P3 RM Flashcards
Chapter: 3
Topic: Banking
Question: Principles of Basel III / Dodd Frank Act / Bank of England
Hint: Do banks have sufficient capital to withstand anticipated losses during financially stressful situations?
Basel III : Three pillars [sound banking practices]
Min Amounts of Capital Required
Visibility of Risks
Disclosure to encourage better behaviour
DFA : Three Scenarios
Baseline
Adverse
Severely Adverse
BoE : using variables to predict unfavourable macro scenarios
Global Economy
Unemployment Rates
Commodity Prices
House Prices
Interest Rates
Chapter: 9
Topic: Centralised Management of CS Controls
Question: Four main controls present within Information System
Hint: SANG
1) Software Controls - ensuring correct software is used. Buying from recognised supplier.
2) Application Controls - completeness / accuracy of records + validity of entries made to a specific application. Inc. Input [data entry checks] / Processing [accuracy during computer processing] / Output [exception reports].
3) Network Controls - protect IS from CS risks across entire network. Inc Firewalls, Virus protection, spyware, encryption.
4) General Controls - prevent or detect errors / irregularities in all accounting systems. Inc both software and hardware, personnel, access and password controls.
Chapter: 10
Topic: Cyber Risk Reporting Frameworks
Question: SOC 2 Framework
Hint: Service Organisations
Describes CRMP + effectiveness of controls when processing clients data. Features inc:
- Specific SOC 2 Criteria [to CRMP’s description and controls] - CPA approved
- Description criteria inc. type of service provided [payroll / finance], systems used to provide + boundaries. DN inc. description of specific controls in a service organisation.
- Written assertion from management [Re: description in line with criteria + controls suitably designed] + CPA opinion to validate description and controls.
- Detailed list of controls tests carried out by CPA.
- Limited availability.
Chapter: 10
Topic: Cyber Risk Reporting Frameworks
Question: SOC Framework
Hint: Offers accreditation for overall CS [AICPA]
Delivers a review of entity’s CRMP. Features inc:
- Description criteria of the CRMP in line with agreed criteria [nature of operations / key info assets / inherent CS risk factors / governance / risk assessment / monitoring]. Written assertion by management req.
- Control criteria assessed by management and assertion that it is effective in achieving organisation CS objectives.
- Opinion by CPA on description and control criteria.
- Prepared for general distribution to stakeholders.
- DN contain list of detailed tests carried out.
Chapter: 4
Topic: Sub-Committee of Directors
Question: Audit Committee
Hint: Review + Monitor
Review and monitor:
Annual accounts.
Adequacy of Internal controls [fin + non-fin].
Risk Management systems.
Liaises with External Auditors on queries, appoint, denote non-audit services, compensate.
Supervises Internal Audit + scrutinise output.
All independent [financially literate] NEDs with at least one financial expert.
Chapter: 9
Topic: CS Governance + Policy
Question: Three strategies used to avoid being Hacked?
Hint: RSD
Reconnaissance - awareness of how you appear to third parties. Do you look vulnerable?
Simulation - assume you will be hacked at some point. Have contingency plans in place. Are you prepared?
Digital Identity - understanding how you interact with all things digitally. Focus on IoT’s.
Chapter: 5
Topic: Purpose of Internal Controls
Question: Objectives of IC
Hint: ORC
Reasonable Assurance regarding the objectives for:
Operational - financial + operational performance / safeguarding assets.
Reporting - internal / external / financial / non-financial ensuring timeliness, accuracy and transparency.
Compliance - with laws and regulations
Chapter: 5
Topic: Features of Internal Controls
Question: COSO IC Integrated Framework
Hint: Objectives [ORC] / Levels [F / OU / D / EL] / Components [CE / RA / CA / I&C / MA]
Objectives - Operational / Reporting / Compliance
Levels - Functional / Operational Unit / Divisional / Entity Level
Components - Control Environment / Risk Assessment / Control Activities / Information & Comms / Monitoring Activities
Chapter: 1
Topic: Risk Management Institutes
Question: Four Categories of Risk [‘Institute of RM’]
Hint: FOSH [int / ext]
Financial - long term CFs / ST liquidity / fraud / economic factors.
Operational - day to day business risks.
Strategic - long term outcomes impacted.
Hazard - natural / human.
Chapter: 10
Topic: Cyber Risk Reporting Frameworks
Question: Internal & External forms of CS reporting.
Hint: Int - CV + RA / Ext - RM & DM + 3rd Party R + Risk P & Why?
Internal CS Reporting: to board / management / employees.
Core Values
Risk Appetite
External CS Reporting: to regulators / stakeholders / investors / media.
Risk Management and Decision Making
Third Party Reliance
What needs Protecting and their Importance [why?]
Chapter: 6
Topic: Internal Control Systems in Practice
Question: Control Activities in Any System
Hint: x5 - A S Ip Pr Pc
Expectations of External Auditors:
Authorisation - transactions approved by right personnel
Segregation of Duties - no one person having total control of a process.
Information Processing - general + application controls.
Performance Review - actual vs expected.
Physical Controls - safeguarding of assets / access to data files / periodic counting.
Chapter: 7
Topic: How to deliver Internal Audit
Question: Three types of Testing
Hint: WT / ToC / ST [inc. AR + BM]
Walkthrough Testing: sequential, through documenting events from start to finish.
Test of Controls: known as compliance test. Whether or not the controls in place have operated. Testing the process.
Substantive Testing: ignores the control that has happened, instead, verifies the actual amount itself. Looks at whether individual events are valid [sums received recorded in the correct accounting period]. Testing the content.
Chapter: 7
Topic: How to deliver an Internal Audit
Question: The Five Stages involved in delivery
Hint: OF -> P -> RA -> T -> Bm
1) Organisational Factors - assessment of need.
Inc: Scale, size, complexity, diversity / Cost vs Benefit / Changes in processes, structure, IC, IS? / Changes in key risks? / Increased number of ‘unexplained events’?
2) Planning - prioritise / establish objectives of audit / effective use of resources
3) Risk Assessment - inherent / control / residual / detection
4) Testing - walkthrough / test of controls / substantive testing in order to collect evidence to help achieve audit objectives.
5) Benchmarking - comparing financial and non-financial performance [type of Analytical Review / Substantive Testing].
Chapter: 7
Topic: How to deliver an IA
Question: Three bases for Sampling
Hint: R / N / V
Random - exposes firms to sampling risk [not true representation of whole population]
Nature - inherent risk
Value - materiality
Chapter: 5
Topic: Management Accounting Techniques
Question: 8 Key Areas + Core Fundamentals
Hint:
Marginal Costing - low volume, high complexity. Differentiating between fixed and variable costs.
Just in Time - continuous improvement + reduced inventory handling.
Kaizen - incremental improvements, waste elimination.
Target Costing - viability of production?
EVA - economic profit, reflecting true profit based on value from invested funds. Best for asset-rich companies not for those with intangible assets, such as technology businesses. Can lead to dysfunctional behaviour.
TQM - considers cost of quality. ‘First time, every time’.
Throughput - lead time / efficiency. All costs fixed besides material costs. Success based on how quickly product can be made available to customer.
Life Cycle Costing - matching costs and revenues to the specific product. Focus on profitability and long term planning.
Lean MA - value streams + elimination.
Chapter: 9
Topic: Centralised Monitoring of CS Controls
Question: 14 ISO 27001 Control Sets
Hint: Mgment x3 / Security x5 / C’s x3 / S’s x2 / Other’s x1
Management x3
Information System Incident - monitor / detect / respond
Business Continuity - contingency plans
Asset - access / safeguarding / recovery
Security x5
Information Policy - SANG
HR Resources - policy / procedural com
Physical & Environmental - natural disaster
Operational - malware / back-up policies
Communications - network controls
S’s
Supplier Relationships - screening
Systems Development - updating software
C’s
Compliance with Laws & Regs - GDPR
Cryptography - encryption
Access Controls - physical / virtual pw’s
Other’s
Organisation of IS - BYOD
Chapter: 2
Topic: Strategies for Risk Mitigation
Question: Four Methods of Risk Reduction & Control [High Likelihood, Low Impact]
Hint: LC / D / PA / CP
Loss Control - physical devices / psychological awareness + commitment to minimise losses.
Risk Diversification - portfolio approach through geographical [TLC], product base [PLC], activities [integration].
Procedural Approach - adherence to policies, codes and regulations.
Contingency Planning - post loss needs understood. Regularly reviewed + simulations performed. THINK - 6 Key Elements.
Chapter: 9
Topic: Centralised Management of CS Controls
Question: Six key elements within Contingency Plans
Hint: CC RR BP
Continuity Plans - hotsites / mirror sites.
Communication - internal / external.
Responsibilities - list of staff / accountability.
Risk Assessment - assessing impact.
Back up Procedures - standby / recovery / personnel management.
Priorities - what are we protecting?
Chapter: 6
Topic: Information as a Form of Control
Question: Five key teams required for Successful Implementation of a New System?
Hint: SC [Sp / Pm / Ur / ITs / IA]
Sponsor
Project Manager
User Representation
IT Specialist
Internal Audit Function
All form part of the Steering Committee. Help to monitor implementation / deliverables / ensure quality + control + costs are met / forum for discussion.
Chapter: 6
Topic: Information as a Form of Control
Question: Ten Types of Information Systems
Hint: D’s x2 / E’s x3 / K / M / O / S / T
OAS - Office Automation, basic spreadsheets
ERPS - Enterprise Resource Planning, organisation wide integration of functions
KWS - Knowledge Work, new knowledge creation inc. training.
EIS - Executive Information, usually presented in graphical format with drill down features.
ES - Expert, stores info and applies rules to make easy decisions [inc. diagnosis of illness]
DSS - Decision Support, data analytics to model scenarios.
SEMS - Strategic Enterprise Management, high level tools such as ABM.
MIS - Management Information, mid level analysis of transactions for DM and control purposes [inc. Standardised Reports]
TPS - Transaction Processing, billing + payroll.
DC - Data Centres, stores data in warehouses. Inc Big Data.
Chapter: 9
Topic: Centralised Monitoring of Cybersecurity Controls
Question: Six step response to CS - ISO 27001
Hint: Me -> AoDR -> TARA -> Rpt -> App CS Profile -> Imp R Treat P
METHODOLOGY - agreed / consistency
ASSESSMENT - impact vs likelihood of Data Risks
TREATMENT - record whether to Control / Avoid / Transfer / Accept risks.
REPORT [all results] - accreditation [ISO 27001] + own interest purposes.
APPLICABILITY - security profile showing all controls and status.
IMPLEMENTATION - risk treatment plan. What, who, how and when.
Chapter: 9
Topic: Cybersecurity Risk Governance Structure
Question: CS Risk Governance Structure elements.
Hint: H / CON BT EV / BO / MR / CON BT R
Note: Formal, codified statement which outlines aims. Overseen by board of directors… CS to be embedded.
HIRING - qualified staff inc. CIO [Risk Manager]
CONNECTION B/T CS AND ETHICAL VALUES
BOARD OVERSIGHT - dedicated committee or CIO
MONITORING AND REPORTING - active engagement by board members. Increases accountability.
CONNECTION B/T CS RISKS AND OTHER RISKS - in line with Risk Appetite.
Chapter: 7
Topic: Internal Audit
Question: Purpose + Overall Objectives + Reporting of Internal Audit function
Hint: Sa C Ro Ec Ar Mr
PURPOSE - Independent Assurance that RM, Gov., IC processes are operating effectively. Ultimate aim is OBJECTIVITY in their findings.
OBJECTIVES -
Safeguarding Assets
Compliance [policy + regulations]
Reduce Overheads [business units alignment]
Effective Controls [IC]
Accounting Records
Managing Risk [RM]
REPORTING - to NEDs through Audit Committee.
Chapter: 9
Topic: Centralised Monitoring of CS Controls
Question: Seven Outputs of CS Monitoring Systems
Hint: SR SU AT TN PC CT RI
Staff Responsible
System Upgrades
Audit Trails
Training Needs
Policy Changes
Consistent Trends
Regulators Informed