Internal Controls Design
consulting and research for internal control with risk management

This website is retiring

A little while ago, my research led to some major new insights into risk, uncertainty, and management generally. The impact was so great that I started a new website, with a new name, and a new approach. It's called Working In Uncertainty.

All new work will appear on the Working In Uncertainty site and old favourite articles from Internal Controls Design are gradually being revised, placed on the new site, and deleted from Internal Controls Design. Some other articles are being taken down because they no longer reflect the best advice and insights I can give you.

Please go to



Overview of risk control / internal control
- This website summarised
- A simple introduction to risk management and internal control in organisations
- Seven frontiers of internal control and risk management
- 7 frontiers audio version

Tools to download and use (free)
- Risk-Control Matrix for a process
- Simple Risk-Control Matrix
- General Risk-Control Matrix
- Risk register format generator
- Probability-Impact grid analysis tool
- Efficient sampling spreadsheet

Productive, creative risk control projects
- The Natural Method of designing internal control systems
- Natural project risk management
- Fixing a process and controls mess
- Matrix Mapping: the easiest and best way to map internal controls
- Diagrams for controls work
- Reengineering internal controls for efficiency
- Controls for e-business processes
- Risk modeling alternatives for risk registers
- Internal control and leaking profits

Risk control processes and human behaviour
- Making sense of risk appetite, tolerance, and acceptance (2nd edition)
- Risk appetite definitions
- Straighten out your thinking on 'risk aversion', 'risk appetite', 'risk tolerance', 'risk limits', and all that
- The real reasons we avoid risk
- What circumstances are relevant to decision making under uncertainty?
- How to be positive about risk
- What happens when you say "uncertainty" instead of "risk"
- Results of an experiment in risk and uncertainty management
- Practical word choices for risk managers
- An introduction to the Risk Register Studies
- Risk register study 1: Impact Spread
- Risk register study 2: Causal links within and between risk register items
- Measuring and managing risk register quality
- Alternative risk lists
- Favourite ways to characterise risks
- Risk Meters: A better way to make and show rough, subjective risk ratings
- Everyday Risk Management
- "So embedded it's disappeared"
- Embedded risk management should be easier
- The psychology of devising internal controls
- The Risk Manager people want to work with

Personal skills to manage risk & uncertainty
- Open and honest about risk and uncertainty
- Individual differences in risk and uncertainty management
- Writing about flexible plans (A challenge of the new OFR)
- Results of an experiment in risk and uncertainty communication
- Overconfidence and strategic mistakes
- Participation and Key Performance Indicators (KPIs)
- Giving ideas

Risk management reform
- A comparative overview of risk management and internal control guidance
- What's good about BS31100?
- Defining 'risk'
- Results of a survey of alternative risk phrases
- Problem areas for current risk management standards (speech at BSI)
- A first step towards successful risk management standards
- Requirements of Risk Management processes
- The crisis in management control and corporate governance (questionnaire)
- What's on your risk registers?
- Uncertainty quantification
- Clear thinking and “risk appetite”
- Time to put numbers on internal controls
- Innovating in the face of internal control regulations

Efficient audit & reviews
- What can auditors do when they have read 'A pocket guide to risk mathematics'?
- Sarbanes-Oxley Act section 404 and 302: efficient compliance (updated)
- Evidence for an efficient approach to evaluating controls effectiveness
- When is a good time to talk about saving money on SOX 404 compliance?
- How to test fewer “key controls” in a Sarbanes-Oxley s404 project
- Controls design for efficient compliance with Sarbanes-Oxley’s section 404
- How to cut Sarbanes-Oxley s404/302 compliance costs
- A new focus for Turnbull compliance
- Easier Turnbull compliance
- Efficient samples for internal control and audit testing
- Efficient reviews of documentation of internal control systems and audit testing
- Why the COSO frameworks need improvement
- COSO’s new guidance for smaller organisations: a Trojan Horse?
- Risk management versus internal control
- Embedded risk management: the auditors’ contribution
- Embedding risk management: easier, faster, better

Intelligent risk controls
- Designing intelligent internal control systems
- Results of a survey on internal control and risk management recommendations
- Why is Evolutionary Project Management so effective?
- What is attractive about embedded risk management? (survey results)
- Success with innovative projects
- Post-implementation project failure
- Promoting good management of risk and uncertainty

Integrated risk & performance management
- Progressive risk control integrated with strategy and performance management (Interactive article)
- Risk Management and Beyond Budgeting
- Control without budgets
- Results of a performance management survey
- How to embed risk management into performance management and strategy making
- Managing risk and uncertainty in Beyond Budgeting implementations
- Design ideas for Beyond Budgeting management information reports
- Research on risk management within performance management
- How the United Kingdom Accreditation Service improved its financial forecasting
- Better management of large scale financial and business processes using predictive statistics

Innovative cases
- Visualizing an uncertain sales pipeline at Z/Yen

Other food for thought
- The Campaign for Plain Maths starts here
- Auditors and risk management

Author and services


The author (picture, CV)

Books and services

The NEW BOOK: "A pocket guide to risk mathematics: key concepts every auditor should know"

The FIRST BOOK: "Intelligent internal control and risk management: designing high performance risk control systems"

Tutoring and mind expanding events

Consulting services

Preferred ways of working

Contact the author

Conference schedule

Useful links

Other websites by Matthew Leitch

  Company: The Ridgeway Expertise Company Ltd, registered in England, no. 04931400.
  Registered office: 29 Ridgeway, KT19 8LD, United Kingdom.
  Words © 2008 Matthew Leitch