Identifying recommended control plans for the business process under evaluation is the second step in the construction of a control matrix. This step focuses on the nature and extent of control plans that should be in place to accomplish our objectives and to minimize risks to an acceptable level of residual risk. In the final analysis, the comfort level that management and auditors reach with respect to residual risk is a matter of professional judgment.
For a given business process, each operations and information process control goal should be addressed by one or more control plans. For instance, one or more control plans should cover the effectiveness goals (A and B), the efficiency goal, the security goal, and each of the information process goals (IV, IC, IA, UC, and UA). The following advice will help your thinking with regard to control plans. Perhaps the most difficult part of this process, the preparation of a control matrix, is identifying controls that should be in place (we call these present controls) and those controls that are not in place but should be (we call these missing controls). Follow along as we describe a process to help you complete this task: