
Tools On Evaluating Controls

The document discusses tools for evaluating controls and risk management. It defines controls and describes how controls should be adequate, effective, and efficient. It then focuses on heat maps, explaining that heat maps are a visualization tool used to organize and communicate key risks. Heat maps classify risks by impact and likelihood, typically using a red, yellow, green color scheme. The document outlines an eight-step process for creating an effective heat map and also discusses how risk and control matrices can be used to match risks to controls.

Uploaded by

Aira Dacillo

TOOLS ON EVALUATING CONTROLS

Controls Definition
Any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
Controls must be:
A. Adequate
B. Effective
C. Efficient
Adequate Controls
• Planned
• Organized
• Designed
Effective controls
• Directing
• Executing
• Implementing
Efficient
• Less cost and effort
• May mitigate multiple risks
Heat Map?
A visualization tool to help organize, define, and quickly communicate key risks.
• An indispensable tool in any risk management toolbox that can help cut through the complexity.
• Risk heat maps are a common part of an ERM (enterprise risk management) approach to risk management.
• COSO promotes the use of a risk matrix or heat map to focus management’s attention on the most important threats and opportunities and to lay the groundwork for risk responses.

Source: https://internalaudit360.com/how-internal-audit-can-better-convey-risk-using-a-heat-map/
Heat Map?
• A two-dimensional representation of data in which values are typically represented by colors (often red, green, and yellow). Heat maps can range in complexity from simple (for example, showing qualitative risks only) to more complex (including qualitative and quantitative risks).
Heat Map?
• In the risk assessment process, visualizing risks on a heat map presents a concise, big-picture view of the full risk landscape to discuss while making decisions about the likelihood and impact of risks within the company.
Heat Map?
According to Norman Marks, risk expert:
“a heat map can be an important tool to communicate risk within an organization.”
“A heat map is very effective in communicating which risks rate highest when you consider their potential impact and the likelihood of that impact.”
Heat Map Illustration
• It’s important for the organization to create a common language around discussions of risk.
• Terms like “potential impact” and “likelihood” need to be defined and used throughout the organization and in the design of the heat map, so that everyone is on the same page in discussions of risk.
Heat Map Illustration
• It also requires a common understanding of the risk appetite of the organization.
• Organizations use a variety of ways to identify entity-wide risks, including:
• Surveys
• Workshops
• Interviews
• Risk factors in financial reports
Heat Map Illustration
• A typical risk heat map will show risks plotted on a graph with:
“Potential impact” on the vertical axis at left. It contains a minimum of 3 categories, as follows:
a. High
b. Medium
c. Low
“Likelihood” plotted on the horizontal axis along the bottom. It contains a minimum of 3 categories, as follows:
a. Low
b. Moderate
c. High
Eight Steps in Creating a Risk Heat Map
1. Define the scope
2. Create a common language
3. Gather the necessary data
4. Score the risks
5. Plot the points and create the map
6. Assess the relative placement of individual risks
7. Gather feedback
8. Refine and update the map
1. Define the scope
• Decide on the scope of the map you want to create.
• It can be a simple 3×3 matrix with three colors for high, medium, and low, or it can be a complex affair with layers based on types of risk, several categories on each axis, multiple shades depending on risk scores, lines that follow how risks have changed over time, and more.
2. Create a common language
• Terms like “likelihood,” “impact,” and “onset speed” need to be defined and used in the same way throughout the organization.
• It’s also a good idea to give the rankings along the axes quantitative ranks, such as percentage ranges or scale ratings (for example, 1 out of 5 for “low”).
3. Gather the necessary data
• A risk heat map should be built after a solid risk assessment process is completed, so the data should already be there.
• You may be consolidating data from several departments or functions, in which case you need to ensure that the assessments were done in the same way and that duplication is eliminated.
4. Score the risks
• Score on likelihood, impact, and any other factors you want on the map, according to the agreed scope.
• It’s important that process owners and those who “own the risk” drive the risk scoring process, since they are closest to it, with help from the second and third lines of defense.
5. Plot the points and create the map
• The actual mapping of risks is fairly easy once the data is gathered and consensus is achieved on scores.
• Use a simple application, such as Excel, at first and for simple maps.
6. Assess the relative placement of individual risks
• Check whether a risk that is clearly more severe in terms of impact and has a higher likelihood has somehow ended up in a “safer” quadrant than a far more benign risk.
7. Gather feedback
• The feedback and consensus process starts again with the whole map in view, and adjustments are made to fix outliers and errors and to reflect the relative scores of each risk.
8. Refine and update the map
• Use the feedback to make adjustments to the map, then create the process for updating the map and ensuring that it is a living document.
• It can be an annual process to coincide with the risk assessment that is completed as part of the audit planning stage.
• It can also be updated on a quarterly, monthly, or more frequent basis.
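The scoring, plotting and placement-check steps above, carried through on constructed data as an added example (not code from the slide deck or the cited article): scored risks are banded onto the 3×3 axes, coloured red/yellow/green, and the step-6 check flags any risk that scores at least as high as another on both axes yet lands in a safer cell. The 1-5 scale, band cut-offs, colour tables and sample risks are all assumptions.

```python
# Added example, not from the slide deck: plot scored risks on a 3x3 heat map
# (step 5) and run the step-6 placement check. The 1-5 scale, band cut-offs,
# colour tables and sample risks are all constructed assumptions.

IMPACT_BANDS = ("Low", "Medium", "High")        # vertical axis, as in the deck
LIKELIHOOD_BANDS = ("Low", "Moderate", "High")  # horizontal axis, as in the deck
SEVERITY = {"green": 0, "yellow": 1, "red": 2}  # traffic-light ordering

def band(score, labels):
    """Collapse a 1-5 score onto three categories: 1-2 low, 3 middle, 4-5 high."""
    if not 1 <= score <= 5:
        raise ValueError(f"score {score} is outside the agreed 1-5 scale")
    return labels[0] if score <= 2 else labels[1] if score == 3 else labels[2]

# Agreed colour per (impact band, likelihood band) cell.
COLOUR = {
    ("High", "High"): "red", ("High", "Moderate"): "red", ("High", "Low"): "yellow",
    ("Medium", "High"): "red", ("Medium", "Moderate"): "yellow", ("Medium", "Low"): "green",
    ("Low", "High"): "yellow", ("Low", "Moderate"): "green", ("Low", "Low"): "green",
}
# A draft table with one mis-coloured cell, to show what the step-6 check catches.
DRAFT_COLOUR = {**COLOUR, ("High", "Moderate"): "green"}

# Constructed sample risks: (name, likelihood score, impact score).
RISKS = [
    ("Ransomware on file servers", 4, 5),
    ("Stale privileged accounts", 3, 4),
    ("Vendor outage", 3, 3),
    ("Phishing of finance staff", 5, 3),
    ("Office printer misconfiguration", 2, 1),
]

def plot(risks, colour_table):
    """Step 5: return {risk name: cell colour} for each scored risk."""
    return {name: colour_table[(band(imp, IMPACT_BANDS), band(lik, LIKELIHOOD_BANDS))]
            for name, lik, imp in risks}

def placement_anomalies(risks, colour_table):
    """Step 6: (a, b) pairs where a scores >= b on both axes yet sits in a safer cell."""
    colour = plot(risks, colour_table)
    scores = {name: (lik, imp) for name, lik, imp in risks}
    return [(a, b) for a in scores for b in scores
            if a != b
            and scores[a][0] >= scores[b][0] and scores[a][1] >= scores[b][1]
            and SEVERITY[colour[a]] < SEVERITY[colour[b]]]

if __name__ == "__main__":
    for name, cell in plot(RISKS, COLOUR).items():
        print(f"{cell:6}  {name}")
    print("anomalies in draft map:", placement_anomalies(RISKS, DRAFT_COLOUR))
```

With the agreed table the check returns nothing; with the draft table it reports that the stale-accounts risk has been placed in a safer cell than the vendor-outage risk it outranks.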
Risk and Control Matrix
• A powerful tool that can help an organization identify, rank, and implement control measures to mitigate risks.
• A repository of risks that pose a threat to an organization’s operations, as well as the controls in place to mitigate those risks.
Risk and Control Matrix
• A RACM serves as a snapshot of an organization’s risk profile, measuring the organization’s risks against the formalized actions taken to prevent negative events from occurring.
Risk and Control Matrix
• A tool for matching risks and controls:
  - Assessing likelihood and impact of risks
  - Assessing adequacy of controls (Test of Design)
  - Specifying controls that have to be tested (Test of Control)
Risk and Control Matrix
Use of Control Matrix
• Controls do not necessarily match risks one to one.
• Certain controls may address more than one risk, and more than one control may be needed to adequately address a single risk.
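An added example, not from the slide deck, of a risk and control matrix as the many-to-many mapping described above: it records the Test of Design and Test of Control outcome per control, lists which adequately designed controls still need their operating test, and ranks the risks left without an effective control. The risks, controls and test results are constructed.

```python
# Added example, not from the slide deck: a minimal risk and control matrix
# (RACM) as a many-to-many mapping with Test of Design / Test of Control
# bookkeeping. All risks, controls and outcomes below are constructed.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Control:
    cid: str
    description: str
    risk_ids: List[str]             # one control may address several risks
    design_adequate: bool           # outcome of the Test of Design
    operating: Optional[bool] = None  # Test of Control result; None = not yet tested

# Constructed risks: id -> (description, likelihood 1-5, impact 1-5)
RISKS = {
    "R1": ("Unauthorised change to production code", 3, 5),
    "R2": ("Leaked credentials reused by an attacker", 4, 4),
    "R3": ("Critical vendor goes offline", 2, 3),
    "R4": ("Payroll data sent to the wrong recipient", 2, 4),
}

CONTROLS = [
    Control("C1", "Peer review required before merge", ["R1"], True, True),
    Control("C2", "MFA on all privileged accounts", ["R1", "R2"], True, False),
    Control("C3", "Quarterly credential rotation", ["R2"], False),
    Control("C4", "Contract SLA with vendor", ["R3"], True),
]

def controls_for(risk_id, controls=CONTROLS):
    """All controls mapped to one risk (may be none, one or several)."""
    return [c.cid for c in controls if risk_id in c.risk_ids]

def to_test(controls=CONTROLS):
    """Test of Control is only worth running on controls whose design is adequate."""
    return [c.cid for c in controls if c.design_adequate and c.operating is None]

def unmitigated(risks=RISKS, controls=CONTROLS):
    """Risks with no control that both passed design and operated effectively."""
    ok = {r for c in controls if c.design_adequate and c.operating for r in c.risk_ids}
    return sorted(r for r in risks if r not in ok)

def worst_first(risk_ids, risks=RISKS):
    """Rank risks by likelihood x impact, highest first, to prioritise follow-up."""
    return sorted(risk_ids, key=lambda r: risks[r][1] * risks[r][2], reverse=True)

if __name__ == "__main__":
    print("still to test:", to_test())
    print("unmitigated, worst first:", worst_first(unmitigated()))
```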
Thank you
