Your Risk and Control Matrix – How much is too much?
By Randal Slifer, Manager, Assurance Services
Many organizations treat the development of a risk control matrix (RCM) as a one-time exercise, as inherent process risks rarely change. What these organizations sometimes overlook is that the control environment evolves constantly due to changes in applications, reassignment of control activities, or reorganization of personnel involved in performing control activities. These changes may lead to overlapping controls, or may expose new control gaps.
Too much of a good thing?
Let’s assume, for a moment, that we can all agree that pizza is good, and chocolate is good. Can we then deduce that chocolate-covered pizza is good? No? Controls can be viewed in the same manner. For control-minded individuals, there may be a bias toward adding controls—i.e., “This control is good, but it would be even better with another layer of controls.” While this attitude is certainly valid when considering potential control breakdowns, it isn’t always the proper approach. Overlapping controls may lead to operational inefficiency due to the time and expense required to administer, monitor and test the control. For these reasons, it’s worth reviewing your RCM on a regular basis to ensure that your control framework maintains its effectiveness and facilitates the development of efficient audit testing programs.
Is that a forest, or simply many trees?
Because the RCM provides the foundation for your controls testing activities, it may be beneficial to seek an external review. An independent reviewer can assist in this process by challenging assertions and assumptions without being swayed by the bias of being “too familiar” with a particular process. To demonstrate how Marcum assists clients in this process, I have prepared a brief example which I’ll use to demonstrate the RCM review steps.
What does the RCM review entail?
Starting with the client’s existing RCM, the first step is a cursory review of the listed controls and risks. It’s important to note at this point that a control isn’t really a control without a specific action (e.g., monitor, verify, review). If a listed control is a simple statement, such as “All journal entries comply with corporate policy,” it should be updated to state how this compliance is tested. For example, “All journal entries are reviewed by the controller for policy compliance and are approved prior to posting” is a stronger control because it assigns the specific actions of review and approval to a specific individual—the controller in this instance. For the review of risks, a basic understanding of the process is required to assess whether the stated modified risk ranking is reasonable. For example, a highly manual process naturally carries a greater fraud risk because of the possibility of collusion between two employees involved in applying the control.
The next step is to consider the identified controls for each risk, with comments added for any requests for clarification, or for any recommendations. Items to consider are the relevance of the stated control for each risk, recommendations on how to strengthen the control description, and possibly the addition or removal of controls as appropriate. The example below shows the reviewer’s comments, which are then shared with the client for their input.
The final step is to identify key controls and secondary controls for each risk. Using the explanations provided by the client in the prior step, I’ll identify the key control by highlighting the control in red, the second-most critical control in orange, and all other relevant controls in yellow. In the final version shown below, note that Control J has been eliminated from the matrix, as there are no listed risks that the control mitigates.
I would also recommend that the client consider eliminating Controls B and D. Those controls carry only yellow highlights, which means that other, more effective controls exist to mitigate the same risks.
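As an added illustration (not part of the original article or Marcum’s methodology), the following Python sketch encodes the final review step over a constructed risk/control mapping: the risk names, control letters and colour rankings are hypothetical and were chosen to reproduce the Control J and Controls B/D outcomes described above.

```python
# Reviewer rankings per risk, using the article's highlight colours.
KEY, SECONDARY, OTHER = "red", "orange", "yellow"
ORDER = [KEY, SECONDARY, OTHER]  # strongest role first

# Constructed sample RCM: risk -> {control id: ranking for that risk}.
# Hypothetical data, not the client matrix from the article.
SAMPLE_RCM = {
    "R1 Unauthorized journal entries posted":    {"A": KEY, "B": OTHER, "C": SECONDARY},
    "R2 Period-end accruals misstated":          {"C": KEY, "D": OTHER, "E": SECONDARY, "B": OTHER},
    "R3 Vendor master changed without approval": {"F": KEY, "G": SECONDARY, "D": OTHER},
}
# Every control listed in the matrix; "J" is listed but mapped to no risk.
SAMPLE_CONTROLS = {"A", "B", "C", "D", "E", "F", "G", "J"}


def review_rcm(rcm, controls):
    """Apply the final review step: drop controls that mitigate no listed risk,
    flag controls that are never key or secondary anywhere, and flag risks
    that lack a single key control."""
    mapped = {c for ranks in rcm.values() for c in ranks}
    eliminate = sorted(controls - mapped)  # mitigates nothing (like Control J)

    best = {}  # strongest role each control plays across all risks
    for ranks in rcm.values():
        for control, rank in ranks.items():
            best[control] = min(best.get(control, OTHER), rank, key=ORDER.index)
    # Only ever yellow: other controls cover each of its risks better (like B and D).
    review_for_removal = sorted(c for c, r in best.items() if r == OTHER)

    # Each risk should have exactly one key control; anything else needs attention.
    key_count = {risk: list(ranks.values()).count(KEY) for risk, ranks in rcm.items()}
    risks_without_key = sorted(r for r, n in key_count.items() if n == 0)
    risks_with_many_keys = sorted(r for r, n in key_count.items() if n > 1)

    return {
        "eliminate": eliminate,
        "review_for_removal": review_for_removal,
        "risks_without_key": risks_without_key,
        "risks_with_many_keys": risks_with_many_keys,
    }


if __name__ == "__main__":
    for finding, items in review_rcm(SAMPLE_RCM, SAMPLE_CONTROLS).items():
        print(f"{finding}: {items}")
```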
As mentioned earlier, the review of your organization’s RCM should not be viewed as a one-time activity, since a regular review may lead to strengthened controls or allow you to maximize the efficiency of your control activities.