Controls management is an integral part of risk management but can often end up in disarray. Controls can proliferate, leading to unnecessary duplication. The purpose of the controls themselves may not be fully understood, and testing methods can be inconsistently applied.