Qn1.

Generic Limitation That Most Internal Control Systems Face

Effective internal control systems can only provide reasonable, not absolute, assurance of
achieving the entity’s financial reporting objective, due to the inherent limitations of internal
control. The most generic limitation that most internal control systems face is management
override of internal controls.

The term management override refers to the ability of management or those charged with
governance to manipulate accounting records and prepare fraudulent financial statements by
overriding these controls, even where the controls might otherwise appear to operate effectively.
For example, a sales director may choose to extend credit to a long-standing customer in
order to create customer goodwill, in contravention of laid-down credit control procedures.

Even though internal control over financial reporting may appear to be well-designed and
effective, controls that are otherwise effective can be overridden by management in every entity.
Many financial statement frauds have been perpetrated by intentional override by senior
management of what might otherwise appear to be effective internal control. Indeed, with very
few exceptions, most of the major fraud cases in the past 50 years that had catastrophic results
for the organization were perpetrated by senior members of management circumventing or
overriding seemingly sound systems of internal control. Audit committees may reduce the risk of
material misstatement in the financial statements due to fraud by addressing the risk of
management override of internal control as part of their oversight of the financial reporting
process.

Because management is primarily responsible for the design, implementation, and maintenance
of internal control, the entity is always exposed to the danger of management override of
controls, whether the entity is publicly held, private, not-for-profit, or governmental. When the
opportunity to override internal control is combined with powerful incentives to meet accounting
objectives, senior management may engage in fraudulent financial reporting. Thus, otherwise
effective internal control cannot be relied upon to prevent, detect, or deter fraudulent financial
reporting perpetrated by senior management.

Management may override controls to intentionally misstate the nature and timing of revenue or
other transactions by:

(1) Recording fictitious business events or transactions or changing the timing of recognition of
legitimate transactions, particularly those recorded close to the end of an accounting period;

(2) Establishing or reversing reserves to manipulate results, including intentionally biasing
assumptions and judgments used to estimate account balances; and

(3) Altering records and terms related to significant or unusual transactions.

Management override is very difficult to detect. However, an audit committee can take actions to
address the risk of management override of controls. Those actions include the following:
maintaining an appropriate level of skepticism, strengthening committee understanding of the
business, brainstorming about fraud risks, using the code of conduct to assess financial reporting
culture, ensuring the entity cultivates a vigorous whistleblower program, and developing a broad
information and feedback network.

Maintaining an appropriate level of skepticism. Skepticism is an attitude that acknowledges
that fraud risks, including the risk of management override, exist in every entity. An effective
starting point for the audit committee in assessing fraud risk is the exercise of an appropriate
level of skepticism when considering the risk of management override of internal control. An
appropriate level of audit committee skepticism requires alertness to potential fraud risk factors
and a willingness to ask sometimes difficult and perhaps even embarrassing questions. It also
requires an environment that encourages open and candid discussion among audit committee
members and sufficient time to think and consider “what if” scenarios related to the possibilities
of fraud at the entity. In considering the risk of management override of internal control, the
audit committee will set aside any beliefs about the integrity of management because override is
most often committed by “good executives gone bad,” rather than consistently dishonest people.

Strengthening committee understanding of the business. Audit committees need a solid
knowledge of the industry and business to form the foundation for effective oversight. Because
financial reporting to stakeholders should reflect the economic activity of the entity, industry and
entity knowledge is critical for determining whether the entity’s financial reporting is sufficient
for its users. That knowledge also helps the audit committee identify and understand business
and financial risks that may increase the likelihood of fraud.

Brainstorming about fraud risks. Members of the audit committee can increase their
effectiveness in dealing with the potential of management override of internal control by
discussing, among themselves, the potential for fraud. An exchange of ideas or “brainstorming”
about how and where they believe the entity may be susceptible to fraud, what might motivate
management to perpetrate fraud, how management might override controls to engage in and
conceal fraudulent financial reporting, and how entity assets could be misappropriated can be
useful for this purpose. The brainstorming session’s effectiveness is increased if conducted, at
least partially, in closed or executive session without management present.

Using the code of conduct to assess financial reporting culture. Most organizations have a
code of conduct. The mere existence of a code, however, is not sufficient to reduce the likelihood
of management override of controls. The audit committee can use the code of conduct as a
benchmark for assessing whether the culture or tone at the top and management’s actions are
those required to maintain the highest levels of integrity under pressure and opportunity to
commit fraud. The code also facilitates the reporting of inappropriate conduct by delineating the
types of conduct the organization deems unacceptable.

Cultivating a vigorous whistleblower program. A key defense against management override
of internal control is a whistleblowing process that typically incorporates either a telephone or
web-based hotline, or a combination of both. The audit committee can assist in creating strong
antifraud controls by encouraging the development of a culture in which employees view
whistleblowing as a valuable contribution to an attractive workplace of integrity and their own
futures. The reporting mechanisms must demonstrate confidentiality so potential whistleblowers
are assured that their concerns will be properly considered and that they will not be subjected to
retribution. Successful whistleblowing procedures require strong leadership from the audit
committee, the board of directors, and management.

In conclusion, the risk of management override of internal control is present in every entity.
Although the best practices guidance provided in this document cannot guarantee that the audit
committee will prevent, deter, or detect fraud through management override of internal control,
the implementation of these suggestions will result in more effective audit committee oversight
of management.

Other inherent limitations of any internal control system and examples of each include:

1. Human judgment – faulty decision-making or human error may lead to breakdowns in internal
control. For example, in the design of computer processing controls.

2. Failure to understand or take action – there may be ineffective control because individuals
may not understand the purpose of a specific control. For example, the purpose of a payroll
exception report.

3. Collusion by two or more people – leading to circumvention of controls. For example,
between a factory employee, factory manager and a wages data processing clerk to claim,
authorize and process a fraudulent payment for overtime wages.

4. Management judgment – with regard to the nature and extent of risk the company chooses to
assume and the nature and extent of the controls it chooses to implement. For example,
management may adopt a low risk exposure to the loss of non-current assets by implementing an
ongoing system of monitoring and inspection of non-current assets, centered around the
operation of a comprehensively detailed non-current asset register.

5. Cost benefit consideration – a pragmatic approach will often need to be adopted in this regard,
especially in smaller companies. For example, the cost of employing additional accounts staff to
ensure adequate segregation of duties in relevant areas may outweigh the maximum benefit to be
derived from improved internal control.

6. Ability to cope with non-routine transactions – the ability to predict the likelihood of non-
routine transactions arising means that it is less likely that systems will be designed to cope with
such transactions. For example, the purchase of a very expensive non-current asset with an
unusual and complex specification.

Qn2. In computer-based systems, which are the major distinguishing features that must be
recognized and considered by the auditor?

Information technology (IT) is integral to modern accounting and management information
systems. It is, therefore, imperative that auditors should be fully aware of the impact of IT on the
audit of a client’s financial statements, both in the context of how it is used by a client to gather,
process and report financial information in its financial statements, and how the auditor can use
IT in the process of auditing the financial statements.

The major distinguishing features that must be recognized and considered by an auditor in a
computer-based system include the following:

• Application controls, comprising input, processing, output and master file controls
  established by an audit client over its computer-based accounting system; and
• Computer-assisted audit techniques (CAATs) that may be employed by auditors to test
  and conclude on the integrity of a client’s computer-based accounting system.

APPLICATION CONTROLS

Application controls are those controls (manual and computerized) that relate to the transaction
and standing data pertaining to a computer-based accounting system. They are specific to a given
application and their objectives are to ensure the completeness and accuracy of the accounting
records and the validity of entries made in those records. An effective computer-based system
will ensure that there are adequate controls existing at the point of input, processing and output
stages of the computer processing cycle and over standing data contained in master files.
Application controls need to be ascertained, recorded and evaluated by the auditor as part of the
process of determining the risk of material misstatement in the audit client’s financial statements.

Input controls- Control activities designed to ensure that input is authorized, complete, accurate
and timely are referred to as input controls. Examples include format checks, range checks,
compatibility checks and control totals.

Dependent on the complexity of the application program in question, such controls will vary in
terms of quantity and sophistication. Factors to be considered in determining these variables
include cost considerations, and confidentiality requirements with regard to the data input. Input
controls common to most effective application programs include on-screen prompt facilities (for
example, a request for an authorized user to ‘log-in’) and a facility to produce an audit trail
allowing a user to trace a transaction from its origin to disposition in the system.

Processing controls- Processing controls exist to ensure that all data input is processed correctly
and that data files are updated accurately and in a timely manner. The processing
controls for a specified application program should be designed and then tested prior to ‘live’
running with real data. These may typically include the use of run-to-run controls, which ensure
that the integrity of cumulative totals contained in the accounting records is maintained from one
data processing run to the next, for example, the balance carried forward on the bank account in a
company’s general (nominal) ledger.
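
The input and processing controls described above can be shown together in a short sketch. This is an added example, not part of the original answer: the function names, the account code layout, the amount ceiling and the sample batch are all assumptions constructed for illustration.

```python
import re
from decimal import Decimal

# Constructed sample batch. The header holds the record count and control
# total that were calculated independently of the system before keying.
BATCH_HEADER = {"count": 4, "control_total": Decimal("1850.00")}
BATCH = [
    {"account": "AC-1001", "amount": "500.00"},
    {"account": "AC-1002", "amount": "250.00"},
    {"account": "AC1003", "amount": "100.00"},       # bad account code layout
    {"account": "AC-1004", "amount": "1000000.00"},  # keying error: 1000.00 intended
]
ACCOUNT_FORMAT = re.compile(r"AC-\d{4}")  # assumed account code layout
AMOUNT_LIMIT = Decimal("10000.00")        # assumed per-transaction ceiling


def input_controls(header, batch):
    """Apply format, range and control-total checks.

    Returns (accepted postings, exception report entries). Line number 0
    marks a batch-level exception rather than a single record.
    """
    accepted, exceptions = [], []
    for line_no, rec in enumerate(batch, start=1):
        amount = Decimal(rec["amount"])
        if not ACCOUNT_FORMAT.fullmatch(rec["account"]):
            exceptions.append((line_no, "format check: account code"))
        elif not Decimal("0") < amount <= AMOUNT_LIMIT:
            exceptions.append((line_no, "range check: amount"))
        else:
            accepted.append((rec["account"], amount))
    # Control totals compare what was keyed with what was independently counted.
    if len(batch) != header["count"]:
        exceptions.append((0, "control total: record count"))
    if sum(Decimal(r["amount"]) for r in batch) != header["control_total"]:
        exceptions.append((0, "control total: batch amount"))
    return accepted, exceptions


def run_to_run(brought_forward, accepted, carried_forward):
    """Run-to-run control: the opening balance plus the accepted postings must
    equal the balance the processing run actually carried forward."""
    expected = brought_forward + sum(amount for _, amount in accepted)
    return expected == carried_forward
```

The entries returned in the exception list correspond to the exception report whose review and follow-up is itself a control: a rejected record that is never investigated defeats the check.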

Output controls- Output controls exist to ensure that all data is processed and that output is
distributed only to prescribed authorized users. While the degree of output controls will vary
from one organization to another (dependent on the confidentiality of the information and size of
the organization), common controls comprise:

• Use of batch control totals, as described above (see ‘input controls’).
• Appropriate review and follow-up of exception report information to ensure that there are
  no permanently outstanding exception items.
• Careful scheduling of the processing of data to help facilitate the distribution of
  information to end users on a timely basis.
• Formal written instructions notifying data processing personnel of prescribed distribution
  procedures.
• Ongoing monitoring by a responsible official of the distribution of output, to ensure it is
  distributed in accordance with authorized policy.

Master file controls- The purpose of master file controls is to ensure the ongoing integrity of the
standing data contained in the master files. It is vitally important that stringent ‘security’ controls
should be exercised over all master files. These include use of appropriate passwords to restrict
access to master file data, adequate procedures over amendment of data etc.

The auditor can also use computer-assisted audit techniques (CAATs). The nature of
computer-based accounting systems is such that auditors may use the audit client company’s
computer, or their own, as an audit tool, to assist them in their audit procedures.

The key objectives of an audit do not change irrespective of whether the audit engagement is
carried out in a manual or a computer-based environment. The audit approach, planning
considerations and techniques used to obtain sufficient appropriate audit evidence do of course
change.

REFERENCES

American Institute of Certified Public Accountants management (2016). Management Override of
Internal Control: The Achilles’ Heel of Fraud Prevention. Retrieved from
https://www.aicpa.org/ForThePublic/AuditCommitteeEffectiveness/DownloadableDocuments/achilles_heel.pdf

ACCA. Auditing in a computer based environment. Retrieved from
https://www.accaglobal.com/lk/en/student/exam-support-resources/professional-exams-study-resources/p7/technical-articles/auditing-computer-environment.html
