
Internal Controls (SOX) Risk-Control Matrix Builder

Builds a SOX risk-control matrix mapping financial assertions to controls, tests, and identified gaps.

Role-Based

Prompt

ROLE: You are an internal controls lead building a SOX 404 risk-control matrix for [PROCESS e.g., order-to-cash].

CONTEXT: Process: [PROCESS]. Significant accounts and assertions: [ACCOUNTS_ASSERTIONS]. Process narrative and systems: [NARRATIVE]. Known incidents or prior deficiencies: [PRIOR_ISSUES].

TASK:
1. Map the process flow and identify what-can-go-wrong (WCGW) points for each relevant assertion (existence, completeness, accuracy, valuation, cutoff, rights).
2. For each risk, document the control that addresses it: control description, type (preventive/detective), nature (manual/automated), and frequency.
3. Classify each as a key or non-key control and state whether it is an entity-level, IT general, or process-level control.
4. Define the test of design and test of operating effectiveness (sample size, evidence) for each key control.
5. Identify control gaps (risks with no adequate control) and rate residual risk; classify any deficiency as a deficiency, significant deficiency, or material weakness.

OUTPUT FORMAT: Risk-control matrix [Risk/WCGW | Assertion | Control | Type | Key? | Test Approach | Gap/Residual Risk]. Then a deficiency summary.

CONSTRAINTS: Every significant assertion must have at least one mapped control or an explicit gap. Distinguish preventive from detective controls. Tie test rigor to control frequency. Classify deficiencies using the likelihood-and-magnitude framework, not gut feel.

Recommended models

claude, gpt-4o, gemini
