Balancing Risks and Controls

The goal: a "reasonable" level of assurance

Internal controls help management have a "reasonable" level of assurance that the organization will be able to achieve its goals. But, you may ask, why not strive for an "absolute" level of assurance?

Answer: Because attaining an absolute level of assurance is not always reasonable, given the following factors:

  • It can be cost-prohibitive. There should be an optimal level of controls for an acceptable level of risk.
  • Management can bypass or override the internal controls, reducing the assurance they can provide.
  • Employees may collude with each other, rendering some controls less effective.
  • Human error may occur.

Reasonable assurance can be achieved by effectively balancing risks and controls. Internal controls should be proactive, value-added and cost-effective, and they should make good business sense.

Risks and controls that are out of balance can cause problems such as the following: 

Excessive Risks

Excessive Controls

Loss of Assets

Donors or Grants: Increased Bureaucracy

Poor Business Decisions

Reduced Productivity


Increased Complexity

Increased Regulations

Increased Cycle Time

Public Scandals

Increase of Non-value–adding Activities