THE COSO FRAMEWORK, as illustrated in the 1992 Framework document and the 2006 guidance, illustrated the use of a matrix format for aligning the control objectives (attributes) with the control procedures, assertions, and assessed risks associated with the control objective or attribute. The 2013 revision continues to illustrate matrices as a tool to gather information. In addition, the AICPA Audit Guide Assessing and Responding to Audit Risk in a Financial Statement Audit (editions 2006 to 2014) contains an extended example of documenting a case study using a matrix format.

Sometimes a form can be a more effective approach to documentation since the form can present information in a specific order for more efficient and effective data entry. However, the display of information for review and analysis that is already collected may warrant a different presentation to assist the reviewer in organizing and integrating the information for the principle, component, and overall assessments. Thus, there may be trade-offs between ease of data entry and ease of analysis that could be solved by formatting reports from a database that display the information most useful for the analysis task.

The next section is adapted from the matrices from the COSO and AICPA guidance. This presentation may help readers discern the changes in the guidance over time and gain insight and clues as to how to modify existing documentation and data entry methods ...