The Risk Control Matrix (RCM) is an essential element of the system that enables clients to perform a "data-driven" analysis for a given process, organization, IT system, project/event or custom entity. This analysis is focused on determining key objectives, identifying related risks, documenting mitigating controls and loading supporting test information that validates the effectiveness of controls.
The analysis conducted within the RCM can be used to support financial reporting assurance regarding the design and operating effectiveness of controls over financial reporting. In addition, the RCM can be used to support other GRC initiatives including regulatory compliance, IT Governance, operational risk, and enterprise risk management as well as internal audit’s assessment of risks and controls.
The Governance Portal supports multiple approaches to analysis of controls over financial reporting. This affords organizations flexibility while providing a common technology to support their efforts. These optional approaches are facilitated through the various linking options between the financial reporting element and the objects within the RCM. Organizations should select a single approach to ensure reporting consistency. Note: Most out-of-the-box reporting supports the objective-risk-control-test relationship which is used in the process-based and risk-based approaches below.
The Risk Control Matrix is divided into five sections: financial reporting elements, objectives, risks, controls and testing.
Below is a table of definitions and information that will assist users in completing the matrix.
| Section | Definition |
| --- | --- |
| Financial Reporting Elements | This link provides a list of the financial reporting elements that are linked to the process in the PCS tab. These are informational details. |
| Objective | Management establishes controls to achieve certain objectives. These objectives support management's overall objective with respect to the effectiveness of internal controls over financial reporting, operational risks and controls, or other types of risks and controls. The independent public accounting firm (external auditor) should approve the objectives relating to financial reporting. |
| Risk | Risk represents "what can go wrong" in a process. Identifying risks in a process helps an evaluator focus on the controls that may mitigate the risk. |
| Control | Controls are designed to a) reduce the identified risks to an acceptable level and b) provide reasonable assurance that the defined objectives are met. |
| Testing | Testing is used to support or prove the control evaluation. |