The more important each control is (i.e. the bigger the level of risk reduction it achieves) the more important it is to have assurance. Assurance of controls should look at both the design (does the control, as designed, reduce the probability or impact of the risk?) and also the operation (is the control operating in the way the design intended?), to confirm that both are effective.
There is a ‘many to many’ relationship between risks and controls. This means that each risk could have several controls related to it, and that one control may mitigate several risks. Controls are often embedded in processes, so organisations often get assurance over their controls by auditing those processes. When identifying their key controls, organisations should also consider situations where they are reliant on a single control.
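The many-to-many relationship, the design/operation split in assurance, and the single-control check described above can be made concrete in a small control-coverage analysis. The example below is added here and is not part of the original text; the risk and control identifiers (R1–R4, C1–C4) and the assurance results are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: each risk maps to the controls that mitigate it (many-to-many).
# Identifiers are hypothetical.
RISK_CONTROLS = {
    "R1": ["C1", "C2"],        # e.g. unauthorised access: MFA + access review
    "R2": ["C1", "C3", "C4"],  # e.g. ransomware: MFA + offline backups + endpoint protection
    "R3": ["C3"],              # e.g. loss of backup data: offline backups only
    "R4": ["C2"],              # e.g. stale privileged access: access review only
}

# Constructed assurance results: a control is effective only when both its
# design and its operation have been confirmed.
ASSURANCE = {
    "C1": {"design": True,  "operating": True},
    "C2": {"design": True,  "operating": False},  # well designed, but reviews not performed on schedule
    "C3": {"design": True,  "operating": True},
    "C4": {"design": False, "operating": True},   # operated as written, but the design does not reduce the risk
}


def controls_to_risks(risk_controls):
    """Invert the mapping: which risks does each control mitigate?"""
    inverted = defaultdict(list)
    for risk, controls in risk_controls.items():
        for control in controls:
            inverted[control].append(risk)
    return {c: sorted(rs) for c, rs in inverted.items()}


def single_control_risks(risk_controls):
    """Risks that rely on exactly one control, regardless of its effectiveness."""
    return sorted(r for r, cs in risk_controls.items() if len(cs) == 1)


def is_effective(control, assurance):
    """Effective means both design and operating effectiveness were confirmed."""
    result = assurance[control]
    return result["design"] and result["operating"]


def effective_controls_per_risk(risk_controls, assurance):
    return {r: [c for c in cs if is_effective(c, assurance)]
            for r, cs in risk_controls.items()}


def unmitigated_risks(risk_controls, assurance):
    """Risks left with no effective control once assurance results are applied."""
    per_risk = effective_controls_per_risk(risk_controls, assurance)
    return sorted(r for r, cs in per_risk.items() if not cs)


def key_controls(risk_controls, assurance):
    """Controls that are the sole effective control for at least one risk.

    These are the controls whose failure would leave a risk uncovered, so they
    deserve the most assurance effort. Returns control -> risks it alone covers.
    """
    keys = defaultdict(list)
    for risk, effective in effective_controls_per_risk(risk_controls, assurance).items():
        if len(effective) == 1:
            keys[effective[0]].append(risk)
    return {c: sorted(rs) for c, rs in keys.items()}


if __name__ == "__main__":
    print("control -> risks:", controls_to_risks(RISK_CONTROLS))
    print("single-control risks:", single_control_risks(RISK_CONTROLS))
    print("unmitigated after assurance:", unmitigated_risks(RISK_CONTROLS, ASSURANCE))
    print("key controls:", key_controls(RISK_CONTROLS, ASSURANCE))
```

Note the difference between the two checks: R3 and R4 both rely on a single control by design, but only R4 is actually unmitigated, because its one control (C2) failed operating effectiveness; R1 is not a single-control risk on paper, yet after assurance it depends entirely on C1, which is why C1 surfaces as a key control.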