Risk Control Matrix Layout Overview

The many-to-many relationships contained in the Risk Control Matrix make it the most complex area of the Governance Portal. To simplify the end user's experience, the forms and sub-forms used for the risk-control analysis follow a consistent layout. For each risk-control object (e.g. process, objectives, risks, controls, and testing details), the following convention is followed:

These links allow users to:

There are several attributes that are captured for internal controls including:

Control Type

The “control type” will impact an evaluator’s ability to rely on a control when assessing design. The system allows definition of two control types to give further detail in describing different types and methods of controls.

Control Significance

This provides information about how important a given control is relative to others. It is a useful attribute to filter on for reporting purposes.

Control Frequency

Indicates how often a particular control is performed or “in action.” It is also a useful attribute to filter on for reporting purposes.

Primary COSO Component

When performing a review of internal controls over financial reporting, most of the attention at the process level focuses on control activities and monitoring.

Control Activities – Internal controls that specifically address financial reporting objectives or risks.

Monitoring – Addresses the effectiveness of the key control activities built into the process as well as the effectiveness of the control environment, risk assessment and information/communication components.

Control Owner

Owner of the control activity.

The risk and control matrix addresses three questions with respect to controls design:

Tests of the operating effectiveness of a control are concerned with how the control was applied, the consistency with which it was applied and by whom it was applied.

Tests ordinarily include procedures such as:

The Risk Control Matrix is accessed from the Org Unit Process Model, the Process Form, IT Applications, and/or Projects and Events. In addition, a risk control matrix is also available for use by internal audit (see Identify and Evaluate Controls for additional information). Users will be instructed to create a risk matrix after a process has been linked to an organization. From there they can access the risk matrix from the process form.

The matrix is aligned with SOA 404 requirements to identify objectives and evaluate the design and operating effectiveness of controls. In addition, the detailed analysis performed in the RCM can be used to support operational risk assessments, which revolve around the impact and likelihood of a risk event occurring in various areas of the business, and Internal Audit control evaluations within organizations, processes, projects/events or IT applications.

The process of completing the RC matrix can be summarized as:

Top-down identification (creating a list of each item and linking to create relationships):

Bottom-up evaluation of the:

See Also

Risk Control Matrix

Manage RCMs in the Entity Hierarchy

Create a Risk Control Matrix

Add and Manage Objectives

Add and Manage Risks

Quantify Control Weight in a Risk

Link Financial Elements to Risks

Add and Manage Controls

Link Financial Elements to Controls

Add and Manage Tests

Configure your RCM

View Risk Matrix Links

Leverage RC Matrix Information from Library

Set Permissions for the Risk Control Matrix

Risk Control Matrix Quick Reports

Risk Event Analysis

Mass Update RCM Sub Objects