One of the fundamental concepts identified earlier in the chapter is that internal control can provided only reasonable assurance to management and the board of directors regarding the achievement of an entity's objectives. AU 319.16-18, Considerations of Internal Control in a Financial Statement Audit, identifies the following inherent limitations that explain why internal control, no matter how well designed and operated, can provide only reasonable assurance regarding achievement of an entity's control objectives.
- Mistake in judgment. Occasionally, management and other personnel may exercise poor judgment in making business decisions or in performing routine duties because inadequate information, time constrains, or other procedures.
- Breakdowns. Breakdowns in established control may occur when personnel missunderstand instructions or make errors owning to carelessness, distractions, or fatigue. Temporary of permanent changes in personnel or in systems or procedures may also contribute to breakdowns.
- Collusion. Individuals acting together, such as an employee who performs an important control acting with another employee, customer, or supplier, may be able to perpetrate and conceal fraud so as to prevent its detection by internal control (e.g, collusion among three employees from personnel, manufacturing, and payroll departments to initiate payments to fictitious employees, or kickback schemes between an employee in the purchasing department and a supplier or between an employee in the purchasing department and a customer).
- Management Override. Management can overrule prescribed policies or procedures for illegitimate purposes such as personnel gain or enhanced presentations of an entitiy's financial condition or compliance status (e.g., inflating reported earnings to increase a bonus payout or the market value of the entity's stock, or to hide violations of debt covenant agreements or noncompliance with law and regulations). Override practices including making deliberated misrepresentations to auditors and others such as by issuing false documents to support the recording of fictitious sales transactions.
- Cost versus benefits. The cost of an entity's internal control should not exceed the benefits that they are expected to ensure. Because precise measurement of both cost and benefits usually is not possible, management make both quantitative and qualitative estimates and judgments in evaluating the cost benefit relationship.
For example, an entity's could eliminate losses from bad checks by accepting certified or cashier's checks from customers. However, because of the possible adverse effects of such a policy on sales, most companies believe that requiring identification from the check writer offers reasonable assurance against the type of loss.