ndsadvisors.com

RCM · IFC / ICFR · COSO Framework

Risk Control Matrix (RCM) — every risk, every control, mapped.

RCM design, IFC and ICFR documentation, Test of Design and Test of Operating Effectiveness, and process-level controls mapping — built on the COSO framework and aligned with Section 143(3)(i) of the Companies Act, 2013.

Every business runs on a web of controls — approvals, reconciliations, segregation of duties, system-enforced limits, periodic reviews. Most of the time, no one writes them down. They live in people's heads, in ERP configurations, in habits built over years. That works fine until something breaks, a key person leaves, the auditor asks for IFC documentation, or a regulator opens a query. By then, recreating the picture from memory is slow, incomplete, and expensive.

A Risk Control Matrix changes that. It takes the invisible control fabric of the business and turns it into a structured, testable, auditable document. Every key process — order-to-cash, procure-to-pay, payroll, fixed assets, inventory, tax, financial close — is broken down into risks, each risk is mapped to the control that addresses it, and each control is described, owned, and tested. The RCM becomes the live blueprint of how the company is actually run.

We design and implement RCMs for listed companies preparing IFC / ICFR documentation under Section 143(3)(i), for unlisted companies above the threshold, for NBFCs and financial services firms, and for growing businesses readying themselves for fundraising, acquisition, or IPO. Our approach is COSO-aligned, audit-ready, and practical — built so that the finance and operations teams using it actually find it useful, not burdensome.

Risk & Control Services We Offer

01. Risk Control Matrix Design

End-to-end RCM design covering risk identification, control mapping, control attributes, and ownership — at process and entity level.

02. IFC / ICFR Documentation

Full Internal Financial Controls and ICFR documentation aligned with Section 143(3)(i) — process narratives, flowcharts, and RCM combined.

03. Process-Level RCM

Detailed process-level RCMs across O2C, P2P, payroll, inventory, fixed assets, treasury, taxation, and financial close cycles.

04. Test of Design (ToD)

Evaluation of whether each control, as designed, is capable of preventing or detecting the risk it is meant to address.

05. Test of Operating Effectiveness (ToE)

Sample-based testing of whether controls actually operated as designed during the period — with evidence, exceptions, and conclusions.

06. Entity-Level Controls (ELC)

Documentation and assessment of governance, ethics, risk culture, IT general controls, and other entity-level controls under COSO.

07. RCM Refresh & Update

Annual or event-triggered refresh of existing RCMs — updating for new processes, ERP changes, regulatory shifts, or organisational restructure.

08. RCM Training & Workshops

Workshops for finance, operations, and internal audit teams on RCM usage, control testing, and integration with internal audit planning.

Our RCM Implementation Process

1. Business Understanding

Walk-throughs with process owners, ERP review, prior audit reports, and identification of in-scope business cycles and locations.

2. Risk Identification

Risk register at process level — what could go wrong, financial reporting impact, likelihood, and operational consequence.

3. Control Mapping

For each identified risk, document the existing control — type (preventive/detective), nature (manual/automated), frequency, and owner.

4. RCM Drafting

Structured RCM workbook by process, with attributes, references to evidence, and links to process narratives and flowcharts.

5. Testing & Validation

Test of Design and Test of Operating Effectiveness, with exception reporting, remediation plan, and final IFC / ICFR conclusion.

Why RCM Implementation Matters

IFC / ICFR compliance under Section 143(3)(i)
Clean and defensible internal audit programme
Audit-ready control documentation
Reduces fraud and financial reporting risk
Standardises processes across locations
Faster, smoother statutory audits
Investor and board reporting confidence
Fundraising and IPO-ready governance

Frequently Asked Questions

A Risk Control Matrix is a structured document that maps every key risk in a business process to the controls designed to mitigate it. For each risk, the RCM captures the control description, control owner, frequency (daily, monthly, etc.), preventive or detective nature, manual or automated, and how the control is tested. It is the foundational document for Internal Financial Controls (IFC) and Internal Controls over Financial Reporting (ICFR) compliance.

RCM documentation is essential for every listed company and for unlisted public and private companies subject to IFC reporting under Section 143(3)(i) of the Companies Act, 2013. It is also commonly maintained by NBFCs, banks, insurance companies, large family-run businesses preparing for fundraising or listing, and any organisation that wants a structured view of where its operational and financial reporting risks sit and how they are being managed.

Under Section 143(3)(i) of the Companies Act, 2013, the auditor of every applicable company must report on the adequacy and operating effectiveness of Internal Financial Controls over Financial Reporting. To do this, the company must document its risk and control framework — typically through an RCM — covering entity-level controls, IT general controls, and process-level controls across order-to-cash, procure-to-pay, payroll, fixed assets, inventory, tax, and financial close cycles.

Test of Design (ToD) evaluates whether the control, as designed, is capable of preventing or detecting the risk it is meant to address. It looks at the control's logic, approval flow, segregation of duties, and timing. Test of Operating Effectiveness (ToE) evaluates whether the control actually operated as designed during the period under review — usually through sample testing of evidence such as approvals, reconciliations, and exception logs.

The RCM is the foundation on which an effective internal audit programme is built. It defines what controls exist, who owns them, and how they should operate — giving the internal audit team a clear basis for risk-based audit planning, sample selection, exception reporting, and follow-up. Without an RCM, internal audit tends to be ad-hoc; with one, it becomes structured, repeatable, and aligned to financial reporting risk.

The COSO Internal Control — Integrated Framework is the most widely adopted basis for designing and evaluating internal controls globally, and is the reference framework used in IFC / ICFR documentation in India. It identifies five components — control environment, risk assessment, control activities, information and communication, and monitoring — and 17 principles. A well-designed RCM addresses all five components and maps process-level controls back to relevant COSO principles.

An RCM should be reviewed at least annually as part of the financial reporting cycle, and updated whenever there are significant changes — new processes, new ERP systems, organisational restructuring, expansion into new business lines, regulatory changes, or material control failures. The annual refresh ensures that the RCM remains a live document that reflects the actual control environment rather than becoming a stale historical record.

Yes. While IFC reporting is most rigorous for listed companies, unlisted companies that cross prescribed thresholds also have IFC obligations. Even where no statutory obligation applies, family-run businesses, growing startups, and companies preparing for fundraising or IPO benefit significantly from an RCM. It surfaces hidden risks, strengthens succession-readiness, and gives founders structured visibility into how their business actually operates.

Build Your Risk Control Matrix

Talk to our team about designing or refreshing your RCM, completing IFC / ICFR documentation, and running Test of Design and Operating Effectiveness — all in time for your next statutory audit.

Talk to a Controls Expert or call +91 9819 000 511