4.3 Scenario Practice for Governance, Risk Management, and Control
Key Takeaways
- Inherent risk is the risk before any management action; residual risk is what remains after controls and other responses are applied.
- Risk appetite is the broad amount of risk an organization is willing to accept in pursuit of value; risk tolerance is the acceptable level of variation around a specific objective.
- The COSO Internal Control framework (2013) has five components — Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring — and 17 principles.
- Controls are classified by timing as preventive (stop errors before they occur), detective (find errors after they occur), and corrective (fix problems and restore expected outcomes).
Reading a Risk Scenario Correctly
Most scenario items hand you a short narrative and ask which framework concept it illustrates. The trap is that the story uses everyday language while the answer choices use precise framework vocabulary. Build a habit of translating the narrative into the exact term.
Start with the inherent vs. residual distinction, which appears constantly:
- Inherent risk is the risk to an entity in the absence of any direct or focused actions by management to alter its severity. Think "raw" or "gross" risk.
- Residual risk is the risk that remains after management has taken action (controls, responses) to reduce the impact and likelihood. Think "net" risk.
Management responds to inherent risk and is left with residual risk, which it then compares to risk appetite and risk tolerance:
| Term | Definition | Scope |
|---|---|---|
| Risk appetite | The amount and type of risk an organization is willing to accept in pursuit of value | Enterprise-wide, strategic |
| Risk tolerance | The acceptable level of variation relative to achieving a specific objective | Specific to one objective/measure |
A scenario that says "the board will accept up to a 10% deviation from the on-time-delivery target" describes risk tolerance, not appetite — it is bounded to one objective.
Notice the direction of that relationship, because the exam tests it: management starts with inherent risk, applies risk responses (including controls), and is left with residual risk, which it compares against its tolerance for that objective and, more broadly, against enterprise appetite. If residual risk still exceeds tolerance, management must respond further, whether by adding controls, sharing the risk (for example through insurance), or avoiding the activity altogether.
The internal auditor's job in such a scenario is to evaluate whether management correctly identified the inherent risk, whether the chosen responses are adequate, and whether the remaining residual risk is genuinely within the organization's stated appetite. A scenario in which management reports residual risk inside appetite while controls are clearly failing is a classic assurance gap the auditor must surface.
Mapping Scenarios to COSO Internal Control Components
The COSO Internal Control – Integrated Framework (2013) has five components and 17 principles. Scenario items often describe a single activity and ask which component it belongs to. Use these tells:
| Component | What it covers | Scenario tell |
|---|---|---|
| Control Environment | Tone at the top, integrity, ethical values, organizational structure, competence, accountability | "The board demonstrates independence and sets ethical expectations…" |
| Risk Assessment | Specifying objectives, identifying and analyzing risks, considering fraud and change | "Management identifies and analyzes risks to objectives…" |
| Control Activities | Policies and procedures (approvals, authorizations, reconciliations, segregation of duties) | "Two signatures are required to release a payment…" |
| Information & Communication | Generating and communicating quality information internally and externally | "Relevant data is captured and reported up to management…" |
| Monitoring Activities | Ongoing and separate evaluations; communicating deficiencies | "Internal audit periodically tests whether controls still operate…" |
The framework requires that all five components be present and functioning and operate together in an integrated manner, and that the 17 principles be present and functioning, for internal control to be judged effective. A common distractor confuses Control Environment (the foundation — culture and tone) with Control Activities (the actual procedures). The environment is why people do the right thing; the activities are the specific steps that enforce it.
The framework also distinguishes among three categories of objectives the components serve: operations (effectiveness and efficiency), reporting (reliability of internal and external reporting, financial and non-financial), and compliance (adherence to laws and regulations). A scenario can name an objective category and ask which it falls under, so keep these three straight alongside the five components.

Internal control, however effective, can provide only reasonable assurance, never absolute assurance, because human judgment can fail, controls can be circumvented through collusion, and management can override controls.
The exam frequently rewards the choice that acknowledges these inherent limitations: an answer claiming controls give "absolute assurance" that objectives will be met is always wrong.
Classifying Controls by Timing and Type
Scenario questions frequently ask you to classify a control. The primary axis the exam tests is timing relative to the event:
- Preventive control — stops an undesirable event before it happens. Examples: segregation of duties, required approvals, edit checks that reject invalid input, physical locks.
- Detective control — identifies an undesirable event after it has occurred so it can be corrected. Examples: reconciliations, exception reports, variance analysis, after-the-fact reviews.
- Corrective control — fixes the problem a detective control surfaced and restores the process to its intended state. Examples: data-correction procedures, disaster-recovery restoration, disciplinary follow-up.
A single business process usually layers all three. The exam rewards recognizing that preventive controls are generally preferred because stopping an error is cheaper than detecting and correcting it, while also recognizing that no control set is purely preventive, so detective and corrective controls provide essential backstops. Controls are also categorized in other ways the exam may reference (manual vs. automated, key vs. secondary, directive controls that encourage desired behavior), but preventive / detective / corrective is the classification most heavily tested.
Remember the unifying principle: controls exist to bring risk to within appetite — so when a scenario gives you a control with no underlying risk, the correct critique is that it is a redundant or inefficient control.
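The layering described above, as an added example that is not part of the original page: a toy payment process in which a preventive check (edit check, segregation of duties, dual approval above a threshold) runs before release, a detective reconciliation of the ledger against the bank statement runs after the fact and produces an exception report, and a corrective step posts adjusting entries from that report. The $50,000 threshold, the payment batch and the bank statement are constructed for illustration; the point the code makes is that the two problems the reconciliation finds are ones no preventive check in the release path could have caught.

```python
"""Added example: one payment process layered with preventive, detective and
corrective controls. All data below is constructed; nothing is from the page."""
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical policy threshold, chosen to mirror the wire-transfer scenario.
DUAL_APPROVAL_THRESHOLD = 50_000


@dataclass
class Payment:
    ref: str
    amount: int
    requester: str
    approvers: list[str] = field(default_factory=list)


def preventive_release_check(p: Payment) -> tuple[bool, str]:
    """Preventive: runs BEFORE release and rejects rather than flags.
    Combines an edit check, segregation of duties and a dual-approval rule."""
    if p.amount <= 0:
        return False, "edit check: amount must be positive"
    if p.requester in p.approvers:
        return False, "segregation of duties: requester cannot approve own payment"
    needed = 2 if p.amount > DUAL_APPROVAL_THRESHOLD else 1
    if len(set(p.approvers)) < needed:
        return False, f"approval: {needed} distinct approver(s) required"
    return True, "released"


def detective_reconciliation(ledger: dict[str, int], bank: dict[str, int]) -> list[dict]:
    """Detective: runs AFTER the fact, comparing the ledger to the bank statement
    and producing an exception report. It stops nothing; it only surfaces."""
    exceptions = []
    for ref in sorted(set(ledger) | set(bank)):
        l_amt, b_amt = ledger.get(ref), bank.get(ref)
        if l_amt is None:
            issue = "in bank not ledger"
        elif b_amt is None:
            issue = "in ledger not bank"
        elif l_amt != b_amt:
            issue = "amount mismatch"
        else:
            continue
        exceptions.append({"ref": ref, "issue": issue, "ledger": l_amt, "bank": b_amt})
    return exceptions


def corrective_adjustments(ledger: dict[str, int], exceptions: list[dict]):
    """Corrective: turns the exception report into adjusting entries and applies
    them. Every adjustment is recorded (never a silent overwrite) so the
    follow-up review has a trail. Returns (adjusted_ledger, entries)."""
    adjusted, entries = dict(ledger), []
    for e in exceptions:
        if e["issue"] == "amount mismatch":
            adjusted[e["ref"]] = e["bank"]
            entries.append({"ref": e["ref"], "adjustment": e["bank"] - e["ledger"],
                            "note": "ledger corrected to statement; confirm with payee"})
        elif e["issue"] == "in bank not ledger":
            adjusted[e["ref"]] = e["bank"]
            entries.append({"ref": e["ref"], "adjustment": e["bank"],
                            "note": "unrecorded debit booked; investigate origin"})
        # "in ledger not bank" is left alone: the payment may simply not have cleared.
    return adjusted, entries


def run_process(payments: list[Payment], bank_statement: dict[str, int]) -> dict:
    """Runs a batch through all three layers and returns the combined result."""
    released, rejected, ledger = [], {}, {}
    for p in payments:
        ok, reason = preventive_release_check(p)
        if ok:
            released.append(p.ref)
            ledger[p.ref] = p.amount
        else:
            rejected[p.ref] = reason
    exceptions = detective_reconciliation(ledger, bank_statement)
    adjusted, adjustments = corrective_adjustments(ledger, exceptions)
    return {"released": released, "rejected": rejected, "exceptions": exceptions,
            "adjusted_ledger": adjusted, "adjustments": adjustments}


# Constructed batch; each comment states what the preventive layer should do.
SAMPLE_PAYMENTS = [
    Payment("P1", 20_000, "alice", ["bob"]),           # under threshold, one approver: released
    Payment("P2", 75_000, "alice", ["bob"]),           # over threshold, one approver: rejected
    Payment("P3", 75_000, "alice", ["bob", "carol"]),  # over threshold, two approvers: released
    Payment("P4", 10_000, "dave", ["dave"]),           # self-approval: rejected (SoD)
    Payment("P5", -5, "erin", ["bob"]),                # negative amount: rejected (edit check)
]
# Constructed statement with two problems no preventive check could have stopped:
# a transposed amount on P3 and a debit X9 that never went through approval.
SAMPLE_BANK_STATEMENT = {"P1": 20_000, "P3": 57_000, "X9": 1_200}

if __name__ == "__main__":
    from pprint import pprint
    pprint(run_process(SAMPLE_PAYMENTS, SAMPLE_BANK_STATEMENT))
```

Reading the output against the classification: P2, P4 and P5 never reach the ledger (preventive), the reconciliation report lists only P3 and X9 (detective), and the adjusting entries carry notes for human follow-up (corrective). Dropping any one layer leaves a gap the others cannot close, which is the point of the section.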
A bank requires a second officer to approve any wire transfer above $50,000 before it is released. This control is best classified as:
An organization assesses that a new product launch carries significant risk before any controls are considered. After it adds quality testing and insurance, the remaining exposure is far lower. The lower, remaining exposure is called:
A scenario states: 'The CEO and board model integrity, and the organization maintains a code of ethics, defined reporting lines, and competence requirements for staff.' Which COSO Internal Control component does this describe?