Challenges and Limitations of Internal Controls in Statutory Audit/External Auditor Procedures
The challenges and limitations are the obstacles that the internal control system faces. The main challenges and limitations are those that cause the auditor to rely on internal controls. If they are not able to do so, auditors will have to revert to substantive testing in all areas, and this is an inefficient use of resources. An example is if an internal control is effective but has no supporting documentation, the auditor cannot gain evidence of this and will have to revert back to the more costly substantive testing. The limitations of internal controls are that if they are not effective, they will affect the reliability and integrity of the financial statements. If controls are manual and simple, they are easily overridden and accounts can still be manipulated. An example is where management puts pressure on an employee to override a control to ensure a manipulation can take place. An auditor could potentially find this while testing the control with a questionnaire; however, often it will not be discovered. A more severe limitation is where there is collusion between management and employees to purposely manipulate accounts and override controls to prevent detection. This is the worst-case scenario, and if an auditor becomes aware of this, they must tailor their audit strategy to perform substantive tests in the affected areas, and it may ultimately result in the withdrawal of an audit opinion as they cannot determine the extent of the manipulation.
- Inherent limitations of internal controls
Work provided to the auditor by management requires the preparation of a representation letter by management to the auditor. This representation letter will state that the information provided to the auditor is true and accurate. The purpose of this letter is to make management responsible for the accuracy of the information provided to the auditor as the information will be used by the auditor to assess the risks of material misstatement in the financial statements. The implementation of this letter causes a significant shift of responsibility to management, which in turn causes management to take a more active role in the internal control system and monitor it on a regular basis. However, the effectiveness of the letter may be called into question. Studies have shown that perception of the representation letter by management and by auditors differ. To the auditors, this letter has significant impact, yet to management it is seen as only a routine part of the audit. This difference in perception could lead to the representation letter not being taken seriously by management. Lines of inquiry have also shown that there is no clear guidance available to management on value for money (VfM) statements. As VfM is a subjective assessment of the cost of quality, no one can say with certainty what the cost should be or if it is being achieved. This makes it difficult for the auditor to carry out assessment of risks and obtain information to do so. The report “Guidance for auditors P157-158” states that when seeking VfM information, auditors are to obtain evidence that management has considered and reviewed relevant cost and performance information in order to make decisions. This includes information used to compare present and past operations and information used to compare to similar services provided by other organizations. It also includes evidence that management has involved employees or the public in these decision-making processes. The information-seeking techniques are similar to those used when obtaining information on how sales have taken place. However, evidence gathered by NAO shows that because there is no prescribed method for making VfM assessments and no prescribed form content of the evidence to be obtained, there is little proven evidence of auditors knowing exactly what information they need to obtain from management and who ought to have it. Finally, the change in public sector organizations and the way they are audited make it difficult for auditors to relate to the information available on internal controls in the corporate sector to the information available on internal controls in public sector organizations. Public sector organizations are now proudly marketing themselves as being more business-like, yet they still retain many old-style practices and have new practices that aim to combine the best elements of the private/public sectors. Traditional corporate governance practices may not be best suited to public sector organizations. With the advent of a new best value framework, there is the temptation for auditors to only consider best value and not VfM when assessing risks. The effectiveness of contemporary and traditional internal controls can vary, and in some cases, such as management override, it is difficult to assess. Some controls will be effective in one company and not effective in another company. These factors create different levels of risks of material misstatement in different companies, and it may only be efficient to apply audit procedures to certain accounts in the balance or income statements. An example of internal controls effectiveness will be when assessing audit risks on relevant decisions and events as to how they affect the company’s pension scheme. With differing levels of effectiveness of internal controls and the complexity of the topic, there may be no easy or sure method for obtaining information to make a substantive assessment of audit risk.
- Complexity and cost of implementing effective controls
A list of control procedures in section 2.1 would indicate that to implement effective controls is both complex and costly. The list includes segregation of duties, management controls, specific risk controls, activity controls, and information and communication. Each of these control procedures is wide-ranging and might include various control tasks. Consider segregation of duties; it can incorporate spreading the duties of a key job over more than one person, developing workgroups to accomplish a task previously assigned to an individual, and ensuring that the work of one job is reviewed by another. These types of controls need to be well thought out, implemented, and monitored so that they achieve their objective, which is to reduce the risk of misstatement on the financial reports. This involves a large amount of organizational changes, for example, job development and rotation, changes to the reporting structure, and often the reassigning of job tasks. All of these changes incur a cost and often require increased salaries to attract the right staff to fulfill the new job requirements. In addition, consider what will happen if a company wants to use an external expert, such as increasing monitoring a specific risk control of entering a new market by hiring someone who knows the industry well and can advise the company on the effectiveness of this control. This will increase the cost of the control, and if the expert is not an employee of the company, it may be considered part of the cost of external controls. A study by the Securities and Exchange Commission in the USA concluded that in 2004, the accelerated implementation of the Sarbanes-Oxley Act for public companies would greatly increase the cost of compliance, especially for smaller companies, which will have to spend up to four times their prior expenditure of less than 1% of revenue. This study predicted that money spent on internal controls by public companies in the US would rise from 6 billion in 2002 to 35 billion in 2010. While this is a US study, the result is applicable for any company that has public accountability, e.g., listing on a stock exchange or large private company with numerous shareholders. This is because the cost of implementing controls is usually proportional to the size of the company, and it’s an ongoing cost due to controls being a permanent function in an organization.
- The role of professional judgment in audit procedures
The success of internal control design is critical for a statutory audit as auditors have to rely on an assessing control risk to plan an effective audit strategy. The expectation that audit risk will be reduced to an acceptably low level depends on the effectiveness of internal control in preventing and detecting material misstatements. When internal control is effective in this regard, the auditor is able to use the internal control system as an evidential source for an audit conclusion concerning the financial statement item. Control risk concerns the risk that a material misstatement that could occur in a relevant assertion will not be prevented or detected on a timely basis by the entity’s internal control. The auditor’s assessment of control risk is therefore a major factor in determining the nature, timing and extent of substantive procedures. If the auditor believes the control risk is higher than at a maximum level it may not be efficient to measure the effectiveness of the internal control in this regard choosing instead to assess a lower control risk in which case the in seeking evidence about the system the auditor should know that it is now more cost effective to test the control.
As the effectiveness of internal control increases, its importance as a source of audit evidence decreases the risk of misstatement, whether that be in simply assessing a relevant assertion or a complex implementation manual or automated control procedure. In this case, the most effective form of evidence available to the auditor is the direct use of the control system itself. An example would be the use of computer-assisted audit techniques to test a control system programmed within the client’s system, e.g. a program to detect duplicate invoice numbers and prevent the overpayment of a supplier. In this instance, the expected reliability of the system will directly affect the auditor’s expected efficiency and effectiveness as the system can only be tested if it is known that there is a lack of change in the program between the time of which the system was last assessed and the time applicable to the audit. An expectation the control system is still in place can be assessed by considering the nature and complexity of changes in the control during the recent past and the cost vs benefit of its assessment with other methods of obtaining a similar level of assurance. The assessment of expected reliability at the system level will affect the auditor’s decision on the mix of types of tests of controls and the assessment of individual control and in more complex cases the nature, timing and extent of related substantive procedures. An assertion by the client regarding a perceived ineffectiveness of the control system is unsatisfactory basis for the auditor to change his assessment of control risk as this could lead an overall lowering of control risk and less substantive work in an attempt to justify a lower audit fee. An alternative system is not troubling circumstances where the client has implied that an inadequacy in the control system has caused occurrence of error or irregularity in financial recording.