Risk & Controls · Panaji, Goa
Design and testing of a robust Risk Control Matrix — mapping every process risk to its control — to power your Internal Financial Controls (IFC) reporting and risk-based internal audit.
Overview
A Risk Control Matrix turns a vague sense of "we have controls" into a precise, testable map — linking each process risk to the specific control that mitigates it, who owns it, and how it is checked. It is the foundation of credible Internal Financial Controls reporting under the Companies Act.
N D Savla & Associates builds and tests RCMs for businesses across Goa, documenting processes through walkthroughs and designing controls that actually work. The RCM then feeds directly into our internal audit and supports the IFC opinion in your statutory audit.
Mapping each key process and sub-process to understand the flow of transactions.
Pinpointing what could go wrong at each step and the financial-reporting assertion at risk.
Linking preventive and detective controls to each risk, with owner and frequency.
Evaluating whether controls, as designed, would address the identified risks.
Testing operating effectiveness on samples, with documented exceptions.
Recommendations to close gaps and a maintainable, living RCM.
Our process
Walkthroughs of key processes and systems.
Build the matrix linking risks to controls.
Assess design and test operating effectiveness.
Findings, recommendations and a living RCM.
Frequently asked questions
A structured document mapping each business process to its key risks and the controls that mitigate them — recording the risk, control objective, type (preventive/detective, manual/automated), frequency, owner and testing. It underpins internal financial controls and risk-based internal audit.
Companies must establish and report on adequate IFC over financial reporting. The RCM documents those controls process by process, enabling assessment of design adequacy and operating effectiveness and supporting IFC reporting in the audit.
Process and sub-process, risk description, control description, control type and frequency, the assertion or objective addressed, the control owner, and test-of-control results.
Preventive controls stop errors or fraud before they occur (e.g. authorisation limits, segregation of duties); detective controls identify issues afterwards (e.g. reconciliations, management reviews). A healthy environment uses a balanced mix, which the RCM maps.
We test design first — whether a control would address the risk — then operating effectiveness, by examining samples over the period. Exceptions are documented, root causes analysed and remediation recommended.
Companies reporting on internal financial controls, businesses strengthening governance, organisations preparing for fundraising or due diligence, and any entity wanting a structured view of risks and controls.
The RCM drives risk-based internal audit by identifying which controls matter most. Internal audit tests those controls, reports gaps and tracks remediation, while the RCM is updated as processes and risks evolve.
Yes. We document processes through walkthroughs, identify risks and existing controls, design any missing controls, and deliver a complete, testable RCM with testing and remediation support.
Book a free consultation with a qualified Chartered Accountant in Goa. We'll map your risks, design the controls and deliver a testable RCM — no obligation.