3.

Internal Control Matrix

The Internal Control Matrix is a tool that arose from the urgent need to
take preventive action to suppress and/or significantly reduce the effects of the
a multitude of risks to which different types of organizations are affected, be it
these private or public, with or without profit motives. The numerous rules and
regulations, whether they are of a tax, labor, ecological, or consumer nature,
accounting, banking, corporate, stock market among others, coming from organizations
national (federal), provincial (state), and municipal, require administrations
for organizations to remain very alert to the risks posed by non-compliance
of the same mean for their assets. They must also add the need to
verify compliance with both internal regulations and various standards in
security and internal control matters, as well as verify the compliance of the various
areas or sectors to the company's policies.

As can be appreciated from the above, and despite not having detailed mention made
Of all the regulations, the risks that companies are exposed to are many and
they must imperatively be brought under control.

The constant advancement of state and para-state bureaucracy in various countries over
private entities have led them to the search for tools or instruments that
allow, as expressed at the beginning, "to eliminate and/or significantly reduce the risks
to which they are exposed.

A company is exposed on one side to good faith internal errors, but also to
actions that accidentally or otherwise expose it to losses. If we take as
For example, a banking entity is exposed to the actions of bad faith from its
personal, as well as that of its clients and suppliers, the possibility of committing
non-compliance with legal regulations, the actions of scammers or thieves, the lack of
forecasts in internal security matters (such as fires, or losses of
files in the computer system). Any of these events originate for the entity
economic losses. Losses that in many cases can put the continuity at risk
same as the company. Let's think about what the theft of formulas or plans implies.
concerning manufacturing processes or products, or the illegal sale of databases of
customers to the competition.

No less important are the losses caused by defects in the production processes.
the quality of products and services, and with it the costs (reprocessing, warranties,
waste) as well as the degradation of the company's reputation.

Very few companies have systematically established policies, plans, and methodologies.
to avoid the aforementioned risks. They generally act based on experience, intuition or
They plan in a biased manner.
Nowadays, no serious company, whether aspiring to excellence or not, can continue operating.
in such a way. One of the serious shortcomings of external audits lies precisely in not
to control and properly evaluate the internal controls in their entirety, nor
evaluate from a systemic point of view the audited companies. Let us think about this in regard to
the effects that the loss of information has on the economic value of a company
ultraconfidential how could the development of a pharmaceutical product still be
patented. For such reasons, this control tool is also of great utility for the
external audits.

What is the Internal Control Matrix?

It is a way of thinking, planning, delegating, making decisions, and solving.

problems, and seeing the organization as a whole.

It is a way of thinking, because by analyzing the interrelation of the various products,

services and areas of the company with external and internal regulatory provisions, as well
also with the principles of internal control and security, it leads both the officials,
like the internal (or external) auditors and the managements of the different areas to
to wonder how, if at all, the various regulations affect their processes
and activities, or inquire about the existence or not of regulations that relate to the
same.

One might wonder how many times organizations are subject to monetary sanctions.
for breach of formal duties solely for not having carried out the
inquiries or the lack of planned controls and respective actions.

It is a way of planning because the organization's officials establish

number of controls to be executed per period of time, with what elements or resources will be used
to tell, which questionnaires are to be used and who will prepare them. By means of the
Delegation assigns on one side who is responsible for carrying out the controls.

As the matrix system makes use of effectiveness scores, the aspects or areas of greatest
risks, which arise from the lowest scores, are those in which one must
prioritize adjustments and corrections, also through the analysis of the reasons for the low
scores allow us to know the reasons that originate them and in this way adopt the best ones
actions aimed at its resolution.

5. What is this Matrix like and how does it work?

In that Matrix, we have that in the columns the External Regulations are recorded.
Internal, as well as the Principles and Policies whose application must be verified.

On the side of the rows, we have the Products, Services, Areas / Sectors - Activities /
Processes that take place in the company.

Thus, once the titles of the columns and rows are placed, it is time to interrelate.
the same (Example: Sales / National Taxes "Point 1.1") based on the
regulations and principles that the areas, activities, and
products. In the event that there is no interrelation between the item in the row and that in the column,
that space is canceled (shaded) (Example: Research and Development has no standard of
Central Bank application.

The points assigned to each slot correspond to the applicable control questionnaires and
to the Audit Manual, it will also serve to allocate resources in the budget of
control, as well as to establish the number of controls over periods and delegate
responsibility of the respective control.

NORM
AS Y
PRINCE
PIOS A
VERIFI
CAR

1 2 3 4 5 6 7 8 9 10 11 12 13 14
LABORATORY IS PRIN PRIN
AREA RALE Oh CIPI CIPIO
S- S 90 OS S Y
PROD (National LAW 00 OF NOR
UCTO - ES IS MORE BAN NOR POLITIC
S- IMP. Pciale DE THE TROUBLE OF THE HOUSE A REGI
ACTI IMP.NA PROVI IMP.L s. - SEG CON 14 THE SEG CEN INTE ORGANIC SOCI STRO
LIFE CIONAL NCIAL OCAL Local URO TABL 00 INTE URID TRA RNA ZACION ETARI PROP
DES EN ES ES es) S ES 0 RNO AD L S AL AS IEDAD
 VENT
1AS 1,1 1,2 1.3 1,4 1,5 1,6 1,7 1,8 1.9 ["1.11","1.12"]

COMP
2RAS 2.1 2.2 2.3 2,4 2,5 2,6 2,7 2,8 2.9 ["2.11","2.12"]

HR
3. 3.1 3.2 3.3 3,4 3,5 3,6 3,7 3,8 3.9 3.11 3.12

COMP
4UTOS 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.11 4.12 4.13 4.14
CONT
5ABLE 5.1 5.2 5.3 5,4 5,5 5,6 5,7 5,8 5,9 5,10 5,11 5,12 ["5.13","5.14"]

PROD
UCCIO
6N 6.1 6.2 6.3 6,4 6,5 6,6 6,7 6,8 6.9 6.11 6.12 6,14

7I & D 7.6 7.7 7.8 7.9 7.11 7.12 7,14

CRED.
Y
8COBR.8,1 8.2 8.3 8.5 8.6 8.7 8.8 8,9 8.11 8.12
FINANCIAL
9ZAS 9.1 9.2 9.3 9,4 9,5 9,6 9,7 9,8 9.9 9.10 9.11 9.12 9.13 9.14
DISTR
1IBUCI 10 10.1
0ON 10.1 10.2 10.3 10.4 10.5 10.6 7 10.8 10.9 1 10,12

1MARK 11, 11.1

1ETING 11.6 7 11.8 11.9 1 11,12 11,14

1SERVI 12 12.1
2CIOS 12.1 12.2 12.3 12.4 12.5 12.6 7 12.8 12.9 1 12,12

Starting from this matrix, we proceed to break down these points. In the case of Sales,
these are subject to national tax provisions, linked on one side to
to the regulations on invoicing and, on the other hand, those relating to perceptions, tax on
added value and the related documentation for the clients. Then in
The questionnaires will be formulated based on this function to verify the various points of the
Matrices are being duly completed.

The questionnaires have a first column corresponding to the question number in

question, a second with the respective question, and the third and fourth correspond to YES or
NO. (See Annex). The number of YES responses in each questionnaire is divided by the total number of questions.
of the questionnaire and is multiplied by 100, achieving a compliance percentage or
effectiveness, which will be applied on a scale of 10 to obtain the score for
questionnaire.

Example: If a questionnaire has 8 questions of which 5 are YES, the percentage is

62.50%, while the score is 6.25 points. Similarly, if another questionnaire had
10 questions of which 5 were yes, the percentage would be 50% and the score 5. From this
this way a rather objective analysis is achieved. But not all questions have the same weight.
importance, reason why the system can be improved by assigning a weighting. From
Such forms of minor aspects would be given a score of 1 point, and for medium level aspects 2.
points and fundamental issues 3 points. Example: For a questionnaire of 10
questions, with 3 worth 1 point, four worth 2 points, and 3 worth 3 points, the maximum score would be 20
points. If the positive responses were 2 of one point, 2 of two points, and 1 of three points, then
obtained amounts to 9 points, resulting in an effectiveness percentage of 45% and a
score of 4.5.

The scores instead of one, two, and three, could be one, three, and five, to make it more
sensible the final score to the most important aspects.

The same reasoning applies to obtain the score corresponding to each point of the
matrix, so if counting a certain point in the matrix with four questionnaires whose
the maximum score for answering all questions positively would be 40 points and it
he obtained a total of 35 points, the effectiveness percentage is 87.05%, and the score is 8.71
points.

Finally, and given that not all areas - activities or products are subject to the same
amounts of control points, all control points are multiplied by 10
by obtaining the maximum possible score, the points obtained are added according to the paragraph
previous and is divided by said maximum obtaining the effectiveness score by area.
Let's see: the area or activity 'Sales' out of a total of 14 boxes has 11 control points.
If we multiply 11 by ten, we have a maximum score of 110 points. Let's suppose that from
The conducted controls result in a maximum score of 80 points, the percentage of effectiveness.
It is 72.72%, that is, a score of 7.27.

The same criterion applies to the columns, so we have that "Property Registry" has
six scoring boxes out of a total of 12, so the maximum score is 60 points. If
The score obtained is 60 points, we will have 100% effectiveness and a score of 10.

Based on the totals by row (areas, activities/processes, products/services), of the

totals by column, and the points by box, the level of priorities is ordered for the
analysis and resolution of problems.

Thus a low score in product and service ratings in relation to ISO standards.
9000 and ISO 14000 would indicate problems in terms of quality controls, to the
which should receive immediate attention.

It is worth noting that the total number of columns included in the Matrix is for example purposes.
depending on the quantity and content of them to the regulations specific to each place or
country, as well as the activities that the company under control develops. For example
the regulations concerning the provision of information to the
official entities of Industrial Statistics.
 NORM
AS Y
PRINCI
A PIOS
VERIFY
CAR

1 2 3 4 5 6 7 8 9 10 11 12 13 14
LAB IS PRIN PRIN
AREA ORA The CIPI CIPI
S- THE 90 OS OS Y
PRO (Nation. LAW 00 OF NOR REGI
DUCT - ES IS WITH MORE BAN NOR POLITI STR
OS - IMP. Special DE THE TROUBLE OF CO MAS CA O
ACTI IMP.NA PROVI IMP.L es. - SEG WITH 14 The segment centers integrate social organizations
LIFE FINANCIAL LOCAL Local EURO TABLE 00 INTERURBAN TRANSACTION ITALY FOOT
DES THE ES ES is) S ES 0 RNO AD L S NAL AS AD

VENT 6.2 8 8.0 7.2

1AS 7,10 6,50 6,30 7,00 0 8,0000 7,00 8,50 0 7.40 7

COMP 6.3 6 7.0 5.9

2RAS 6,50 6,10 5,00 6,50 0 9,1000 6,00 7,00 0 6.25 3

RR.H 7.1 5 6.8 6.0

3H. 5,50 7,15 6,15 8,34 2 7,2200 6,10 6,00 5 6.42 3

COMP 6.0 6, 7.2 10.0 6.4

4UTOS 8,00 8,50 7,32 6,22 5 5.7780 5.90 5.50 2 7.00 7.10 0 1
CONT 6,9 5, 5.6 7.0 10.0 6.5
5ABLE 7,15 7,00 6,80 7,55 8 8,0050 7,20 6,70 0 0 6.55 6.70 0 4
PROD
UCCI 6.6 6 6.0 10.0 6.3
6ON 8,00 6,40 6,00 5,80 0 8,2000 8,30 5,80 0 6.90 0 3

5 8.1 10.0 7.6

7I & D 8,2080 6,00 7,00 0 8,15 0 1
CRED.
Y
COBR 7.3 6 7,8 6.4
8. 8.00 8.00 6.00 0 6,2000 8,00 6,80 0 8.00 1
FINAN 6.9 4 6.0 7.1 10.0 6.4
9ZAS 7,00 7,10 6,75 7,00 0 7,1500 7,00 6,00 0 2 8.53 7.00 0 7
DISTR
1IBUCI 6.9 5, 6.1 6.1
0ON ["8.00","7.00","6.00","7.00"] 0 7.5075 6.00 7.00 2 8.00 2

1MARK 6 6.5 10.0 6.8

1ETING 6,8025 7,00 6,00 0 5.50 0 6
1SERVI7.00 8.00 7.00 6.50 7.0 6.80 6, 8.00 5.80 6.7 7.18 6.3
2CIOS 0 40 0 1

5.9
7.23 7.18 6.33 6.88 6.74 7.41 6.88 6.51 5.80 7.037.16 6.93 10.00

Thus, from the total scores observed in this Matrix, problems in the area of
Purchases (resulting from a very ineffective compliance with tax regulations, of
quality and internal control), on the regulatory side, there is a low performance in terms of
compliance with the provisions of the ISO 9000 / ISO 14000 regulations and in the
corresponding to the provisions of the Central Bank (formation of credit folders
the special information required by the oversight body to access the
bank financing; which could result in a cut in the lines
credit, or an increase in the interest rate.

6. Implementation of the SMCI

For the implementation of the system, a total of 10 basic steps must be carried out.
fundamentals, which we will describe below.

1. Training. The owners and/or members of senior management must

to be fully aware of the existing risks, and therefore the advantages,
benefits, functioning, and objectives of the Matrix System of Internal Control.

1. Planning. The tasks to be performed must be clearly determined, designating

responsible parties, and setting deadlines for compliance. Additionally, they must be calculated and
specify the quantity and quality of human and material resources necessary to
the startup of the System.

1.Training. It constitutes one of the main tasks of the plan. It must be trained and
to train both the System Builder Team and the users, whether they are
the managers and those responsible for the controls (controllers), such as the receivers
of information.

1.Formation of Teams. They are the Constructor Teams of the System for each
segment (sector and standard to be verified). To do this, they will work in the respective teams:
members of the affected area, auditor (external or internal, specialist in the subject) and
company specialists or external. For example, for the design of the questionnaire
corresponding to the accounting sector in tax matters will work: the person in charge of
tax of the accounting sector, the internal (or external) auditor dedicated to auditing
respective, and the company's tax advisor.
 1. Construction of the Matrix. The identification of all the Standards will proceed.
Internal and external factors that may or may not affect the company. Based on this, it
proceed to prepare the respective questionnaires, assigning to the questions a
a certain level of weighting in such a way that the sum of all of them reaches
a total of 1 -one- (so if we have three questions: a?, b? and z?. Question a? is granted a
weighting of 0.50; to b? 0.25 and to z? 0.25; in such a way that the sum of all the
weights give a total of 1.00). It will be determined for each question (point of
control) of the questionnaire the frequency of its control and the person responsible for its execution.
(Example: the accountant of each bank branch would have to carry out daily the
cash reconciliation - question: does the total reconciled match the accounting total? - if not
If the total matches, that response would be recorded as 'NO' in the system.
computer scientist, clarifying the magnitude of the difference in question, in such a way at home
Automatically centralizes both the General Manager and the Branch Manager.
The Branch Manager and the Internal Audit Manager would take note of
that difference and its magnitude.

Regarding the way to reach the weighting levels, it will be necessary once
selected all the questions corresponding to a certain questionnaire use the
next matrix:

If we assign a letter to each question and place it at the top of the column.
the letter corresponding to each question, doing the same to the left of each row,
we will have a formed matrix. From there we relate each letter
corresponding to the different rows in relation to each column. Thus we will assign a score
of 1 if it has priority or greater importance in relation to the other question, if it has less
We will assign a value of zero to importance, and if it holds equal importance, the value will be 0.50.
In the case below, since 'A' is more important than 'B' according to the criteria of
A working group is given a value of 1; since 'A' has a lower value than 'C', a value is given.
from "zero"; having the same value as "D" the value of the box is 0.50; and when exceeding in
importance is given to both 'E' and 'F' in both boxes, the value 1 is placed. We arrive at such
it forms a total of 3.50 for question 'A'; of 2.50 for the corresponding question
letter 'B'. When we total all the letters, we have a grand total of 16.50. Then we calculate the
percentage relationship of the total of each letter in relation to the overall total. In other words, how much it represents.
3.50 out of 16.50 (is 21.21%, which represented in decimal values is 0.21). The sum of
All these calculations give 100%, or in other words, 1.

FACTORS

A B C D E F WEIGHTING
A 1 0 0.5 1 1 3,50 21.21% 0.21

B 0 1 0.5 0 1 2.50 15.15%0.15

C 1 1 1 1 1 5.00 30,30%0,31

D 0.5 1 0 1 1 3.50 21,21%0,21

E 0 1 0 0 0.5 1.50 9.09%0.09

F 0 0 0 0 0.5 0.50 3.03%0.03

16.50 100.00% 1.00

In this way, the weighted values of each question are determined; with a 0.21.
for questions 'A' and 'D'; a 0.09 for 'E'; a 0.15 for 'B'; a 0.31 for 'C'
corresponds to the 'C' and a 0.03 for the 'F'.

1.Execution of the Controls. Developed by Internal Auditors or

Area managers, as appropriate based on what is specified in the point
"5" anterior.

1. Report Reception and Ongoing Monitoring. The system will inform permanently.
immediate shortcomings, errors, or discrepancies detected. In the case presented as
example at point '5' the designated authorities for that point would be
informed immediately of the detected difference, saving reports of
audit and preparation time of the report, and its respective reading (including for
a certain type of control can report such shortcomings to different
employees by virtue of the magnitude or size of the detected difference or deviation.
A permanent monitoring will also be allowed to know the current situation.
What internal control measures does the company have.

1.Verification by Internal Audit (or another responsible for controls in

in case such Management or Department does not exist). They will develop controls
surprises and special verifications pursuing the proper use of the SMCI, as well as the
faithful compliance with regulations regarding controls.

1. System Evaluation. The number of errors and failures detected will be measured by the
SMCI, the frequency of the same. Costs will also be calculated and analyzed.
 attributable: audit, inspection, and verification costs plus costs for failures or
failures. The goal is to minimize these costs, thus increasing the
organizational efficiency and effectiveness.

1. System Adjustments. Product of the verifications carried out by Audit

Based on the internal evaluation of the System, adjustments will be made.
aimed at improving both the Matrix System of Internal Control and the
organizational processes and activities, thereby achieving a basic principle or
fundamental of TQM, which is Continuous Improvement in organizational Processes.

7. Conclusiones

In this way, senior management can verify through the SMCI that it
is fulfilling all the controls, those in charge of them
verifications, when was the last time they conducted checks for each point and with
what frequency. Based on the relative importance of the different points and of the
Problems that they have will be given priority for control and correction.

The area managers and those responsible for control, whether internal or external auditors
they can verify and reason based on the matrix (matrix reasoning) the
compliance with the various provisions.

The matrix considers 100% of the risk factors, thus being a vehicle.
formidable to avoid or correct defects that harm patrimonial and economically to
the entity.

The Matrix System of Internal Control places great importance on compliance with
tax provisions, such as control to prevent fraud, or safeguarding the quality of the
Products and services, as well as protecting human resources among others. Therefore
reason for a quick view of said matrix, printed or on monitor, by the executives
they allow them to know the areas that compromise the company, and proceed to analyze the causes or
reasons, in order to then apply the corresponding adjustment measures.

The SMCI is ultimately a profit generator since its objective is

eliminate or reduce the losses caused by fraud, the lack of insurance against
risks, low levels of quality, the lack of compliance with legal provisions, the
lack of optimal information among others.

As the Americans say: 'Basketball games start by winning with'

a good defense. It is of no use to score many points if the opponents convert on us.
more. Similarly, it will be of little use to work hard and generate sales if a good part of
are absorbed by losses caused by neglect, wastefulness, and shortages of
controls.
Each sector or control point of the Matrix represents a link in a chain, and a
a chain is only as strong as its weakest link, hence the importance of verifying
preventively ensuring compliance with various aspects related to the company,
correcting the aspects, areas, processes, activities, rules, and after the controls
principles with lower or unsatisfactory levels of effectiveness in order to strengthen each
link.
8. Appendix 1 – Questionnaire Model

F.de
POINT 3.4 - Credits / Internal Control Ctrol. 20/05/2003

No. VERIFICATION QUESTION SI NO Clarification - Observations

There is a Credit Sector dependent on
1 Financial Area? X

There are updated written regulations on

2 composition of
credit file corresponding to the
clients? X

Computerized information is available.

3 about the X

update of the folders?

The Credit Sector performs the qualification and

4 analyses of the X

clients?

The property titles are verified. There is a norm, but I don't

5 companies or X meet

guarantors?

The folders are updated. There is a standard, but I don't know

6 credits? X completes

There are written provisions regarding the levels

7 credits? X
 Information is available at the level of The computing systems
8 reliable debt and X not working

updated? nan correctly

Updated data is maintained of the

9 clients in terms of X
to its economic-financial situation
heritage and legal?

No credit sales are made without approval.

10 good things about the Sector X

Credits?

The Responsible and other staff of the Sector Only the person in charge of
11 has ca_ X Sector count

Capacity to carry out the tasks? with technical knowledge

The staff of the Sector updates its It's been more than two years since
12 periodic knowledge X do not act
they refine or perfect their
mind? (at least twice a year) knowledge

terms of service.
There are regulations on indicators or indices.
13 minimums to analyze

from the customers? X

The folders are correct. There is a mistake

14 analyzed? X interpretation of

some indicators.

TOTAL SCORE 6 8 4.29 POINTS

 Clarification: The existence of the regulations, as well as their compliance, must be verified.
existir la norma o sistema, pero no
to apply or function correctly, it must be applied
the NO. column

Control carried out by: Martín Martínez

Gonçalves

The score indicates a problem in the area, product, or activity, but it does not imply that people
of said sector or process are
always responsible for any problems that may be observed. The rule of must be taken into account
85/15 (J. Juran) according to which
85% of the problems are not related to the employees or workers, but to the system, and therefore
it is the responsibility of the Management

its correction.

9. Annex 2 – Exception Report

QUESTIONNAIRE POINT 3.4 Credits / Date Control.

Internal Control 20/05/03

OBSERVATION IMPLICANCE RISK

Property titles are not verified. It lacks verification

companies and their updated from the Elevated

guarantors properties

The folders are not updated. There is a lack of information that

credit support the level Elevated

credit
The matrix system of internal control allows not only for the automatic calculation of scores
both by questionnaire, as well as by matrix cell and by area or regulation/principle, but rather
Additionally, the automatic generation of the report by exception. Yes for each negative response.
it indicates in the program the corresponding observation and its implications and risks, once
after the control has been carried out and the mark (“X”) placed in the “NO” column of the questionnaire, the
the report is carried out automatically. This allows standardization of reports, reducing
the paperwork and bureaucratic tasks, allowing for a quick report for the respective officials
and greater uniformity in the information criteria.
10. Annex 3 – Work scheme

INTERNAL AUDITORS
WORK IN Taxes, Labor
TEAM SPECIALISTS Security, ISO
STAFF OF Ventas, Producción,
SECTOR Finance

CONTROLS CONTROLS BY PART

FOR OF SUPERVI_
PART OF MATRICES Y SORES OF THE AREA O
AUDITORS QUESTIONNAIRES SECTOR

INTERNOS

CONTROLS OF
SPECIALIST

TAS
 VERIFICATIONS BY THE AUDITORS
INTERNALS

Autor:Mauricio Lefcovich

Consultant in Operations Management and Business Strategy

Specialist in Continuous Improvement, Quality, Productivity, Cost Control and Reduction, and Data Collection and
Evaluation of Internal Control