4.4 Common Traps in Governance, Risk Management, and Control

Key Takeaways

  • The classic trap is letting internal audit own, design, or operate risk and control processes — those are management responsibilities; internal audit only assesses them.
  • Do not confuse the COSO ERM 2017 components (Governance & Culture; Strategy; Performance; Review & Revision; Information, Communication & Reporting) with the COSO Internal Control 2013 components (Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring).
  • Risk appetite is enterprise-wide and strategic; risk tolerance is the acceptable variation around a single objective — distractors deliberately swap them.
  • The Three Lines Model is principles-based collaboration, not the rigid 'Three Lines of Defense'; first and second lines are management, only the third line (internal audit) is independent.
Last updated: June 2026

Trap 1 — Letting Internal Audit "Own" Risk or Control

The most common wrong answer in this section hands internal audit a management responsibility. The exam writers know candidates over-credit internal audit's importance, so they offer choices like "internal audit sets the risk appetite," "internal audit designs the controls," or "internal audit accepts residual risk." All are wrong. Management owns risk and control; the board oversees; internal audit assures.

Where this gets subtle is the advisory (consulting) role. Internal audit may advise management on improving risk management and control design — but it must not make management decisions, and if it has recently designed a control, it must wait an appropriate period and disclose the prior involvement before auditing it, to protect objectivity. A related trap concerns the chief audit executive (CAE) facilitating a risk assessment: internal audit can facilitate or coordinate an enterprise risk-management workshop, but management must remain the decision-maker and risk owner.

If an answer choice says internal audit "is responsible for the effectiveness of risk management," reject it — internal audit is responsible for assessing and reporting on that effectiveness.

Rule of thumb: any answer that makes internal audit accountable for the outcome (rather than for the assurance about the outcome) is a trap.

The same trap appears in governance scenarios. If a stem asks who is accountable for establishing and maintaining effective governance, the answer is the board and management, with internal audit evaluating and recommending improvements. An answer that says "internal audit is responsible for the organization's governance" inverts the relationship and is wrong. Watch for verbs: words like own, establish, implement, approve, accept, and decide belong to management or the board; words like assess, evaluate, review, assure, advise, and report belong to internal audit.

Trap 2 — Mixing the Two COSO Frameworks

COSO publishes two frameworks and the exam routinely swaps their components in distractors:

COSO Internal Control (2013)       COSO ERM (2017)
-------------------------------    ----------------------------------------
Control Environment                Governance & Culture
Risk Assessment                    Strategy & Objective-Setting
Control Activities                 Performance
Information & Communication        Review & Revision
Monitoring Activities              Information, Communication & Reporting
5 components, 17 principles        5 components, 20 principles

A question that asks for the "five components of internal control" expects the 2013 list; one that asks about "managing risk integrated with strategy and performance" expects the 2017 ERM list. The fastest tell: if you see Control Activities and Monitoring, you are in the Internal Control framework; if you see Strategy & Objective-Setting and Review & Revision, you are in ERM. Do not let a choice that says "Risk Assessment is a component of COSO ERM" fool you — Risk Assessment is an Internal Control component; in ERM, risk identification and assessment live inside the Performance component.

Trap 3 — Appetite vs. Tolerance

Distractors freely swap these. Risk appetite is broad, strategic, and enterprise-level — the amount of risk pursued for value. Risk tolerance is narrow — the acceptable variation around achieving a specific objective or measure. If the stem mentions a percentage band around one target ("±5% of budget"), the answer is tolerance, not appetite.

A related snare swaps inherent and residual risk. Remember the order of operations: inherent is the raw risk before management acts; residual is what remains after responses. A choice that calls the exposure remaining after controls "inherent risk" is wrong by definition. The exam also tests whether you grasp that a control reduces residual risk, not inherent risk — adding a control does not lower inherent risk (the raw exposure is unchanged), it lowers the residual exposure that survives the control.

Trap 4 — Misremembering the Three Lines, and Other Snares

Several smaller traps recur:

  • "Three Lines of Defense" wording. The IIA updated the model to the Three Lines Model in 2020. An answer that frames the lines as a purely defensive, siloed structure or that calls it the "defense" model is using outdated terminology. The current model emphasizes roles, collaboration, and alignment.
  • Putting internal audit in the second line. Compliance and risk-management functions are the second line; internal audit is always the third line and must stay independent of management. The first and second lines are management roles.
  • Confusing governance with management. Governance is direction and oversight (the board); management is execution. A scenario about "setting the ethical tone and approving strategy" is governance; "implementing the controls" is management.
  • Assuming more controls are always better. Controls exist to bring risk within appetite; over-control wastes resources and can itself be a finding. The right answer often balances control cost against the risk it mitigates.
  • Treating preventive and detective as interchangeable. Preventive stops the event before; detective finds it after. Preventive is generally preferred, but detective and corrective controls are necessary backstops.

Keep one mental checklist: Who owns it? Which framework? Appetite or tolerance? Which line? Before or after the event? Run any governance, risk, and control question through those five filters and the traps fall away.

Finally, beware the trap of outdated counts and dates. The 2025 Global Internal Audit Standards have five Domains, 15 Principles, and 52 Standards, effective 9 January 2025 — an answer citing the superseded 2017 IPPF structure is a distractor. The COSO Internal Control framework has 17 principles, while COSO ERM 2017 has 20; choices that swap these numbers, or that attribute "17 principles" to ERM, are deliberately wrong. Memorizing the exact figures inoculates you against an entire class of distractors that rely on candidates being fuzzy about the numbers.

Test Your Knowledge

Which statement reflects a correct understanding rather than a common exam trap?

Test Your Knowledge

An answer choice lists 'Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring' as the components of COSO ERM 2017. Why is this wrong?
