ABSTRACT

The Risk-Control Matrix (RCM) is a tool used primarily to document business objectives, risks, and controls. It provides a centralized repository of this information so that internal auditors can better understand the links between these three components. Risks are often rated on a three-point scale of High, Medium, and Low. It is important to record the name and position of the owner of each control, especially for controls that mitigate high risks. The risk owner is the individual with the knowledge, resources, and authority to be responsible for managing and monitoring the identified risk. Internal auditors should use a risk-based, top-down approach to testing and focus on the controls related to important risks, those whose failure would significantly jeopardize the achievement of business objectives. The RCM gathers information on the business objectives, risks, controls, and audit steps pertaining to the area being audited.