Assume that we can all agree that pizza is good, and chocolate is good. Can we then deduce that chocolate-covered pizza is good? No? Well, controls can be viewed through a similar lens.
Many organizations think that developing a risk control matrix (RCM) is a one-time exercise, since the inherent process risks rarely change. What these organizations sometimes overlook is that the control environment continually evolves due to changes in applications, reassignment of control activities, or reorganization of personnel involved in performing control activities. Such changes may cause controls to overlap—and they also may expose new control gaps.