is more important than ever before. Together, these policies, procedures, and technical safeguards are called internal controls.
Internal controls are designed to provide organizations with reasonable assurance regarding the achievement of objectives in the following categories: reliability of financial reporting, effectiveness and efficiency of business operations, and compliance with applicable laws and regulations. More generally, internal controls are typically established to avoid or minimize loss.
Internal controls do, however, have their limits. These limits can prevent the policies, procedures, or technical safeguards you already have in place from effectively protecting your organization against threats.
In this article we’ll take a closer look at the effectiveness of internal controls, including some of the most common limitations to a company’s internal controls; so you can better position your business to avoid putting itself at risk.
What Are Internal Controls?
There are three types of internal controls: detective, preventative, and corrective. Detective controls seek to understand risks once those risks have occurred; corrective controls take corrective action to remedy vulnerabilities. Preventative controls attempt to prevent those risks from striking in the first place.
In information security, internal controls consist of security policies and procedures, plans, devices, and software intended to strengthen your cybersecurity. Ultimately, internal controls aren’t just important for the sake of your cybersecurity; they’re also important for avoiding financial losses, reputational damage, and even regulatory fines and legal consequences.
A number of regulatory obligations and compliance frameworks require organizations to implement and demonstrate security controls that enable your organization to manage its information security for your information systems, networks, and devices. In many cases you may need to conduct an internal audit, to assure that your control procedures are in place and that they’re working.
Audit procedures – that is, the processes and methods external or internal auditors use to obtain sufficient and appropriate evidence to make a judgment about the effectiveness of an organization’s internal controls – are usually associated with meeting regulatory compliance. They involve a number of steps you can read more about here.
COSO
One common internal control framework is the Committee of Sponsoring Organizations (COSO) framework, known as Internal Control-Integrated Framework. The COSO framework provided the first common definition of internal control: “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.”
COSO’s framework guidelines were developed to help organizations assure that their financial statements are accurate, their assets and stakeholders are protected from fraud, and their operations are running effectively and efficiently. While the original purpose of the COSO framework in 1992 was fraud deterrence, today (after a major overhaul in 2013) it is one of the most widely used frameworks in the United States for internal controls.
At its core, COSO provides an approach that organizations can use to assess the effectiveness of their own system of internal controls throughout the entire organization, from auditing to IT. The framework also first introduced the five key elements of internal control, which we will discuss in more detail in the following section.
5 Key Elements of Internal Control
As defined by COSO, the five elements of internal control each contain supporting principles and points of focus to help organizations design, implement, conduct, monitor, and assess internal control processes. The five elements of internal control are control environment, risk assessment, control activities, information and communication, and monitoring activities.
Control Environment
The control environment is at the foundation for all the other internal control elements. It encompasses your organization’s attitude about internal controls, under the assumption that your board of directors and senior management are responsible for establishing the “tone at the top” regarding the importance of internal controls and the expected standards of conduct. Ideally, other employees will then follow suit.
An effective internal control environment should include the following seven factors:
- Integrity and ethical values.
- Commitment to competence.
- Human resource policies and practices.
- Assignment of authority and responsibility.
- Management’s philosophy and operating style.
- Board of directors or audit committee participation.
- Organizational structure.
Risk Assessment
The risk assessment process includes identifying, analyzing and prioritizing your organization’s risks. It will ultimately inform the process for managing and mitigating risks.
An effective risk assessment should:
- Clearly specify objectives.
- Identify risks to the achievement of objectives.
- Consider the potential for fraud.
- Identify and assess significant changes.
- Include third-party and supply chain risks.
Control Activities
Control activities are the actions established by policies and procedures that help assure management directives are carried out. Control activities should be performed at all levels of your organization and at various stages within your business processes. They should address the risks identified in your risk assessment, be clearly documented and clearly communicated to stakeholders and staff, and evolve with the changing needs of your business.
Control activities should include:
- Performance reviews.
- Information processing.
- Physical controls.
- Segregation of duties.
Information and Communication
Information and communication are the systems and processes that support identifying, capturing, and exchanging information that allows people to carry out their duties effectively.
Your information and communication systems should:
- Facilitate the acquisition, generation, and use of quality information throughout your organization.
- Define the processes for internally communicating information about internal controls.
- Define the processes for externally communicating information about internal controls.
Monitoring Activities
Monitoring activities are the processes that identify, monitor and report on the quality of your internal controls.
Monitoring activities should include:
- Ongoing and/or separate evaluations.
- Evaluation and communication for any internal control deficiencies.
- Options for automation wherever possible.
Limitations of Internal Controls
No matter how well your internal controls are designed, they can only go so far as to provide reasonable assurance that objectives are being achieved. While internal controls are effective in preventing, detecting and rectifying many problems, they cannot provide organizations with absolute assurance.
This means that internal controls can’t detect and prevent all cases where problems may exist. There will always be unforeseen circumstances for which internal controls simply can’t compensate.
Here are some of the most common inherent limitations of internal controls:
Human Error
Ultimately, the effectiveness of your internal controls will be limited by any decisions that involve human judgment. Decision makers are often under immense pressure to get results, which can lead to impulsive or careless actions. People are often the weakest link in cybersecurity, and internal controls are no exception to this rule.
Even the most well-designed and well-thought-out internal control can fall victim to human error, and for this reason, internal control systems that limit human control or automate parts of the process are often more successful in the long run. Automation is one way your organization can strive to prevent human error from limiting the efficacy of your internal controls.
Breakdowns
Sometimes even well-designed internal controls break down. Whether it’s a result of employees misunderstanding instructions or simply making mistakes, errors will inevitably occur at some point.
In general, the effectiveness of your internal controls relies heavily on the competence of your employees and the people responsible for carrying out the processes associated with them. If your employees don’t fully understand their roles and responsibilities, or if they don’t think certain internal controls are necessary, they aren’t as likely to follow the internal controls put in place.
Errors may also occur when you introduce new technologies and as your computerized information systems become increasingly complex. Whatever the origin, breakdowns and errors have the potential to throw your entire internal control system out of whack.
To prevent breakdowns from putting limitations on your internal controls, we recommend starting with a comprehensive security awareness training program for your employees to help them better understand the why, so they’re more likely to follow the how.
Management Override
Management override occurs when high level personnel or privileged user accounts override prescribed policies and procedures for personal gain, advantage, or convenience. This sounds similar to management intervention, but the two are different. Management intervention occurs when management actions depart from prescribed policies and procedures for legitimate reasons. Management override involves some sort of nefarious intent.
For obvious reasons, management override has the potential to disrupt your internal control system altogether – if management isn’t following the correct procedures, why should anyone else? In some extreme cases, organizations even allow their top managers to neglect internal controls altogether, which in turn, limits the internal controls’ effectiveness almost entirely.
Ultimately this kind of situation can ripple throughout your organization, as lower level employees are also more likely to see internal controls as unnecessary and ignore them.
This is why the control environment is so important. You need to make sure that the people at the top of your organization set the right example and expectations for employees that carry out the internal control functions on a regular basis.
Collusion
Many internal control systems can be circumvented by employee collusion: several internal actors working together against the organization, usually to alter financial data or other management information in ways that can’t be identified by control systems.
One of the most common internal controls that companies use to prevent collusion is the segregation of duties. This means that various duties are spread among multiple employees, so that no single person has so much power that he or she can commit fraud alone. Still, some employees can evade this type of control by teaming up with others to conceal their fraudulent actions.
In addition to the segregation of duties, you should also closely monitor end user behavior for any anomalies or suspicious behavior. If you haven’t already done so, implementing a data privacy policy can also let potentially malicious internal actors know that you’re watching the flow of information closely for any inappropriate transactions.
Unforeseen Circumstances
As mentioned above, there’s simply no way for an organization to foresee all of the possible risks that may occur, and at the same time introduce systems to prevent or control them. It’s simply not possible. There will always be random variables or events that can render your internal controls useless.
You can, however, equip your organization with the best tools available to help you detect and prevent risks before they do any real damage. Improving your internal controls or starting from scratch is no easy task. Fortunately, there are security solutions designed to help.
Make ZenRisk Part of Your Internal Control System
Developing, implementing, and maintaining your internal controls can be a difficult task, and most organizations aren’t sure where to begin. The answer is automation. Whether your organization is struggling to manage its cyber risks, meet business objectives, or comply with regulatory requirements, software solutions can help simplify these tasks and streamline your efforts.
ZenRisk from Reciprocity takes the guesswork out of risk management. Using ZenRisk, you can quickly review your internal controls to determine whether they’re working the way they should, so that you can manage your risks by exposing vulnerabilities before they’re exploited by threat actors.
Give your company leaders peace of mind using easy to read dashboards and reporting metrics. Stay up-to-date in real time with automated continuous monitoring from ZenRisk, including in-a-click unlimited self audits and easy evidence collection in our single source of truth repository.
We can even help you achieve compliance with multiple frameworks (including COSO) and provide automatic framework updates so you always know where your compliance efforts stand.
With Zen, a team of cybersecurity professionals is always looking out for you and your assets, making sure you get the best and most up-to-date cybersecurity risk management tools on the market.
Join some of the world’s leading companies and schedule a demo to get started on the path toward worry-free risk management, the Zen way.