Risk Control Matrix (RCM) Services — Internal Controls & Audit Advisory

Risk Control Matrix (RCM) Services in India

Running a business in India today means managing more moving parts than ever before — multiple entities, overlapping regulations, growing teams, and investors or auditors who want assurance that your house is in order. Most business owners and CFOs know something can go wrong. What separates well-governed companies from the rest is not the absence of risk, but the presence of structured, documented controls designed to catch problems before they become crises.

That structured system is called a Risk Control Matrix — and at N D Savla & Associates, building, testing, and maintaining it for companies across India is something we have done for over 25 years. If you are a listed company, an IPO-bound business, or simply a serious organisation that wants clean audits and confident governance, a Risk Control Matrix is where that journey begins.


What Is a Risk Control Matrix?

A Risk Control Matrix (RCM) is a working document — usually a structured spreadsheet or a GRC tool — that maps every significant business process to the risks that could affect it, and then to the specific controls that are supposed to prevent or detect those risks. Think of it as a single source of truth for your organisation's internal control environment.

For every process — whether it is procure-to-pay, payroll, financial reporting close, or inventory management — the Risk Control Matrix captures four things: what can go wrong, how likely and how damaging that failure would be, what control exists to stop or catch it, and whether that control is actually working in practice. This is the heart of what auditors under SA 315 (Revised) need to understand about a company, and the RCM is the cleanest way to give them that picture.

In the context of the Companies Act 2013, the Risk Control Matrix directly supports the Internal Financial Controls (IFC) framework that listed companies and their boards are required to maintain and report on. A well-built RCM does not just satisfy a compliance requirement — it genuinely reduces the chance of financial misstatement, fraud, and operational failure.


IFC and Risk Control Matrix — Understanding the Difference

IFC is the regulatory obligation. Under Section 134(5)(e) and Section 143(3)(i) of the Companies Act 2013, the board of every listed company must confirm that adequate internal financial controls exist and are operating effectively. Your statutory auditor is required to report on this separately. This is a legal requirement, not optional.

The Risk Control Matrix is the operational tool used to build, document, and test that IFC framework. Without a properly designed RCM, there is no structured way to demonstrate to your board, your auditor, or a regulator that your controls actually exist and work. One way to think about it: IFC is the destination, and the Risk Control Matrix is the detailed map that shows you how to get there — and that proves you arrived.

For companies that need statutory audit support aligned with IFC requirements, see our Audit and Assurance under Companies Act page.


Who Needs a Risk Control Matrix in India?

Listed and Large Companies

For listed companies, a Risk Control Matrix is not optional — it is the foundation of your IFC compliance under the Companies Act 2013. The board's IFC declaration and the auditor's IFC opinion both depend on documented, tested controls. Without an RCM, you are making both those statements without evidence.

IPO-Bound Companies

SEBI requires companies seeking a listing to demonstrate that their internal controls are in good shape. Investment bankers, legal due diligence teams, and the lead manager for your IPO will all ask to see your Risk Control Matrix or equivalent documentation. Starting this work early — ideally 12 to 18 months before your anticipated listing date — avoids last-minute fire-fighting and strengthens investor confidence.

NBFCs, Banks, and Financial Services Firms

RBI's guidelines on internal audit and risk management for NBFCs and banks effectively require documented risk and control frameworks across all key lending, treasury, and compliance processes. A Risk Control Matrix built on our experience with financial services clients covers the specific risks that regulators and internal auditors look for.

Manufacturing, Trading, and Distribution Companies

Inventory shrinkage, procurement fraud, vendor duplication, and revenue leakage are among the most common issues we uncover during internal audits in this sector. A process-level Risk Control Matrix covering the procure-to-pay, order-to-cash, and inventory management cycles is one of the most practical investments these companies can make.

Startups and Growth-Stage Businesses Raising Institutional Capital

PE and VC investors increasingly ask for evidence of internal controls as part of their due diligence before closing a funding round. Having a documented Risk Control Matrix sends a clear signal to investors that the business is being run with institutional-grade discipline — which often accelerates deal timelines.


What Goes Into a Risk Control Matrix — The Ten Core Components

  • Process Name and Objective — The specific business process being assessed — its name, purpose, and key stakeholders involved. Examples: Procure-to-Pay, Payroll Processing, Financial Reporting Close, Revenue Recognition.
  • Risk Statement — A plain-language description of what could go wrong. Written as "There is a risk that [X] occurs, resulting in [Y consequence]." Clarity here drives everything else.
  • Risk Category — Whether the risk is financial reporting risk, operational risk, compliance risk, or fraud risk. Each category has different control implications.
  • Inherent Risk Rating — The raw risk rating before controls — assessed on likelihood (Low / Medium / High) and impact (Low / Medium / High). This determines how much control rigour is warranted.
  • Control Activity — The specific action taken to prevent or detect the risk. For example: three-way matching of purchase order, GRN, and invoice; dual approval for payments above a threshold; monthly bank reconciliation reviewed by CFO.
  • Control Type — Preventive controls stop a risk from occurring. Detective controls identify that a risk has materialised. A well-designed Risk Control Matrix includes both.
  • Control Owner — The named individual or role responsible for performing and evidencing the control. Controls without owners are not controls — they are wishes.
  • Control Frequency — How often the control is executed — per transaction, daily, weekly, monthly, or quarterly. Frequency must match the risk exposure.
  • Evidence of Operation — The documentation, system log, or signed record that proves the control was actually performed. This is what auditors test against.
  • Residual Risk and Testing Result — After controls are applied and tested, the residual risk rating is assessed. Testing results — whether the control passed or failed the sample — are recorded, along with any remediation actions required.

How We Build a Risk Control Matrix — Our 8-Step Process

  1. Scope Definition — We sit with your leadership, CFO, and process owners to agree on scope: which legal entities, locations, and business processes will be covered. For listed companies, we align this to the IFC reporting perimeter. For others, we prioritise based on financial exposure and operational complexity.
  2. Process Walkthrough and Risk Identification — We conduct structured process walkthroughs and interviews with the people who actually run each process day-to-day. This is not a desktop exercise — we are looking for what really happens, not what the policy manual says should happen. We supplement this with our proprietary risk library built from 25 years and 16 industries of audit observations.
  3. Control Mapping — For each identified risk, we map the existing controls — automated or manual, preventive or detective. We assess whether the design of each control is adequate to address the risk, or whether there is a control gap that needs to be addressed before testing begins.
  4. Risk Control Matrix Documentation — We prepare the RCM document — typically in Excel or a GRC tool — covering all ten components described above, in a format ready for management review, board presentation, and statutory auditor use.
  5. Control Effectiveness Testing — We test a statistically representative sample of control executions to determine whether controls are actually operating as designed. Our testing methodology follows SA 330 (Auditor's Responses to Assessed Risks) and ICAI's guidance on IFC testing.
  6. Gap Identification and Remediation Roadmap — Where controls are found to be absent, poorly designed, or not operating effectively, we prepare a remediation roadmap with specific recommendations — redesigned approval workflows, new system configurations, enhanced reconciliation processes, or additional exception reporting.
  7. Management Reporting and Audit Support — We prepare a control testing report and executive summary for management and the board. We also directly support your statutory auditors in their IFC review, which typically reduces auditor queries and speeds up the audit closure process significantly.
  8. Periodic Review and Maintenance — A Risk Control Matrix is a living document. Business processes change, regulations evolve, and audit observations create new requirements. We support an annual RCM refresh, and are available for ad-hoc updates when a significant process change or regulatory development requires it.

Risk Control Matrix and Internal Audit — How They Work Together

A Risk Control Matrix is the foundation on which an effective internal audit programme is built. The internal audit plan is derived from the RCM — high-risk processes with weak or untested controls get prioritised for deeper audit coverage. The internal audit team's findings, in turn, feed back into the RCM: new risks are added, failed controls are flagged for remediation, and the residual risk ratings are updated.

This creates a continuous improvement loop — not a one-time compliance exercise. Companies that invest in a well-maintained Risk Control Matrix consistently see fewer audit findings, faster audit cycles, and greater confidence from their boards and external auditors. Learn more about how we structure risk-based internal audit programmes on our Internal Audit services page.


Risk Control Matrix for US-Listed Indian Subsidiaries — SOX Alignment

For Indian subsidiaries of US-listed companies, the Risk Control Matrix must be built to satisfy not only Indian IFC requirements under the Companies Act, but also the requirements of the Sarbanes-Oxley Act (SOX) — specifically Section 404, which requires management and the auditor to assess and report on the effectiveness of internal controls over financial reporting.

Our team has experience building and testing SOX-aligned Risk Control Matrices for Indian subsidiaries, including the specific documentation formats required by US-based parent company audit committees and external auditors.


Why N D Savla & Associates for Risk Control Matrix Work

  • Audit-integrated methodology. Our RCM team and our internal/statutory audit team are the same people. The RCM we build for you is designed from the ground up to survive audit testing — because the people building it are also the people who test it.
  • Real industry risk libraries. Over 25 years we have documented risks and control failures across manufacturing, real estate, financial services, FMCG, technology, healthcare, gems and jewellery, and more. We do not start from a generic template — we start from what we have actually seen go wrong in your industry.
  • Partner-led, not junior-staffed. Every Risk Control Matrix engagement at N D Savla & Associates is overseen by a named Chartered Accountant partner. Senior review happens at every stage — scoping, documentation, testing, and reporting.
  • End-to-end coverage. We do not hand you a document and walk away. We support the entire lifecycle — from design and testing through audit support, board presentation, and annual refresh.
  • Multi-city presence. With offices in Andheri (Mumbai), Charni Road (South Mumbai), Navi Mumbai, Thane, New Panvel, and Goa, we serve clients across Maharashtra and pan-India.

Frequently Asked Questions — Risk Control Matrix in India

What is a Risk Control Matrix, and how does it work in practice?

A Risk Control Matrix (RCM) is a structured document that maps your business processes to the risks they carry, and to the controls designed to manage those risks. In practice, it works as a reference document for management (to know where controls are weak), for internal auditors (to plan their audit work), and for statutory auditors (to assess IFC compliance under the Companies Act 2013). It is updated periodically to reflect process changes, new risks, and audit findings. Companies with a well-maintained Risk Control Matrix consistently report fewer audit observations and faster audit closures.

Is the Risk Control Matrix mandatory under the Companies Act 2013 in India?

The Risk Control Matrix itself is not a statutory filing. However, the Internal Financial Controls (IFC) framework that it supports is mandatory for listed companies under Section 134(5)(e) and Section 143(3)(i) of the Companies Act 2013. In practical terms, without a documented, tested RCM, it is very difficult for a listed company's board to make the IFC declaration, or for the statutory auditor to issue a clean IFC opinion. For unlisted companies above a certain size, it is strongly recommended as part of good governance practice.

What is the difference between a Risk Control Matrix and a Risk Register?

A Risk Register is a simpler document that lists identified risks, their likelihood, impact, and a risk owner — but it stops there. A Risk Control Matrix goes several steps further: it maps each risk to a specific control activity, documents the control owner and frequency, records the evidence of operation, and tracks the results of control testing. The RCM is essentially a Risk Register plus a controls layer plus a testing framework — making it a far more actionable and audit-ready document.

How long does it take to build a Risk Control Matrix from scratch?

For a mid-sized company covering 8 to 12 business processes across one or two locations, a well-structured Risk Control Matrix — including process walkthroughs, documentation, and an initial round of control testing — typically takes 4 to 8 weeks. Larger companies with multiple entities, complex process flows, or international operations may require 10 to 16 weeks. The timeline also depends on how quickly process owners are available for walkthroughs and how much existing process documentation is available.

Can a Risk Control Matrix help our company prepare for an IPO in India?

Yes, significantly. SEBI requires listed companies to maintain documented internal controls, and IPO due diligence processes — conducted by investment banks, legal teams, and the lead manager — routinely review the internal control framework. A mature, tested Risk Control Matrix demonstrates to SEBI, investors, and the public market that the company has the governance infrastructure required of a listed entity. Companies that invest in RCM work 12 to 18 months before their planned listing date are generally better positioned for a smoother, faster IPO process.

Ready to Build a Risk Control Matrix for Your Business?

Whether you need a Risk Control Matrix built from scratch, a review of your existing framework, or support for an upcoming internal or statutory audit, we are ready to help.

Phone: +91 9821 83 26 83  |  WhatsApp: +91 9819 000 511  |  Email: nainitsavla@savlagroup.in