Compliance | Finance | Tax & Accounting | March 09, 2021

Is my RCM mature enough?

It’s the time of year when SOX departments have made their final push to ensure they receive a clean 404 opinion from auditors and are daydreaming about that piña colada they are going to have on the beach in a couple of weeks…only to have the clock reset and start all over from the beginning! As an auditor, there are specific steps I can take to increase production year-over-year, but with the help of TeamMate, becoming more efficient is made easier.

At the core of my SOX process sits my Risk and Control Matrix (RCM). Too many auditors neglect the importance of this document, and too many internal audit departments are not investing the time to evaluate their control environment. Having a well-documented environment with a mature RCM is not just a SOX tool. Many successful internal audit departments have at least one thing in common — a well-documented, mature RCM.


How do I know if my RCM is mature enough? I need to consider the objectives of the process and sub-process, the risks that could prevent me from achieving those objectives, and the controls that would prevent those risks from being realized. With this achievable flow in mind, let us concentrate on a few high-level concepts: scoping, mapping, documenting, and testing.

Every RCM starts with a list of scoped-in processes and sub-processes. These are referred to as “Entities” in TeamMate terminology. Further, a set of Entities is a Dimension, and as part of the scoping process, we perform an analysis of which Entities are auditable and those that should be excluded. Once we have vetted our processes and sub-processes, we have the foundation to build our RCM.

We also would have considered other factors, such as which business units, locations, etc., fall within scope during the scoping exercise. With the scoping questions answered, we can begin mapping our objectives, risks, and controls to our process and sub-process. They can then be mapped to business units, locations, etc., with the goal of mapping through to a line item on the financial statements.

With the foundation in place, we need to document our objectives, risks, and controls. The good news is that TeamMate allows you to build these manually, or if you already have these documented, you can import them into the system all at once. Once I have my documented RCM in the system, I can use TeamStore to link all these objects together, which will allow me to build my mature RCM within my assessment. In addition to having a fully mapped mature RCM within my assessment, I can now attach design documentation to the controls so that my flowcharts and process narratives are readily available when I begin my walk-throughs and testing phases. Also, TeamMate provides for integrating control owners into the design phase. The control self-assessment feature sends self-assessments to the control owners for their assigned controls. It allows them to provide updates, submit updated narratives, and self-report issues, as needed. This means that I am not just building a mature RCM, I am reinforcing ownership of the controls.


Now that I have successfully utilized TeamMate to build a mature RCM that I can roll forward and update year-to-year, effectiveness testing is the last component to consider. TeamMate provides me with the ability to assign test steps to my controls and opine on the results. It also supports multiple testing phases, including remediation and validation testing, and provides for tracking of agreed-upon remediation.

In conclusion, TeamMate enables me to build a mature RCM that I can use in my SOX and internal audit process. Investing the time to design a mature, well-documented control environment puts me on a path for success. It has increased efficiencies within my SOX and audit life cycle.
Whether the external auditors have just provided a clean SOX 404 opinion and item 9a in our 10-K notes no material weaknesses, or I have just finished sign-off on an operational internal audit, my mature RCM will provide dividends for years to come -- including some extra time to sip my piña colada on a beach of my choice!

Curt Barnhill
Senior Consultant
Curt Barnhill is a Professional Services Consultant with Wolters Kluwer TeamMate. As a seasoned Internal Audit & SOX Expert with over 25 years of experience, he began his career with KPMG’s Long Island assurance team and was then part of PWC’s NYC Internal Audit Services practice. 