You are here

Steps in Preparing the Control Matrix

19 January, 2016 - 12:35

Control goals represent the first element of the matrix. The goals are listed across the top row of the matrix; they should be familiar to you from discussions in IT Governance: The Management and Control of Information Technology and Information Integrity. Indeed, in Figure 9.1, we have merely tailored the generic goals shown in Table 8.1  to Causeway’s cash receipts system. The tailoring involves:

  • Identifying operations process goals for a cash receipts process; we include only two examples here—namely,
    • Goal A—to accelerate cash flow by promptly depositing cash receipts.
    • Goal B—to ensure minimum cash balances are maintained in our depository bank.1

(Other possible goals of a cash receipts process would be shown as goals C, D, and so forth, and would be included at the bottom of the matrix.)

  • Listing the resources of interest in this process—namely, Causeway’s physical asset, cash, and an information resource, the accounts receivable master data.
  • Naming the information process inputs—namely, remittance advices representing cash receipts data.
  • Identifying the master data being updated in this system—namely, the accounts receivable master data.

In determining what operations process goals are appropriate for the operations process under review, you may find it helpful to first ask yourself, “What undesirable events might occur?” For example, in deciding on Causeway’s operations process goal of accelerating cash flow by promptly depositing cash receipts, we might have first speculated that there was a possibility that the mailroom could delay the processing of incoming payments, the cashier could hold endorsed checks for a time before taking them to the bank, and so forth. Noting these weak points can also be useful in deciding on recommended control plans, discussed next.

Recommended control plans, appropriate to the process being analyzed, represent the second element of the matrix. To illustrate, we list two representative plans for a cash receipts process such as Causeway’s in the left column of Figure 9.1. Each of these plans (and others) will be explained in THE “ORDER-TO-CASH” PROCESS: PART II, REVENUE COLLECTION (RC). Two other plans listed in Figure 9.1 are identified merely as plans 3 and 4.

In the body of the matrix, located at various intersections of goals and plans, are cells. Cells can have entries in them (P-1, P-2, M-1, M-2), or they can be left blank. Entries in cells represent the third element of the matrix. If a recommended control plan can help to achieve a control goal (i.e., there is a relationship between that plan and a particular goal), an entry—either a P or an M—should appear in that cell. A corresponding entry (e.g., P-1, M-2) is also made on the systems flowchart for purposes of cross-referencing. We refer to this technique as annotating a systems flowchart. The process of relating the plans listed in the matrix to the point where the plans can be located on the systems flowchart is illustrated in Figure 9.2, the annotated flowchart for Causeway. Take a few moments to trace the codes, P-1, P-2, M-1, and M-2, from Figure 9.1  to their locations in Figure 9.2. From the descriptions of plans P-1 and M-1 in Figure 9.1, do you agree with where we have put them in Figure 9.2? If not, check with your instructor.

Review Question

Describe the relationship between the control matrix and the systems flowchart. What does it mean to “annotate” the systems flowchart?

There are two types of entries that you can register in a cell. You can enter a “P,” which indicates that a particular control plan is present in the flowchart. For example, in Figure 9.1, the entries “P-1” and “P-2” indicate that those plans are present in Causeway’s system. A glance at the flowchart in Figure 9.2 shows the location of these plans. Alternatively, you can enter an “M,” which signifies that a particular, recommended control plan is missing (for example, entries “M-1” and “M-2” indicate that those plans are not present in Causeway’s system). Again, Figure 9.2 identifies the location of where these desirable, but missing, plans should be installed to control Causeway’s cash receipts process more effectively.

Because the control plans listed in the first column of the matrix are all recommendedplans, entering a “P” in a cell symbolizes a strength in the system. It depicts a control plan as contributing to the accomplishment of one or more control goals. For example, in Figure 9.1, the plan “Immediately endorse incoming checks” helps to ensure that the cash resource (customer checks) will not be misappropriated. We depict this relationship by entering a “P-1” in the cell where this plan intersects with the goal of ensuring security of resources. And as importantly, at the bottom of the matrix, we provide the fourth, and final, matrix element—the explanation of how this plan helps to achieve this particular goal. In this case, a restrictive endorsement on the check (i.e., “deposit only to the account of Causeway Company”) prevents it from being diverted to any other purpose. Of the four matrix elements, many people have the most difficulty in providing these explanations. Yet this element is the most important part of the matrix because the whole purpose of the matrix is to relate plans to goals. Unless you can explain the association between plans and goals, there’s a good possibility you may have guessed at the cell entry. Sometimes you’ll guess right, but it’s just as likely you’ll guess wrong. Be prepared to defend your cell entries.

Review Question

How could the matrix be used to recommend changes in the system in order to improve control of that system?

Entering “M” in a cell symbolizes a weakness in the system. It tells us that a system does not incorporate a particular control plan that may be necessary to ensure the accomplishment of a related control goal. For example, in Figure 9.1, notice that the recommended plan, “Immediately separate checks and remittance advices,” is missing from Causeway’s system. The explanation of cell entries in Figure 9.1  goes on to explain what goals would be achieved if this plan were present.

When your assessment leads you to the identification (and correction) of control weaknesses, you are fulfilling the fourth step of the control framework: recommending remedial changes to the system (if necessary) to correct deficiencies in the system.

In addition to telling you about the control strengths and weaknesses of a particular system, a completed matrix also facilitates evaluation from the perspectives of control effectiveness (are all the control goals achieved?), control efficiency (do individual control plans address multiple goals?), and control redundancy (are too many controls directed at the same goal?).

Review Question

How would the matrix be useful in evaluating control effectiveness, control efficiency, and control redundancy? Include in your answer a definition of these three terms.

Table 9.1 Steps in Preparing a Control Matrix

Step 1

Review the systems flowchart and related narrative description to become familiar with the system under examination. Identify the business process (e.g., cash receipts), the important, relevant resources (e.g., cash, accountants receivable master data), the input (e.g., the remittance advice), storage, if any, for the input data (e.g., cash receipts event data), and the master data being updated (e.g., accounts receivable master data).

Step 2

List the goals that are germane to the business process under examination. The goals must be tailored to the process under study. In the business process chapters (THE “ORDER-TO-CASH” PROCESS: PART I, MARKETING AND SALES (M/S)THE BUSINESS REPORTING (BR) PROCESS), we suggest a few typical goals.

Step 3

List a set of recommended control plans that is appropriate for the process being analyzed. The list could include both the plans related to the operations process (e.g., the cash receipts process) and those related to the information processing methods (e.g., data entry controls, batch controls). In Figure 9.1, we presented only two illustrative plans for Causeway’s system. Later, this chapter presents controls related to the processing methods and in the business process chapters, you see controls related to those processes.

Step 4

Examine the systems flowchart and related narrative description, looking for each of the control plans listed in the matrix in step 3. When you find an implemented control plan (i.e., a plan that is present), mark its location on the flowchart and cross-reference this information to the control matrix. Use “P-1” . . . “P-n” as identifiers. When you determine a control plan is missing, mark the location on the flowchart where it should be found and cross-reference this information to the control matrix. Use “M-1” . . . “M-n” as identifiers. As mentioned earlier, this information is used in completing step 4 of the control framework: recommending remedial action to correct deficiencies in the system. Figure 9.1 and Figure 9.2 illustrated the technique for cross-referencing the control matrix and systems flowchart.

Step 5

At the bottom of the control matrix, provide a short statement explaining how each existing control plan accomplishes each related control goal. Also provide a short statement explaining the significance of each missing control plan, in terms of each unmet control goal.

 

Table 9.1 summarizes the steps we have just undertaken in preparing the illustrative control matrix in Figure 9.1. Combined with the preceding discussion and illustration, the steps should be self-explanatory. You should take a fair amount of time now to study each of the steps and to make sure that you have a reasonable understanding of them.

Review Question

What are the five steps involved in preparing a control matrix?