P3 RM Flashcards
Chapter: 3
Topic: Banking
Question: Principles of Basel III / Dodd-Frank Act / Bank of England
Hint: Do banks have sufficient capital to withstand anticipated losses during financially stressful situations?
Basel III : Three pillars [sound banking practices]
Minimum amounts of capital required [Pillar 1]
Supervisory review - visibility of risks [Pillar 2]
Market discipline - disclosure to encourage better behaviour [Pillar 3]
DFA : Three Scenarios
Baseline
Adverse
Severely Adverse
BoE : using variables to predict unfavourable macro scenarios
Global Economy
Unemployment Rates
Commodity Prices
House Prices
Interest Rates
Chapter: 9
Topic: Centralised Management of CS Controls
Question: Four main controls present within Information System
Hint: SANG
1) Software Controls - ensuring correct, licensed software is used. Buying from a recognised supplier.
2) Application Controls - completeness / accuracy of records + validity of entries made to a specific application. Inc. Input [data entry checks: format, range, required fields, duplicates] / Processing [accuracy during computer processing: record counts, control and hash totals] / Output [exception reports].
3) Network Controls - protect the IS from CS risks across the entire network. Inc. firewalls, anti-virus, anti-spyware, encryption.
4) General Controls - prevent or detect errors / irregularities across all accounting systems. Inc. both software and hardware, personnel, access and password controls.
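Added worked example, not part of the original flashcards: the three application controls above (input / processing / output) as a small Go batch validator. The record layout, the E0000 employee ID format, the GBP 1,000,000 per-line ceiling and the six sample lines are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Record is one constructed payment line as keyed at data entry.
type Record struct {
	Line    int
	ID      string // employee reference, assumed form E0000
	Account string // 8-digit bank account number
	Pence   int64  // amount in pence
}

// BatchHeader holds the count and value totals keyed separately from the detail lines.
type BatchHeader struct {
	Count int
	Total int64
}

// Exception is one row of the output exception report (Line 0 = batch level).
type Exception struct {
	Line   int
	Reason string
}

var (
	idPattern      = regexp.MustCompile(`^E[0-9]{4}$`)
	accountPattern = regexp.MustCompile(`^[0-9]{8}$`)
	maxPence       = int64(100_000_000) // assumed policy ceiling: GBP 1,000,000 per line
)

// inputControls are the data-entry checks: format, range and duplicate rejection.
func inputControls(recs []Record) (accepted []Record, excs []Exception) {
	seen := map[string]bool{}
	for _, r := range recs {
		switch {
		case !idPattern.MatchString(r.ID):
			excs = append(excs, Exception{r.Line, "invalid employee ID " + r.ID})
		case !accountPattern.MatchString(r.Account):
			excs = append(excs, Exception{r.Line, "account number must be 8 digits"})
		case r.Pence <= 0 || r.Pence > maxPence:
			excs = append(excs, Exception{r.Line, fmt.Sprintf("amount %d pence out of range", r.Pence)})
		case seen[r.ID]:
			excs = append(excs, Exception{r.Line, "duplicate employee ID " + r.ID})
		default:
			seen[r.ID] = true
			accepted = append(accepted, r)
		}
	}
	return accepted, excs
}

// processingControls recompute the record count and control total from what was
// actually processed and compare them with the header: any gap means lines were
// lost, altered or rejected somewhere between entry and output.
func processingControls(accepted []Record, h BatchHeader) []Exception {
	var total int64
	for _, r := range accepted {
		total += r.Pence
	}
	var excs []Exception
	if len(accepted) != h.Count {
		excs = append(excs, Exception{0, fmt.Sprintf("record count %d differs from header %d", len(accepted), h.Count)})
	}
	if total != h.Total {
		excs = append(excs, Exception{0, fmt.Sprintf("control total %d differs from header %d", total, h.Total)})
	}
	return excs
}

// RunBatch applies input then processing controls and returns the accepted lines and the
// exception report (the output control): batch-level items first, then by line number.
func RunBatch(h BatchHeader, recs []Record) ([]Record, []Exception) {
	accepted, excs := inputControls(recs)
	excs = append(excs, processingControls(accepted, h)...)
	sort.SliceStable(excs, func(i, j int) bool { return excs[i].Line < excs[j].Line })
	return accepted, excs
}

// SampleBatch is constructed input: six keyed lines and the header totalled over all of them.
func SampleBatch() (BatchHeader, []Record) {
	recs := []Record{
		{1, "E0001", "12345678", 150000},
		{2, "E0002", "23456789", 250000},
		{3, "E002X", "34567890", 100000}, // malformed employee ID
		{4, "E0004", "4567890", 120000},  // 7-digit account
		{5, "E0005", "56789012", -500},   // negative amount
		{6, "E0001", "67890123", 150000}, // duplicate of line 1
	}
	h := BatchHeader{Count: len(recs)}
	for _, r := range recs {
		h.Total += r.Pence
	}
	return h, recs
}

func main() {
	h, recs := SampleBatch()
	accepted, excs := RunBatch(h, recs)
	fmt.Printf("accepted %d of %d lines\n", len(accepted), len(recs))
	for _, e := range excs {
		fmt.Printf("line %d: %s\n", e.Line, e.Reason)
	}
}
```

The point of the processing control is that it is computed independently of the input checks: even if a rejected line were silently dropped, the count and value totals would no longer reconcile to the header, and the exception report is where that surfaces.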
Chapter: 10
Topic: Cyber Risk Reporting Frameworks
Question: SOC 2 Framework
Hint: Service Organisations
Describes the service organisation's system + effectiveness of its controls when processing clients' data. Features inc:
- Specific SOC 2 criteria [AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy] against which the description and controls are assessed - CPA approved
- Description criteria inc. type of service provided [payroll / finance], systems used to provide it + system boundaries. Does NOT require a full description of every specific control in the service organisation.
- Written assertion from management [Re: description in line with criteria + controls suitably designed, and for a Type 2 report operating effectively] + CPA opinion to validate description and controls.
- Detailed list of control tests carried out by CPA [Type 2].
- Restricted distribution [limited-use report: for clients and their auditors, not general distribution].
Chapter: 10
Topic: Cyber Risk Reporting Frameworks
Question: SOC for Cybersecurity Framework
Hint: Offers attestation on an entity's overall CS risk management programme [AICPA]
Delivers an independent review of an entity's CRMP [Cybersecurity Risk Management Program]. Features inc:
- Description criteria of the CRMP in line with agreed criteria [nature of operations / key info assets / inherent CS risk factors / governance / risk assessment / monitoring]. Written assertion by management req.
- Control criteria assessed by management and assertion that it is effective in achieving organisation CS objectives.
- Opinion by CPA on description and control criteria.
- Prepared for general distribution to stakeholders.
- DN contain list of detailed tests carried out.
Chapter: 4
Topic: Sub-Committee of Directors
Question: Audit Committee
Hint: Review + Monitor
Review and monitor:
Annual accounts.
Adequacy of Internal controls [fin + non-fin].
Risk Management systems.
Liaises with External Auditors on queries, appointment, non-audit services, remuneration.
Supervises Internal Audit + scrutinises output.
All independent [financially literate] NEDs with at least one financial expert.
Chapter: 9
Topic: CS Governance + Policy
Question: Three strategies used to avoid being Hacked?
Hint: RSD
Reconnaissance - awareness of how you appear to third parties [what an attacker can discover about you]. Do you look vulnerable?
Simulation - assume you will be hacked at some point. Have contingency plans in place and rehearse them. Are you prepared?
Digital Identity - understanding how you interact with all things digitally. Focus on IoT devices.
Chapter: 5
Topic: Purpose of Internal Controls
Question: Objectives of IC
Hint: ORC
Reasonable Assurance regarding the objectives for:
Operational - financial + operational performance / safeguarding assets.
Reporting - internal / external / financial / non-financial ensuring timeliness, accuracy and transparency.
Compliance - with laws and regulations
Chapter: 5
Topic: Features of Internal Controls
Question: COSO IC Integrated Framework
Hint: Objectives [ORC] / Levels [F / OU / D / EL] / Components [CE / RA / CA / I&C / MA]
Objectives - Operational / Reporting / Compliance
Levels - Functional / Operational Unit / Divisional / Entity Level
Components - Control Environment / Risk Assessment / Control Activities / Information & Comms / Monitoring Activities
Chapter: 1
Topic: Risk Management Institutes
Question: Four Categories of Risk [‘Institute of RM’]
Hint: FOSH [int / ext]
Financial - long term CFs / ST liquidity / fraud / economic factors.
Operational - day to day business risks.
Strategic - long term outcomes impacted.
Hazard - natural / human.
Chapter: 10
Topic: Cyber Risk Reporting Frameworks
Question: Internal & External forms of CS reporting.
Hint: Int - CV + RA / Ext - RM & DM + 3rd Party R + Risk P & Why?
Internal CS Reporting: to board / management / employees.
Core Values
Risk Appetite
External CS Reporting: to regulators / stakeholders / investors / media.
Risk Management and Decision Making
Third Party Reliance
What needs Protecting and their Importance [why?]
Chapter: 6
Topic: Internal Control Systems in Practice
Question: Control Activities in Any System
Hint: x5 - A S Ip Pr Pc
Expectations of External Auditors:
Authorisation - transactions approved by right personnel
Segregation of Duties - no one person having total control of a process.
Information Processing - general + application controls.
Performance Review - actual vs expected.
Physical Controls - safeguarding of assets / access to data files / periodic counting.
Chapter: 7
Topic: How to deliver Internal Audit
Question: Three types of Testing
Hint: WT / ToC / ST [inc. AR + BM]
Walkthrough Testing: sequential, through documenting events from start to finish.
Test of Controls: known as compliance test. Whether or not the controls in place have operated. Testing the process.
Substantive Testing: does not rely on the controls having operated; instead verifies the actual amount / event itself. Looks at whether individual events are valid [sums received recorded in the correct accounting period]. Testing the content.
Chapter: 7
Topic: How to deliver an Internal Audit
Question: The Five Stages involved in delivery
Hint: OF -> P -> RA -> T -> Bm
1) Organisational Factors - assessment of need.
Inc: Scale, size, complexity, diversity / Cost vs Benefit / Changes in processes, structure, IC, IS? / Changes in key risks? / Increased number of ‘unexplained events’?
2) Planning - prioritise / establish objectives of audit / effective use of resources
3) Risk Assessment - inherent / control / residual / detection
4) Testing - walkthrough / test of controls / substantive testing in order to collect evidence to help achieve audit objectives.
5) Benchmarking - comparing financial and non-financial performance [type of Analytical Review / Substantive Testing].
Chapter: 7
Topic: How to deliver an IA
Question: Three bases for Sampling
Hint: R / N / V
Random - exposes firms to sampling risk [not true representation of whole population]
Nature - inherent risk
Value - materiality
Chapter: 5
Topic: Management Accounting Techniques
Question: 8 Key Areas + Core Fundamentals
Hint:
Marginal Costing - low volume, high complexity. Differentiating between fixed and variable costs.
Just in Time - continuous improvement + reduced inventory handling.
Kaizen - incremental improvements, waste elimination.
Target Costing - viability of production?
EVA - economic profit, reflecting true profit based on value from invested funds. Best for asset-rich companies not for those with intangible assets, such as technology businesses. Can lead to dysfunctional behaviour.
TQM - considers cost of quality. ‘First time, every time’.
Throughput - lead time / efficiency. All costs fixed besides material costs. Success based on how quickly product can be made available to customer.
Life Cycle Costing - matching costs and revenues to the specific product. Focus on profitability and long term planning.
Lean MA - value streams + elimination.
Chapter: 9
Topic: Centralised Monitoring of CS Controls
Question: 14 ISO 27001 [2013 Annex A] Control Sets
Hint: Mgment x3 / Security x5 / C's x3 / S's x2 / Other's x1
Management x3
Information Security Incident Management - monitor / detect / respond
Business Continuity Management [IS aspects] - contingency plans
Asset Management - inventory / ownership / classification / safeguarding
Security x5
Information Security Policies - SANG
Human Resource Security - screening, policy / procedural compliance before, during and after employment
Physical & Environmental Security - natural disaster, site and equipment access
Operations Security - malware / back-up policies / logging
Communications Security - network controls
S's x2
Supplier Relationships - screening + security requirements in contracts
System Acquisition, Development & Maintenance - secure development, updating software
C's x3
Compliance with Laws & Regs - GDPR
Cryptography - encryption + key management
Access Control - physical / logical, passwords
Other's x1
Organisation of Information Security - roles, mobile devices / BYOD
Chapter: 2
Topic: Strategies for Risk Mitigation
Question: Four Methods of Risk Reduction & Control [High Likelihood, Low Impact]
Hint: LC / D / PA / CP
Loss Control - physical devices / psychological awareness + commitment to minimise losses.
Risk Diversification - portfolio approach through geographical [TLC], product base [PLC], activities [integration].
Procedural Approach - adherence to policies, codes and regulations.
Contingency Planning - post loss needs understood. Regularly reviewed + simulations performed. THINK - 6 Key Elements.
Chapter: 9
Topic: Centralised Management of CS Controls
Question: Six key elements within Contingency Plans
Hint: CC RR BP
Continuity Plans - hotsites / mirror sites.
Communication - internal / external.
Responsibilities - list of staff / accountability.
Risk Assessment - assessing impact.
Back up Procedures - standby / recovery / personnel management.
Priorities - what are we protecting?
Chapter: 6
Topic: Information of a Form of Control
Question: Five key teams required for Successful Implementation of a New System?
Hint: SC [Sp / Pm / Ur / ITs / IA]
Sponsor
Project Manager
User Representation
IT Specialist
Internal Audit Function
All form part of the Steering Committee. Help to monitor implementation / deliverables / ensure quality + control + cost targets are met / forum for discussion.
Chapter: 6
Topic: Information of a Form of Control
Question: Ten Types of Information Systems
Hint: D’s x2 / E’s x3 / K / M / O / S / T
OAS - Office Automation, basic spreadsheets
ERPS - Enterprise Resource Planning, organisation wide integration of functions
KWS - Knowledge Work, new knowledge creation inc. training.
EIS - Executive Information, usually presented in graphical format with drill down features.
ES - Expert, stores info and applies rules to make easy decisions [inc. diagnosis of illness]
DSS - Decision Support, data analytics to model scenarios.
SEMS - Strategic Enterprise Management, high level tools such as ABM.
MIS - Management Information, mid level analysis of transactions for DM and control purposes [inc. Standardised Reports]
TPS - Transaction Processing, billing + payroll.
DC - Data Centres, stores data in warehouses. Inc Big Data.
Chapter: 9
Topic: Centralised Monitoring of Cybersecurity Controls
Question: Six step response to CS - ISO 27001
Hint: Me -> AoDR -> TARA -> Rpt -> App CS Profile -> Imp R Treat P
METHODOLOGY - agreed / consistency
ASSESSMENT - impact vs likelihood of Data Risks
TREATMENT - record whether to Control / Avoid / Transfer / Accept risks.
REPORT [all results] - accreditation [ISO 27001] + own interest purposes.
APPLICABILITY - security profile showing all controls and status.
IMPLEMENTATION - risk treatment plan. What, who, how and when.
Chapter: 9
Topic: Cybersecurity Risk Governance Structure
Question: CS Risk Governance Structure elements.
Hint: H / CON BT EV / BO / MR / CON BT R
Note: Formal, codified statement which outlines aims. Overseen by board of directors… CS to be embedded.
HIRING - qualified staff inc. CIO [Risk Manager]
CONNECTION B/T CS AND ETHICAL VALUES
BOARD OVERSIGHT - dedicated committee or CIO
MONITORING AND REPORTING - active engagement by board members. Increases accountability.
CONNECTION B/T CS RISKS AND OTHER RISKS - in line with Risk Appetite.
Chapter: 7
Topic: Internal Audit
Question: Purpose + Overall Objectives + Reporting of Internal Audit function
Hint: Sa C Ro Ec Ar Mr
PURPOSE - Independent assurance that RM, Governance and IC processes are operating effectively. Ultimate aim is OBJECTIVITY in their findings.
OBJECTIVES
- Safeguarding Assets [Sa]
- Compliance [policy + regulations] [C]
- Reduce Overheads [business units alignment] [Ro]
- Effective Controls [IC] [Ec]
- Accounting Records [Ar]
- Managing Risk [RM] [Mr]
REPORTING - to NEDs through the Audit Committee.
Chapter: 9
Topic: Centralised Monitoring of CS Controls
Question: Seven Outputs of CS Monitoring Systems
Hint: SR SU AT TN PC CT RI
Staff Responsible
System Upgrades
Audit Trails
Training Needs
Policy Changes
Consistent Trends
Regulators Informed
Chapter: 7
Topic: How to Deliver Internal Audit
Question: Aims of Audit Planning + Procedures Involved
Hint: A = P Eo Er / P = Aors Ppap Tea
AIMS
- Prioritise activities for review [nature / high risk areas]
- Establish objectives of the audit [improve cost controls / ensure compliance with GDPR…]
- Ensure necessary resources available + used effectively & efficiently.
PROCEDURES
- Ascertain business objectives / risks / strategies in place to manage.
- Preliminary analytical procedures on relevant areas / systems.
- Utilise / take account of External Auditors reports.
Chapter: 2
Topic: Risk Management Frameworks
Question: Three Part Risk Management Structure [ISO 31000]
Hint: P F P - constitutes effective RM.
PRINCIPLES
How to Design: Proportionate - Aligned - Comprehensive - Embedded - Dynamic
How to Operate: Limitations of available info - Influence of Human & Cultural Factors - Continuous Improvement
FRAMEWORK
Design -> Implement -> Evaluate -> Improve
Allocation of Roles, Responsibilities and Resources.
PROCESS - iterative [often drawn as sequential, but steps are revisited as risks change]: Scope, Context & Criteria -> Risk Assessment [Identify / Analyse / Evaluate] -> Risk Treatment.
Support Activities: Comm & Consult - Monitor & Review - Record & Report.
Chapter: 10
Topic: CS Tools and Techniques
Question: Three Tiers of Software Security
Hint: Software must be Secure & Resilient. Focus on Coding / Design / Testing.
TIER 1 - stop CS attacks only [prevent].
TIER 2 - stop CS attacks + alert the relevant security functions [prevent + detect].
TIER 3 - stop CS attacks + alert + protect sensitive data even if an attack gets through [prevent + detect + contain].
Chapter: 6
Topic: Dysfunctional Behaviour
Question: Human Element of Internal Controls
Hint: Training / Motivation / Values / Management
POOR TRAINING
POOR MOTIVATION
VALUES NOT ALIGNED
PROBLEMS NOT MANAGED
Lead to Malfunctions within the ICs
Chapter: 7
Topic: Internal Audit
Question: Five key areas an Internal Audit Report covers
Hint: BgAss / WO / KaP / MOc / MR
Background to Assignment
Work Outstanding
Key Action Points
Major Outcomes of Work
Management Responses
Chapter: 9
Topic: CS Preventive and Detective Controls
Question: Innovative Techniques used for CS
Hint: BhA / DtT / VdN / SmGr
BEHAVIOURAL ANALYTICS - learn each user's / system's normal pattern and alert on activity outside the set parameters [unusual hours, new locations or devices, abnormal volumes]
DETECTION TECH - anomaly based rather than signature based, so a zero day attack [no known signature yet] can still be identified
VIRTUAL DISPERSIVE NETWORKING - splits messages into encrypted parts sent over different paths, so an interceptor on any one path sees only fragments
SMART GRID TECH - monitoring and communication between data points [sensors / meters] across a network
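Added example, not from the original cards: a minimal behavioural-analytics detector in Go. It learns each user's "set parameters" (hours of day and source addresses seen in successful logins) from a history window and flags new events that fall outside them. The log format and every log line are constructed for the example; a real deployment would use a longer learning window and more features (volumes, geolocation, device), but the shape of the logic is the same.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one record of the constructed log format
// "<RFC3339 time> user=<name> src=<ip> result=<ok|fail>".
type Event struct {
	At                time.Time
	User, Src, Result string
}

// ParseLines parses log lines; a malformed line is an error, never silently skipped.
func ParseLines(lines []string) ([]Event, error) {
	events := make([]Event, 0, len(lines))
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		kv := map[string]string{}
		for _, field := range f[1:] {
			k, v, _ := strings.Cut(field, "=")
			kv[k] = v
		}
		events = append(events, Event{ts.UTC(), kv["user"], kv["src"], kv["result"]})
	}
	return events, nil
}

// Profile is a user's baseline, the "set parameters": hours of day (UTC) and
// source addresses seen in successful logins during the learning window.
type Profile struct {
	Hours map[int]bool
	Srcs  map[string]bool
}

// BuildProfiles learns from successful logins only, so an attacker's failed
// attempts cannot poison the baseline.
func BuildProfiles(history []Event) map[string]*Profile {
	profiles := map[string]*Profile{}
	for _, e := range history {
		if e.Result != "ok" {
			continue
		}
		p := profiles[e.User]
		if p == nil {
			p = &Profile{Hours: map[int]bool{}, Srcs: map[string]bool{}}
			profiles[e.User] = p
		}
		p.Hours[e.At.Hour()] = true
		p.Srcs[e.Src] = true
	}
	return profiles
}

// Detect returns one alert line per event outside its user's baseline: an unseen
// hour, an unseen source address, or a user with no baseline at all.
func Detect(profiles map[string]*Profile, events []Event) []string {
	var alerts []string
	for _, e := range events {
		var why []string
		if p, known := profiles[e.User]; !known {
			why = append(why, "no baseline for user")
		} else {
			if !p.Hours[e.At.Hour()] {
				why = append(why, fmt.Sprintf("unusual hour %02d UTC", e.At.Hour()))
			}
			if !p.Srcs[e.Src] {
				why = append(why, "new source "+e.Src)
			}
		}
		if len(why) > 0 {
			alerts = append(alerts, fmt.Sprintf("%s %s from %s: %s",
				e.At.Format(time.RFC3339), e.User, e.Src, strings.Join(why, "; ")))
		}
	}
	return alerts
}

// History and Fresh are constructed log lines, not captured from any real system.
var History = []string{
	"2024-05-06T08:02:11Z user=alice src=10.0.0.5 result=ok",
	"2024-05-07T17:48:03Z user=alice src=10.0.0.5 result=ok",
	"2024-05-06T13:05:09Z user=bob src=10.0.0.9 result=ok",
	"2024-05-07T02:10:00Z user=bob src=198.51.100.4 result=fail", // not learned
}
var Fresh = []string{
	"2024-05-13T08:30:00Z user=alice src=10.0.0.5 result=ok",    // normal
	"2024-05-13T03:12:00Z user=alice src=10.0.0.5 result=ok",    // off-hours
	"2024-05-13T08:40:00Z user=alice src=203.0.113.7 result=ok", // new source
	"2024-05-13T02:00:00Z user=bob src=198.51.100.4 result=ok",  // only ever seen failing
	"2024-05-13T12:00:00Z user=carol src=10.0.0.20 result=ok",   // no baseline
}

func main() {
	h, err1 := ParseLines(History)
	f, err2 := ParseLines(Fresh)
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	for _, a := range Detect(BuildProfiles(h), f) {
		fmt.Println(a)
	}
}
```

Four of the five new events are flagged; the first (alice at a usual hour from her usual address) is not, which is the false-positive check a detector like this must pass before anyone will read its alerts.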
Chapter: 7
Topic: Auditing in IS Environment
Question: Auditing a Computer / Information System
Hint: UndS / HowT / ScA / DI / Oupt / Autho / BUs
UNDERSTAND SYSTEM
HOW TO TEST
SECURITY ARRANGEMENTS / ACCESS
DATA INPUT [Encryption / Validation]
OUTPUT [Accuracy]
ALL TRANSACTIONS AUTHORISED?
BACK UPS + DISASTER RECOVERY PLANS
CAATs [Computer-Assisted Audit Techniques] can be used to review system controls. Allow IA to review larger samples, make efficient use of time + pinpoint trends.
Chapter: 4
Topic: Corporate Governance
Question: Aim of CG + what it provides + who it involves?
Hint: Agency Problem
AIM: Company run for the benefit of its Shareholders [address Agency Problem].
PROVIDES:
- System which firms are directed / controlled
- Structure through which objectives are SET / OBTAINED & MONITORED.
INVOLVES a set of relationships between Directors, Shareholders and Stakeholders.
Chapter: 4
Topic: Corporate Governance
Question: Causes of Poor CG
Hint: Approach vs Structure
POOR APPROACH TO CG - wrong policies / focus. E.g. ST Financial Goals.
POOR STRUCTURE IN PLACE - insufficient scrutiny over decisions / absence of NEDs. E.g. CEO and Chair the same person.
Chapter: 7
Topic: Assessing Performance of Internal Auditors
Question: Criteria used to assess IA Function
Hint: P A I R
PROFESSIONALISM - systematic + organised approach.
AUTHORITY - findings acted upon? Timely responses backed up by the board?
INDEPENDENCE - whom report to? Physically separate from workforce? Ability to Whistleblow?
RESOURCES - enough personnel + right training, skills and expertise. [Specific qualification not required].
Chapter: 7
Topic: Assessing Performance of Internal Auditors
Question: Conditions under which External Auditors can use Internal Auditors work?
Hint: DO / WCS
IF INTERNAL AUDITORS:
DEEMED OBJECTIVE
WORK SUPERVISED + REVIEWED
COMPETENT
SYSTEMATIC, WELL DOCUMENTED AND DISCIPLINED APPROACH TAKEN [Think, Professionalism]
Chapter: 6
Topic: Dysfunctional Behaviour
Question: Main issue with Performance Measurement + Main Tactic to Mitigate?
Hint: Self Interest vs SMART
PEOPLE MAXIMISE HOW THEY LOOK + ACT IN THEIR OWN SELF-INTEREST, irrespective of whether this causes Dysfunctional Behaviour.
SMART targets set to reduce this risk.
Chapter: 8
Topic: CS Objectives
Question: How firms Establish, Maintain and Approve Cybersecurity Objectives?
Hint: FP / BA / MS
FORMAL PROCESS - CS objectives aligned with wider firm objectives.
BOARD APPROVAL - either through a dedicated committee / expert [CIO] or 3rd party consultancy.
MONITOR SUCCESS - feedback loop [similar to how Internal Control objectives are monitored].
Chapter: 3
Topic: Understanding Current Position
Question: External Environment challenges when setting Strategic Plans.
Hint: ISA / C&D -> PHS / SC / EM | PS -> PESTEL + SWOT
INCORRECT SUPPORTING ASSUMPTIONS
COMPLEXITY AND DYNAMISM CREATES LONG TERM UNCERTAINTY
LEADS TO: PLANNING HORIZONS SHORTENED / STRATEGIES MORE CONSERVATIVE / EMERGENT STRATEGIES OVER PLANNED.
MITIGATED BY: PESTEL / SWOT ANALYSIS.
Chapter: 3
Topic: Understanding Current Position
Question: Resources and Capabilities assigned within a firm.
Hint: VC / OM / STR / IC
Note:
Resources = capacity to deliver
Capabilities = people and skills
VALUE CHAIN - Inbound Logistics, Operations, Outbound Logistics, Marketing & Sales, Service.
OPERATING MODEL - how value is created. Processes in which value is generated. E.g. Lean Process design.
STRUCTURE OF FIRM - Governance, Board Membership, Rules / Roles / Responsibilities etc.
INTERNAL CONTROLS - ‘Reasonable assurance regarding Operational, Reporting and Compliance objectives’.
Chapter: 2
Topic: Social, Ethical and Environmental Issues
Question: Approach to Solving an Ethical Issue
Hint: GFs / IP / IAA / MR / JR
GATHER FACTS / EVIDENCE
IDENTIFY THE PROBLEM / RELEVANT ETHICAL ISSUES + FUNDAMENTAL PRINCIPLES
INVESTIGATE ALTERNATIVE ACTIONS
MAKE A RECOMMENDATION
JUSTIFY RECOMMENDATION
Chapter: 9
Topic: Centralised Management of CS Controls
Question: Information Contingency Plan - what does it provide for?
Hint: St Re PM
STANDBY PROCEDURES - back-up sites to allow operations to continue.
RECOVERY - of sensitive data + restoring ‘back to normal’. Implemented after the event.
PERSONNEL MANAGEMENT - key roles and responsibilities, so the Recovery Plan operates 'as intended'.
Chapter: 8
Topic: Cybersecurity Objectives
Question: Three Organisational Characteristics to grasp before setting CS Objectives. What is ‘Vulnerable’ / at Risk?
Hint: Dc Ct T
Delivery Channels - used to deliver data. Inc website, email, intranet, social media + epos.
Connection Types - wired or wireless / in-house or networked / national or international.
Technologies - proportion of activity online / amount of digital interaction. Data collection, storage & transmission.
Chapter: 3
Topic: Methods of Development
Question: Questions to consider when choosing Method of Growth
Hint: SH V / M&V / RR / CF
Generate value for shareholders? How quickly is growth / expansion required? Links to SH Expectations.
Fit with mission and values? Does the firm need to retain control over operations? [Think, outsourcing].
Required resources to deliver chosen strategy? Inc. competencies, availability and access.
Cultural Fit with external parties [Mergers / Acquisitions]? Integration of people, systems and organisational culture [how things are done and why?].
Chapter: 2
Topic: External Risk Reporting
Question: Two main National Regulators for Risk Reporting?
Hint: UK vs US
2018 UK CORPORATE GOVERNANCE CODE [Principles Based - 'Comply or Explain']
‘Fair, balanced and understandable assessment of a firms position + prospects’.
Disclosures inc:
- Description of Audit Committee work
- Board responsibilities for preparing annual report + accounts.
- Company’s Going Concern status
- How Risk Management and Internal Controls are reviewed.
- Board assessment of Principal + Emerging risks
- Prospects and timelines
SARBANES OXLEY ACT [Rules Based - ‘Non-compliance unacceptable’].
Provides consistent minimum standard of Governance + RM.
Requires management to report on the entity's Internal Controls [s.404]. Esp:
- Those related to Financial Reporting
- Assessment of their effectiveness [Verified by independent practitioner]
Chapter: 7
Topic: How to Deliver an Internal Audit
Question: How IA’s reduce risks involved in System Development
Hint: SC / T&T / VAR / PIR
WORK WITH STEERING COMMITTEE TO ENSURE RESPONSIBILITIES OUTLINED + DESIGN INDEPENDENTLY REVIEWED
ENSURE ONGOING TESTING AND TRAINING
INSPECT VARIANCES IN BUDGETS
PERFORM POST IMPLEMENTATION REVIEW [Focus on compliance with targeted performance].
Chapter: 1
Topic: Risk Management Process
Question: Portfolio Approach to Risk Management
Hint: +ve / -ve R
PORTFOLIO APPROACH [known as Diversification] - build both positively and negatively correlated risks to reduce exposure to certain circumstances.
Requires understanding of the interrelationships between the risks a firm faces.
Chapter: 1
Topic: Risk Management Process
Question: Difference between Correlated and Related Risks
CORRELATED RISK - can be either +ve or -ve.
Positively Correlated Risks move together. Fatty foods inc. risk of heart disease.
Negative Correlated Risk move in opposite directions. Brushing teeth reduces chance of fillings.
RELATED RISK - two risks that are connected because they share the same cause. Natural disaster increases chance of job losses and house damage.
Chapter: 2
Topic: Risk Reporting
Question: Purpose and Components of Risk Register
‘Used to manage, monitor and report risks’
Defines the list of Principal Risks a firm faces [+ the interdependencies with other risks].
Details the treatment of those risks based on prioritisation [monetary value].
Details who is responsible.
Chapter: 2
Topic: Risk Reporting
Question: Difference between Gross / Residual / Expected / Actual Risk
Hint: Detailed within Risk Register
GROSS - before controls implemented
RESIDUAL - risk remaining after controls performed
EXPECTED - projected risk based on forecasts
ACTUAL - based on the events that occurred
Chapter: 10
Topic: CS Tools and Techniques
Question: Forensic Analysis levels
Hint: Sy / St / Net
SYSTEM LEVEL ANALYSIS - threat impacted entire system?
STORAGE LEVEL ANALYSIS - threat impacted data held ?
NETWORK LEVEL ANALYSIS - threat come from outside source ?
Chapter: 7
Topic: Types of Audit
Question: Purpose of Systems Audit
Hint: SCREAM
PURPOSE - test + evaluate internal controls present within any system.
OBJECTIVES [Think: Gov, RM, ICs are operating effectively - SCREAM].
- Ensure suitable and accurate Management Information [Ar]
- Compliance with procedures / laws / regs. [C]
- Safeguarding Assets [Sa]
- Securing economies and efficiencies [Ro]
- Assess stages of IC Process: x4 stages [Ec / Mr]
Chapter: 10
Topic: CS Tools and Techniques
Question: Forensic Analysis Principles used to handle a Computer Security Incident [NIST SP 800-61 incident handling lifecycle]
Hint: Prep / Dt&A / Con,Era,Rec / PiA
PREPARATION - reduce impact of incident before it occurs.
DETECTION AND ANALYSIS - incidents identified, prioritised and communicated.
CONTAINMENT, ERADICATION AND RECOVERY - recovery procedures.
POST INCIDENT ACTIVITY - what have we learnt for next time? What can we improve?
Chapter: 7
Topic: Systems Audit
Question: Four stages of the Internal Control Process
Hint: Iden / Under / Devel / Imple
IDENTIFY BUSINESS OBJECTIVES
UNDERSTAND THE THREAT TO THESE OBJECTIVES
DEVELOP CONTROLS TO HELP MITIGATE
IMPLEMENT AND MONITOR THE PROCESS
Chapter: 2
Topic: Risk Management Frameworks
Question: COSO Enterprise Risk Management [RM and IC Methodologies]
Hint: ERM / Beliefs / Benefits
ERM - Defines process of RM across the entire firm. Connects core values with enhanced performance.
BELIEFS - risk considered part of strategy / culturally embedded
BENEFITS - helps to apply TARA / allocate capital & resources effectively.
Chapter: 2
Topic: Risk Management Frameworks
Question: COSO ERM Framework Components
Hint: G&C / S&O / P / R&R / I,C&R
GOVERNANCE AND CULTURE - board leads the way. Sets core values, ethics and culture.
STRATEGY AND OBJECTIVE SETTING - ERM considers risk as part of strategy.
PERFORMANCE - unless risks are identified, assessed, prioritised and managed, performance will suffer.
REVIEW AND REVISION - continuous review due to changing nature of risks. Requires Feedback Loop.
INFORMATION, COMMUNICATION AND REPORTING - to support DM and ensure alignment across entire firm. Internal / External reporting needs.
Chapter: 3
Topic: Banking
Question: Four Scenarios for 2025. [Wade, 2016]
Hint: GB / CC / TD / RM
Highlights the need for firms to become more agile…
Global Bazaar - tech thrives, digital focus. Customers less loyal + hard to maintain market position.
Cautious Capitalism - loss of trust between firms and consumers due to data breaches / cyber risks. Reduces tech opportunities / innovation for firms.
Territorial Dominance - protection of local industries. Greater protectionism, regulation + lower growth.
Regional Marketplace - government regulations limiting international business / collaboration. Expansion + supply chain networks impacted.
Chapter: 10
Topic: Cybersecurity Risk Reporting Frameworks
Question: Cybersecurity Risk Management Program
Hint: Formal / Pragmatic / Comp vs System Driven
Note: https://www.ncsc.gov.uk/collection/risk-management-collection/component-system-driven-approaches/introducing-component-driven-and-system-driven-risk-assessments
PURPOSE - formal way of explaining the approach taken by a firm to manage its Cybersecurity Risks
APPROACH - practical, such as agreeing policy with CS suppliers / user training to identify CS threats / balancing costs vs benefits / context driven: the firm's needs must be understood.
FOCUS - either:
a) Component Driven - focus on specific components within a system [a server, an application, a data store] and the individual risks each faces.
b) System Driven - holistic viewpoint, looking at overall performance of system and the risks it faces. Inc. communication links across devices + systems.
Chapter: 4
Topic: Sub-Committee Directors
Question: Nomination Committee
Responsible for recommending applicants to join the board. Ultimately the decision of SHs, who vote on who gets appointed.
Appointments made on merit, based on Objective Criteria.
All NEDs.
Chapter: 9
Topic: Cybersecurity Preventive and Detective Controls
Question: Encryption + five main techniques.
Hint: DS / DE / Auth / DB / BC Tech
Note: Encrypted data = Cipher Text / Unencrypted Data = Plain Text. Public key cryptography: the public key can be shared freely, the private key is never transmitted.
ENCRYPTION - 'scrambling' data with a key so that intercepted sensitive information cannot be read without the matching key
DIGITAL SIGNATURE - a hash of the message signed with the sender's PRIVATE key and sent alongside the message; anyone holding the sender's PUBLIC key can verify it. Proves origin + integrity [any change to the message breaks the signature]. Does NOT hide the message.
DIGITAL ENVELOPE - message encrypted with a one-time symmetric [session] key; that session key is then encrypted with the recipient's PUBLIC key and sent with the message. Only the recipient's PRIVATE key can unwrap the session key. Provides confidentiality.
AUTHENTICATION - proves the sender is who they claim to be, e.g. by demonstrating possession of a private key or a previously agreed shared secret. Usually combined with the signature [origin] and the envelope [confidentiality].
DIAL BACK SECURITY - a remote user dials in, the system hangs up and calls back a pre-registered number, so a stolen password alone is not enough to get in
BLOCKCHAIN TECHNOLOGY - distributed ledger in which each block carries the hash of the previous one and copies are held on many nodes, so altering a record is detectable [tamper-evident]. Globally aligned data.
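Added example, not from the original cards, showing what "digital signature" and "digital envelope" mean in working code, using only Go's standard library (RSA-PSS signatures over SHA-256, RSA-OAEP key wrapping, AES-256-GCM for the message). The keys are generated on the fly for the demonstration and the message is constructed; what gets transmitted is the signature, the wrapped session key, the nonce and the ciphertext, never a private key.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Sign makes a digital signature: a SHA-256 digest of msg signed (RSA-PSS) with the
// sender's PRIVATE key. The private key itself is never transmitted.
func Sign(senderPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
}

// Verify checks the signature with the sender's PUBLIC key; any change to msg or sig fails.
func Verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Envelope is a digital envelope: the message under a one-time AES-256-GCM session
// key, plus that session key wrapped (RSA-OAEP) under the recipient's PUBLIC key.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg so that only the holder of the matching private key can read it.
func Seal(recipientPub *rsa.PublicKey, msg []byte) (Envelope, error) {
	key := make([]byte, 32) // fresh session key per message
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{wrapped, nonce, gcm.Seal(nil, nonce, msg, nil)}, nil
}

// Open unwraps the session key with the recipient's PRIVATE key and decrypts;
// GCM's authentication tag also rejects a ciphertext altered in transit.
func Open(recipientPriv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not the intended recipient")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// Demonstration keys generated on the fly; in practice each party holds its own.
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	msg := []byte("pay GBP 1,500.00 to account 12345678") // constructed message

	sig, err := Sign(sender, msg)
	check(err)
	fmt.Println("genuine signature verifies:", Verify(&sender.PublicKey, msg, sig))
	altered := append([]byte{}, msg...)
	altered[0] ^= 1
	fmt.Println("altered message verifies:", Verify(&sender.PublicKey, altered, sig))

	env, err := Seal(&recipient.PublicKey, msg)
	check(err)
	plain, err := Open(recipient, env)
	check(err)
	fmt.Printf("recipient reads: %q\n", plain)
	_, err = Open(sender, env) // the sender's key is not the recipient's
	fmt.Println("another key opens the envelope:", err == nil)
}
```

Sign-then-seal is the usual order: the signature proves who wrote the message and that it was not altered, the envelope ensures only the recipient can read it, and a verifier who lacks the recipient's private key never sees the plaintext.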
Chapter: 5
Topic: Senior Roles to Support Board
Question: Risk Management Group vs Risk Manager
Hint: Both report to Risk Committee
RISK MANAGEMENT GROUP
- Builds an overall strategy [as prescribed by the board]
- Focus on Risk Reporting + Monitoring
RISK MANAGER [CRO] - 'combines technical, leadership and persuasive skills'.
- Active lead on risk + developing policy
- Leads ERM [establish + promote]
- Common RM policies agreed
- Risk Language formed
- Deals w. Insurance
- Risk Indicators
- Allocation of Resources
Both share findings with Risk or Audit Committee
Chapter: 5
Topic: Business Unit Performance and Appraisal
Question: Beyond Budgeting
Hint:
- Considers competitor actions
- Move away from purely financial goals
- Encourages team rewards + focus
- Rolling budgets to reflect dynamic / evolving markets
- Rewards linked to value adding activities
Chapter: 8
Topic: Web Application Attacks
Question: x7 Methods of Cyber Attacks
Hint: H / Ph / Rw / Ddos or BOF / SQL / XSS / CJ
Note: Cyberattacks aim to access, change or destroy sensitive information.
HACKING - gaining unauthorised access to systems / accounts without the owner's knowledge
PHISHING - fraudulent messages [email / SMS / fake sites] that trick users into giving up credentials or card details, or into running malware
RANSOMWARE - malware that encrypts data / blocks access, interrupting usual business processes until a fee is paid
DISTRIBUTED DENIAL OF SERVICE - flooding a system with traffic from many sources so that it crashes or legitimate users cannot get service. BUFFER OVERFLOW - feeding a program more data than a buffer can hold, overwriting memory to crash it or run attacker code [install malware]. Both break the system rather than the user.
SQL INJECTION - malicious SQL placed in data-entry fields is run by the database, reading or altering records. Prevented by parameterised queries.
CROSS SITE SCRIPTING [XSS] - attacker's script embedded in a trusted 3rd party site and run in visitors' browsers [session theft / defacement]. Prevented by output encoding.
CRYPTOJACKING - hijacking victims' devices [often via script on a 3rd party site] to mine cryptocurrency for the attacker
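Added example, not from the original cards: the cross-site scripting entry above in working Go code. The same page template is rendered twice, once with text/template (which, like string concatenation, copies the input in verbatim) and once with html/template (which escapes each value for the HTML context it lands in). The page snippet and both attacker payloads are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltpl "html/template"
	"io"
	texttpl "text/template"
)

// Page is a constructed profile snippet. The user-supplied value lands in two different
// HTML contexts: a text node and an href attribute.
const Page = `<p>Hello {{.}}</p><a href="{{.}}">profile</a>`

// Constructed attacker inputs: a reflected-XSS script and a javascript: URL.
const (
	ScriptPayload = `<script>alert(document.cookie)</script>`
	URLPayload    = `javascript:alert(1)`
)

var (
	// text/template copies data in verbatim, the same as string concatenation.
	unsafeTpl = texttpl.Must(texttpl.New("page").Parse(Page))
	// html/template parses the HTML and escapes each value for the context it lands in.
	safeTpl = htmltpl.Must(htmltpl.New("page").Parse(Page))
)

// executor is the Execute method both template packages share.
type executor interface {
	Execute(w io.Writer, data any) error
}

func render(t executor, input string) (string, error) {
	var buf bytes.Buffer
	if err := t.Execute(&buf, input); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderUnsafe reflects input into the page untouched, so a script payload runs in
// every visitor's browser and a javascript: URL survives in the link.
func RenderUnsafe(input string) (string, error) { return render(unsafeTpl, input) }

// RenderSafe escapes markup characters in the text node and replaces a URL with an
// unsafe scheme by the sentinel "#ZgotmplZ" in the href, so neither payload executes.
func RenderSafe(input string) (string, error) { return render(safeTpl, input) }

func main() {
	for _, p := range []string{ScriptPayload, URLPayload} {
		u, err := RenderUnsafe(p)
		if err != nil {
			panic(err)
		}
		s, err := RenderSafe(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("unsafe: %s\nsafe:   %s\n\n", u, s)
	}
}
```

The practical lesson is that "output encoding" is context-dependent: the escaping that neutralises `<script>` inside a text node is not the check that stops `javascript:` inside an href, which is why a context-aware templating engine beats a single global escape function.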
Chapter: 8
Topic: Cybersecurity Risks [dependent upon nature of business + firms objectives]
Question: Macro, Specific and Policy impacts on CS Risks
Hint: Pestel / IT + Network / Governance
MACRO [PESTEL]:
P - new legislation, new standards
E - lack of CS investment proves costly
S - data sensitivity
T - technology exploited by both firms and criminals
E - environmental: need for disaster planning
L - law lags behind innovation
SPECIFIC - to IT systems and networks. Inc remote access risks / 3rd party risks / natural disaster risks.
POLICY - weak CS governance / lack of training + awareness of risks / poor design of controls…
Chapter: 4
Topic: Sub-Committees Directors
Question: Risk Committee
PURPOSE - monitor, supervise and oversee RM to determine how prepared the firm is to respond to possible threats [identification / RM].
RESPONSIBILITY
- Approve RM strategy + Review ICs
- Review principal and emerging risks
- Monitor overall exposure [compared against risk appetite] + weightings [for performance purposes]
- Assess effectiveness of RM systems
FEATURES
- Flexibility in appointment of NEDs or EXECs
- Broad risk focus, move away from mainly financial [Audit Committee]
- Ability to drive change / strategy
Chapter: 8
Topic: Hackers and Social Engineering
Question: Influences upon People
Hint: Rep / Comit / SP / Li / Au / Sc
RECIPROCATION - repay good deed
COMMITMENT - once a position is taken, people avoid appearing 'hypocritical' by reversing it
SOCIAL PROOF - mimicking behaviour in uncertain situations
LIKABILITY - behaving in a similar way to those you like
AUTHORITY - instructional
SCARCITY - sense of need / urgency
Ultimately can lead to people being Socially Engineered…
Chapter: 6
Topic: Information as a Form of Control
Question: System Implementation x4 methods
Hint: DC / PR / PO / PC
DIRECT CHANGEOVER - one clean sweep, old system switched off as the new one goes live. High risk.
PARALLEL RUNNING - old + new together. Expensive.
PILOT OPERATION - system implemented within certain functions first. Requires targeted training, but does help to address weaknesses.
PHASED CHANGEOVER - releasing the system 'bit by bit' across the entire organisation. Least risky option - however 'time to market' impacted.
Chapter: 6
Topic: Dysfunctional Behaviour
Question: Five forms of DyFct Behaviour [Berry, 1995]
Hint: TV / O / My / Mis / MF
TUNNEL VISION - focus too much on one measure, to the detriment of others. Think, BS [Balanced Scorecard].
OSSIFICATION - unwillingness to change measures once set. Important to keep PMs under constant review.
MYOPIA - short term goals over long term value.
MISREPRESENTATION - intentionally skewing figures in one's own self-interest. Known as 'creative reporting'. Important to limit Pressure, Rationalisation + Opportunity.
MEASURE FIXATION - focusing on achieving a measure which is ineffective, because of the behaviours required to achieve it.
Chapter: 6
Topic: Big Data
Question: The 10 V’s of Big Data
Hint: ax4 / ex2 / i / ox2 / u
VALIDITY - cleansed
VALUE - potential
VARIABILITY - inconsistencies
*VARIETY - types
*VELOCITY - speed [especially collection of Ext Data]
VERACITY - trust [can all data held be trusted?]
VISUALISATION - graphical
VOLATILITY - useful life
*VOLUME - amount
VULNERABILITY - exploitation
- Significant differences between ‘earlier approaches’ to data collection / storage / analytics.
Chapter: 6
Topic: Information as a Form of Control
Question: System Development Life Cycle x5 stages.
Hint: FS / S Inv / SA / SD / S Imp.
Note: Focus on DEVELOPMENT, from Start to Finish. Think New eLic.
PURPOSE - ensures firms have systems ‘fit for purpose’ + make efficient use of resources.
FEASIBILITY STUDY - review current system vs alternative options
SYSTEM INVESTIGATION - understand user needs + problems faced
SYSTEM ANALYSIS - ask the why’s, establish better alternatives / methods
STRATEGIC DESIGN - detailed spec / test / create + determine inputs + outputs + security + storage + design etc [form of Prototyping]
STRATEGIC IMPLEMENTATION - write or acquire proposed software / monitor / train / test / convert / commit!
Chapter: 7
Topic: Internal Audit Reports
Question: Individual Areas Internal Auditors present on [to Board / Relevant Committee]
Hint: BO / OS / Var / WI / C&E Wn / Rec
BUSINESS OBJECTIVES - purpose of the function being assessed.
OPERATIONAL STANDARDS - form of benchmarking.
ACTUAL VS EXPECTED - ToC / Substantive Testing / Walkthrough. Comparing test evidence with expected.
WEAKNESSES IDENTIFIED - within the area tested.
CAUSE AND EFFECT OF WK IDENTIFIED - why it happened and looking at impact.
RECOMMENDATIONS TO BOARD - best way to resolve / improve areas to ensure business objectives are aligned. Includes Timescales / Staff Responsible.
Overall focus of IA is on effectiveness of ICs / RM / Governance [IA should provide an objective view + independent assurance].
Chapter: 7
Topic: Types of Audit
Question: Six Main Audits Conducted
Hint: C&S / F / VfM / MGE / S&E / EA
COMPLIANCE / SYSTEMS
FRAUD
VALUE FOR MONEY
MANAGEMENT
SOCIAL & ENVIRONMENTAL
EXTERNAL AUDIT
Chapter: 7
Topic: How to Deliver an Internal Audit
Question: Difference between Inherent / Residual / Control / Detection Risk + Sampling & Non-Sampling
Hint: All types of risks considered by Internal Auditor
INHERENT - risk faced due to the nature of operation. Considered ‘uncontrollable’.
RESIDUAL - risk left once control has been put in place. Should align with a firm’s Risk Appetite.
CONTROL - risk of internal control failing / being absent / inadequate.
DETECTION - internal auditor failure to spot material misstatements. Function of Sampling Risk.
SAMPLING - risk of not testing whole population.
NON-SAMPLING - risk that assumption of whole population is incorrect based on sample
Chapter: 5
Topic: Project Control
Question: Stages of Project Control x3
Hint: D A C
DEVELOPMENT - collection of idea
ANALYSIS - Suitability [core values / strategy alignment?] / Feasibility [can we do it?] / Acceptability [StkH reaction?]
CONTROL - Post Implementation Review [What did we learn?] / Post Completion Audit [outcomes achieved?]
Chapter: 5
Topic: Performance Measures
Question: Performance Measures in Service Firms
Hint: FIRE FC
FLEXIBILITY - ability to adapt to different client needs.
INNOVATION - being able to deliver on time + create value for firms in new ways.
RESOURCE UTILISATION - links to efficiency of operations. Streamlining services to maximise margins.
EXCELLENCE - performing a service which retains and attracts.
FINANCIAL - meeting financial goals set by the board / shareholders / stakeholders.
COMPETITIVENESS - maintaining market position and pursuing growth through benchmarking against rival performers.
Chapter: 9
Topic: Centralised Monitoring of CS Control
Question: Major specialist teams involved in Monitoring of CS Threats
Hint: ITT / TIT / HT / IRT use SIEM.
INSIDER THREAT TEAMS [internal] - aim to intercept threats.
THREAT INTELLIGENCE TEAMS [external] - aim to intercept threats.
HUNT TEAMS - seek out unidentified breaches.
INCIDENT RESPONSE TEAMS - deal w. immediate aftermath.
Use techniques such as SIEM [Security info & Event management] to monitor data + detect patterns.
Chapter: 10
Topic: Cyber Security Risk Reporting Frameworks
Question: How to Control, Direct and Communicate CS RM Activities.
Hint: L / S / OBJ / FB
Note: Risk Reporting is a key output of a ‘Coherent Corporate CS Risk Governance Structure’.
LEADERSHIP ROLES DEFINED
SIZE, REGULATION AND FUNCTION CONSIDERED
CS OBJECTIVES LINKED W. FIRM OBJECTIVES
SYSTEM OF FEEDBACK
Chapter: 8
Topic: Hackers + Social Engineering
Question: Opportunities and Threats of Hackers
Hint: Ethical + Grey Hat Hackers vs Unethical + Social Engineers.
OPPORTUNITIES
- Uncover weaknesses
- Simulate CS attacks [helps to train staff]
- Test response teams + actions of internal staff
- Peer review / benchmarking
THREATS
- Loss of key data
- Expensive to recover + opportunity costs [operational downtime]
- Reputational damage + increased vulnerability
- Compliance issues [failure to alert authorities]
Chapter: 6
Topic: Internal Control Systems
Question: Treasury Function x5
Hint: LL DEC
Liaise with Bank
Liquidity Management
Borrowing Activities [debt]
Funding Arrangements [equity]
Currency Management
Helps to mitigate risks of a firm being unable to source capital.
Chapter: 7
Topic: Types of Audit
Question: Conditions Fraud Likely to Occur
Hint: P O R
PRESSURE - external / internal factors
OPPORTUNITY - poor controls / position of power
RATIONALISATION - staff motivation / grudge against company
Used to help with Prevention / Detection.
Chapter: 1
Topic: Risk Management Institutes
Question: Six Types of Risk [Financial Reporting Council]
Hint: F O R E B O
FINANCIAL - LT impact on CFs
OPERATIONAL [Process Risk] - failure of ICs
REPUTATIONAL - impact an adverse consequence of an event has on a firm
EXTERNAL / THIRD PARTY - outsourcing / regulators
BEHAVIOURAL - staff motivation / productivity
ORGANISATIONAL - Pestel
Chapter: 1
Topic: Types of Risk
Question: Risks faced by International Business x7
Hint: T T C P E M C
TRANSLATION - assets and liabilities converted into domestic reporting currency. M: matching.
TRANSACTION - agreed at one rate, settled at another [FX Gain/Loss]. M: hedging.
CULTURAL - exposure to the ‘new norms’ [customs, tastes, language, laws]. M: Market Research.
POLITICAL - tariffs / local protection of industry. M: relationship building / supporting.
ECONOMIC - interest rates, inflation, tax rates [CFs impacted in LT]. M: diversifying supplier / customer base.
MARKET - risk from changes in the value / availability of resources. M: Scenario planning.
CREDIT - default, liquidity, trading damages. M: Insurance / Cash Flow Forecasts / Factoring / Screening.
Chapter: 10
Topic: Cybersecurity Tools and Techniques
Question: Purpose of Forensic Analysis
Hint: The Three C’s
Note: Forensic Analysis is a specialist function, and requires an expert to carry out.
Determine the occurrence of a breach [known or suspected], if occurred:
CONSEQUENCE - impact / scope / severity of the CS attack
CAUSE - how did it happen: weakness in system or failure of staff members?
CULPRIT - who did it? Important to preserve evidence in case legal action taken.
Chapter: 2
Topic: The Control Environment [COSO Integrated Framework, Internal Controls]
Question: Aspects within The Control Environment
Hint: Intangible Aspects
RULES AND PROCEDURES - inc Structure + Methods of imposing control
CORE + ETHICAL VALUES
PERFORMANCE SCHEMES
ATTITUDES AND BEHAVIOURS
OPERATING STYLE OF MANAGERS
HOW FIRM ATTRACTS + RETAINS STAFF
TCE influence / drive Internal Control procedures.
Chapter: 2
Topic: Assurance Mapping
Question: Three Lines of Defence
Hint: OA / MA / IA
Note: Connected elements help achieve firm objectives.
OPERATIONAL ASSURANCE - owns the risk and controls necessary to manage risk. Business Unit Level.
MANAGEMENT ASSURANCE - management monitoring / reviewing of internal controls, RM and performance. Variances investigated? Is the work being done correctly / as intended? Are the controls functioning as they should? [oversight function]
INTERNAL AUDIT - independent assurance that RM, IC and Gov. are operating effectively / in line with a firm’s objectives.
First two lines under control of Senior Management.
4th line inc. External Auditors.
Chapter: 2
Topic: Risk Tolerance, Appetite and Capacity
Question: Four Risk Scopes
Hint: Relates to a firm’s acceptance of risk
RISK APPETITE - desired level
RISK TOLERANCE - boundaries
RISK CAPACITY - ability to absorb losses / take on risk if necessary
RISK UNIVERSE - all possible risk a firm is exposed to
Chapter: 2
Topic: Risk Tolerance, Appetite and Capacity
Question: Two attitudes to Risk
Hint: RS vs RA
RISK SEEKING - focus on Return Level. Actively pursuing higher levels of risk, in the hope of greater returns. Volatility in returns viewed as an opportunity.
RISK AVERSE - focus on Risk Level. Acceptance of lower risk to guarantee returns. Unwillingness to take on projects that exceed a certain level. Higher risk projects only taken on if sufficient levels of return offered / justified.
Chapter: 2
Topic: Risk and Event Identification
Question: Difference between Familiar and Unfamiliar Risk
Hint:
FAMILIAR RISK - known to a firm / identified in their assessment of risk. Likely to have occurred historically.
UNFAMILIAR RISK - outside of a firm’s usual radar. Viewed as exceptional + atypical, hence more difficult to manage. Risk Manager tasked with assessing likely impact / occurrence.
Chapter: 2
Topic: Risk Tolerance, Appetite and Capacity
Question: Techniques used in Identifying Conditions which can lead to Risk x7
Hint: BIC PRIC
BRAINSTORMING
INDUSTRY TRENDS
COMPETITOR ACTIONS / BENCHMARKING
PESTEL / SWOT
REGULATIONS
INTERNAL AUDITS
CHECKLIST OF COMMON RISK AREAS
Chapter: 1
Topic: Risk Management Process
Question: Stages of the Risk Management Process x5
Hint: CP / Iden / Ass / Devl / Imp
ASSESS CURRENT POSITION
IDENTIFY PRINCIPAL RISK
ASSESS SIGNIFICANCE + PRIORITISE RISKS [Impact vs Likelihood]
DEVELOP WAYS TO MANAGE [TARA]
IMPLEMENT CONTROLS BY ALLOCATING RESOURCES
Important to have a Feedback loop in place
Chapter: 1
Topic: Understanding and Assessing Scale of Risk
Question: Risk Mapping Fundamentals
Hint: TARA
Note: Risk Mapping is a qualitative method. Not used to measure risk, instead used to manage risk.
PURPOSE - plot risk to decide best way to manage.
HOW - assesses Impact vs Likelihood.
OPTIONS inc:
Accept - keep under review. Conscious decision. d/n ignoring risk.
Reduce - most common. ALARP.
Transfer - insurance. Contingency. Includes Risk Sharing.
Avoid - immediate action required. Inherent risk cannot be avoided [aim to reduce].
Chapter: 4
Topic: Corporate Governance and Agency Theory
Question: Rules Based Approach
Hint: US SOX.
STRICT LIMITS ON NON-AUDIT WORK
DETAILED AND RIGID CODE [SET OUT IN LAW]
NON-COMPLIANCE NOT JUSTIFIABLE
MANAGEMENT TO ASSESS INTERNAL CONTROLS + FINANCIAL REPORTING [EXTERNAL AUDITOR VERIFY]
CEO’S & CFO’S VERIFY ACCOUNTS
Chapter: 4
Topic: Corporate Governance and Agency Theory
Question: Principles Based Approach
Hint: UK Corporate Governance Code
COMPLY OR EXPLAIN PRINCIPLE
SHAREHOLDERS TO DECIDE ON DEVIATIONS
BEST PRACTICE
FOCUS ON BALANCE OF NEDs
FLEXIBILITY ACROSS JURISDICTIONS
LACK OF CONSISTENCY + INCORRECTLY VIEWED AS ‘VOLUNTARY’ CAN LEAD TO ISSUES.
Chapter: 6
Topic: Control Weakness and Compliance Failures
Question: Internal Controls Limitations
Hint: HuE / LFo / TooR / Co / MgmtO / Ch / OCs
HUMAN ERROR / FRAUD - intentionally / unintentionally ignoring controls in place
LACK / WRONG FOCUS - controls over immaterial areas. Costs > Benefits. or Non-Routine events outside of controls scope.
TOO RIGID / STIFLE INNOVATION - reduce a firm’s agility
COST TO IMPLEMENT - vs benefits. Requires human and financial resources.
MANAGEMENT OVERRIDE - not following set procedures
CHANGE - system no longer ‘fit for purpose’
OPPORTUNITY COSTS - testing, training, supervision and maintenance.
Chapter: 6
Topic: COSO Internal Control
Question: Types of Internal Control x5
Hint: (N)FIN / PDCD / IPO / OS / SLA
FINANCIAL / NON FINANCIAL
Financial ICs - budgets, standard costing, investment appraisal.
Non Financial ICs - KPIs, performance appraisal, codes of conduct.
PREVENT, DETECT, CORRECT, DIRECT
Preventive ICs - stop risks from occurring in the first place. TQM. Invoices checked against goods received.
Detective ICs - identify risks once they have occurred. Bank Recs.
Corrective ICs - reduce impact of errors back to acceptable level. Back-ups.
Directive ICs - guide behaviour towards desired outcome. Credit control chasing invoices / Customer service training.
INPUT, PROCESS, OUTPUT
Input ICs - what goes in. Sourcing materials at best price.
Process ICs - focus on optimisation, efficiencies, performance, waste.
Output ICs - meeting expectations in terms of quality, speed, service and accuracy.
OUTSOURCING
Adhoc - ST skill gaps covered.
Project - new IS system needs.
Partial - multiple services outsourced [payroll, finance, storage]
Total - entire service outsourced [licensing].
SERVICE LEVEL AGREEMENTS - minimum standards laid out. Focus on timescale, change process, exit routes.
Chapter: 10
Topic: Cybersecurity Tools and Techniques
Question: Combating Malware Threats
Hint: Understanding the code behind the Malware
Note: Solutions only created once code understood
REVERSE ENGINEERING:
DECOMPILATION - turns binary code into source code. Easy to understand
DISASSEMBLY - turns binary code into assembly code. Difficult to understand
Chapter: 1
Topic: Assessing Scale of Risk
Question: Quantitative Techniques to Assess Risk
Hint: R / EV / S / SA / CE
REGRESSION - impact of one variable on another. Assessing volatility of future CFs based on impact of risk factors.
EXPECTED VALUE - Probability x Impact
SIMULATION - focus on mean and standard deviation.
SENSITIVITY ANALYSIS - impact change in one variable has on NPV.
CERTAINTY EQUIVALENT - quantified amount a firm is willing to accept now, whilst giving up their future returns.
Chapter: 1
Topic: Understanding / Assessing Scale of Risk
Question: Key Accounting Ratios
Hint: CR / G / DvE / IntC
CURRENT RATIO / ACID TEST - liquidity.
GEARING [Int.D / Equity + Int.D] - sustainable structure?
DEBT VS EQUITY - Stakeholder reaction / impact on dividends
INTEREST COVER [Pbit / Int Charges] or CASH FLOW [NCF / D] - Short term obligations
Chapter: 1
Topic: Understanding / Assessing Scale of Risk
Question: Signs of Danger in Accounting Ratios
Hint: Rev / Cost / Receiv / Paybles
CHANGES IN REVENUE:
+ve - able to keep up with demand? Infrastructure able to support growth?
-ve - LT decrease in value indicator? Investor confidence impacted? Temporary issue / or sign of future problems?
CHANGES IN COSTS
+ve - poor controls, financial performance impacted?
-ve - ability to create value impacted? Aligned with strategy?
INCREASED RECEIVABLES - cash flow issues / poor controls on customers?
INCREASE SHORT TERM PAYABLES - reliance / working capital issues?
Chapter: 3
Topic: Forecasting / Projections
Question: Statistical Projections vs Judgemental Forecasts Assumptions
STATISTICAL PROJECTIONS [expected future trends] - based on historic data [has its limitations]. Quantitative research to drive decision making. Bias may be built into modelling + uncertainty often underestimated. Cannot account for special events.
JUDGEMENTAL FORECASTS [prediction of future events] - use of industry knowledge and acumen to drive decisions. Move away from scientific focus to future events. Harder to justify incorrect predictions + discussions may be dominated by one person’s view / hunch.
Chapter: 3
Topic: Forecasting / Projections
Question: Statistical Projections vs Judgemental Forecasts Methods
STATISTICAL PROJECTIONS
Trend Analysis - past data to predict future
Time Series Analysis - establish seasonal trends
Regression Analysis - correlation between x and y
Econometrics - interrelationships
JUDGEMENTAL FORECASTS
Think Tanks - unstructured, experts meeting
Delphi Method - anonymous, consensus reached
Brainstorming - all levels, opinions and ideas in unstructured setting
Jury Forecasts - panel of experts, structured
Derived Demand - predicting future movements in demand for goods
Chapter: 3
Topic: Foresight and Game Theory
Question: Game Theory in Strategy Setting
Hint: WW / WL / LL
ASSUMPTIONS - firms to seek Win-Win outcomes. Firms better off working together, to reduce risk of Lose-Lose.
USE - Competitor reaction to strategy to be considered.
DRAWBACK - collusion is illegal in UK / generally lack of transparency of how competitors will react.
AIM - to maximise chance of W/W scenario.
Chapter: 3
Topic: Scenario Planning
Question: Conditions in which Scenario Planning is useful
Hint: Impact on Future Events
Scenario planning has value in any situation in which there is SIGNIFICANT UNCERTAINTY about aspects of the future that could MATERIALLY change an organisation’s STRATEGY, PLANS or DECISION.
Known as DISRUPTIONS: ‘interruption in the usual way a system, process or event works’.
Focus on LEARNING / Form of FORESIGHT.
+ve’s: Challenge assumptions / Proactive strategy
-ve’s: Future shaped by only actions imagined NOW.
Chapter: 8
Topic: Cybersecurity Objectives
Question: Purpose + Four Main Objectives of Cybersecurity
Hint: CIIA Triad
PURPOSE - to protect systems, networks and programs from digital attacks.
CONFIDENTIALITY - ‘keeping out’ through encryption / access codes / legal requirements
INTEGRITY OF DATA - records of data kept securely, accurately, not lost or corrupted
INTEGRITY OF PROCESSING - data is not used in a malicious way, or a way that the user of data did not intend
AVAILABILITY - ‘opening up’ to the right personnel / those with legitimate business purpose
Chapter: 9
Topic: Centralised Management of Cybersecurity Policy
Question: Policy / Procedure to control Personnel Risk
Hint: Rvw CU / Recr / JoRo / EnVa / SupV / TerPro
Note: Personnel Risk = risk that person in a position of trust will breach CS of a firm.
REVIEW OF COMPUTER USAGE
RECRUITMENT
JOB ROTATION
ENFORCED VACATIONS
SUPERVISION
TERMINATION PROCEDURES
Chapter: 9
Topic: Centralised Management of Cybersecurity Controls
Question: Business Continuity Arrangements [in the event of a disaster]
Hint: HS / WS / CS / MR
HOT SITE - functional, ‘ready to go’ back up site. Both hardware and software.
WARM SITE - similar to HS, but additional time before functional.
COLD SITE - location only. No software or hardware installed.
MIRROR SITE - software only. Used in event of information overflow or response to disaster.
Chapter: 8
Topic: Information Systems and Cybersecurity.
Question: Information System Risks
PRIVACY BREACHES / UNAUTHORISED ACCESS
LOSS OF DATA
VIRUS / HACKING
DOWNTIME / HIGH MAINTENANCE COSTS
THIRD PARTY RISK
INTERNAL PARTY RISKS
Chapter: 8
Topic: Nature and Impact of Cybersecurity Risks
Question: Types of Sensitive Information
Hint: Think, ACCESSIBILITY
EMPLOYEE / CUSTOMER / SUPPLIER PERSONAL DATA
FINANCIAL RECORDS [which are not widely available]
DATA STORED WITHIN A FIRM’S INFRASTRUCTURE [inc. Medical Data]
INTELLECTUAL PROPERTY
ALL COMMERCIALLY VALUABLE DATA.
Chapter: 8
Topic: Web Application Attacks + Defenses
Question: Best Web Application Attack / Malware Defences x6
Hint: AVP / EmT / SpF / FW / DTech / BYOD / BU’s
Note: A contingency plan helps to combat / contain a virus, however it does not defend against it in the first place.
ANTI VIRUS PROTECTION - regularly updated
EMPLOYEE TRAINING - defined protocols
EMAIL / SPAM FILTERS - either manual or auto
FIREWALLS - contain impact thru segmentation
ADAPTIVE / INNOVATION DETECTIVE TECHNOLOGY inc Gatekeeping Controls [‘I am not a robot’]
BYOD - minimum standards of software security
BACK-UP COPIES
Chapter: 3
Topic: Understanding Current Position
Question: Related and Unrelated Diversification
Hint: Ansoff’s Growth Vector Matrix
RELATED - outside of usual course of business however within a firm’s capabilities. Inc Vertical [supplier vs customer] and Horizontal [mergers] integration.
UNRELATED - outside of usual course of business + capabilities.
Chapter: 3
Topic: Types of Data
Question: Usefulness and Risks of using Data when Formulating Strategy
Hint:
USES - anticipate change / design appropriate strategies / support decisions to drive growth
RISKS - shared when it needs to be / timescales of usefulness / historical data does not necessarily help to predict the future
Chapter: 6
Topic: Internal Controls
Question: Benefits of Internal Controls
Hint:
DEGREE OF BUSINESS ASSURANCE
EFFICIENCY AND EFFECTIVENESS OF OPERATIONS
VALIDATION BY EXTERNAL AUDITORS
INCREASES STAKEHOLDER CONFIDENCE
HELPS TO REDUCE THE COST OF FAILURE
Chapter: 3
Topic: Formulating Strategy
Question: Link between Strategy, Corporate Objectives and Risk
Hint:
STRATEGY - mission and values determine the amount of risk a firm is willing to accept. Strategy is formulated to achieve the mission.
CORPORATE OBJECTIVES - in order to achieve objectives, risk has to be taken.
RISK - inherent within operations. Important that a firm understands the likely risk when setting strategy.
Allocation of resources to match risk appetite.
Chapter: 6
Topic: Dysfunctional Behaviour
Question: Common Issue with Governance / Pay Structures
Hint: PRP
PERFORMANCE RELATED PAY - leading to excessive risk taking / focus on short term deliverables.
MITIGATED THRU - creation of long-term interest:
- Share Options
- Performance assessed over multiple years
Chapter: 3
Topic: Understanding Current Position
Question: Risk associated with Product Life Cycle / Industry Life Cycle
RISKS
- Misassessment [Intro, Growth, Shakeout, Mature, Decline] impacts marketing / commercial decisions
- Product stages vary upon industry / product behaviours
MITIGATE
- Balanced, well diversified portfolio
- Understanding stage of industry improves strategic decision making. E.g. decision to divest.
Chapter: 3
Topic: Understanding Current Position
Question: Risks associated with Stakeholders
Hint: Mendelow’s Matrix
NOT PRIORITISING KEY PLAYERS - must be satisfied as a minimum
CONFLICTING DEMANDS - even once interest vs power determined.
IGNORING INTEREST - assessment helps to understand those Stakeholders likely to inhibit success
Chapter: 3
Topic: Understanding Current Position
Question: Risks associated with ‘Generic Strategies’
Hint: Porter’s Generic Strategies [Cost Leadership vs Differentiation vs Stuck in the Middle vs Focus]
BEING STUCK IN THE MIDDLE
TRYING TO ADOPT BOTH - lower costs may impact premium nature
LOW COSTS DN EQUAL LOW PRICES
DIFFERENT DN EQUAL VALUE
FOCUS SACRIFICES EoS + SEGMENTS LESS DISTINCT
Chapter: 3
Topic: Understanding Current Position
Question: Risks associated with Growth Options
Hint: Market Pen / Product + Market Development / Diversification
MARKET PENETRATION - least risky, minimum capital investment required
MARKET DEVELOPMENT - low to medium risk, same product new market.
PRODUCT DEVELOPMENT - medium risk, requires capital investment to develop new products.
DIVERSIFICATION - high risk and uncertainty attached. High investment likely in order to achieve return.
Chapter: 3
Topic: Understanding Current Position
Question: Risks associated with Products / Markets in respect to their Market Share vs Market Growth
Hint: Boston Consulting Matrix
MARKETS DIFFICULT TO DEFINE
HIGH MARKET SHARE REQUIRES SIGNIFICANT INVESTMENT [WC] + DN SUPPORT NICHE STRATEGY
NOT SUPPORTING QUESTION MARKS OR STARS THROUGH CASH COWS - linked to balanced portfolio
FAILURE (NOT) TO DIVEST DOGS - ignoring market trends
Chapter: 8
Topic: Malware Threats and Defense
Question: Five Types of Malware [Malicious Software]
Hint: V / W / Tj / B / Ma
PURPOSE - attempts to gain unauthorised access in order to damage software or steal sensitive data
VIRUS - attaches to program, spreads upon usage
WORM - does not attach, spreads without user knowledge. Standalone, without need for user to launch.
TROJAN - sits within network [does not spread], deploying various functions [pop-up ads / malware links / allows external access]
BOT…
Web Crawlers: gather information in the background
Botnet: allow external users to access network
Keyloggers: touch pad sensors to gain password access
MALVERTISING - online ads which contain hidden malware
Chapter: 9
Topic: Cybersecurity Governance and Policy
Question: Third Party Relationship Controls
Hint:
CONTROLS:
Due Diligence
SLA [confirming the processes to be used]
Review of ISO 27001 Accreditation [a way to assess the CS controls in place within the 3rd party]
Setting KPIs / Performance Measures
Screening
Chapter: 4
Topic: Board Membership, Roles and Structure
Question: Five Characteristics of an Effective Board
Hint: Bal / InKn / FoSchTk / CMT / Fair Rem&Ap
BALANCE [NEDs / EXECs] + SIZE + DIVERSITY
INDUSTRY EXPERIENCE, KNOWLEDGE, SKILLS AND DEVELOPMENT [CPD]
FORMAL SCHEDULE OF TASKS
COMMITMENT inc regular meet-ups, sufficient time allocation to fulfil responsibilities. Link to Accountability.
FAIR REMUNERATION / APPRAISAL based on objective factors:
- Independence & Innovation
- Industry Familiarity
- Active Participation
- Enthusiasm
- Business and Personal Development
Chapter: 4
Topic: Board Membership, Roles and Structure
Question: Responsibility of Chair & CEO
Hint: Board vs Company.
CHAIR - responsible for managing the board of directors. Ensures company is functioning in the best interests of the SHs.
CEO - responsible for managing the company. Helps to implement the strategy set by the board.
Chapter: 4
Topic: Board Membership, Roles and Structure
Question: Roles of Chair & CEO
Hint:
CHAIR
- Leadership to board
- Encourage participation / communication across board
- Transparency with shareholders
- Resolve conflicts between NEDs and EXECs
- Induct new directors
- Appraise CEO and Board members
- Accurate, timely information shared with Board
CEO
- Leadership to company
- Effective implementation of Board decisions / vision
- Firm performance accurately reported to Board
- New investment initiatives
- Communication with stakeholders
- Involvement with induction
- Involvement with appraisal
Chapter: 4
Topic: Board Membership, Roles and Structure
Question: Purpose of splitting the role of Chair & CEO
Hint: Accountability
AVOIDS CONFLICT OF INTEREST - relationship to remain professional
REDUCES BURDEN
IMPROVES ACCOUNTABILITY - implementation or vision?
ENHANCED SCRUTINY OVER DECISION MAKING
Chapter: 9
Topic: Cybersecurity Preventive and Detective Controls
Question: Patch Management
Hint: Focus on Time.
PATCH MANAGEMENT - quick fix software update to address vulnerabilities spotted within a system.
Either Corrective [in response to a breach] or Preventive [in anticipation of a potential breach].
Key focus is TIME.
Chapter: 9
Topic: Cybersecurity Governance and Policy
Question: Methods to Communicate Cybersecurity Policies
Hint: Internal vs External Responsibility
Note: Cybersecurity Policy - encompasses objectives, expectations, responsibilities via a formal policy statement.
INTERNAL :
- TRAINING, to ensure staff understand importance of compliance.
- CORPORATE COMMUNICATION, via intranet and emails.
EXTERNAL: to meet regulatory and stakeholder needs
- REPORTING
- CONTRACTS
- STATEMENTS
Chapter: 5
Topic: Integrity and Ethical Values
Question: Fundamental Principles
Hint: PIPCO
PROFESSIONAL BEHAVIOUR - engaging in a way that does not discredit the profession
INTEGRITY - truthful, honest actions + not engaging in activities known to be corrupt / false
PROFESSIONAL DUE CARE - keeping up to date on developments and knowledge
CONFIDENTIALITY - not sharing information unless for a justifiable business purpose
OBJECTIVITY - removing bias, conflict of interest or undue influence.
Chapter: 3
Topic: Stress Testing
Question: Load Testing vs Stress Testing
Hint:
LOAD TESTING - testing a system at expected capacity
STRESS TESTING - testing the breaking point of a system
Value at Risk = the maximum expected losses based on current activity / normal probability distributions.
Chapter: 1
Topic: Nature of Risk
Question: Four main types of Risk
Hint: F / S / Pu / Par
FUNDAMENTAL RISK - macro level, cannot influence at an individual level
SPECULATIVE RISK - return either positive or negative outcomes
PURE RISK - only negative outcomes [no upside]
PARTICULAR RISK - individual has control over. E.g. Decision to stop smoking reduces chance of lung cancer
Chapter: 1
Topic: Categories of Risk
Question: Strategic Risk vs Operational Risk
Hint:
STRATEGIC RISK - possible outcomes [due to internal decisions vs external factors] which have material impact on future strategies. Assessed in terms of source, scale and duration. Impact should be felt long term [volatility of long-term performance]
OPERATIONAL RISK - day to day business risks. Includes risk of IC controls failure, key staff resigning, industry disputes, IS and RM problems.
Chapter: 9
Topic: Cybersecurity Preventive and Detective Controls
Question: CS Email Policy x3
Hint: ConExt / SeSt / AttF
CONFIDENTIAL INFO NOT SHARED WITH EXTERNAL SOURCES [unless commercially justifiable - impt to encrypt]
SENSITIVE EMAILS STORED SECURELY [in case of legal purposes]
ATTACHMENTS CHECKED FOR VIRUSES [and reported if suspicious]
Chapter: 2
Topic: External Risk Reporting
Question: Limitations of Risk Disclosures
Hint: Think changes in external environment - is the information relevant?
COMMERCIALLY VALUABLE INFORMATION SHARED WITH COMPETITORS
MISINTERPRETATION BY RECEIVER
DYNAMIC ENVIRONMENT MAY LEAD TO DISCLOSURES BEING OUTDATED
Chapter: 8
Topic: Hackers and Social Engineering
Question: Five Types of Hackers?
Hint: E BUGS
ETHICAL - work for owners, look for gaps. Spot weaknesses + improve.
BUG-BOUNTY - reward hackers for breaking system
UNETHICAL - exploitation, malicious purposes
GREY HAT - fix for fee / post online
SOCIAL ENGINEERS - exploit trust to gain access either physically or virtually. Inc. ‘Dumpster Diving’
Chapter: 5
Topic: Performance Controls / Review
Question: Focus for Non-Commercial Firms [N4P]
Hint: Three E’s
ECONOMY - sourcing resources at best price.
EFFICIENCY - processes streamlined, minimum waste.
EFFECTIVENESS - in achieving the firm’s objectives in terms of Speed / Quality / Delivery / Service etc.
Chapter: 5
Topic: Integrity and Ethical Values
Question: Threats to Fundamental Principles
Hint: Sr / In / Fam / Ad / Si
SELF REVIEW - difficult to spot own errors.
INTIMIDATION - actual / perceived threat.
FAMILIARITY - too close to party.
ADVOCACY - objectivity compromised.
SELF INTEREST - financial or other gain impacting judgment.
Chapter: 6
Topic: Dysfunctional Behaviour
Question: Three Management Styles that may cause Dysfunctional Behaviour
Hint: BC / PC / NA
BUDGET CONSTRAINED - most likely cause of DFB. Short term focus - High tension - High manipulation - Impacted staff relations.
PROFIT CONSCIOUS - medium risk of DFB. Assessment against hitting profit targets / financial goals. Medium tension - Little manipulation - Good staff relations.
NON ACCOUNTING - low risk of DFB. Move away from financial factors. DFB occurs through ignoring the financial goals [which ultimately is the best way to measure a firm’s performance]. Medium tension - Little Manipulation - Good relations.
Chapter: 2
Topic: Risk and Return
Question: Why Risk is always present?
EXTERNAL FACTORS EVER-CHANGING [PESTEL]
DECISION MAKING AT AN INDIVIDUAL LEVEL
CONTROL FAILURES [inc. bypassing]
UNEXPECTED HAZARDS [‘Unknown unknowns’]
Chapter: 2
Topic: Risk and Return
Question: Why do firms embrace Risk?
Hint: Higher Risk should equate to Higher Returns
Note: Taking on risk is not the issue; not managing risk effectively is where the problem lies.
GREATER DEMAND FROM SHAREHOLDERS
GREATER DEMAND FROM CUSTOMERS
KEEPING UP WITH COMPETITION
INNOVATION NEEDS
Chapter: 2
Topic: External Risk Reporting / Corporate Governance
Question: Global Regulators x2
Hint: G20/OECD vs ICGN
Note: Risk Reporting to Primary Stakeholders [does not include Employees]
OECD - advises Governments on best practice for Corporate Governance for companies.
Focus on ‘Disclosure & Transparency’.
ICGN - practical guidance for Board of Directors, to meet expectations of shareholders.
Focus on Disclosure of Risk Management / Risk Responsibility / Sound governance policies [independence / culture / oversight / fair remuneration / SH rights].
Chapter: 2
Topic: Risk Approach
Question: NEDs vs EXECs
Hint:
NEDs - provide independent perspective / balanced viewpoint inc. scrutiny over Execs. Removes risk associated with PRP.
EXECs - provide skills, knowledge and experience when setting Risk Management approaches + Strategy.
Chapter: 6
Topic: Data Protection Risks
Question: Compliant measures with Data Protection
Hint: IA RERP OP
THE RIGHT: to be Informed [on how your data will be used] / to Access / to Rectify / to be Erased / to Restrict / to be Portable / to Object / to have a Person decide [on how your data will be used]
FIRMS SHOULD:
- Supply copies of data if requested
- Obtain consent from user to hold sensitive data [including consideration of data already held]
- Not pass on data to unauthorised parties
- Hold themselves accountable
Chapter: 6
Topic: Data Protection Risks
Question: Consequences of Non-Compliance with Data Protection
Hint: CCC
COMPENSATION TO DATA USER FOR DAMAGES / LOSS
INACCURATE DATA TO BE CORRECTED OR WIPED
SUPPLY USER WITH COPIES OF DATA HELD
Chapter: 5
Topic: Cost of Quality
Question: Types of ‘Costs’ regarding Quality
Hint: CC vs N-CC
CONFORMANCE COSTS - incurred to avoid sub-par output. Inc. Appraisal [checking goods before they go out] and Prevention [stopping errors in the first place!].
NON-CONFORMANCE COSTS - incurred in order to rectify errors in quality [product recall] / internal failures [wastage].
Chapter: 7
Topic: Types of Audit
Question: Key Features of External Audit
Hint: ‘True and fair reflection…’
Note: External Audit = Financial Audit
Examination of financial records
Report on the truth and fairness of financial statements
Responsible to shareholders
Use of rigorous testing to collect evidence to support their findings
Deputy to the laws, regulations, auditing + accounting standards
Chapter: 7
Topic: Types of Audit
Question: Social and Environmental Audit
Hint: CSR - responsibilities extending beyond the scope of commercial relations.
SOCIAL AUDIT - sustainable use of HR, Health and Safety, labour conditions and equal opportunities.
ENVIRONMENTAL AUDIT - safeguarding the environment.
Chapter: 7
Topic: Types of Audit
Question: Management Audit
Hint: Broad Focus
Independent appraisal of effectiveness of managers / corporate structure in achieving the entity’s objectives.
Focus across both financial and non-financial objectives.
Looks for ways to rectify.
Important to understand the objectives of the business before ‘Carrying out Investigation -> Gathering Evidence -> Report the Result’.
Chapter: 1
Topic: Risk Factors
Question: Event Categories [that impact implementation of strategy]
Hint: EE / IE / LEI / ET
EXTERNAL EVENT - opps vs threats [economic changes / political developments / tech]
INTERNAL EVENTS - strengths vs weaknesses [equipment failure / human error / product defects]
LEADING EVENT INDICATOR - give rise to another event
ESCALATION TRIGGERS - require immediate action
Chapter: 4
Topic: Sub Committee Directors
Question: Remuneration Committee
Hint: Purpose / Structure / Focus / Aim / Considerations
PURPOSE - determine general policy on remuneration of Execs, Chair, CEO and Senior Management.
STRUCTURE - NEDs [independently agreed, transparently disclosed]
FOCUS - clarity, simplicity, proportional [to performance], alignment with culture [best practice], market factors.
AIM - attract, retain sufficient calibre. Motivate in line with SH’s best interests.
CONSIDERATIONS [both] - Fixed & Variable, Immediate & Deferred, Long Term & Short Term, Cash & Non-Cash.
Chapter: 6
Topic: Information as a form of Control
Question: Three levels of Information Needs
Hint: Information up [narrows] vs. Objectives down [widen]
STRATEGIC MANAGEMENT / PLANNING
- Trends / Pestel
- Market Characteristics
- Technology Developments
- Customer Competitor Info
TACTICAL MANAGEMENT / MANAGEMENT CONTROL [acts as the link / facilitator]
- Strategic decisions [helps them to implement]
- Operational reports [filtered through to senior management]
- Financial and performance targets
- Cost information
OPERATIONAL CONTROL [Detail & Data]
- Orders
- Staff Feedback
- Customer Feedback
- Bottlenecks
- Volume and availability of resources
Chapter: 3
Topic: Digital Technology
Question: Four Types of Digital Characters / Groupings
Hint: DN / DI / DV / DR
Note: Risk involves natives ignoring ‘tactful business acumen’ [Scientific approach only] vs Immigrants retaining ‘accent’ / stifle innovation or tech solutions.
DIGITAL NATIVES - millennials
DIGITAL IMMIGRANTS - adopted
DIGITAL VISITORS - purpose only
DIGITAL RESIDENTS - leave clear trace
Chapter: 3
Topic: Evaluating Strategic Options
Question: Management Accounting x Appropriate Strategy
Hint: PS
PROFESSIONAL SCEPTICISM - addressing the limitations of a lack of information + the subjectivity within assumptions + why information is necessary to drive DM.
Helps to assess Feasibility & Acceptability of a project / strategy.
Chapter: 3
Topic: Evaluating Strategic Options
Question: Evaluation of Strategy
Hint: S A F
Note:
Resources = capacity to deliver
Capabilities = people and skills
SUITABILITY - does it fit with a firm’s direction / core values / help to fulfil objectives? Address key opps or threats?
ACCEPTABILITY - how will the ‘key players’ / shareholders react to the decision? Consideration of Risk Appetite / Financial + Non Financial factors / CSR / Existing Agreements.
FEASIBILITY - do we have, or have access to, the resources needed to carry out the strategy? Within current / potential strategic capabilities? Can we implement?
Chapter: 7
Topic: Types of Audit
Question: Value for Money [VfM] Audit
Hint: Three E’s / Four C’s
USE - Government / Not-for-Profit
PURPOSE - how well public money is being used to provide services?
FOCUS -
a) Economy / Efficiency / Effectiveness
b) Challenge / Compare / Consult / Compete
Chapter: 4
Topic: Board Membership, Roles and Structure
Question: Company Secretary
Hint: ‘Ultimate Loyalty is the Company’
COMPLIANCE W. LEGAL AND REGULATORY FRAMEWORKS [inc signing docs & registers + annual accounts]
INFORMATION NEEDS TO THE BOARD + ARRANGE MEETINGS FOR SH’S
COMMUNICATION WITH SHAREHOLDERS
BOARD DECISIONS BROADCAST TO EMPLOYEES AND WIDER STAKEHOLDERS
FINANCIAL OR LEGAL EXPERTISE
Chapter: 4
Topic: Board Membership, Roles and Structure
Question: Board Structures x3
Note: More tiered:
+ve Greater Independence / Broader Rep
-ve Conflicting viewpoints / lack of accountability + authority / more bureaucratic
SINGLE - unitary
DUAL
a) Supervisory, overall responsibility
b) Management, daily running of firm
THREE TIER
a) Policy, strategic
b) Functional, operational
c) Monocratic, PR
Chapter: 4
Topic: Corporate Governance and Agency Theory
Question: Agency Problem x Solution
Hint: Principal [SH’s] needs the help of an Agent [Directors] to carry out activities on their behalf.
PROBLEM - Information Asymmetry [‘trust issues’] + Conflicts of Self-Interest [‘balancing act’]
SOLUTION - Transparency, disclosures + LT interest of firm instilled into directors, SH power [removal / exercise control]
ULTIMATE AIM - introduce control mechanisms to control board without impacting their ability to function effectively.
Chapter: 4
Topic: Board Membership, Roles and Structure
Question: The Board, responsibilities and aims.
Hint:
PROMOTING SUCCESS OF FIRM
DRIVE DIRECTION OF FIRM THRU ENTREPRENEURIAL LEADERSHIP WITH EFFECTIVE CONTROLS.
ACCOUNTABILITY TO SHAREHOLDERS
MONITOR PERFORMANCE OF COMPANY IN ACHIEVING AIMS
ENSURE FIRM IS ACTING WITHIN A COMMERCIALLY
+ SOCIALLY ACCEPTABLE MANNER
MAINTAIN AN EXTERNAL FOCUS
ENSURE NECESSARY RESOURCES / SKILLS
SET STRATEGIC AIMS
ENABLE RISK TO BE ASSESSED + MANAGED
Chapter: 4
Topic: Non Executive Directors
Question: Three Specific Roles of NEDs
Hint: FC / OC / HS
FATHER CONFESSOR - act as confidant
OIL CAN - manage conflict
HIGH SHERIFF - removal of high positions
Chapter: 4
Topic: Non Executive Directors
Question: Areas of Focus of NEDs + Issues
Hint: S S R P + I E
FOCUS
- Strategy: contribute and challenge
- Scrutiny: performance of Execs and Management
- Risk: ensure systems are robust
- People: safeguard interests of SHs
ISSUES
- Lack of true independence: cross directorships / remuneration / pensions / shareholdings / previous employment
- Lack of effectiveness: industry experience / availability / commitment
Chapter: 10
Topic: Cybersecurity Tools and Techniques
Question: Penetration Testing
Hint: Controlled form of hacking
Note: GDPR Compliant to adopt PT
PURPOSE - systematic process of PROBING for VULNERABILITIES in applications + networks
EXAMPLES - Connections w. internet / Simulating phishing and social engineering
Chapter: 10
Topic: Cybersecurity Tools and Techniques
Question: Types of Penetration Testing
Hint: Box - classified on level of knowledge / access granted to Pentester at beginning of assignment
WHITE BOX - full access to system / network. Comprehensive assessment of both internal and external vulnerabilities.
GREY BOX - partial access to system [user level privileges only]. Focus assessment on systems with greatest risk and value from the start.
BLACK BOX - no access provided prior to test. Exposes external vulnerabilities of a system.
Chapter: 10
Topic: Cybersecurity Tools and Techniques
Question: Three Software Communication Options
Hint: IP / TLP / MS
IP SECURITY - secure private comms
TRANSPORT LAYER SECURITY - secure private comms with bespoke encryption
MIKEY-SAKKE - end-to-end encryption
Chapter: 9
Topic: Cybersecurity Processes
Question: Key Principles in Developing Cybersecurity Policies
Hint: PDR
PROTECTION - what to protect [software vs hardware] + ICs in place to do so.
DETECTION - monitoring, recording and escalating threats.
RESPONSE - proactive vs reactive measures. Inc. Patch Management vs Specialist Teams [hunt teams]
Chapter: 3
Topic: Risk of Unethical Behaviour
Question: Reputational Risk Causes
Hint: Response to Rep Risk involves LISTENING.
Note: Strategy / Brand / Reputation all interdependent.
CSR ISSUES - not extending reach beyond commercial responsibilities.
CUSTOMER SERVICE - not understanding why the customer buys from you. Link to expectation
LEGAL ISSUES - data protection / impact industry dependent
STAFF POLICIES - link to ethics.
FAILURE TO INNOVATE - viewed as ‘outdated’
POOR GOVERNANCE STRUCTURE - lack of diversity / accountability?
INVOLVEMENT IN BRIBERY / CORRUPTION - mitigated through strong ICs + whistleblowing arrangements
POOR ETHICS - increases compliance / external auditor focus
Chapter: 3
Topic: Risks of Unethical Behaviour
Question: Three Main Risks of Unethical Behaviour
Hint: P B R
Note: Ethics = set of moral principles that guide behaviour
PROBITY - untruthful or misleading behaviour
BRIBERY & CORRUPTION - knows no boundaries for prosecution [UK Bribery Act + US Foreign Corrupt Practices Act]. Leads to financial, legal and reputational risk
REPUTATIONAL RISK - caused as a result of adverse consequences of another risk. ‘Years to build, but can disappear overnight’.