Can an auditor build a risk-control matrix without taking ownership of management's controls?
Yes. The auditor can build an audit working version of a risk-control matrix to plan and document the engagement. That is different from designing management's control framework, and the distinction should be visible in the workpapers and in the report.
An audit working matrix says, in effect, "Based on walkthroughs and evidence, this is how internal audit understood the objective, risk, expected control, actual practice, owner, and evidence." Management still must decide whether the controls are accurate, sufficient, approved, and sustainable. If management wants a formal control inventory, the recommendation should require management to create, approve, and maintain it.
Objectivity is more exposed if internal audit selects the control response, writes the policy as its owner, or operates the monitoring process. A safer advisory role is to facilitate discussion, provide examples of good criteria, document the decisions management makes, and decline later assurance work on the same area unless safeguards are in place.