Thursday, August 5, 2010

Risk and Control Matrix

Hi All,


I would like to start this topic to discuss all fundamentals of RCMs. Do share your thoughts.

RCMs are a fundamental requirement for SOX-404 Compliance.


They are the standard template used for SOX purposes to document all financial reporting risks and controls pertaining to business processes.
The components of an RCM are:


1. Control Objective
2. Risks
3. Control Description
4. Control Ref No.
5. Frequency of Control
6. Control Type
7. Control Method
8. Information Processing Objectives
9. Financial Statement Assertions
10. COSO Component
11. Control owner
12. Evidence of control
13. Design Deficiency
14. Remediation Action Plan

Each component is discussed in detail below.
First, we need to scope the processes against which RCMs will be prepared.


Please refer to one of our earlier topics, "Procedure of Risk Assessment", in which we identified the business cycles and the processes under each of them.

Refer to the same list when scoping. Identify the processes that have a direct impact on our financials and accounts.

The crux of the matter is that an RCM needs to be prepared for every process that has a financial impact on our books of accounts.

Prepare an RCM template for each identified process in an Excel sheet, containing all the RCM components in the same order as listed above.


Finalize a naming convention for RCMs so as to keep the names of all RCMs consistent and maintain version control over them.

The first component of an RCM is the Control Objective.


Against this component we identify all the financial control objectives that the sub-process needs to meet.

They mainly consist of the factors that ensure that every transaction with a financial impact on the company's financials is accurate, complete, approved, correctly accounted for, monitored, etc.

Another component to be mapped in the RCM is Risks.


Against every Control Objective, we need to assess the possible risks and map them in the RCM. These should be the risks that in any way impact the financials of the company, for example incomplete, inaccurate or unauthorized figures or computations, transactions susceptible to manual intervention, inadequate segregation of duties, etc.

All controls that mitigate the identified risks should be mapped.


There can be more than one control to mitigate one risk.

While mapping the control, ensure that the detailed process is not documented in the RCM, only the control by which the risk is mitigated.

Each control should be given a Control Ref No. The Control Ref No. should be named in the following form:
Location.Process.Sub-process.Control No.


We need to map the frequency or periodicity of each control identified under "Control Description".


This could be "Multiple times a Day", "Daily", "Weekly", "Monthly", "Quarterly", "Half-yearly", "Annually" or "Per Occurrence".


Against the control mapped, we need to record whether the control type is "Preventive" or "Detective".


Preventive Control:
Preventive controls focus on preventing errors or exceptions before they occur. Examples of preventive controls are:
- Standard policies and procedures
- Proper segregation of duties
- Authorization levels/approvals

Detective Control:
Detective controls are designed to identify an error or exception after it has occurred. Examples of detective controls are:

- Exception reports
- Reconciliations
- Periodic audits


It is important for every process and RCM to have both preventive and detective controls, to ensure a complete set of controls.

Information Processing Objectives (CAVR) need to be mapped against the controls identified.



The four information processing objectives are:

1. Completeness - All transactions that occurred are entered and accepted for processing

2. Accuracy - Transactions are recorded at the correct amount, in the appropriate account, on a timely basis in the proper period

3. Validity - All recorded transactions actually occurred (are real), relate to the organization, and were approved by designated personnel

4. Restricted access - Data is protected against unauthorized amendments, its confidentiality is ensured, and physical assets are protected

Every "application control" needs to be mapped to one or more of these information processing objectives.
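The rules spelled out above (the Location.Process.Sub-process.Control No. reference convention, the fixed list of frequencies, the Preventive/Detective type, the requirement that every process carry both types, and the requirement that every application control map to at least one CAVR objective) are mechanical enough to check automatically before an RCM is sent for review. The following is an added example, not the author's spreadsheet or template: the column names, the exact token shape assumed for each part of the control reference (short upper-case codes plus a three-digit number), and the sample rows are all constructed assumptions.

```python
"""Validator for Risk and Control Matrix (RCM) rows.

Constructed example: the column names, the assumed token shape of the
control reference and the sample rows are assumptions, not the author's
actual RCM template.
"""
import re
from collections import defaultdict

# Control Ref No. convention from the post: Location.Process.Sub-process.Control No.
# The token shapes (upper-case codes, three-digit control number) are an assumption.
CONTROL_REF = re.compile(r"^[A-Z0-9]{2,5}\.[A-Z0-9]{2,5}\.[A-Z0-9]{2,5}\.\d{3}$")

FREQUENCIES = {"Multiple times a Day", "Daily", "Weekly", "Monthly", "Quarterly",
               "Half-yearly", "Annually", "Per Occurrence"}
CONTROL_TYPES = {"Preventive", "Detective"}
CAVR = {"Completeness", "Accuracy", "Validity", "Restricted access"}

# Constructed sample rows for a Purchase-to-Pay (P2P) and an Order-to-Cash (O2C)
# process; keys correspond to RCM components. Rows 3 and 4 deliberately break rules.
SAMPLE_RCM = [
    {"ref": "MUM.P2P.INV.001", "process": "P2P", "type": "Preventive",
     "frequency": "Per Occurrence", "application": True, "cavr": {"Validity"},
     "description": "Invoices above the approval limit require dual approval in the ERP workflow."},
    {"ref": "MUM.P2P.INV.002", "process": "P2P", "type": "Detective",
     "frequency": "Monthly", "application": True, "cavr": {"Completeness", "Accuracy"},
     "description": "AP sub-ledger reconciled to the GL control account."},
    {"ref": "MUM.O2C.INV.001", "process": "O2C", "type": "Preventive",
     "frequency": "Per Occurrence", "application": True, "cavr": set(),   # no CAVR mapping
     "description": "Credit memos authorized by a responsible official before issue."},
    {"ref": "MUM-O2C-INV-2", "process": "O2C", "type": "Preventive",     # bad ref
     "frequency": "Fortnightly", "application": False, "cavr": set(),    # bad frequency
     "description": "Credit policy communicated to sales staff."},
]


def validate_row(row):
    """Return a list of findings for a single RCM row (an empty list means clean)."""
    findings = []
    if not CONTROL_REF.match(row["ref"]):
        findings.append("control ref does not follow Location.Process.Sub-process.Control No.")
    if row["frequency"] not in FREQUENCIES:
        findings.append(f"unknown frequency '{row['frequency']}'")
    if row["type"] not in CONTROL_TYPES:
        findings.append(f"control type must be Preventive or Detective, got '{row['type']}'")
    # Every application control must map to at least one information processing objective.
    if row["application"] and not (row["cavr"] & CAVR):
        findings.append("application control mapped to no information processing objective")
    if not row["cavr"] <= CAVR:
        findings.append(f"unknown CAVR objective(s): {sorted(row['cavr'] - CAVR)}")
    return findings


def validate_rcm(rows):
    """Validate every row, flag duplicate refs, and apply the process-level rule
    that each process has both a Preventive and a Detective control.
    Returns {control ref or 'process:<name>': [findings]} for entries with findings."""
    report = defaultdict(list)
    seen_refs = set()
    types_by_process = defaultdict(set)
    for row in rows:
        report[row["ref"]].extend(validate_row(row))
        if row["ref"] in seen_refs:
            report[row["ref"]].append("duplicate control ref")
        seen_refs.add(row["ref"])
        types_by_process[row["process"]].add(row["type"])
    for process, types in types_by_process.items():
        missing = CONTROL_TYPES - types
        if missing:
            report[f"process:{process}"].append(
                f"no {'/'.join(sorted(missing))} control in process")
    return {key: findings for key, findings in report.items() if findings}


if __name__ == "__main__":
    for key, findings in validate_rcm(SAMPLE_RCM).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

Running the script lists the two defective rows and reports that the O2C process has no detective control; the P2P rows pass. In practice the rows would be read from the Excel template with a spreadsheet library, and the check run as a gate before the RCM is versioned.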


What is an Application Control?


Application controls are procedures designed to ensure the integrity of the accounting records.
Application controls directly support the control objectives of completeness, accuracy, validity and restricted access, as defined earlier.

Examples of Application Controls:

1. Completeness:
- Reconciliation of the accounts payable subsidiary ledger to the control account in the general ledger.
- Sequence check - e.g., computerized check of sales invoice numbers to identify missing invoices.
- Reconciliation between general ledger control accounts and other ledgers.

2. Accuracy:
- One-for-one checking of a report of changes to standing data against authorized amendment forms - e.g., checking a report of amended selling prices against an authorized list of amended prices. This report should also be reviewed by the authorizer and, if computer generated, relies on automated procedures to ensure its accurate production.
- One-for-one checking of output to input - e.g., checking a report of hours worked by employees against clock cards.
- Reconciliation between general ledger control accounts and other ledgers.

3. Validity:
- Dual signatures required for payments in excess of a certain amount.
- Authorization of credit memos by a responsible official prior to issuing to customer.
- Review by the sales manager of an exception report, such as a report of discounts given above a set percentage.

4. Restricted access:
- Checkbooks kept in a locked safe to prevent unauthorized use.
- Application access security, which ensures only authorized individuals have access to payment processing functions.
- Stores kept locked/supervised at all times to prevent the theft of inventory.
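Two of the Completeness controls listed above, the sequence check on invoice numbers and the reconciliation of a sub-ledger to its general-ledger control account, are simple enough to show as working code. The following is an added example, not code from the post: the invoice-number format (a fixed prefix followed by an integer), the sample invoice list and the sample ledger balances are all constructed.

```python
"""Two Completeness application controls as working code (constructed example,
not the author's): a sequence check over issued invoice numbers and a
reconciliation of an accounts payable sub-ledger to the GL control account."""
from decimal import Decimal

# Constructed sample: sales invoice numbers as issued by a billing system.
# Gaps at 1003, 1006, 1007 and a duplicate 1005 are planted on purpose.
ISSUED_INVOICES = ["SI-1001", "SI-1002", "SI-1004", "SI-1005", "SI-1005", "SI-1008"]

# Constructed sample: AP sub-ledger open items per vendor, and the GL control balance.
AP_SUBLEDGER = {"V-100": "1250.00", "V-101": "980.50", "V-102": "3100.00"}
GL_AP_CONTROL = "5580.50"   # 250.00 higher than the sub-ledger total


def sequence_check(invoice_numbers, prefix="SI-"):
    """Sequence check: report (missing, duplicate) numbers in a series that is
    expected to be gap-free. Any number outside the expected format is an error
    rather than silently skipped, since a skipped number would hide a gap."""
    numbers = []
    for number in invoice_numbers:
        body = number[len(prefix):]
        if not number.startswith(prefix) or not body.isdigit():
            raise ValueError(f"invoice number outside expected format: {number}")
        numbers.append(int(body))
    if not numbers:
        return [], []
    seen, duplicates = set(), []
    for n in numbers:
        if n in seen:
            duplicates.append(n)
        seen.add(n)
    lo, hi = min(seen), max(seen)
    missing = [n for n in range(lo, hi + 1) if n not in seen]
    return [f"{prefix}{n}" for n in missing], [f"{prefix}{n}" for n in duplicates]


def reconcile(subledger, gl_balance, tolerance="0.00"):
    """Reconcile a sub-ledger to its GL control account. Amounts are handled as
    Decimal to avoid float rounding; 'ties' is True only when the difference is
    within the stated tolerance."""
    total = sum((Decimal(v) for v in subledger.values()), Decimal("0"))
    gl = Decimal(gl_balance)
    difference = gl - total
    return {
        "subledger_total": str(total),
        "gl_balance": str(gl),
        "difference": str(difference),
        "ties": abs(difference) <= Decimal(tolerance),
    }


if __name__ == "__main__":
    missing, duplicates = sequence_check(ISSUED_INVOICES)
    print("missing invoices:", missing)
    print("duplicate invoices:", duplicates)
    print("AP reconciliation:", reconcile(AP_SUBLEDGER, GL_AP_CONTROL))
```

Both functions return their findings rather than only printing them, so the same code can feed an exception report (a detective control in its own right) that the control owner reviews and signs off as evidence.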


Financial Statement Assertions



Financial Statement Assertions are representations made by management as to the fair presentation of the financial statements. They are mapped against the controls listed in the "Control Description" column that impact the financial statements. There are five types of financial statement assertions:


1. Existence or Occurrence
2. Completeness
3. Valuation or Allocation
4. Rights and Obligations
5. Presentation & Disclosure

Details of the Financial Statement Assertions:

1. Existence or Occurrence: Assets, liabilities and ownership interests exist at a specific date, and recorded transactions represent events that actually occurred during a certain period.
2. Completeness: All transactions and other events and circumstances that occurred during a specific period, and should have been recognized in that period, have, in fact, been recorded.
3. Valuation or Allocation: Asset, liability, revenue and expense components are recorded at appropriate amounts in conformity with relevant and appropriate accounting principles. Transactions are mathematically correct and appropriately summarized, and recorded in the entity’s books and records.
4. Rights & Obligations: Assets are the rights, and liabilities are the obligations, of the entity at a given date.
5. Presentation & Disclosure: Items in the financial statements are properly described, sorted and classified.

Difference: Financial Statement Assertions vs. Information Processing Objectives

Assertions apply to all controls, whereas CAVR applies to application controls (IT and manual).
Assertions are assessed at the account balance level, whereas CAVR is assessed at the sub-process level.

13 comments:

  1. good job
    very informative

  2. This comment has been removed by the author.

  3. One of the best and most concise articles on RCM

  4. You rock particularly for the high caliber and results-arranged offer assistance. I won't reconsider to embrace your blog entry to anyone who needs and needs bolster about this region. business setup in dubai

  5. The Le_Meridian Funding Service went above and beyond their requirements to assist me with my loan which i used to expand my pharmacy business. They were friendly, professional, and absolute gems to work with. I will recommend anyone looking for a loan to contact. Email..lfdsloans@lemeridianfds.com Or lfdsloans@outlook.com. WhatsApp ... + 19893943740.

  6. Can you insert a bibliography?

  7. Great Information! Thanks for sharing with us. SafePaaS is one of the best leading enterprise risk management platforms, which locks down all your ITGC SOX controls so you can concentrate on your business.