InFission approach to risk and controls documentation
Each department manager is also responsible for maintaining the risks and controls documentation, in a manner similar to that used for the Process and Procedure documents. However, the audit team provides risks and controls templates to the process owners, who ensure that the controls are designed to meet InFission risk tolerance and control objectives. The biannual walkthrough of control documentation with each department also includes the review of the risks and controls matrix. In addition, as required by Section 302 of the Sarbanes-Oxley Act, each process owner certifies that the controls are operating effectively and reports any issues to the audit team.
During the biannual control documentation walkthrough, the auditor and the process owner review any changes to the risk ratings, controls, and control test plans. Risk rating is a relative ranking of risk value, calculated as a product of the numeric values (1 through 5) from the risk significance...