4.5 Practice Drills and Readiness Markers
Key Takeaways
- You are exam-ready when you can name the owner, framework, appetite-versus-tolerance cue, line, and control type for any governance, risk, and control scenario in seconds without hesitation.
- Drill the four risk responses (accept, avoid, reduce, share) and match each to a one-line example until recall is automatic.
- Be able to recite both COSO frameworks' five components and the Three Lines Model roles from memory before sitting the exam.
- Because Section C is 30% of Part 1 — one of the two heaviest sections — allocate generous review time here and target near-perfect accuracy on definitional items.
Drill 1 — The Five-Filter Reflex
Every governance, risk, and control question can be cracked by running it through five filters. Drill them until the answer surfaces before you finish reading the choices:
- Who owns it? Management owns risk and control; the board oversees; internal audit assures.
- Which framework? Internal Control (2013) vs. ERM (2017) — look for the giveaway components.
- Appetite or tolerance? Appetite is the broad amount of risk the entity is willing to accept in pursuit of value (set at the enterprise level); tolerance is the acceptable variation in performance around a single objective (often stated as a band or percentage).
- Which line? First = operations, second = risk/compliance, third = internal audit.
- Before or after the event? Preventive vs. detective vs. corrective.
Practice by taking any practice question, ignoring the choices, and saying which filter the stem is testing. When you can label the filter in under five seconds for 20 questions in a row, your recognition speed is exam-ready.
Drill 2 — Risk-Response Speed Round
Flash through these until the mapping is reflexive:
| Response | One-line example |
|---|---|
| Accept | Self-insure a low-impact risk already within appetite |
| Avoid | Exit a market because the regulatory risk is too high |
| Reduce | Add segregation of duties to cut fraud likelihood |
| Share | Buy insurance or form a joint venture |
Then quiz yourself in reverse: given the example, name the response in one word. A useful refinement: for every example, also state whether the response changes likelihood, impact, or both. Reduce typically attacks likelihood or impact directly; share leaves the underlying event unchanged but transfers the financial consequence; avoid eliminates the exposure entirely; accept leaves both untouched because the risk is already tolerable.
Being able to articulate which dimension a response affects is the difference between recognizing the term and truly understanding it, and the exam occasionally rewards that deeper distinction in "which response best addresses a high-impact, low-likelihood risk" questions, where share (insurance) is frequently the strongest answer.
Drill 3 — Recite the Frameworks Cold
Write these from memory, timed, until you can do it without errors:
- COSO Internal Control (2013) — 5 components / 17 principles: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities.
- COSO ERM (2017) — 5 components / 20 principles: Governance & Culture; Strategy & Objective-Setting; Performance; Review & Revision; Information, Communication & Reporting.
- Three Lines Model (2020): governing body (oversight); first line (operational management, owns risk); second line (risk/compliance, support & challenge); third line (internal audit, independent assurance).
- IIA Global Internal Audit Standards (2025): 5 Domains, 15 Principles, 52 Standards, effective 9 January 2025.
The target is mechanical recall: if recalling these costs you thinking time during the exam, you have not over-learned them enough. Pair each component with one scenario tell so you can recognize it inside a narrative, not just list it.
Drill 4 — Control Classification Sprints
Take 15 control descriptions and tag each as preventive / detective / corrective and manual / automated, then sanity-check: preventive stops it before, detective finds it after, corrective fixes it. Add the higher-order judgment the exam rewards — would more of this control add value, or is the risk already within appetite (over-control)? This trains you to answer the "what should the auditor recommend" variant, not just the classification variant.
Finish the sprint by tagging each control with the COSO Internal Control component it supports — most procedural controls are Control Activities, but a reconciliation feeding a management report touches Information & Communication, and a periodic re-test of controls is Monitoring. Forcing two classifications per control (timing type and COSO component) wires the frameworks together so that a single scenario can no longer surprise you regardless of which angle the question takes.
Readiness Markers — Know When You're Done
Use these concrete checkpoints to decide whether the governance, risk, and control material is ready:
- You score 85%+ on mixed practice sets, with misses concentrated in careless reading rather than missing knowledge.
- You can state which COSO framework a component belongs to without pausing.
- You never place internal audit in the first or second line, and never give it ownership of risk or control.
- You distinguish inherent vs. residual and appetite vs. tolerance instantly, including when the stem buries the cue in a percentage band.
- You can explain why preventive controls are generally preferred yet why detective and corrective controls remain essential.
- You can articulate internal audit's contribution to governance, ethics, IT governance, and ESG oversight in one sentence each.
Because Section C is 30% of Part 1 — one of the two heaviest sections, behind only Foundations — it deserves a large share of your final review and should be an area where your accuracy is highest. Treat any residual confusion between the two COSO frameworks or the Three Lines roles as a priority gap to close before test day. When all six markers above are true and your timed recall of the frameworks is mechanical, you have converted this section from a likely source of lost points into one of your strongest scoring areas.
A final readiness habit is to review your wrong answers by trap category rather than by topic. Tally whether your misses cluster in ownership confusion, framework mix-ups, appetite-versus-tolerance, line placement, or control timing — then drill the dominant category specifically. Because the same handful of traps recurs across dozens of differently worded questions, closing your single weakest trap usually lifts your score on this section by several percentage points at once, which on a 30% section is a meaningful swing in your overall result.
Self-Check Questions
- During final review, which performance pattern best indicates you are ready for the governance, risk management, and control section?
- Applying the five-filter reflex, a question states management bought insurance to offset a low-probability, high-impact disaster. Which response and reasoning is correct?