Control Matrix 2805

  • Facing problems in maintaining Control Matrix.
    How exactly it should look like and what are the key fields which need to be part of the Control matrix?
    Any help is appreciated 😛

  • There is no standard or mandated format for the matrix.
    I would suggest that it include the following information -
    Identified risk
    Control that covers the risk
    FS assertion related to the risk
    Risk level (low, medium, high)
    Who performs the control
    Frequency with which the control is performed
    Whether the control type is prevent or detect
    Whether the control is manual or automated or a combination
    Accounts covered by the control (BS and IS)
    There are probably other attributes that can be added to this list. This is what we have in our control matrices.

Log in to reply