The IIA standards (2120 - Controls) request that… "The internal project activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement." Additional IIA standards covered include 2120.A1.
During the Identify and evaluate the controls phase, the project team, for a specific process, location or transaction, will:
Within the IA Portal, this is completed via work papers (e.g. process maps, previous documentation etc.) and primarily the Project RCM.
The project RCM allows the team member to complete an independent evaluation of risks, controls and objectives from the perspective of the specific project on which they are working. Accessible via the RCM work paper of a project, the project RCM is pre-populated with the controls, risks and objectives identified when the RCM was created for the organization, process, IT Application or Project/Event as part of the setup process or previous business analysis (e.g. Sarbanes-Oxley documentation). This information "flows through" for each of the projectable units identified as part of the scope of the project, allowing various business users to share information across the Governance Portal.
While the team member may view the business’ evaluation completed as part of other business analysis (e.g. Sarbanes-Oxley compliance), the internal projector's information is logged and stored separately within the Governance Portal. Further analysis and comparison of the information may be completed via the internal project searches provided within the system, which support side-by-side comparison of the project’s evaluation versus the business’ evaluation.