Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ / Audit Chapter 3
Microlesson · 5-min read

Limitations of Internal Control

## Limitations of Internal Control

Internal control, however well-designed, can only provide reasonable assurance — not absolute assurance — about the achievement of financial reporting objectives. This is because of inherent limitations.

### Six Inherent Limitations

#### i) Provides Only Reasonable Assurance

  • Internal control gives reasonable (not absolute) assurance about financial reporting objectives.
  • Reason: Inherent limitations prevent IC from providing absolute assurance.

#### ii) Lack of Understanding of Purpose

  • Individuals responsible for reviewing information may not understand the purpose of the control.
  • Consequence: They fail to take appropriate action even when a control exception is noted.

#### iii) Collusion

  • Two or more employees can collude to override controls.
  • Example: An edit check in the system is deliberately disabled by colluding employees.
  • No control system can fully prevent determined collusion.

#### iv) Limitations in Smaller Entities

  • In small businesses, segregation of duties is often not practicable (too few staff).
  • The owner-manager has more control over the business but is also in a position to override controls.

#### v) Faulty Human Judgement in Decision-Making

  • Controls often depend on human judgement at the design stage.
  • A poorly designed control may fail to catch errors even when properly operated.
  • Human decisions are inherently fallible.

#### vi) Management Override of Controls

  • Management can override controls that have been properly implemented.
  • Even well-designed controls are vulnerable when management circumvents them.
  • This is one reason auditors perform unpredictability in audit procedures.

### Summary Table

#LimitationKey Word
iOnly reasonable assuranceInherent Limitation
iiLack of understandingIgnorance / Inaction
iiiCollusionOverride by employees
ivSmaller entitiesNo segregation of duties
vFaulty judgementDesign error
viManagement overrideImplementation bypass

Worked example

### Example 1

Example — Collusion (Limitation iii):

In a bank, the system requires dual authorisation for any fund transfer above ₹50 lakhs (one from the maker, one from the checker). However, the maker and checker are in collusion and routinely approve fraudulent transfers for each other. The dual-control system — well-designed on paper — is defeated by collusion.

### Example 2

Example — Smaller Entity (Limitation iv):

A proprietorship firm has only three accounting staff: one handles purchases, payments, and reconciliations. Because the same person performs all functions, segregation of duties is impossible. Even if the proprietor reviews transactions, they can override any control, so the assurance provided by IC is limited.

### Example 3

Exam Question: 'Why does Internal Control provide only reasonable, not absolute, assurance?'

Answer: Because of its inherent limitations — including the possibility of human error in design and operation, collusion between employees, management override of controls, the impracticability of segregation of duties in small entities, and the possibility that individuals operating controls may not understand their purpose.

⚠️ Common exam mistakes

  • Writing only 3–4 limitations and missing points — all six points (reasonable assurance, lack of understanding, collusion, smaller entities, faulty judgement, management override) should be covered in a full answer.
  • Mixing up 'faulty judgement in design' (limitation v) with 'management override during implementation' (limitation vi) — design errors occur when controls are created; override occurs when controls are bypassed during use.
  • Not explaining why smaller entities face this limitation — the reason is the impracticability of segregation of duties, not merely their size.
  • Using 'absolute assurance' and 'reasonable assurance' interchangeably — IC only provides reasonable assurance; the auditor also provides reasonable assurance in audit reports.
Reference:
← Previous
Internal Control – Meaning, Ob
Next →
Materiality and Audit Risk
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic