Internal Control System
Blog on internal controls and risk management

Welcome to Objective Blog, a blog about everything related to internal control - objectives, risks, internal controls, internal control frameworks and more. Here I try to bring points of interest from around the world of internal control to the attention of readers. In doing so, I hope to shed some light and encourage thought towards reducing risks and improving the probability of achievement of objectives.

If you have any comments about this blog, whether they are general or refer to specific posts, please send them to and where possible I will place them in the blog and/or get back to you as soon as I can.

Neil Leigh

10 Big Points About The COSO ERM Public Exposure 2016

Neil Leigh September 13, 2016

I must start by repeating the message I made in my previous post COSO Enterprise Risk Management Public Exposure that it is easy to be a critic, especially when someone else has researched and thought and planned and then prepared a well laid out draft for feedback. Furthermore, 'critical feedback' is much easier to make than 'reinforcing feedback'. So, whatever my opinions, I commend the authors for their work and respectfully offer my comments in good faith. After digesting the draft further, I have developed my feedback into the current post, which also appears on the COSO website at Look for Neil Leigh.

read more ...

COSO's New Enterprise Risk Management

Neil Leigh July 29, 2016

Last month, June 2016, COSO released the draft of its revised Enterprise Risk Management Integrated Framework which is to be named Enterprise Risk Management—Aligning Risk with Strategy and Performance. According to the informative accompanying FAQ published by COSO, this public exposure is the 3rd of 4 phases, the last of which will be finalization following feedback received from the public.

read more ...

Can we Define Controls Without Mentioning Risk?

Neil Leigh June 18, 2016

What prompted me to pose the question in the title of this post is that quite a lot of people, in their feedback on my last post, emphasized the relationship of the control to the risk in their definitions of control objectives. That's not exactly surprising, because according to the most popular risk management standards and internal control frameworks, the control exists to reduce, treat or mitigate risk. Some people mentioned the control's direct relationship to strategic objectives, and that is something I had been thinking about for some time: that an organization might want to manage internal controls directly against its objectives, regardless of its risk management activity.

read more ...

What are Control Objectives?

Neil Leigh May 15, 2016

Intuitively, the meaning of the term control objective should be fairly obvious to people with some knowledge of internal controls and risk management. Nevertheless, intuition has its limitations and many of us look for a better understanding of important terms through a formal definition.

read more ...

RiskTech100® 2016

Neil Leigh January 31, 2016

In January 2016, Chartis Research published the latest rendering of its annual summary of 'the world's most significant' risk and compliance technology companies, called RiskTech100® (2016). In this post I highlight some of the trends reported and suggestions made, particularly those with a notable significance to implementers of internal controls.

read more ...

The Internal Control Institute™ (ICI)

Neil Leigh January 04, 2016

There are many organizations that address the profession of auditing internal control, but very few that are totally dedicated to the establishment, implementation and ongoing management of internal control systems. Meet the ICI, the Internal Control Institute™, Florida.

read more ...

Accountability through Risk Management and Internal Controls

Neil Leigh September 16, 2015

Following on from the last post I made on this spot about the Code (the UK Corporate Governance Code), this time I focus on a related guidance paper from the same UK government source. It's all about risk management, internal control and reporting and the entire paper is dedicated to practically applying Section C of the UK Corporate Governance Code - Accountability.

read more ...

The UK Corporate Governance Code - a Snapshot

Neil Leigh September 2, 2015

This week I take a look at the UK Corporate Governance Code. It is fairly short, concise and to-the-point and you don't have to be British or a board member of a public company to get value from it.

read more ...

Residual Risk Discussion - the Feedback

Neil Leigh August 21, 2015

Following the tremendous response I received to last week's post, I want to share the insights I have received from professionals all over the world. All the documented reactions came through LinkedIn, where I publish a slightly more compact version of what I publish on my blog.

read more ...

What is Residual Risk?

Neil Leigh August 12, 2015

This week, I talk about residual risk and inherent risk. These terms are misunderstood by many professionals while executive managers may not even have heard of them. Understanding the differences between them is in my opinion paramount in managing risk and internal controls.

read more ...

Cyber Risk Control Using COSO

Neil Leigh August 05, 2015

Last week I summarized a COSO thought leadership paper, published at the beginning of July, about how the Three Lines of Defense model can be applied to the COSO Internal Control Framework. This week I want to look at another paper, published by COSO in January, that sheds some light on one of today's most misunderstood areas of risk management and internal control: cyber risk.

read more ...

COSO and the 3 Lines of Defense

Neil Leigh July 27, 2015

This month, COSO published a new thought leadership paper called Leveraging COSO across The Three Lines of Defense. The paper was commissioned by COSO and written by the IIA (Institute of Internal Auditors), one of COSO's five sponsoring organizations.

The purpose of the paper is to help organizations enhance their governance structures, and it does this by mapping the 17 principles of the COSO 2013 Internal Control Framework against the Three Lines of Defense (3LOD) model introduced in 2013 by the IIA.

read more ...

Riskspotlight Portal - 2 weeks free

Neil Leigh July 15, 2015

Getting hold of relevant external risk content is a challenge for many risk managers, internal control specialists and internal auditors. While it's true that internet-based search engines have provided us with a path to what would have been an incomprehensible amount of risk-related information just a few years ago, the task of acquiring suitable material still requires time and expertise.

RiskSpotlight has announced that it is launching its RiskSpotlight Portal and giving a free 2-week trial so risk professionals can try it out for themselves.

read more ...

Evaluating the Internal Control Environment

Neil Leigh July 07, 2015

This is a brief look at a government circular I found on the web instructing staff in the yearly internal control survey. It is a positive example of how objectives, risks and controls are taken seriously and there are examples of some of the internal controls assessed.

read more ...

Objective Blog on Risk Management and Internal Controls

Neil Leigh June 28, 2015

This week I bring some points made on a couple of quality professional LinkedIn groups that I like to follow and occasionally participate in.

In the first group, dedicated to the ISO 31000 Risk Management Standard, a discussion has been running for more than 10 days now about whether the term 'potential' should be added to the standard's current definition of risk. In the second group, the official LinkedIn group of the International Internal Auditor's Association, a question was asked about whether inherent risk should be considered with or without the residual risk. I've included some of the highlights of both of these interesting risk control discussions.

read more ...

Risk Management and Internal Controls on the Net

Neil Leigh June 22, 2015

I made a couple of interesting finds this week. First I found a US municipal website whose office of internal audit has been putting an internal control tip on its website every month since April of last year for the staff. Next, while checking out the latest posts in my LinkedIn groups, I followed a link to an opinion piece about risk management and innovation. I've summarized them both in a few sentences and put in a link in case you want to take a look for yourself.

read more ...

Risk Management Software and Avoiding Disaster

Neil Leigh March 30, 2015

Why does anyone use software? To save money? To work more efficiently? To make money? These are all valid and common reasons. But how many of you use software products to help your organization avoid a disaster that could have serious consequences for your company and your job? One example of software that fits the bill is anti-virus software, and it has prevented many costly outcomes since its arrival and adoption. However, good as it is, an anti-virus program only covers one specific area of potential hazards. Risk management oversees all this and much more.

To avert disasters and ensure business continuity, a number of business mechanisms are typically...

read more ...

OMG! They're Asking to See Our BC Plan!!!

Neil Leigh March 12, 2015

Many suppliers and vendors don't take much notice of BC plans and BC planning (BC = business continuity) until one of their important customers asks to see one. And then, all hell breaks loose!

It's funny how we do the right thing only when we are forced to do so. That's all too often the case when it comes to BC plans. Today, enterprise customers are becoming more demanding of their suppliers than ever before. They want to be sure that if a disaster befalls a supplier, they won't be left without an important service or product.

read more ...

COSO 2013 for SMEs

Neil Leigh March 3, 2015

I started writing this post about COSO 2013 a few days ago, but it just grew and grew until I had virtually made a whole article of it. So I delayed the planned post and turned what I had into a white paper; here I will summarize the main messages of that paper.

If you're not familiar with COSO, here's a brief intro to put things in perspective. COSO is an American organization that publishes guidance on organizational risk and internal control. Its most influential publication is the COSO Internal Control Framework, originally published in 1992 and updated in 2013. COSO 2013 is current and highly relevant today, although it has arguably been overshadowed by the COSO Enterprise Risk Management Integrated Framework that COSO published in 2004.

read more ...

What are Internal Controls?

Neil Leigh Feb. 23, 2015

Most corporate managers have heard of internal controls, and some will even be familiar with their mention in Section 404 of the U.S. Sarbanes-Oxley Act (SOX), but how many really know what internal controls are and how to leverage them to get a business running correctly?

So what is an internal control? An internal control is a process or rule meant to ensure that other processes work correctly. The word 'internal' simply qualifies the control as being employed by the organization by choice, rather than emanating from outside, like a law. The terms 'control' and 'internal control' are therefore largely interchangeable.

read more ...

Starting off with Risk Management KPIs

Neil Leigh Feb. 8, 2015

An important subject in the world of risk management is that of KPIs, key performance indicators. If we accept the importance of managing risk effectively, as opposed to just doing the minimum to meet the demands made of us by others, then it makes sense for us to have some kind of check or measure by which we can see how well we are doing. The general idea of KPIs is certainly not exclusive to risk management, but it can serve this area admirably and doesn't need to be complex.

read more ...
