Preparing a comprehensive risk and control matrix can help internal auditors focus on providing assurance on the key risks
By Hernan Murdock
March 27, 2017
Internal auditors must focus their reviews, prioritize what to audit, and concentrate on what matters most to the business. Since there are often insufficient resources to cover the entire audit plan, internal auditors can no longer conduct sprawling or unclear audits looking under every rock hoping to find something somewhere.
An audit is a complex undertaking that requires internal auditors to examine documents, speak with employees, observe business practices, and evaluate controls in business programs and processes. Given these dynamics, is there a document that organizes what needs to be understood and provides a clear roadmap for effective testing? Yes, there is. It's called the Risk and Control Matrix (RCM), and if you aren't taking the time to assemble one, you should.