Big4Guy

Welcome to Big4Guy.com. Big4Guy is an online resource where I will share with you the latest news, insights, knowledge and some experiences as a Big 4 consultant. We will discuss some of the important issues which organisations are facing today in the areas of information security, security and controls in SAP R/3, Oracle Applications, J.D. Edwards, PeopleSoft and various other ERPs. You will also find information on the latest compliance regulations like Sarbanes Oxley, Basel II and so on. Big4Guy will also attempt to provide valuable resources for individuals interested in examinations such as the CISA, CISM, CISSP, PMP and various other security certifications considered essential for entry into any Big 4 accounting, auditing and consulting firm. You are invited to post your comments and viewpoints on posts here. I sincerely hope this online journal will be useful to everyone from a budding student to a professional in the accounting, auditing, management and consultancy professions.
There are many ways in which one can document controls. You can use flowcharts or simple process description documents to document the controls and risks within a process. An alternative way of documenting controls is to use control matrices. Control matrices are an efficient way of understanding the key controls that address specific risks. So what does a control matrix include? Ideally, a control matrix should include:
- A list of all the assertions and risks for an account or line item
- A list of all the key controls which address each assertion
- A mapping that relates the risks to the controls which address them
- Type of control (manual or automated)
- Frequency (daily, monthly, weekly, yearly)
- Objective and significance of the control
So what is the use of documenting controls using control matrices? One significant advantage which I can see is that with control matrices one can quickly determine whether there is an identified risk for which there is no key control which addresses that risk. Using the control matrix, process owners can check whether the risk is in fact real or not. If the risk is real, a potential mitigating control can be designed. Absence of a control could mean a gap in internal control over financial reporting which should be remediated.
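The gap check described above can be run mechanically once the matrix is kept as structured data. The following is an added example, not part of the original post: the CSV layout, the `key` column, the sample accounts, risks and controls, and the function names are all assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample control matrix (accounts, risks and controls are illustrative).
# The "key" column is an assumption: it marks whether a control is a key control.
SAMPLE = """account,assertion,risk,control,key,type,frequency
Revenue,Completeness,Shipments not invoiced,Shipped-not-billed report review,yes,manual,daily
Revenue,Accuracy,Wrong price on invoice,Price pulled from price master,yes,automated,daily
Revenue,Cut-off,Sale recorded in wrong period,,,,
Payables,Existence,Payment to fictitious vendor,Vendor master change review,no,manual,monthly
Payables,Accuracy,Duplicate invoice paid,Duplicate invoice check,yes,automated,montly
"""

TYPES = {"manual", "automated"}
FREQUENCIES = {"daily", "weekly", "monthly", "yearly"}


def load_matrix(text):
    """Parse the matrix into a list of dicts, one per risk/control pairing."""
    return list(csv.DictReader(io.StringIO(text)))


def find_gaps(rows):
    """Return (account, assertion, risk) tuples that no key control addresses."""
    risks, covered = [], set()
    for row in rows:
        risk = (row["account"], row["assertion"], row["risk"])
        if risk not in risks:
            risks.append(risk)
        if row["control"].strip() and row["key"].strip().lower() == "yes":
            covered.add(risk)
    return [risk for risk in risks if risk not in covered]


def find_invalid(rows):
    """Return (control, field, value) for controls with an unrecognised type or frequency."""
    problems = []
    for row in rows:
        if not row["control"].strip():
            continue  # risk listed without a control: reported by find_gaps instead
        for field, allowed in (("type", TYPES), ("frequency", FREQUENCIES)):
            if row[field].strip().lower() not in allowed:
                problems.append((row["control"], field, row[field]))
    return problems


if __name__ == "__main__":
    rows = load_matrix(SAMPLE)
    for account, assertion, risk in find_gaps(rows):
        print(f"GAP: {account} / {assertion}: {risk}")
    for control, field, value in find_invalid(rows):
        print(f"INVALID: {control}: {field}={value!r}")
```

A risk covered only by a non-key control is reported as a gap, matching the post's definition of a risk with no key control addressing it.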