Complete Exam Study Guide
KU Leuven · Faculty of Economics and Business
Lecturer: Jeffrey Ottevanger · Guest lectures: EY & KU Leuven Internal Audit
Part I (Ch 1-8): Risk management & internal control theory. Part II: the EY guest lectures — Data Analytics &
Process Mining, CSRD/Sustainability, Fraud & Forensics, IT Controls/Cybersecurity/AI, and Business Continuity
Management.
Risk Management & Internal Control — Study Guide | Page 1
,How to use this guide & exam overview
This guide is written so that you can revise from this document alone. It follows the order in which the
course was taught. Each chapter teaches the concepts from scratch, defines every key term, explains
every framework in full, and flags the visual slides you must be able to recognise and reproduce. Shaded
call-out boxes mark the highest-yield exam points.
The exam format (confirmed on the slides)
• Closed-book, written exam with multiple-choice and open-ended questions (Intro slide 11).
• Roughly half the exam comes from EY’s part of the curriculum and half from the risk-
management & controls theory (wrap-up slide). The EY material spans five guest sessions — all
covered in Part II of this guide. Give it equal weight.
• The mock exam shows three question types: (1) yes/no with a justification, (2) multiple-choice,
and (3) large open questions (e.g. “What is the fraud triangle?”). Example open prompts named
on the slides: “Discuss the three lines of defence” and “Discuss the role of corporate governance
in ERM.”
Exam strategy
Be able to (a) state precise definitions (ISO Guide 73 risk, COSO Internal Control, COSO ERM, internal
auditing, audit, materiality), (b) draw and label the recurring diagrams (Three Lines, RASP, COSO
cube, ISO 31000 RMP, risk matrix, bow-tie, Fraud Triangle, double-materiality matrix, IT-control
families), and (c) apply them to short scenarios, exactly as the MCQs and EY case studies do.
Risk Management & Internal Control — Study Guide | Page 2
,Table of Contents
How to use this guide & exam overview......................................................................................................2
The exam format (confirmed on the slides).............................................................................................2
Table of Contents........................................................................................................................................3
Chapter 1 — Introduction to Risk Management & Internal Control............................................................6
1.1 Course objectives (what you should be able to do)...........................................................................6
1.2 A brief history of risk management....................................................................................................6
1.3 What is risk?......................................................................................................................................7
1.4 What is (internal) control?.................................................................................................................8
1.5 Development of ERM: from silos to integration................................................................................8
1.6 Corporate governance and the external regulatory context..............................................................9
1.7 Control responsibilities — who does what......................................................................................10
1.8 Summary: the Three Lines (of Defence) — key visual......................................................................12
Chapter 2 — Linking Strategy and Risk Management (Standards & Frameworks)....................................13
2.1 Standards, process and framework: 8R-4T and RASP......................................................................13
2.2 COSO ERM.......................................................................................................................................14
2.3 ISO 31000.........................................................................................................................................15
2.4 The ISO 31000 Risk Management Process (RMP) — key visual........................................................16
2.5 Linking ERM and strategy development..........................................................................................16
Chapter 3 — Governance & Governing Bodies..........................................................................................18
3.1 Red flags of bad governance — Simons’ Risk Exposure Calculator (key visual)...............................18
3.2 The WorldCom case (worked example)...........................................................................................18
3.3 The external regulatory context: theories behind governance........................................................19
3.4 The Sarbanes-Oxley Act (SOX, 2002) in detail..................................................................................20
3.5 Corporate governance from the internal context: governing bodies...............................................20
3.6 Governance around the world.........................................................................................................21
Chapter 4 — Designing Risk Management & Challenges of ERM Implementation....................................22
4.1 Designing a risk-management framework: the lifecycle..................................................................22
4.2 Implementing the framework: case-study lessons..........................................................................22
4.3 Challenges of ERM implementation.................................................................................................23
4.4 Specific risk categories.....................................................................................................................23
Chapter 5 — Fraud Management..............................................................................................................26
5.1 What is fraud?..................................................................................................................................26
5.2 Who commits fraud, and why?........................................................................................................26
Risk Management & Internal Control — Study Guide | Page 3
, 5.3 Types of fraud..................................................................................................................................26
5.4 The Fraud Triangle (Donald Cressey) — key visual...........................................................................27
5.5 The COSO Internal Control framework — five components (key visual)..........................................28
5.6 Control Activities in detail................................................................................................................28
5.7 Rationalisation in practice................................................................................................................29
5.8 Fraud prevention & detection..........................................................................................................29
Chapter 6 — Risk Assessment, Cognitive Biases & Risk Response.............................................................31
6.1 The appetite vocabulary..................................................................................................................31
6.2 Inherent vs residual risk...................................................................................................................31
6.3 Risk assessment: definition and three tasks....................................................................................31
6.4 Risk description and the risk register...............................................................................................32
6.5 Risk assessment tools & techniques (ISO 31010) — key table.........................................................32
6.6 Cognitive biases...............................................................................................................................34
6.7 Risk response (risk treatment) — the 4 Ts.......................................................................................34
Chapter 7 — A Closer Look at Risks & Controls.........................................................................................36
7.1 Financial risk....................................................................................................................................36
7.2 Market risk.......................................................................................................................................36
7.3 Credit risk.........................................................................................................................................37
7.4 Operational risk...............................................................................................................................38
7.5 Types of controls — in depth...........................................................................................................38
Chapter 8 — Internal Audit (KU Leuven guest lecture)..............................................................................40
8.1 Internal audit definition & ethics (GIAS, 2025)................................................................................40
8.2 The IIA Three Lines Model (updated) — key visual..........................................................................40
8.3 Internal audit at KU Leuven.............................................................................................................40
8.4 What internal audit does.................................................................................................................41
8.5 Conducting an audit.........................................................................................................................42
8.6 ERM and Internal Audit....................................................................................................................43
EY Guest Lecture I — Audit, Data Analytics & Process Mining...................................................................45
EY.1 What an audit is, and why it exists.................................................................................................45
EY.2 Data analytics — theory and practice............................................................................................46
EY.3 Process mining...............................................................................................................................47
EY Guest Lecture II — CSRD & Sustainability Reporting (“More than a report”).......................................50
EY2.1 Context: why sustainability matters.............................................................................................50
EY2.2 The EU regulatory landscape.......................................................................................................50
EY2.3 ESG risk identification..................................................................................................................51
Risk Management & Internal Control — Study Guide | Page 4