
Task 4 - Risk Control Matrix Template

The document outlines a Risk Control Matrix for the purchasing process, detailing ten example controls and identifying weaknesses in the current system. Key controls include automated form field validation and compliance training, while weaknesses highlight issues such as incorrect reviewer assignments and lack of vendor vetting. Recommendations for improvement include enforcing pre-approval checkpoints and formal onboarding processes for new vendors.

Uploaded by Dhir Sonu

Risk Control Matrix Template

a) Purchasing Process Controls

Note: The below control references (e.g., C1, C2, C3) should correspond to the green circles shown within your drafted process flow. (Remember, green circles in this process flow exercise show that a control exists over the process shown.)

The below template is set up for 10 controls simply as an example, so you are free to use more or fewer controls.

Note: Create a concise and unique control name for each control identified.

Note: Provide a detailed narrative of how the control is designed and functions (e.g., when and how the control is performed).

Control # | Control Name | Control Description
C1 | Form Field Validation (automated) | The Purchase Request Portal includes a built-in control that automatically checks whether all required fields (e.g., requestor, role, level, date, type, vendor, estimated value) have been completed before allowing submission.
C2 | Direct Supervisor Routing Based on Org Chart | Upon submission, the Purchase Request Portal references the most current organizational chart to route the request to the appropriate direct supervisor for review and approval.
C3 | Locking of Approval Decision | Once a purchase request is approved or denied, the system automatically locks the record, preventing any further edits or backdating of decisions.
C4 | Compliance via Employee Training & Policy Attestation | All employees are required to complete annual training and acknowledge understanding of the Purchasing Policy, which mandates that purchases above threshold values must receive prior documented approval.
C5 | Permanent Archival of Records | The Purchase Request Portal archives all approval and denial records permanently. Archived records are accessible by the employee and the reviewer and are locked from editing.
C6 | |
C7 | |
C8 | |
C9 | |
C10 | |

Note: Based on the walkthrough, the client contact directed some of our questions to the Internal Audit and IT teams. Based on those follow-ups, any additional controls identified should be added to the above listing.

b) Purchasing Process Control Weaknesses

Note: The weaknesses outlined below are per procedures performed during Task 1 (test of control details) and Task 3 (purchasing process walkthrough).

Note: Provide a detailed narrative of how the current control design allowed an exception to the designed purchase process to exist.

Control Weakness # | Finding | Control Description
Control Weakness 1 | Incorrect Reviewer Assignment by Purchase Request Portal | A control should exist to ensure that the organizational chart within the Purchase Request Portal is reviewed and updated promptly after any personnel changes (e.g., promotions, reassignments). The HR Department must communicate changes to the IT Department, which is responsible for applying the updates in the portal within five business days, followed by documented validation testing.
Control Weakness 2 | Purchase Made Prior to Required Pre-Approval | Although the Purchasing Policy and employee training require pre-approval, there should be a system-enforced checkpoint or periodic exception review to detect non-compliant purchases. A reporting mechanism that flags purchases initiated without an associated approval in the portal could strengthen enforcement.
Control Weakness 3 | No Vendor Vetting Process | A control should be implemented requiring that new vendors undergo a formal onboarding and conflict-of-interest vetting process before being accepted for use. This process should include validation of vendor legitimacy, a review for related-party concerns, and periodic vendor evaluations.
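The exception report recommended under Control Weakness 2 (purchases above the threshold with no prior documented approval in the portal), as an added illustration that is not part of the template: the threshold figure, record fields and sample purchases and approvals are all constructed here, since the template names none.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed threshold: the Purchasing Policy only says "threshold values" without a figure.
APPROVAL_THRESHOLD = 5000.0

@dataclass
class Purchase:
    purchase_id: str
    amount: float
    purchase_date: date
    approval_ref: Optional[str]  # portal request ID cited on the purchase, if any

@dataclass
class Approval:
    request_id: str
    decision: str  # "approved" or "denied", as locked in the portal (C3)
    decision_date: date

def flag_exceptions(purchases, approvals, threshold=APPROVAL_THRESHOLD):
    """Return (purchase_id, reason) pairs for above-threshold purchases lacking prior approval."""
    by_id = {a.request_id: a for a in approvals}
    findings = []
    for p in purchases:
        if p.amount <= threshold:
            continue  # policy requires prior approval only above the threshold
        a = by_id.get(p.approval_ref) if p.approval_ref else None
        if a is None:
            findings.append((p.purchase_id, "no associated approval in portal"))
        elif a.decision != "approved":
            findings.append((p.purchase_id, f"linked request {a.request_id} was {a.decision}"))
        elif a.decision_date > p.purchase_date:
            findings.append((p.purchase_id, "approval dated after purchase (not pre-approval)"))
    return findings

# Constructed sample records for the exception report.
APPROVALS = [
    Approval("REQ-101", "approved", date(2024, 3, 1)),
    Approval("REQ-102", "denied", date(2024, 3, 2)),
    Approval("REQ-103", "approved", date(2024, 3, 20)),
]
PURCHASES = [
    Purchase("PO-1", 7500.0, date(2024, 3, 5), "REQ-101"),   # compliant
    Purchase("PO-2", 1200.0, date(2024, 3, 6), None),        # below threshold, not in scope
    Purchase("PO-3", 9000.0, date(2024, 3, 7), None),        # no approval at all
    Purchase("PO-4", 6000.0, date(2024, 3, 8), "REQ-102"),   # linked request was denied
    Purchase("PO-5", 8000.0, date(2024, 3, 10), "REQ-103"),  # approved only after the purchase
]
```

Run `flag_exceptions(PURCHASES, APPROVALS)` to list PO-3, PO-4 and PO-5 with their reasons; the third check is what distinguishes a genuine pre-approval from an approval recorded after the fact.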
