risk control matrix
ComplianceMarch 09, 2021

Is my RCM mature enough?

It’s the time of year when SOX departments have made their final push to ensure they receive a clean 404 opinion from auditors and are daydreaming about that piña colada they are going to have on the beach in a couple of weeks…only to have the clock reset and start all over from the beginning! As an auditor, there are specific steps you can take to increase production year-over-year, but with the help of TeamMate, becoming more efficient is made easier.

At the core of a SOX process sits the Risk and Control Matrix (RCM). Too many auditors neglect the importance of this document, and too many internal audit departments are not investing the time to evaluate their control environment. Having a well-documented environment with a mature RCM is not just a SOX tool. Many successful internal audit departments have at least one thing in common — a well-documented, mature RCM.


How do you know if your RCM is mature enough? You need to consider the objectives of the process and sub-process, the risks that could prevent you from achieving that objective, and the controls that would prevent those risks from being realized. With this achievable flow in mind, let us concentrate on a few high-level concepts: scoping, mapping, documenting, and testing.

Every RCM starts with a list of scoped-in processes and sub-processes. These are referred to as “Entities” in TeamMate terminology. Further, a set of Entities is a Dimension, and as part of the scoping process, we perform an analysis of which Entities are auditable and those that should be excluded. Once we have vetted our processes and sub-processes, we have the foundation to build our RCM.

We also would have considered other factors, such as which business units, locations, etc., fall within scope during the scoping exercise. With the scoping questions answered, we can begin mapping our objectives, risks, and controls to our process and sub-process. They can then be mapped to business units, locations, etc., with the goal of mapping through to a line item on the financial statements.

View a demo

With the foundation in place, we need to document our objectives, risks, and controls. The good news is that TeamMate allows you to build these manually, or if you already have these documented, you can import them into the system all at once. Once RCM is documented in the system, you can use TeamStore to link all these objects together, which will allow you to build mature RCM within your assessment. In addition to having a fully mapped mature RCM within your assessment, you can now attach design documentation to the controls so that flowcharts and process narratives are readily available when you begin walk-throughs and testing phases. Also, TeamMate provides for integrating control owners into the design phase. The control self-assessment feature sends self-assessments to the control owners for their assigned controls. It allows them to provide updates, submit updated narratives, and self-report issues, as needed. This means that you are not just building a mature RCM, you are reinforcing ownership of the controls.


Now that you have successfully utilized TeamMate to build a mature RCM that you can roll-forward and update year-to-year, effectiveness testing is the last component to consider. TeamMate provides you with the ability to assign test steps to your controls and opine on the results. It also supports multiple testing phases, including remediation and validation testing, and provides for tracking of agreed-upon remediation.

In conclusion, TeamMate enables you to build a mature RCM you can use in your SOX and internal audit process. Investing the time to design a mature, well-documented control environment puts you on a path to success. It has increased efficiencies within the SOX and audit life cycle.


Whether the external auditors have just provided a clean SOX 404 opinion and item 9a in our 10-K notes no material weaknesses, or you have just finished sign-off on an operational internal audit, your mature RCM will provide dividends for years to come -- including some extra time to sip a piña colada on a beach of your choice!

Subscribe below to receive monthly Expert Insights in your inbox

For auditors who are challenged to improve audit productivity while delivering strategic insights, TeamMate provides expert solutions, delivered with premium professional services, to auditors around the globe and in every industry.
Back To Top