Risk Control Matrix (RCM) :
The various risks, both at the financial statement level and at the process level which are assessed together with the controls relevant against the same can be documented in the form of a RCM, which is a comprehensive document which captures at one place, for each business cycle, the following information:
• The risks of material misstatement including the fraud risks and any other significant risks which must be separately identified.
• The account balances affected against each of the risks identified above.
• The financial statement assertions which are addressed for each of the above risks and accounts balances.
• The controls which address each of the risks and assertions. A control may address more than one risk or assertion as discussed earlier.
• The frequency of the control.
• Who is responsible for testing and reporting on the control and the document(s) which need to be prepared to evidence the exercise of the control.
An illustrative format of the RCM is given hereunder:
RISK CONTROL MATRIX——–BUSINESS CYCLE#
* Should also cover / address the responsibilities, frequency, and documentary evidence. The frequency could also be specified in separate column.
# The following are some of the common business cycles for which separate RCMs could be prepared, depending upon the nature of the entity’s business and the materiality of the particular process, which are relevant from the point of view of ICFR:
• Financial Closing and Reporting
• Bill to collect (Revenue and Receivables)
• Procure to Pay (Purchase / Expenses and Accounts Payables)
• Payroll
• Treasury
• Cash and Bank
• Fixed assets and Depreciation
• Taxation
• Lending
• Borrowing
• Deposits (Separately for Term Deposits and Current and Savings Accounts)
• Derivatives and FX
An important element in the preparation of the RCM is to understand the interplay between the business cycles and the related activities / processes and the account balances affecting the same, to the extent it impacts the financial reporting. Finally, the RCM should also help to identify controls which are relevant and not relevant.
Preparation of a RCM is one of the documentation methods for the Internal Control Framework and would assist in reporting on the operating effectiveness of Internal Financial Controls, wherever applicable. Further, whilst the preparation of the same is recommended by the Management as a part of its assessment of the design and operating effectiveness of the controls for Board Reporting, in terms of Section 134(5 (e) of the companies Act, 2013, in case the same is not prepared the auditor can use the same for testing the operating effectiveness of Internal Financial Controls over Financial Reporting. The Management should put in place a system to periodically test the effectiveness of the significant controls identified in the RCMs.