Skip to main content

Control Objective

Short Description

A control objective is an objective, owned by a party, that aims to contribute to the realization of another (set of) objective(s) of that party, by producing results that this party needs to realize these other objective(s). A control objective has the property that it is both managed (as it produces specific results) and also governed (as it uses these results - as a contribution to the realization of other objectives of that party) by (or on behalf of) its owner.

The governance aspect entails the specification of the results that are needed, and the characteristics that they should have in order to be a useful and relevant contribution for the objective for which it is a control. as a realization

Typical contributions for a control objective is the production of an intermediate result, the mitigation of a specific risk, or results that contribute to the realization of compliance objectives.

There are various ways for parties to come to grips with specifying and managing their control objectives. Here are some examples:

We have observed that (the management of) the controls associated with the objectives that control management processes pursue themselves, are often 'forgotten', i.e. these objectives are not in the scope of any control management process. Parties should set control objectives that aim to mitigate the controls associated with (the objectives pursued by) their control management processes.

Control objectives should also be associated with assessment frameworks that auditors will use for determining the control-levels for each of these objectives.

Purpose

The purpose of control-objectives is help parties determine and prioritize the work they need to do in order to ensure that the controls they run become, and/or remain, acceptable.

Criteria

A control-objective is an objective that

Notes

In the figure below, objectives Obj-1a, Obj-1b and Obj-1b.2 are control objectives of Red. Obj-1b.2 is a control objective for Obj-1b, which in turn is a control objective for Obj-1. Note that objectives such as Obj-1a, which haven't been explicitly assigned a producer party, will default to the objective's owner being the producer. And therefor, Obj-1a is also a control objective.

Chaining ObjectivesFigure 1: Chained Objectives - results produced in one objective are consumed in another

The figure shows four parties (Red, Yellow, Blue and Green) and their associated scopes of control. Within these, they own the objectives (the figure shows 6 objectives owned by red and one for each of the other parties). The figure in the top right hand corner of the rectangle that represents an objective, is the party that the owner of the objective expects to produce the objective's results. It is not necessary that such a party is known all the time (e.g. objective Obj-1a).

The arrows indicate that results produced to realize a certain objective (at the source of the arrow) are (to be) used to produce the results of another objective (at the end/tip of the arrow).

For more information, e.g. about how different parties interact in their roles of producer and consumer, we refer you to the Governance and Management pattern.