Using Control Matrix to Document Risks and Controls
There are many ways in which one can document controls. You can use flowcharts or simple process description documents to document controls and risks within a process. An alternative way of documenting controls is by using control matrices. Control matrices are an efficient way of understanding key controls that address specific risks. So what does a control matrix include? Ideally, a control matrix should include:
- A list of all the assertions and risks for an account or line item
- A list of all the key controls which address each assertion
- A mapping that relates the risks to the controls which address them
- The type of control (manual or automated)
- The frequency of the control (daily, monthly, weekly, yearly)
- The objective and significance of the control
So what is the use of documenting controls using control matrices? One significant advantage which I can see is that with control matrices one can quickly determine whether there is an identified risk for which there is no key control which addresses that risk. Using the control matrix, process owners can check whether the risk is in fact real or not. If the risk is real, a potential mitigating control can be designed. Absence of a control could mean a gap in internal control over financial reporting which should be remediated.
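The gap check described above can be run mechanically once the matrix is kept as data. The following is an added example, not part of the original post: the CSV column names, the `key` flag, the `analyse` function and every sample row are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample matrix: one row per risk/control pairing. A row with an
# empty control_id records a risk that was identified but has no control yet.
# Column names and the "key" flag are assumptions made for this example.
SAMPLE_MATRIX = """\
line_item,assertion,risk_id,risk,control_id,control,type,frequency,key
Revenue,Completeness,R1,Shipments not invoiced,C1,Shipping-to-billing reconciliation,manual,monthly,yes
Revenue,Accuracy,R2,Wrong price on invoice,C2,Price master edit check,automated,daily,yes
Revenue,Accuracy,R2,Wrong price on invoice,C3,Supervisor spot review,manual,weekly,no
Revenue,Cutoff,R3,Sales recorded in wrong period,,,,,
Receivables,Valuation,R4,Bad debts not reserved,C4,Aging review,manual,quarterly,no
"""

# Allowed values taken from the list in the post.
VALID_TYPES = {"manual", "automated"}
VALID_FREQUENCIES = {"daily", "weekly", "monthly", "yearly"}


def analyse(matrix_csv):
    """Return (gaps, errors): risk ids with no key control, and malformed rows."""
    key_controls = defaultdict(list)  # risk_id -> ids of key controls
    risks = {}                        # risk_id -> (line_item, assertion, risk)
    errors = []                       # (csv line number, message)
    reader = csv.DictReader(io.StringIO(matrix_csv))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        risks.setdefault(
            row["risk_id"], (row["line_item"], row["assertion"], row["risk"]))
        if not row["control_id"]:
            continue  # risk documented with no control at all
        if row["type"] not in VALID_TYPES:
            errors.append((line_no, f"unknown control type {row['type']!r}"))
        if row["frequency"] not in VALID_FREQUENCIES:
            errors.append((line_no, f"unknown frequency {row['frequency']!r}"))
        if row["key"] == "yes":
            key_controls[row["risk_id"]].append(row["control_id"])
    # A gap is any identified risk that no key control addresses.
    gaps = [risk_id for risk_id in risks if not key_controls[risk_id]]
    return gaps, errors


if __name__ == "__main__":
    gaps, errors = analyse(SAMPLE_MATRIX)
    print("Risks without a key control:", gaps)
    print("Rows to correct:", errors)
```

In the sample, R3 has no control at all and R4 is covered only by a non-key control, so both are reported for the process owner to confirm and remediate.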
2 comments
"- list all the assertions and risks for an account or line item"
Seems to be a catch 22 there, in order to understand how controls address risks, you must list those risks? This would be difficult, as the strength of your controls is an aspect of quantifying risk.
Maybe we shouldn't be using "risk" here, maybe we are identifying points of attack for a specific threat community?
I don't know, maybe I'm just jaded because I think audit level work stresses control over risk and process.
Will you please guide me with identifying a SOX certification centre in India?
Thanks
Sammir