It’s the time of year when SOX departments have made their final push to ensure they receive a clean 404 opinion from auditors and are daydreaming about that piña colada they are going to have on the beach in a couple of weeks…only to have the clock reset and start all over from the beginning! As an auditor, there are specific steps you can take to increase production year-over-year, but with the help of TeamMate, becoming more efficient is made easier.
At the core of a SOX process sits the Risk and Control Matrix (RCM). Too many auditors neglect the importance of this document, and too many internal audit departments are not investing the time to evaluate their control environment. Having a well-documented environment with a mature RCM is not just a SOX tool. Many successful internal audit departments have at least one thing in common — a well-documented, mature RCM.
How do you know if your RCM is mature enough? You need to consider the objectives of the process and sub-process, the risks that could prevent you from achieving that objective, and the controls that would prevent those risks from being realized. With this achievable flow in mind, let us concentrate on a few high-level concepts: scoping, mapping, documenting, and testing.
Every RCM starts with a list of scoped-in processes and sub-processes. These are referred to as “Entities” in TeamMate terminology. Further, a set of Entities is a Dimension, and as part of the scoping process, we perform an analysis of which Entities are auditable and those that should be excluded. Once we have vetted our processes and sub-processes, we have the foundation to build our RCM.
We also would have considered other factors, such as which business units, locations, etc., fall within scope during the scoping exercise. With the scoping questions answered, we can begin mapping our objectives, risks, and controls to our process and sub-process. They can then be mapped to business units, locations, etc., with the goal of mapping through to a line item on the financial statements.
