It is not sufficient to simply have an internal control system since a system can be ineffective and fail to support the organisation and serve the aim of corporate governance.
The Turnbull guidance described three features of a sound internal control system.
Embedded within operations and not treated as a separate exercise:
The principles of internal control should be embedded within the organisation’s structures, procedures and culture. Internal control should not be seen as a stand-alone set of activities and by embedding it into the fabric of the organisation’s infrastructure, awareness of internal control issues becomes everybody’s business and this contributes to effectiveness.
Able to respond changing risks within and outside the company:
Internal control systems should be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment. The speed of reaction is an important feature of almost all control systems. Any change in the risk profile or environment of the organisation will necessitate a change in the system and a failure or slowness to respond may increase the vulnerability to internal or external trauma.
Includes procedures for reporting control failing or weakness:
Sound internal control systems include procedures for reporting immediately to appropriate levels of management any significant control failings or weaknesses that are identified, together with details of corrective action being undertaken. Information flows to relevant levels of management capable and empowered to act on the information are essential in internal control systems. Any failure, frustration, distortion or obfuscation of information flows can compromise the system. For this reason, formal and relatively rigorous information channels are often instituted in organisations seeking to maximise the effectiveness of their internal control systems.