A control objective is an objective, owned by a party, that aims to contribute to the realization of another (set of) objective(s) of that party, by producing results that this party needs to realize these other objective(s). A control objective has the property that it is both managed (as it produces specific results) and also governed (as it uses these results - as a contribution to the realization of other objectives of that party) by (or on behalf of) its owner.
The governance aspect entails the specification of the results that are needed, and the characteristics that they should have in order to be a useful and relevant contribution to the objective for which it is a control.
Typical contributions of a control objective are the production of an intermediate result, the mitigation of a specific risk, or results that contribute to the realization of compliance objectives.
- Organizations (specifically those with a rather large scope of control) are known to classify their (regular) objectives according to (business) topics such as finance, (information) security, safety, quality, legal, human resources etc. This allows them to specify control objectives that are particular to such topics, and define equally specific control management processes for that.
- Organizations that realize that their departments (and sub-departments) are actually parties that each have their own set of objectives, may require such departments to specify their own control objectives and associated control management process(es). This enables such organizations to specify control objectives that (only) seek assurances that their departments are properly specifying their own objectives, and manage the associated controls.
- Organizations are also known to create control objectives that fit traditional control management processes, e.g. as defined in ISO standards.
- Organizations may classify their objectives using the formalization of objectives (and the governance and management pattern), e.g.
- expectations, i.e. objectives the result of which is consumed, but not produced by the organization. Such objectives are not managed but governed, and hence require a corresponding control management process;
- obligations, i.e. objectives the result of which is produced by the organization and consumed by (at least) one other party. Such objectives are managed, and also require communication with the consuming parties;
- controls, i.e. objectives the result of which is produced and (only) consumed by the organization itself. These objectives must be managed and governed by the party that owns them.
We have observed that (the management of) the controls associated with the objectives that control management processes pursue themselves are often 'forgotten', i.e. these objectives are not in the scope of any control management process. Parties should set control objectives that aim to mitigate the controls associated with (the objectives pursued by) their control management processes.
A control objective:
- is associated with one or more (classes of) objectives that are controlled by the owner of the control objective;
- is associated with one or more normative frameworks that these (classes of) objectives are to comply with;
- may be associated with appropriate assessment frameworks that auditors must use to determine the level of control.
In the figure below, objectives Obj-1a, Obj-1b and Obj-1b.2 are control objectives of Red. Obj-1b.2 is a control objective for Obj-1b, which in turn is a control objective for Obj-1. Note that objectives such as Obj-1a, which haven't been explicitly assigned a producer party, default to the objective's owner being the producer. Therefore, Obj-1a is also a control objective.
Figure 1: Chained Objectives - results produced in one objective are consumed in another
The figure shows four parties (Red, Yellow, Blue and Green) and their associated scopes of control. Within these, they own the objectives (the figure shows 6 objectives owned by Red and one for each of the other parties). The symbol in the top right-hand corner of the rectangle that represents an objective is the party that the owner of the objective expects to produce the objective's results. It is not necessary that such a party is known at all times (e.g. objective Obj-1a).
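To make the classification into expectations, obligations and controls concrete, and to trace the chain Obj-1b.2 → Obj-1b → Obj-1 from Figure 1, here is an added Python model (not code from the original page). It assumes that Obj-1a contributes to Obj-1, and adds two constructed objectives, Obj-Y and Obj-B, purely to show the other two classes.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Objective:
    name: str
    owner: str
    producer: str | None = None              # None: no producer party assigned (yet)
    consumers: frozenset[str] = frozenset()  # empty: consumed by the owner only
    control_for: str | None = None           # objective whose realization this serves

    def effective_producer(self) -> str:
        # Without an explicit producer, the owner is taken to be the producer.
        return self.producer if self.producer is not None else self.owner

def classify(obj: Objective) -> str:
    """'expectation', 'obligation' or 'control', following the page's definitions."""
    produced_by_owner = obj.effective_producer() == obj.owner
    consumers = obj.consumers or frozenset({obj.owner})
    consumed_by_others = bool(consumers - {obj.owner})
    if not produced_by_owner and not consumed_by_others:
        return "expectation"  # consumed, but not produced, by the owner
    if produced_by_owner and consumed_by_others:
        return "obligation"   # produced by the owner, consumed by another party too
    if produced_by_owner:
        return "control"      # produced and only consumed by the owner
    return "neither"          # produced and consumed by other parties

def is_control_objective(obj: Objective) -> bool:
    # A control objective is a 'control' that contributes to another objective.
    return classify(obj) == "control" and obj.control_for is not None

def control_chain(objs: dict[str, Objective], name: str | None) -> list[str]:
    """Follow control_for links from `name` up to the objective being controlled."""
    chain: list[str] = []
    while name is not None and name not in chain:  # stop on cycles
        chain.append(name)
        name = objs[name].control_for
    return chain

# Constructed data after the Figure 1 description. Obj-1a's link to Obj-1, and the
# extra objectives Obj-Y and Obj-B (showing the other two classes), are assumptions.
FIGURE_1 = {o.name: o for o in [
    Objective("Obj-1", "Red"),
    Objective("Obj-1a", "Red", control_for="Obj-1"),  # producer not assigned
    Objective("Obj-1b", "Red", producer="Red", control_for="Obj-1"),
    Objective("Obj-1b.2", "Red", producer="Red", control_for="Obj-1b"),
    Objective("Obj-Y", "Red", producer="Yellow"),
    Objective("Obj-B", "Red", producer="Red", consumers=frozenset({"Blue"})),
]}
```

Running `control_chain(FIGURE_1, "Obj-1b.2")` yields the chain the text describes, and `is_control_objective` distinguishes Obj-1a (a control objective by default) from the top-level Obj-1.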