Page 301 - COSO Guidance Book
Control matrixes
An early use of control matrixes was in the area of IT auditing. One type of control matrix lists exposures to risk in one column and controls to mitigate the listed exposures in another column. A cell is checked if a control is present to mitigate the corresponding exposure.
Another approach to a control matrix requires the identification of risks to the organization by listing these risks in one column and the controls to mitigate the risks in another column. Instead of placing a check mark in the cell to indicate if the control is present, the letter P is placed in the cell if the control is a preventive control and the letter D if the control is a detective control. Preventive controls are generally more cost-efficient and effective when compared with detective controls. Therefore, management and auditors place a high priority on preventive controls when assessing whether the system of internal control over financial reporting is reliable. Further, a single control may mitigate multiple risks.
Example 8-1
Assume the following system for credit sales at a retail store. A customer selects goods, takes them to a sales clerk at a point-of-sale register, and pays for the goods with a store-issued credit card. The clerk scans the barcode for each item and places the items in a shopping bag. The recorded items’ descriptions and prices are displayed on a small screen for the customer to observe during the recording process. The store has security cameras in place to observe all operations.

Signs located throughout the store indicate that the store has security cameras and that shoplifters will be prosecuted. The clerk receives a base salary and a commission on all sales.

The accounts-receivable system performs a routine to assess if the current amount of the sale, when added to the customer’s credit-account balance, exceeds the customer’s credit limit. If the credit limit is exceeded, then the customer must contact the store’s credit department for additional credit.
To use the control matrix approach, the exposures (risks) in the system must first be identified. There are several risks in this case. For example, the customer might be an imposter, a perpetrator who has either counterfeited or stolen a credit card. The barcode on the item might have been switched so that a less expensive item’s barcode was placed on a more expensive item. The clerk might be in collusion with the customer and place additional items that were not paid for in the shopping bag. There are other risks, but these will suffice for the illustration.

What are the controls? First, the clerk scans items at the point of sale. This permits prompt recording of the transaction. The item’s price is displayed on a small screen; the customer can observe whether he or she is being charged the proper amount. (The sales clerk works on commission and might not record discounts on marked-down items in order to increase his or her commission.) There is a camera to observe operations. If individuals know there is a security camera, as is indicated by signs throughout the store, then the camera is a preventive control. Stores that have cameras discreetly hidden with no notification of their
© 2020 Association of International Certified Professional Accountants. All rights reserved. 8-13
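Example 8-1 laid out as a control matrix, an added illustration that is not the book's own: the risks and controls named above become rows and columns, each cell holds P or D, and the helper methods pull out what the text says an auditor looks for (a risk with no control, a risk covered only by detective controls, and one control that mitigates several risks). Which control covers which risk, and its P or D classification, is this example's own reading of the narrative, not the book's answer.

```python
# Added example (not the book's): Example 8-1 as a risks-by-controls matrix. Which
# control covers which risk, and whether it is P or D, is this example's own reading.
from dataclasses import dataclass, field

P, D = "P", "D"  # preventive / detective, as in the text

@dataclass
class ControlMatrix:
    risks: list
    controls: list
    cells: dict = field(default_factory=dict)  # (risk, control) -> P or D

    def mark(self, risk, control, kind):
        if risk not in self.risks or control not in self.controls or kind not in (P, D):
            raise ValueError((risk, control, kind))
        self.cells[(risk, control)] = kind

    def controls_for(self, risk, kind=None):
        return [c for c in self.controls
                if (risk, c) in self.cells and kind in (None, self.cells[(risk, c)])]

    def unmitigated_risks(self):  # gaps an auditor would raise first
        return [r for r in self.risks if not self.controls_for(r)]

    def risks_without_preventive(self):  # covered only by detective controls
        return [r for r in self.risks
                if self.controls_for(r) and not self.controls_for(r, P)]

    def multi_risk_controls(self):  # one control mitigating several risks
        return [c for c in self.controls
                if sum((r, c) in self.cells for r in self.risks) > 1]

    def render(self):  # rows = risks, columns = controls, '-' = no mitigation
        w = max(map(len, self.risks))
        out = [" " * w + " | " + " | ".join(self.controls)]
        for r in self.risks:
            row = [self.cells.get((r, c), "-").center(len(c)) for c in self.controls]
            out.append(r.ljust(w) + " | " + " | ".join(row))
        return "\n".join(out)

def example_8_1():
    m = ControlMatrix(
        risks=["imposter with stolen card", "barcode switched", "clerk bags unpaid items",
               "clerk omits markdowns", "sale exceeds credit limit"],
        controls=["POS scan", "price display", "camera + signs", "credit-limit check"])
    m.mark("barcode switched", "camera + signs", P)      # signs make the camera preventive
    m.mark("clerk bags unpaid items", "camera + signs", P)
    m.mark("clerk omits markdowns", "price display", D)  # customer spots the overcharge
    m.mark("sale exceeds credit limit", "credit-limit check", P)
    return m
```

Printing `example_8_1().render()` gives the matrix in the layout the text describes; the query methods are what turn it into audit findings.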