How many control objectives do you have?


I just returned from a seminar in Las Vegas where I asked the attendees, “How many control objectives (policies for regulatory compliance) does your organization have?”  The answer: “Which, the ones for CobIT?  We have more than 300 for CobIT (the de facto audit standard for Sarbanes Oxley).”

Afterwards, it occurred to me that many of us may be confusing control objectives with control statements, the procedures that implement controls and the technical controls that implement procedures.  However, control statements are very specific to each framework and each specific audit.  There are the 300-plus control statements associated with CobIT for SOX, there’s the ubiquitous ISO 17799 and 27000 control directives, and specific PCI DSS statements and tests, among many others. If we’re confusing control objectives (policies) with controls (procedures that implement policy), we may all be battling an overgrown forest.

When this confusion is paired with compartmented teams, often spun up to pass different compliance audits (“I just need to pass PCI this quarter”, “we have to pass the OCC audit this month, another team is working on SOX”, etc.), it is probably not surprising that organizations are complaining about spend on regulatory audit.

Aligning business risk with policy and then mapping control objectives (policy) to control statements may be seen as too much of a luxury when you’re knee-deep, cutting paths for the auditors through the thickets, brambles, and new-growth trees.  Unfortunately, the paths tend to become ensnarled with new growth again when the auditors return the following month, quarter, or year.

The research results are overwhelming: the fewer the number of risk-based control objectives, the better the results for protecting sensitive data and sailing through regulatory audit.

The questions I still have are these:
– How many control objectives does your firm have?
– Are you confusing control statements or controls (procedures that implement an objective or policy) with control objectives (policy)?
– Is there an opportunity to reduce costs by consolidating redundant control statements across multiple audits?

 Jim Hurley 

