P3 RM Flashcards

1
Q

Chapter: 3

Topic: Banking

Question: Principles of Basel III / Dodd Frank Act / Bank of England

Hint: Do banks have sufficient capital to withstand anticipated losses during financially stressful situations?

A

Basel III : Three pillars [sound banking practices]
Min Amounts of Capital Required
Visibility of Risks
Disclosure to encourage better behaviour

DFA : Three Scenarios
Baseline
Adverse
Severely Adverse

BoE : using variables to predict unfavourable macro scenarios
Global Economy
Unemployment Rates
Commodity Prices
House Prices
Interest Rates
2
Q

Chapter: 9

Topic: Centralised Management of CS Controls

Question: Four main controls present within Information System

Hint: SANG

A

1) Software Controls - ensuring correct software is used. Buying from recognised supplier.
2) Application Controls - completeness / accuracy of records + validity of entries made to a specific application. Inc. Input [data entry checks] / Processing [accuracy during computer processing] / Output [exception reports].
3) Network Controls - protect IS from CS risks across entire network. Inc Firewalls, Virus protection, spyware, encryption.
4) General Controls - prevent or detect errors / irregularities in all accounting systems. Inc both software and hardware, personnel, access and password controls.

3
Q

Chapter: 10

Topic: Cyber Risk Reporting Frameworks

Question: SOC 2 Framework

Hint: Service Organisations

A

Describes CRMP + effectiveness of controls when processing clients data. Features inc:

  • Specific SOC 2 Criteria [to CRMP’s description and controls] - CPA approved
  • Description criteria inc. type of service provided [payroll / finance], systems used to provide + boundaries. DN inc. description of specific controls in a service organisation.
  • Written assertion from management [Re: description in line with criteria + controls suitably designed] + CPA opinion to validate description and controls.
  • Detailed list of controls tests carried out by CPA.
  • Limited availability.
4
Q

Chapter: 10

Topic: Cyber Risk Reporting Frameworks

Question: SOC Framework

Hint: Offers accreditation for overall CS [AICPA]

A

Delivers a review of entity’s CRMP. Features inc:

  • Description criteria of the CRMP in line with agreed criteria [nature of operations / key info assets / inherent CS risk factors / governance / risk assessment / monitoring]. Written assertion by management req.
  • Control criteria assessed by management and assertion that it is effective in achieving organisation CS objectives.
  • Opinion by CPA on description and control criteria.
  • Prepared for general distribution to stakeholders.
  • DN contain list of detailed tests carried out.
5
Q

Chapter: 4

Topic: Sub-Committee of Directors

Question: Audit Committee

Hint: Review + Monitor

A

Review and monitor:

Annual accounts.
Adequacy of Internal controls [fin + non-fin].
Risk Management systems.
Liaises with External Auditors on queries, appoint, denote non-audit services, compensate.
Supervises Internal Audit + scrutinises output.

All independent [financially literate] NEDs with at least one financial expert.

6
Q

Chapter: 9

Topic: CS Governance + Policy

Question: Three strategies used to avoid being Hacked?

Hint: RSD

A

Reconnaissance - awareness of how you appear to third parties. Do you look vulnerable?

Simulation - assume you will be hacked at some point. Have contingency plans in place. Are you prepared?

Digital Identity - understanding how you interact with all things digitally. Focus on IoT.

7
Q

Chapter: 5

Topic: Purpose of Internal Controls

Question: Objectives of IC

Hint: ORC

A

Reasonable Assurance regarding the objectives for:

Operational - financial + operational performance / safeguarding assets.

Reporting - internal / external / financial / non-financial ensuring timeliness, accuracy and transparency.

Compliance - with laws and regulations

8
Q

Chapter: 5

Topic: Features of Internal Controls

Question: COSO IC Integrated Framework

Hint: Objectives [ORC] / Levels [F / OU / D / EL] / Components [CE / RA / CA / I&C / MA]

A

Objectives - Operational / Reporting / Compliance

Levels - Functional / Operational Unit / Divisional / Entity Level

Components - Control Environment / Risk Assessment / Control Activities / Information & Comms / Monitoring Activities

9
Q

Chapter: 1

Topic: Risk Management Institutes

Question: Four Categories of Risk [‘Institute of RM’]

Hint: FOSH [int / ext]

A

Financial - long term CFs / ST liquidity / fraud / economic factors.

Operational - day to day business risks.

Strategic - long term outcomes impacted.

Hazard - natural / human.

10
Q

Chapter: 10

Topic: Cyber Risk Reporting Frameworks

Question: Internal & External forms of CS reporting.

Hint: Int - CV + RA / Ext - RM & DM + 3rd Party R + Risk P & Why?

A

Internal CS Reporting: to board / management / employees.

Core Values
Risk Appetite

External CS Reporting: to regulators / stakeholders / investors / media.

Risk Management and Decision Making
Third Party Reliance
What needs Protecting and their Importance [why?]

11
Q

Chapter: 6

Topic: Internal Control Systems in Practice

Question: Control Activities in Any System

Hint: x5 - A S Ip Pr Pc

A

Expectations of External Auditors:

Authorisation - transactions approved by right personnel

Segregation of Duties - no one person having total control of a process.

Information Processing - general + application controls.

Performance Review - actual vs expected.

Physical Controls - safeguarding of assets / access to data files / periodic counting.

12
Q

Chapter: 7

Topic: How to deliver Internal Audit

Question: Three types of Testing

Hint: WT / ToC / ST [inc. AR + BM]

A

Walkthrough Testing: sequential, through documenting events from start to finish.

Test of Controls: known as compliance test. Whether or not the controls in place have operated. Testing the process.

Substantive Testing: ignores the control that has happened, instead, verifies the actual amount itself. Looks at whether individual events are valid [sums received recorded in the correct accounting period]. Testing the content.

13
Q

Chapter: 7

Topic: How to deliver an Internal Audit

Question: The Five Stages involved in delivery

Hint: OF -> P -> RA -> T -> Bm

A

1) Organisational Factors - assessment of need.
Inc: Scale, size, complexity, diversity / Cost vs Benefit / Changes in processes, structure, IC, IS? / Changes in key risks? / Increased number of ‘unexplained events’?

2) Planning - prioritise / establish objectives of audit / effective use of resources
3) Risk Assessment - inherent / control / residual / detection
4) Testing - walkthrough / test of controls / substantive testing in order to collect evidence to help achieve audit objectives.
5) Benchmarking - comparing financial and non-financial performance [type of Analytical Review / Substantive Testing].

14
Q

Chapter: 7

Topic: How to deliver an IA

Question: Three bases for Sampling

Hint: R / N / V

A

Random - exposes firms to sampling risk [not true representation of whole population]

Nature - inherent risk

Value - materiality

15
Q

Chapter: 5

Topic: Management Accounting Techniques

Question: 8 Key Areas + Core Fundamentals

Hint:

A

Marginal Costing - low volume, high complexity. Differentiating between fixed and variable costs.

Just in Time - continuous improvement + reduced inventory handling.

Kaizen - incremental improvements, waste elimination.

Target Costing - viability of production?

EVA - economic profit, reflecting true profit based on value from invested funds. Best for asset-rich companies not for those with intangible assets, such as technology businesses. Can lead to dysfunctional behaviour.

TQM - considers cost of quality. ‘First time, every time’.

Throughput - lead time / efficiency. All costs fixed besides material costs. Success based on how quickly product can be made available to customer.

Life Cycle Costing - matching costs and revenues to the specific product. Focus on profitability and long term planning.

Lean MA - value streams + elimination.

16
Q

Chapter: 9

Topic: Centralised Monitoring of CS Controls

Question: 14 ISO 27001 Control Sets

Hint: Management x3 / Security x5 / C's x3 / S's x2 / Others x1

A

Management x3
Information System Incident - monitor / detect / respond
Business Continuity - contingency plans
Asset - access / safeguarding / recovery

Security x5
Information Policy - SANG
HR Resources - policy / procedural com
Physical & Environmental - natural disaster
Operational - malware / back-up policies
Communications - network controls

S’s
Supplier Relationships - screening
Systems Development - updating software

C’s
Compliance with Laws & Regs - GDPR
Cryptography - encryption
Access Controls - physical / virtual pw’s

Others
Organisation of IS - BYOD

17
Q

Chapter: 2

Topic: Strategies for Risk Mitigation

Question: Four Methods of Risk Reduction & Control [High Likelihood, Low Impact]

Hint: LC / D / PA / CP

A

Loss Control - physical devices / psychological awareness + commitment to minimise losses.

Risk Diversification - portfolio approach thru geographical [TLC], product base [PLC], activities [integration].

Procedural Approach - adherence to policies, codes and regulations.

Contingency Planning - post loss needs understood. Regularly reviewed + simulations performed. THINK - 6 Key Elements.

18
Q

Chapter: 9

Topic: Centralised Management of CS Controls

Question: Six key elements within Contingency Plans

Hint: CC RR BP

A

Continuity Plans - hotsites / mirror sites.

Communication - internal / external.

Responsibilities - list of staff / accountability.

Risk Assessment - assessing impact.

Back up Procedures - standby / recovery / personnel management.

Priorities - what are we protecting?

19
Q

Chapter: 6

Topic: Information as a Form of Control

Question: Five key teams required for Successful Implementation of a New System?

Hint: SC [Sp / Pm / Ur / ITs / IA]

A

Sponsor

Project Manager

User Representation

IT Specialist

Internal Audit Function

All form part of the Steering Committee. Help to monitor implementation / deliverables / ensure quality + control + costs are met / forum for discussion.

20
Q

Chapter: 6

Topic: Information as a Form of Control

Question: Ten Types of Information Systems

Hint: D’s x2 / E’s x3 / K / M / O / S / T

A

OAS - Office Automation, basic spreadsheets
ERPS - Enterprise Resource Planning, organisation wide integration of functions
KWS - Knowledge Work, new knowledge creation inc. training.
EIS - Executive Information, usually presented in graphical format with drill down features.
ES - Expert, stores info and applies rules to make easy decisions [inc. diagnosis of illness]
DSS - Decision Support, data analytics to model scenarios.
SEMS - Strategic Enterprise Management, high level tools such as ABM.
MIS - Management Information, mid level analysis of transactions for DM and control purposes [inc. Standardised Reports]
TPS - Transaction Processing, billing + payroll.
DC - Data Centres, stores data in warehouses. Inc Big Data.

21
Q

Chapter: 9

Topic: Centralised Monitoring of Cybersecurity Controls

Question: Six step response to CS - ISO 27001

Hint: Me -> AoDR -> TARA -> Rpt -> App CS Profile -> Imp R Treat P

A

METHODOLOGY - agreed / consistency

ASSESSMENT - impact vs likelihood of Data Risks

TREATMENT - record whether to Control / Avoid / Transfer / Accept risks.

REPORT [all results] - accreditation [ISO 27001] + own interest purposes.

APPLICABILITY - security profile showing all controls and status.

IMPLEMENTATION - risk treatment plan. What, who, how and when.

22
Q

Chapter: 9

Topic: Cybersecurity Risk Governance Structure

Question: CS Risk Governance Structure elements.

Hint: H / CON BT EV / BO / MR / CON BT R

Note: Formal, codified statement which outlines aims. Overseen by board of directors… CS to be embedded.

A

HIRING - qualified staff inc. CIO [Risk Manager]

CONNECTION B/T CS AND ETHICAL VALUES

BOARD OVERSIGHT - dedicated committee or CIO

MONITORING AND REPORTING - active engagement by board members. Increases accountability.

CONNECTION B/T CS RISKS AND OTHER RISKS - in line with Risk Appetite.

23
Q

Chapter: 7

Topic: Internal Audit

Question: Purpose + Overall Objectives + Reporting of Internal Audit function

Hint: Sa C Ro Ec Ar Mr

A

PURPOSE - Independent Assurance that RM, Gov., IC processes are operating effectively. Ultimate aim is OBJECTIVITY in their findings.

OBJECTIVES - 
Safeguarding Assets 
Compliance [policy + regulations] 
Reduce Overheads [business units alignment]
Effective Controls [IC] 
Accounting Records
Managing Risk [RM]

REPORTING - to NEDs through Audit Committee.

24
Q

Chapter: 9

Topic: Centralised Monitoring of CS Controls

Question: Seven Outputs of CS Monitoring Systems

Hint: SR SU AT TN PC CT RI

A
Staff Responsible
System Upgrades
Audit Trails
Training Needs
Policy Changes
Consistent Trends
Regulators Informed
25
Q

Chapter: 7

Topic: How to Deliver Internal Audit

Question: Aims of Audit Planning + Procedures Involved

Hint: A = P Eo Er / P = Aors Ppap Tea

A

AIMS
- Prioritise activities for review [nature / high risk areas]
- Establish objectives of the audit [improve cost controls / ensure compliance with GDPR...]
- Ensure necessary resources available + used effectively & efficiently.

PROCEDURES
- Ascertain business objectives / risks / strategies in place to manage.
- Preliminary analytical procedures on relevant areas / systems.
- Utilise / take account of External Auditors' reports.

26
Q

Chapter: 2

Topic: Risk Management Frameworks

Question: Three Part Risk Management Structure [ISO 31000]

Hint: P F P - constitutes effective RM.

A

PRINCIPLES
How to Design: Proportionate - Aligned - Comprehensive - Embedded - Dynamic
How to Operate: Limitations of available info - Influence of Human & Cultural Factors - Continuous Improvement

FRAMEWORK
Design -> Implement -> Evaluate -> Improve
Allocation of Roles, Responsibilities and Resources.

PROCESS - iterative, fully sequential process.
Support Activities: Comm & Consult - Monitor & Review - Record & Report.

27
Q

Chapter: 10

Topic: CS Tools and Techniques

Question: Three Tiers of Software Security

Hint: Security must be Secure & Resilient. Focus on Coding / Design / Testing.

A

TIER 1 - stop CS attacks only.
TIER 2 - stop CS attacks + alert relevant security functions.
TIER 3 - stop CS attacks + alert + protect sensitive data.

28
Q

Chapter: 6

Topic: Dysfunctional Behaviour

Question: Human Element of Internal Controls

Hint: Training / Motivation / Values / Management

A

POOR TRAINING
POOR MOTIVATION
VALUES NOT ALIGNED
PROBLEMS NOT MANAGED

Lead to malfunctions within the ICs.

29
Q

Chapter: 7

Topic: Internal Audit

Question: Five key areas an Internal Audit Report covers

Hint: BgAss / WO / KaP / MOc / MR

A

Background to Assignment
Work Outstanding
Key Action Points
Major Outcomes of Work
Management Responses

30
Q

Chapter: 9

Topic: CS Preventive and Detective Controls

Question: Innovative Techniques used for CS

Hint: BhA / DtT / VdN / SmGr

A

BEHAVIOURAL ANALYTICS - outside of set parameters
DETECTION TECH - zero day attack identified
VIRTUAL DISPERSIVE NETWORKING - splits messages into encrypted parts
SMART GRID TECH - monitor and comm between data points

31
Q

Chapter: 7

Topic: Auditing in IS Environment

Question: Auditing a Computer / Information System

Hint: UndS / HowT / ScA / DI / Oupt / Autho / BUs

A

UNDERSTAND SYSTEM
HOW TO TEST
SECURITY ARRANGEMENTS / ACCESS
DATA INPUT [Encryption / Validation]
OUTPUT [Accuracy]
ALL TRANSACTIONS AUTHORISED?
BACK UPS + DISASTER RECOVERY PLANS

CAATs can be used to review system controls. Allows IA to review larger samples, efficient use of time + pinpoint trends.

32
Q

Chapter: 4

Topic: Corporate Governance

Question: Aim of CG + what it provides + who it involves?

Hint: Agency Problem

A

AIM: Company run for the benefit of its Shareholders [address Agency Problem].

PROVIDES:
- System by which firms are directed / controlled
- Structure through which objectives are SET / OBTAINED & MONITORED.

INVOLVES a set of relationships between Directors, Shareholders and Stakeholders.

33
Q

Chapter: 4

Topic: Corporate Governance

Question: Causes of Poor CG

Hint: Approach vs Structure

A

POOR APPROACH TO CG - wrong policies / focus. E.g. ST Financial Goals.

POOR STRUCTURE IN PLACE - insufficient scrutiny over decisions / absence of NEDs. E.g. CEO and Chair the same person.

34
Q

Chapter: 7

Topic: Assessing Performance of Internal Auditors

Question: Criteria used to assess IA Function

Hint: P A I R

A

PROFESSIONALISM - systematic + organised approach.

AUTHORITY - findings acted upon? Timely responses backed up by the board?

INDEPENDENCE - whom report to? Physically separate from workforce? Ability to whistleblow?

RESOURCES - enough personnel + right training, skills and expertise. [Specific qualification not required].

35
Q

Chapter: 7

Topic: Assessing Performance of Internal Auditors

Question: Conditions under which External Auditors can use Internal Auditors' work?

Hint: DO / WCS

A

IF INTERNAL AUDITORS:
DEEMED OBJECTIVE
WORK SUPERVISED + REVIEWED
COMPETENT
SYSTEMATIC, WELL DOCUMENTED AND DISCIPLINED APPROACH TAKEN [Think, Professionalism]

36
Q

Chapter: 6

Topic: Dysfunctional Behaviour

Question: Main issue with Performance Measurement + Main Tactic to Mitigate?

Hint: Self Interest vs SMART

A

PEOPLE MAXIMISE HOW THEY LOOK + ACT IN THEIR OWN SELF-INTEREST, irrespective of whether this causes Dysfunctional Behaviour.

SMART targets set to reduce this risk.

37
Q

Chapter: 8

Topic: CS Objectives

Question: How firms Establish, Maintain and Approve Cybersecurity Objectives?

Hint: FP / BA / MS

A

FORMAL PROCESS - CS objectives aligned with wider firm objectives.

BOARD APPROVAL - either through dedicated committee / expert [CIO] or 3rd party consultancy.

MONITOR SUCCESS - feedback loop [similar to how Internal Control objectives are monitored].

38
Q

Chapter: 3

Topic: Understanding Current Position

Question: External Environment challenges when setting Strategic Plans.

Hint: ISA / C&D -> PHS / SC / EM | PS -> PESTEL + SWOT

A

INCORRECT SUPPORTING ASSUMPTIONS

COMPLEXITY AND DYNAMISM CREATES LONG TERM UNCERTAINTY

LEADS TO: PLANNING HORIZONS SHORTENED / STRATEGIES MORE CONSERVATIVE / EMERGENT STRATEGIES OVER PLANNED.

MITIGATED BY: PESTLE / SWOT ANALYSIS.

39
Q

Chapter: 3

Topic: Understanding Current Position

Question: Resources and Capabilities assigned within a firm.

Hint: VC / OM / STR / IC

Note: Resources = capacity to deliver / Capabilities = people and skills

A

VALUE CHAIN - Inbound Logistics, Operations, Outbound Logistics, Marketing & Sales, Service.

OPERATING MODEL - how value is created. Processes in which value is generated. E.g. Lean Process design.

STRUCTURE OF FIRM - Governance, Board Membership, Rules / Roles / Responsibilities etc.

INTERNAL CONTROLS - 'Reasonable assurance regarding Operational, Reporting and Compliance objectives'.

40
Q

Chapter: 2

Topic: Social, Ethical and Environmental Issues

Question: Approach to Solving an Ethical Issue

Hint: GFs / IP / IAA / MR / JR

A

GATHER FACTS / EVIDENCE
IDENTIFY THE PROBLEM / RELEVANT ETHICAL ISSUES + FUNDAMENTAL PRINCIPLES
INVESTIGATE ALTERNATIVE ACTIONS
MAKE A RECOMMENDATION
JUSTIFY RECOMMENDATION

41
Q

Chapter: 9

Topic: Centralised Management of CS Controls

Question: Information Contingency Plan - what does it provide for?

Hint: St Re PM

A

STANDBY PROCEDURES - back-up sites to allow operations to continue.

RECOVERY - of sensitive data + restoring 'back to normal'. Implemented after the event.

PERSONNEL MANAGEMENT - key roles and responsibilities. Recovery Plan operates 'as intended'.

42
Q

Chapter: 8

Topic: Cybersecurity Objectives

Question: Three Organisational Characteristics to grasp before setting CS Objectives. What is 'Vulnerable' / at Risk?

Hint: Dc Ct T

A

Delivery Channels - used to deliver data. Inc website, email, intranet, social media + EPOS.

Connection Types - wired or wireless / in-house or networked / national or international.

Technologies - proportion of activity online / amount of digital interaction. Data collection, storage & transmission.

43
Q

Chapter: 3

Topic: Methods of Development

Question: Questions to consider when choosing Method of Growth

Hint: SH V / M&V / RR / CF

A

Generate value for shareholders? How quickly is growth / expansion required? Links to SH Expectations.

Fit with mission and values? Does the firm need to retain control over operations? [Think, outsourcing].

Required resources to deliver chosen strategy? Inc. competencies, availability and access.

Cultural Fit with external parties [Mergers / Acquisitions]? Integration of people, systems and organisational culture [how things are done and why?].

44
Q

Chapter: 2

Topic: External Risk Reporting

Question: Two main National Regulators for Risk Reporting?

Hint: UK vs US

A

2018 UK CORPORATE GOVERNANCE CODE [Principles Based - 'Comply and Explain']
'Fair, balanced and understandable assessment of a firm's position + prospects'.
Disclosures inc:
- Description of Audit Committee work
- Board Responsibilities for preparing annual report + accounts.
- Company's Going Concern status
- How Risk Management and Internal Controls are reviewed.
- Board assessment of Principal + Emerging risks
- Prospects and timelines

SARBANES OXLEY ACT [Rules Based - 'Non-compliance unacceptable'].
Provides consistent minimum standard of Governance + RM. Requires a firm to report on an entity's Internal Controls. Esp:
- Those related to Financial Reporting
- Assessment of their effectiveness [Verified by independent practitioner]

45
Q

Chapter: 7

Topic: How to Deliver an Internal Audit

Question: How IAs reduce risks involved in System Development

Hint: SC / T&T / VAR / PIR

A

WORK WITH STEERING COMMITTEE TO ENSURE RESPONSIBILITIES OUTLINED + DESIGN INDEPENDENTLY REVIEWED
ENSURE ONGOING TESTING AND TRAINING
INSPECT VARIANCES IN BUDGETS
PERFORM POST IMPLEMENTATION REVIEW [Focus on compliance with targeted performance].

46
Q

Chapter: 1

Topic: Risk Management Process

Question: Portfolio Approach to Risk Management

Hint: +ve / -ve R

A

PORTFOLIO APPROACH [known as Diversification] - build both positively and negatively correlated risks to reduce exposure to certain circumstances. Requires understanding of the interrelationships between the risks a firm faces.

47
Q

Chapter: 1

Topic: Risk Management Process

Question: Difference between Correlated and Related Risks

A

CORRELATED RISK - can be either +ve or -ve.
Positively Correlated Risks move together. Fatty foods inc. risk of heart disease.
Negatively Correlated Risks move in opposite directions. Brushing teeth reduces chance of fillings.

RELATED RISK - two risks that are connected due to the same cause. Natural disaster increases chance of job losses and house damage.

48
Q

Chapter: 2

Topic: Risk Reporting

Question: Purpose and Components of Risk Register

A

'Used to manage, monitor and report risks'

Defines the list of Principal Risks a firm faces [+ the interdependencies with other risks].
Details the treatment of those risks based on prioritisation [monetary value].
Details who is responsible.

49
Q

Chapter: 2

Topic: Risk Reporting

Question: Difference between Gross / Residual / Expected / Actual Risk

Hint: Detailed within Risk Register

A

GROSS - before controls implemented
RESIDUAL - risk remaining after controls performed
EXPECTED - projected risk based on forecasts
ACTUAL - based on the events that occurred

50
Q

Chapter: 10

Topic: CS Tools and Techniques

Question: Forensic Analysis levels

Hint: Sy / St / Net

A

SYSTEM LEVEL ANALYSIS - threat impacted entire system?
STORAGE LEVEL ANALYSIS - threat impacted data held?
NETWORK LEVEL ANALYSIS - threat come from outside source?

51
Q

Chapter: 7

Topic: Types of Audit

Question: Purpose of Systems Audit

Hint: SCREAM

A

PURPOSE - test + evaluate internal controls present within any system.

OBJECTIVES [Think: Gov, RM, ICs are operating effectively - SCREAM].
- Ensure suitable and accurate Management Information [Ar]
- Compliance with procedures / laws / regs. [C]
- Safeguarding Assets [Sa]
- Securing economies and efficiencies [Ro]
- Assess stages of IC Process: x4 stages [Ec / Mr]

52
Q

Chapter: 10

Topic: CS Tools and Techniques

Question: Forensic Analysis Principles used to handle Computer Security Incident

Hint: Prep / Dt&A / Con,Era,Rec / PiA

A

PREPARATION - reduce impact of incident before it occurs.

DETECTION AND ANALYSIS - incidents prioritised and communicated.

CONTAINMENT, ERADICATION AND RECOVERY - recovery procedures.

POST INCIDENT ACTIVITY - what have we learnt for next time? What can we improve?

53
Q

Chapter: 7

Topic: Systems Audit

Question: Four stages of the Internal Control Process

Hint: Iden / Under / Devel / Imple

A

IDENTIFY BUSINESS OBJECTIVES
UNDERSTAND THE THREAT TO THESE OBJECTIVES
DEVELOP CONTROLS TO HELP MITIGATE
IMPLEMENT AND MONITOR THE PROCESS

54
Q

Chapter: 2

Topic: Risk Management Frameworks

Question: COSO Enterprise Risk Management [RM and IC Methodologies]

Hint: ERM / Beliefs / Benefits

A

ERM - Defines process of RM across the entire firm. Connects core values with enhanced performance.

BELIEFS - risk considered part of strategy / culturally embedded.

BENEFITS - helps to apply TARA / allocate capital & resources effectively.

55
Q

Chapter: 2

Topic: Risk Management Frameworks

Question: COSO ERM Framework Components

Hint: G&C / S&O / P / R&R / I,C&R

A

GOVERNANCE AND CULTURE - board leads the way. Sets core values, ethics and culture.

STRATEGY AND OBJECTIVE SETTING - ERM considers risk as part of strategy.

PERFORMANCE - unless risks identified, assessed, prioritised and managed, performance will suffer.

REVIEW AND REVISION - continuous review due to changing nature of risks. Requires Feedback Loop.

INFORMATION, COMMUNICATION AND REPORTING - to support DM and ensure alignment across entire firm. Internal / External reporting needs.

56
Q

Chapter: 3

Topic: Banking

Question: Four Scenarios for 2025. [Wade, 2016]

Hint: GB / CC / TD / RM

Note: Highlights need for firms to become more agile...

A

Global Bazaar - tech thrives, digital focus. Customers less loyal + hard to maintain market position.

Cautious Capitalism - loss of trust between firms and consumers due to data breaches / cyber risks. Reduces tech opportunities / innovation for firms.

Territorial Dominance - protection of local industries. Greater protectionism, regulation + lower growth.

Regional Marketplace - government regulations limiting international business / collaboration. Expansion + supply chain networks impacted.

57
Q

Chapter: 10

Topic: Cybersecurity Risk Reporting Frameworks

Question: Cybersecurity Risk Management Program

Hint: Formal / Pragmatic / Comp vs System Driven

Note: https://www.ncsc.gov.uk/collection/risk-management-collection/component-system-driven-approaches/introducing-component-driven-and-system-driven-risk-assessments

A

PURPOSE - formal way of explaining the approach taken by a firm to manage its Cybersecurity Risks.

APPROACH - practical, such as agreeing policy with CS suppliers / User training to identify CS threats / Balancing costs vs benefits / Context driven, firm needs to be understood.

FOCUS - either:
a) Component Driven - focus on specific aspects within a system, and the individual risks they face.
b) System Driven - holistic viewpoint, looking at overall performance of system and the risks it faces. Inc. communication links across devices + systems.

58
Q

Chapter: 4

Topic: Sub-Committee of Directors

Question: Nomination Committee

A

Responsible for recommending applicants to join the board. Ultimately the decision of SHs, who decide who gets appointed. Appointments made on merit, based on Objective Criteria. All NEDs.

59
Q

Chapter: 9

Topic: Cybersecurity Preventive and Detective Controls

Question: Encryption + five main techniques.

Hint: DS / DE / Auth / DB / BC Tech

Note: Encrypted data = Cipher Text / Unencrypted Data = Plain Text

A

ENCRYPTION - 'scrambling' data to reduce risk of sensitive information being intercepted.

DIGITAL SIGNATURE - private key sent alongside transmission.

DIGITAL ENVELOPE - private key sent separately to transmission.

AUTHENTICATION - proves the sender is who they claim to be through sharing previously agreed algorithm [helps to unscramble the message].

DIAL BACK SECURITY - helps ensure the right person is being contacted securely through dialing into a network.

BLOCKCHAIN TECHNOLOGY - records virtually impossible to manipulate. Globally aligned data.

60
Q

Chapter: 5

Topic: Senior Roles to Support Board

Question: Risk Management Group vs Risk Manager

Hint: Both report to Risk Committee

A

RISK MANAGEMENT GROUP
- Builds an overall strategy [as prescribed by the board]
- Focus on Risk Reporting + Monitoring

RISK MANAGER [CRO] - 'combines technical, leadership and persuasive skills'.
- Active lead on risk + developing policy
- Leads ERM [establish + promote]
- Common RM policies agreed
- Risk Language formed
- Deals w. Insurance
- Risk Indicators
- Allocation of Resources

Both share findings with Risk or Audit Committee.

61
Q

Chapter: 5

Topic: Business Unit Performance and Appraisal

Question: Beyond Budgeting

Hint:

A

- Considers competitor actions
- Move away from purely financial goals
- Encourages team rewards + focus
- Rolling budgets to reflect dynamic / evolving markets
- Rewards linked to value adding activities

62
Q

Chapter: 8

Topic: Web Application Attacks

Question: x7 Methods of Cyber Attacks

Hint: H / Ph / Rw / DDoS or BOF / SQL / XSS / CJ

Note: Cyberattacks aim to access, change or destroy sensitive information.

A

HACKING - illegally gaining access w/o user knowledge.

PHISHING - theft of user details for personal gain [inc. bank cards / pw / login access].

RANSOMWARE - blocking access / interrupting usual business processes until fee is paid.

DISTRIBUTED DENIAL OF SERVICE / BUFFER OVERFLOW - flooding systems with external activity in order to make the system crash / vulnerable to attack [install malware].

SQL - coded software used to infiltrate a system through data entry.

CROSS SITE SCRIPTING - embed malware into innocent 3rd party site.

CRYPTOJACKING - obtaining cryptocurrency via 3rd party site.

63
Q

Chapter: 8

Topic: Cybersecurity Risks [dependent upon nature of business + firm's objectives]

Question: Macro, Specific and Policy impacts on CS Risks

Hint: Pestel / IT + Network / Governance

A

MACRO
P: new legislation, new standards
E: lack of CS investment costly
S: data sensitivity
T: exploited by both firms and criminals
E: need for disaster planning
L: law lags behind innovation

SPECIFIC - to IT systems and networks. Inc remote access risks / 3rd party risks / natural disaster risks.

POLICY - weak CS governance / lack of training + awareness of risks / poor design of controls...

64
Chapter: 4
Topic: Sub-Committees Directors
Question: Risk Committee

PURPOSE - monitor, supervise and oversee RM to determine how prepared the firm is to respond to possible threats [identification / RM].
RESPONSIBILITY
- Approve RM strategy + Review ICs
- Review principal and emerging risks
- Monitor overall exposure [compared against risk appetite] + weightings [for performance purposes]
- Assess effectiveness of RM systems
FEATURES
- Flexibility in appointment of NEDs or EXECs
- Broad risk focus, move away from mainly financial [Audit Committee]
- Ability to drive change / strategy
65
Chapter: 8
Topic: Hackers and Social Engineering
Question: Influences upon People
Hint: Rep / Comit / SP / Li / Au / Sc

RECIPROCATION - repay good deed
COMMITMENT - avoid 'hypocritical' suggestions
SOCIAL PROOF - mimicking behaviour in uncertain situations
LIKABILITY - behaving in a similar way to those you like
AUTHORITY - instructional
SCARCITY - sense of need / urgency
Ultimately can lead to people being Socially Engineered...
66
Chapter: 6
Topic: Information as a Form of Control
Question: System Implementation x4 methods
Hint: DC / PR / PO / PC

DIRECT CHANGEOVER - One clean swoop. High risk.
PARALLEL RUNNING - old + new together. Expensive.
PILOT OPERATION - systems implemented within certain functions. Req. targeted training, but does help to address weaknesses.
PHASED CHANGEOVER - releasing systems 'bit by bit' across entire organisation. Least risky option - however 'time to market' impacted.
67
Chapter: 6
Topic: Dysfunctional Behaviour
Question: Five forms of DyFct Behaviour [Berry, 1995]
Hint: TV / O / My / Mis / MF

TUNNEL VISION - focus too much on one measure, to the detriment of others. Think, BS.
OSSIFICATION - unwillingness to change measures once set. Impt to keep PMs under constant review.
MYOPIA - short term goals over long term value.
MISREPRESENTATION - intentionally skewing figures in one's self interest. Known as 'creative reporting'. Impt to limit Pressure, Rationalisation + Opportunity.
MEASURE FIXATION - focusing on achieving a measure which is considered ineffective, due to the behaviours required to achieve it.
68
Chapter: 6
Topic: Big Data
Question: The 10 V's of Big Data
Hint: ax4 / ex2 / i / ox2 / u

VALIDITY - cleansed
VALUE - potential
VARIABILITY - inconsistencies
*VARIETY - types
*VELOCITY - speed [especially collection of Ext Data]
VERACITY - trust [can all data held be trusted?]
VISUALISATION - graphical
VOLATILITY - useful life
*VOLUME - amount
VULNERABILITY - exploitation
* Significant differences between 'earlier approaches' to data collection / storage / analytics.
69
Chapter: 6
Topic: Information as a Form of Control
Question: System Development Life Cycle x5 stages.
Hint: FS / S Inv / SA / SD / S Imp.
Note: Focus on DEVELOPMENT, from Start to Finish. Think New eLic.

PURPOSE - ensures firms have systems 'fit for purpose' + make efficient use of resources.
FEASIBILITY STUDY - review current system vs alternative options
SYSTEM INVESTIGATION - understand user needs + problems faced
SYSTEM ANALYSIS - ask the whys, establish better alternatives / methods
STRATEGIC DESIGN - detailed spec / test / create + determine inputs + outputs + security + storage + design etc [form of Prototyping]
STRATEGIC IMPLEMENTATION - write or acquire proposed software / monitor / train / test / convert / commit!
70
Chapter: 7
Topic: Internal Audit Reports
Question: Individual Areas Internal Auditors present on [to Board / Relevant Committee]
Hint: BO / OS / Var / WI / C&E Wn / Rec

BUSINESS OBJECTIVES - purpose of the function being assessed.
OPERATIONAL STANDARDS - form of benchmarking.
ACTUAL VS EXPECTED - ToC / Substantive Testing / Walkthrough. Comparing test evidence with expected.
WEAKNESSES IDENTIFIED - within the area tested.
CAUSE AND EFFECT OF WEAKNESSES IDENTIFIED - why it happened and looking at impact.
RECOMMENDATIONS TO BOARD - best way to resolve / improve areas to ensure business objectives are aligned. Includes Timescales / Staff Responsible.
Overall focus of IA is on effectiveness of ICs / RM / Governance [IA should provide an objective view + independent assurance].
71
Chapter: 7
Topic: Types of Audit
Question: Six Main Audits Conducted
Hint: C&S / F / VfM / MGE / S&E / EA

COMPLIANCE / SYSTEMS
FRAUD
VALUE FOR MONEY
MANAGEMENT
SOCIAL & ENVIRONMENTAL
EXTERNAL AUDIT
72
Chapter: 7
Topic: How to Deliver an Internal Audit
Question: Difference between Inherent / Residual / Control / Detection Risk + Sampling & Non-Sampling
Hint: All types of risks considered by Internal Auditor

INHERENT - risk faced due to the nature of operation. Considered 'uncontrollable'.
RESIDUAL - risk left once control has been put in place. Should align with a firm's Risk Appetite.
CONTROL - risk of internal control failing / being absent / inadequate.
DETECTION - internal auditor's failure to spot material misstatements. Function of Sampling Risk.
SAMPLING - risk of not testing whole population.
NON-SAMPLING - risk that assumption about whole population is incorrect based on sample
73
Chapter: 5
Topic: Project Control
Question: Stages of Project Control x3
Hint: D A C

DEVELOPMENT - collection of ideas
ANALYSIS - Suitability [core values / strategy alignment?] / Feasibility [can we do it?] / Acceptability [StkH reaction?]
CONTROL - Post Implementation Review [What did we learn?] / Post Completion Audit [outcomes achieved?]
74
Chapter: 5
Topic: Performance Measures
Question: Performance Measures in Service Firms
Hint: FIRE FC

FLEXIBILITY - ability to adapt to different client needs.
INNOVATION - being able to deliver on time + create value for firms in new ways.
RESOURCE UTILISATION - links to efficiency of operations. Streamlining services to maximise margins.
EXCELLENCE - performing a service which retains and attracts.
FINANCIAL - meeting financial goals set by the board / shareholders / stakeholders.
COMPETITIVENESS - maintaining market position and pursuing growth through benchmarking against rival performers.
75
Chapter: 9
Topic: Centralised Monitoring of CS Control
Question: Major specialist teams involved in Monitoring of CS Threats
Hint: ITT / TIT / HT / IRT use SIEM.

INSIDER THREAT TEAMS [internal] - aim to intercept threats.
THREAT INTELLIGENCE TEAMS [external] - aim to intercept threats.
HUNT TEAMS - seek out unidentified breaches.
INCIDENT RESPONSE TEAMS - deal w. immediate aftermath.
Use techniques such as SIEM [Security Information & Event Management] to monitor data + detect patterns.
76
Chapter: 10
Topic: Cyber Security Risk Reporting Frameworks
Question: How to Control, Direct and Communicate CS RM Activities.
Hint: L / S / OBJ / FB
Note: Risk Reporting is a key output of a 'Coherent Corporate CS Risk Governance Structure'.

LEADERSHIP ROLES DEFINED
SIZE, REGULATION AND FUNCTION CONSIDERED
CS OBJECTIVES LINKED W. FIRM OBJECTIVES
SYSTEM OF FEEDBACK
77
Chapter: 8
Topic: Hackers + Social Engineering
Question: Opportunities and Threats of Hackers
Hint: Ethical + Grey Hat Hackers vs Unethical + Social Engineers.

OPPORTUNITIES
- Uncover weaknesses
- Simulate CS attacks [helps to train staff]
- Test response teams + actions of internal staff
- Peer review / benchmarking
THREATS
- Loss of key data
- Expensive to recover + opportunity costs [operational downtime]
- Reputational damage + increased vulnerability
- Compliance issues [failure to alert authorities]
78
Chapter: 6
Topic: Internal Control Systems
Question: Treasury Function x5
Hint: LL DEC

Liaise with Bank
Liquidity Management
Borrowing Activities [debt]
Funding Arrangements [equity]
Currency Management
Helps to mitigate risks of a firm being unable to source capital.
79
Chapter: 7
Topic: Types of Audit
Question: Conditions Fraud Likely to Occur
Hint: P O R

PRESSURE - external / internal factors
OPPORTUNITY - poor controls / position of power
RATIONALISATION - staff motivation / grudge against company
Used to help with Prevention / Detection.
80
Chapter: 1
Topic: Risk Management Institutes
Question: Six Types of Risk [Financial Reporting Council]
Hint: F O R E B O

FINANCIAL - LT impact on CFs
OPERATIONAL [Process Risk] - failure of ICs
REPUTATIONAL - impact an adverse consequence of an event has on a firm
EXTERNAL / THIRD PARTY - outsourcing / regulators
BEHAVIOURAL - staff motivation / productivity
ORGANISATIONAL - PESTEL
81
Chapter: 1
Topic: Types of Risk
Question: Risks faced by International Business x7
Hint: T T C P E M C

TRANSLATION - assets and liabilities converted into domestic reporting currency. M: matching.
TRANSACTION - agreed at one rate, settled at another [FX Gain/Loss]. M: hedging.
CULTURAL - exposure to the 'new norms' [customs, tastes, language, laws]. M: Market Research.
POLITICAL - tariffs / local protection of industry. M: relationship building / supporting.
ECONOMIC - interest rates, inflation, tax rates [CFs impacted in LT]. M: diversifying supplier / customer base.
MARKET - risk from changes in the value / availability of resources. M: Scenario planning.
CREDIT - default, liquidity, trading damages. M: Insurance / Cash Flow Forecasts / Factoring / Screening.
82
Chapter: 10
Topic: Cybersecurity Tools and Techniques
Question: Purpose of Forensic Analysis
Hint: The Three C's
Note: Forensic Analysis is a specialist function, and requires an expert to carry out.

Determine the occurrence of a breach [known or suspected]; if it occurred:
CONSEQUENCE - impact / scope / severity of the CS attack
CAUSE - how did it happen: weakness in system or failure of staff members?
CULPRIT - who did it?
Important to preserve evidence in case legal action is taken.
83
Chapter: 2
Topic: The Control Environment [COSO Integrated Framework, Internal Controls]
Question: Aspects within The Control Environment
Hint: Intangible Aspects

RULES AND PROCEDURES - inc Structure + Methods of imposing control
CORE + ETHICAL VALUES
PERFORMANCE SCHEMES
ATTITUDES AND BEHAVIOURS
OPERATING STYLE OF MANAGERS
HOW FIRM ATTRACTS + RETAINS STAFF
TCE influences / drives Internal Control procedures.
84
Chapter: 2
Topic: Assurance Mapping
Question: Three Lines of Defence
Hint: OA / MA / IA
Note: Connected elements help achieve firm objectives.

OPERATIONAL ASSURANCE - owns the risk and controls necessary to manage risk. Business Unit Level.
MANAGEMENT ASSURANCE - management monitoring / reviewing of internal controls, RM and performance. Variances investigated? Is the work being done correctly / as intended? Are the controls functioning as they should? [oversight function]
INTERNAL AUDIT - independent assurance that RM, IC and Gov. are operating effectively / in line with a firm's objectives.
First two lines under control of Senior Management. 4th line inc. External Auditors.
85
Chapter: 2
Topic: Risk Tolerance, Appetite and Capacity
Question: Four Risk Scopes
Hint: Relates to a firm's acceptance of risk

RISK APPETITE - desired level
RISK TOLERANCE - boundaries
RISK CAPACITY - ability to absorb losses / take on risk if necessary
RISK UNIVERSE - all possible risks a firm is exposed to
86
Chapter: 2
Topic: Risk Tolerance, Appetite and Capacity
Question: Two attitudes to Risk
Hint: RS vs RA

RISK SEEKING - focus on Return Level. Actively pursuing higher levels of risk, in the hope of greater returns. Volatility in returns viewed as an opportunity.
RISK AVERSE - focus on Risk Level. Acceptance of lower risk to guarantee returns. Unwillingness to take on projects that exceed a certain level. Higher risk projects only taken on if sufficient levels of return offered / justified.
87
Chapter: 2
Topic: Risk and Event Identification
Question: Difference between Familiar and Unfamiliar Risk

FAMILIAR RISK - known to a firm / identified in their assessment of risk. Likely to have occurred historically.
UNFAMILIAR RISK - outside of a firm's usual radar. Viewed as exceptional + atypical, hence more difficult to manage. Risk Manager tasked with assessing likely impact / occurrence.
88
Chapter: 2
Topic: Risk Tolerance, Appetite and Capacity
Question: Techniques used in Identifying Conditions which can lead to Risk x7
Hint: BIC PRIC

BRAINSTORMING
INDUSTRY TRENDS
COMPETITOR ACTIONS / BENCHMARKING
PESTEL / SWOT
REGULATIONS
INTERNAL AUDITS
CHECKLIST OF COMMON RISK AREAS
89
Chapter: 1
Topic: Risk Management Process
Question: Stages of the Risk Management Process x5
Hint: CP / Iden / Ass / Devl / Imp

ASSESS CURRENT POSITION
IDENTIFY PRINCIPAL RISKS
ASSESS SIGNIFICANCE + PRIORITISE RISKS [Impact vs Likelihood]
DEVELOP WAYS TO MANAGE [TARA]
IMPLEMENT CONTROLS BY ALLOCATING RESOURCES
Important to have a Feedback loop in place
90
Chapter: 1
Topic: Understanding and Assessing Scale of Risk
Question: Risk Mapping Fundamentals
Hint: TARA
Note: Risk Mapping is a qualitative method. Not used to measure risk, instead used to manage risk.

PURPOSE - plot risk to decide best way to manage.
HOW - assesses Impact vs Likelihood.
OPTIONS inc:
Accept - keep under review. Conscious decision. D/n mean ignoring risk.
Reduce - most common. ALARP.
Transfer - insurance. Contingency. Includes Risk Sharing.
Avoid - immediate action required. Inherent risk cannot be avoided [aim to reduce].
91
Chapter: 4
Topic: Corporate Governance and Agency Theory
Question: Rules Based Approach
Hint: US SOX.

STRICT LIMITS ON NON-AUDIT WORK
DETAILED AND RIGID CODE [SET OUT IN LAW]
NON-COMPLIANCE NOT JUSTIFIABLE
MANAGEMENT TO ASSESS INTERNAL CONTROLS + FINANCIAL REPORTING [EXTERNAL AUDITOR VERIFIES]
CEOs & CFOs VERIFY ACCOUNTS
92
Chapter: 4
Topic: Corporate Governance and Agency Theory
Question: Principles Based Approach
Hint: UK Corporate Governance Code

COMPLY OR EXPLAIN PRINCIPLE
SHAREHOLDERS TO DECIDE ON DEVIATIONS
BEST PRACTICE FOCUS ON BALANCE OF NEDs
FLEXIBILITY ACROSS JURISDICTIONS
LACK OF CONSISTENCY + INCORRECTLY VIEWED AS 'VOLUNTARY' CAN LEAD TO ISSUES.
93
Chapter: 6
Topic: Control Weakness and Compliance Failures
Question: Internal Controls Limitations
Hint: HuE / LFo / TooR / Co / MgmtO / Ch / OCs

HUMAN ERROR / FRAUD - intentionally / unintentionally ignoring controls in place
LACK / WRONG FOCUS - controls over immaterial areas. Costs > Benefits. Or Non-Routine events outside of controls' scope.
TOO RIGID / STIFLE INNOVATION - reduce a firm's agility
COST TO IMPLEMENT - vs benefits. Requires human and financial resources.
MANAGEMENT OVERRIDE - not following set procedures
CHANGE - system no longer 'fit for purpose'
OPPORTUNITY COSTS - testing, training, supervision and maintenance.
94
Chapter: 6
Topic: COSO Internal Control
Question: Types of Internal Control x5
Hint: (N)FIN / PDCD / IPO / OS / SLA

FINANCIAL / NON FINANCIAL
Financial ICs - budgets, standard costing, investment appraisal.
Non Financial ICs - KPIs, performance appraisal, codes of conduct.
PREVENT, DETECT, CORRECT, DIRECT
Preventive ICs - stop risks from occurring in the first place. TQM. Invoices checked against goods received.
Detective ICs - identify risks once they have occurred. Bank Recs.
Corrective ICs - reduce impact of errors back to acceptable level. Back-ups.
Directive ICs - guide behaviour towards desired outcome. Credit control chasing invoices / Customer service training.
INPUT, PROCESS, OUTPUT
Input ICs - what goes in. Sourcing materials at best price.
Process ICs - focus on optimisation, efficiencies, performance, waste.
Output ICs - meeting expectations in terms of quality, speed, service and accuracy.
OUTSOURCING
Adhoc - ST skill gaps covered.
Project - new IS system needs.
Partial - multiple services outsourced [payroll, finance, storage]
Total - entire service outsourced [licensing].
SERVICE LEVEL AGREEMENTS - minimum standards laid out. Focus on timescale, change process, exit routes.
95
Chapter: 10
Topic: Cybersecurity Tools and Techniques
Question: Combating Malware Threats
Hint: Understanding the code behind the Malware
Note: Solutions only created once code understood

REVERSE ENGINEERING:
DECOMPILATION - turns binary code into source code. Easy to understand
DISASSEMBLY - turns binary code into assembly code. Difficult to understand
96
Chapter: 1
Topic: Assessing Scale of Risk
Question: Quantitative Techniques to Assess Risk
Hint: R / EV / S / SA / CE

REGRESSION - impact of one variable on another. Assessing volatility of future CFs based on impact of risk factors.
EXPECTED VALUE - Probability x Impact
SIMULATION - focus on mean and standard deviation.
SENSITIVITY ANALYSIS - impact change in one variable has on NPV.
CERTAINTY EQUIVALENT - quantified amount a firm is willing to accept now, whilst giving up their future returns.
97
Chapter: 1
Topic: Understanding / Assessing Scale of Risk
Question: Key Accounting Ratios
Hint: CR / G / DvE / IntC

CURRENT RATIO / ACID TEST - liquidity.
GEARING [Int.D / Equity + Int.D] - sustainable structure?
DEBT VS EQUITY - Stakeholder reaction / impact on dividends
INTEREST COVER [PBIT / Int Charges] or CASH FLOW [NCF / D] - Short term obligations
98
Chapter: 1
Topic: Understanding / Assessing Scale of Risk
Question: Signs of Danger in Accounting Ratios
Hint: Rev / Cost / Receiv / Payables

CHANGES IN REVENUE:
+ve - able to keep up with demand? Infrastructure able to support growth?
-ve - LT decrease in value indicator? Investor confidence impacted? Temporary issue / or sign of future problems?
CHANGES IN COSTS:
+ve - poor controls, financial performance impacted?
-ve - ability to create value impacted? Aligned with strategy?
INCREASED RECEIVABLES - cash flow issues / poor controls on customers?
INCREASED SHORT TERM PAYABLES - reliance / working capital issues?
99
Chapter: 3
Topic: Forecasting / Projections
Question: Statistical Projections vs Judgemental Forecasts Assumptions

STATISTICAL PROJECTIONS [expected future trends] - based on historic data [has its limitations]. Quantitative research to drive decision making. Bias may be built into modelling + uncertainty often underestimated. Cannot account for special events.
JUDGEMENTAL FORECASTS [prediction of future events] - use of industry knowledge and acumen to drive decisions. Move away from scientific focus to future events. Harder to justify incorrect predictions + discussions may be dominated by one person's view / hunch.
100
Chapter: 3
Topic: Forecasting / Projections
Question: Statistical Projections vs Judgemental Forecasts Methods

STATISTICAL PROJECTIONS
Trend Analysis - past data to predict future
Time Series Analysis - establish seasonal trends
Regression Analysis - correlation between x and y
Econometrics - interrelationships
JUDGEMENTAL FORECASTS
Think Tanks - unstructured, experts meeting
Delphi Method - anonymous, consensus reached
Brainstorming - all levels, opinions and ideas in unstructured setting
Jury Forecasts - panel of experts, structured
Derived Demand - predicting future movements in demand for goods
101
Chapter: 3
Topic: Foresight and Game Theory
Question: Game Theory in Strategy Setting
Hint: WW / WL / LL

ASSUMPTIONS - firms to seek Win-Win outcomes. Firms better off working together, to reduce risk of Lose-Lose.
USE - Competitor reaction to strategy to be considered.
DRAWBACK - collusion is illegal in UK / generally lack of transparency of how competitors will react.
AIM - to maximise chance of W/W scenario.
102
Chapter: 3
Topic: Scenario Planning
Question: Conditions in which Scenario Planning is useful
Hint: Impact on Future Events

Scenario planning has value in any situation in which there is SIGNIFICANT UNCERTAINTY about aspects of the future that could MATERIALLY change an organisation's STRATEGY, PLANS or DECISIONS. Known as DISRUPTIONS: 'interruption in the usual way a system, process or event works'.
Focus on LEARNING / Form of FORESIGHT.
+ve's: Challenge assumptions / Proactive strategy
-ve's: Future shaped by only actions imagined NOW.
103
Chapter: 8
Topic: Cybersecurity Objectives
Question: Purpose + Four Main Objectives of Cybersecurity
Hint: CIIA Triad

PURPOSE - to protect systems, networks and programs from digital attacks.
CONFIDENTIALITY - 'keeping out' through encryption / access codes / legal requirements
INTEGRITY OF DATA - records of data kept securely, accurately, not lost or corrupted
INTEGRITY OF PROCESSING - data is not used in a malicious way, or a way that the user of data did not intend
AVAILABILITY - 'opening up' to the right personnel / those with legitimate business purpose
104
Chapter: 9
Topic: Centralised Management of Cybersecurity Policy
Question: Policy / Procedure to control Personnel Risk
Hint: Rvw CU / Recr / JoRo / EnVa / SupV / TerPro
Note: Personnel Risk = risk that a person in a position of trust will breach CS of a firm.

REVIEW OF COMPUTER USAGE
RECRUITMENT
JOB ROTATION
ENFORCED VACATIONS
SUPERVISION
TERMINATION PROCEDURES
105
Chapter: 9
Topic: Centralised Management of Cybersecurity Controls
Question: Business Continuity Arrangements [in the event of a disaster]
Hint: HS / WS / CS / MR

HOT SITE - functional, 'ready to go' back up site. Both hardware and software.
WARM SITE - similar to HS, but additional time before functional.
COLD SITE - location only. No software or hardware installed.
MIRROR SITE - software only. Used in event of information overflow or response to disaster.
106
Chapter: 8
Topic: Information Systems and Cybersecurity.
Question: Information System Risks

PRIVACY BREACHES / UNAUTHORISED ACCESS
LOSS OF DATA
VIRUS / HACKING
DOWNTIME / HIGH MAINTENANCE COSTS
THIRD PARTY RISK
INTERNAL PARTY RISKS
107
Chapter: 8
Topic: Nature and Impact of Cybersecurity Risks
Question: Types of Sensitive Information
Hint: Think, ACCESSIBILITY

EMPLOYEE / CUSTOMER / SUPPLIER PERSONAL DATA
FINANCIAL RECORDS [which are not widely available]
DATA STORED WITHIN A FIRM'S INFRASTRUCTURE [inc. Medical Data]
INTELLECTUAL PROPERTY
ALL COMMERCIALLY VALUABLE DATA.
108
Chapter: 8
Topic: Web Application Attacks + Defenses
Question: Best Web Application Attack / Malware Defences x6
Hint: AVP / EmT / SpF / FW / DTech / BYOD / BU's
Note: Contingency plan helps combat / contain a virus, however does not defend against it in the first place.

ANTI VIRUS PROTECTION - regularly updated
EMPLOYEE TRAINING - defined protocols
EMAIL / SPAM FILTERS - either manual or auto
FIREWALLS - contain impact thru segmentation
ADAPTIVE / INNOVATIVE DETECTIVE TECHNOLOGY inc Gatekeeping Controls ['I am not a robot']
BYOD - minimum standards of software security
BACK-UP COPIES
109
Chapter: 3
Topic: Understanding Current Position
Question: Related and Unrelated Diversification
Hint: Ansoff's Growth Vector Matrix

RELATED - outside of usual course of business however within a firm's capabilities. Inc Vertical [supplier vs customer] and Horizontal [mergers] integration.
UNRELATED - outside of usual course of business + capabilities.
110
Chapter: 3
Topic: Types of Data
Question: Usefulness and Risks of using Data when Formulating Strategy

USES - anticipate change / design appropriate strategies / support decisions to drive growth
RISKS - shared when it needs to be / timescales of usefulness / historical data does not necessarily help to predict the future
111
Chapter: 6
Topic: Internal Controls
Question: Benefits of Internal Controls

DEGREE OF BUSINESS ASSURANCE
EFFICIENCY AND EFFECTIVENESS OF OPERATIONS
VALIDATION BY EXTERNAL AUDITORS
INCREASES STAKEHOLDER CONFIDENCE
HELPS TO REDUCE THE COST OF FAILURE
112
Chapter: 3
Topic: Formulating Strategy
Question: Link between Strategy, Corporate Objectives and Risk

STRATEGY - mission and values determine the amount of risk a firm is willing to accept. Strategy is formulated to achieve the mission.
CORPORATE OBJECTIVES - in order to achieve objectives, risk has to be taken.
RISK - inherent within operations. Important that a firm understands the likely risk when setting strategy. Allocation of resources to match risk appetite.
113
Chapter: 6
Topic: Dysfunctional Behaviour
Question: Common Issue with Governance / Pay Structures
Hint: PRP

PERFORMANCE RELATED PAY - leading to excessive risk taking / focus on short term deliverables.
MITIGATED THRU - creation of long-term interest:
- Share Options
- Performance assessed over multiple years
114
Chapter: 3
Topic: Understanding Current Position
Question: Risk associated with Product Life Cycle / Industry Life Cycle

RISKS
- Misassessment [Intro, Growth, Shakeout, Mature, Decline] impacts marketing / commercial decisions
- Product stages vary upon industry / product behaviours
MITIGATE
- Balanced, well diversified portfolio
- Understanding stage of industry improves strategic decision making. E.g. decision to divest.
115
Chapter: 3
Topic: Understanding Current Position
Question: Risks associated with Stakeholders
Hint: Mendelow's Matrix

NOT PRIORITISING KEY PLAYERS - must be satisfied as a minimum
CONFLICTING DEMANDS - even once interest vs power determined.
IGNORING INTEREST - assessment helps to understand those Stakeholders likely to inhibit success
116
Chapter: 3
Topic: Understanding Current Position
Question: Risks associated with 'Generic Strategies'
Hint: Porter's Generic Strategies [Cost Leadership vs Differentiation vs Stuck in the Middle vs Focus]

BEING STUCK IN THE MIDDLE
TRYING TO ADOPT BOTH - lower costs may impact premium nature
LOW COSTS DN EQUAL LOW PRICES
DIFFERENT DN EQUAL VALUE
FOCUS SACRIFICES EoS + SEGMENTS LESS DISTINCT
117
Chapter: 3
Topic: Understanding Current Position
Question: Risks associated with Growth Options
Hint: Market Pen / Product + Market Development / Diversification

MARKET PENETRATION - least risky, minimum capital investment required
MARKET DEVELOPMENT - low to medium risk, same product new market.
PRODUCT DEVELOPMENT - medium risk, requires capital investment to develop new products.
DIVERSIFICATION - high risk and uncertainty attached. High investment likely in order to achieve return.
118
Chapter: 3
Topic: Understanding Current Position
Question: Risks associated with Products / Markets in respect to their Market Share vs Market Growth
Hint: Boston Consulting Matrix

MARKETS DIFFICULT TO DEFINE
HIGH MARKET SHARE REQUIRES SIGNIFICANT INVESTMENT [WC] + DN SUPPORT NICHE STRATEGY
NOT SUPPORTING QUESTION MARKS OR STARS THROUGH CASH COWS - linked to balanced portfolio
FAILURE (NOT) TO DIVEST DOGS - ignoring market trends
119
Chapter: 8
Topic: Malware Threats and Defense
Question: Five Types of Malware [Malicious Software]
Hint: V / W / Tj / B / Ma

PURPOSE - attempts to gain unauthorised access in order to damage software or steal sensitive data
VIRUS - attaches to program, spreads upon usage
WORM - does not attach, spreads without user knowledge. Standalone, without need for user to launch.
TROJAN - sits within network [does not spread], deploying various functions [pop-up ads / malware links / allows external access]
BOT...
Web Crawlers: gather information in the background
Botnet: allow external users to access network
Keyloggers: touch pad sensors to gain password access
MALVERTISING - online ads which contain hidden malware
120
Chapter: 9
Topic: Cybersecurity Governance and Policy
Question: Third Party Relationship Controls

CONTROLS:
Due Diligence
SLA [confirming the processes to be used]
Review of ISO 27001 Accreditation [a way to assess the CS controls in place within the 3rd party]
Setting KPIs / Performance Measures
Screening
121
Chapter: 4
Topic: Board Membership, Roles and Structure
Question: Five Characteristics of an Effective Board
Hint: Bal / InKn / FoSchTk / CMT / Fair Rem&Ap

BALANCE [NEDs / EXECs] + SIZE + DIVERSITY
INDUSTRY EXPERIENCE, KNOWLEDGE, SKILLS AND DEVELOPMENT [CPD]
FORMAL SCHEDULE OF TASKS
COMMITMENT inc regular meet-ups, sufficient time allocation to fulfil responsibilities. Link to Accountability.
FAIR REMUNERATION / APPRAISAL based on objective factors:
- Independence & Innovation
- Industry Familiarity
- Active Participation
- Enthusiasm
- Business and Personal Development
122
Chapter: 4
Topic: Board Membership, Roles and Structure
Question: Responsibility of Chair & CEO
Hint: Board vs Company.

CHAIR - responsible for managing the board of directors. Ensures company is functioning in the best interests of the SHs.
CEO - responsible for managing the company. Helps to implement the strategy set by the board.
123
Chapter: 4
Topic: Board Membership, Roles and Structure
Question: Roles of Chair & CEO

CHAIR
- Leadership to board
- Encourage participation / communication across board
- Transparency with shareholders
- Resolve conflicts between NEDs and EXECs
- Induct new directors
- Appraise CEO and Board members
- Accurate, timely information shared with Board
CEO
- Leadership to company
- Effective implementation of Board decisions / vision
- Firm performance accurately reported to Board
- New investment initiatives
- Communication with stakeholders
- Involvement with induction
- Involvement with appraisal
124
Chapter: 4
Topic: Board Membership, Roles and Structure
Question: Purpose of splitting the role of Chair & CEO
Hint: Accountability

AVOIDS CONFLICT OF INTEREST - relationship to remain professional
REDUCES BURDEN
IMPROVES ACCOUNTABILITY - implementation or vision?
ENHANCED SCRUTINY OVER DECISION MAKING
125
Chapter: 9
Topic: Cybersecurity Preventive and Detective Controls
Question: Patch Management
Hint: Focus on Time.

PATCH MANAGEMENT - quick fix software update to address vulnerabilities spotted within system. Either Corrective [in response to breach] or Preventive [in anticipation of potential breach]. Key focus is TIME.
126
Chapter: 9
Topic: Cybersecurity Governance and Policy
Question: Methods to Communicate Cybersecurity Policies
Hint: Internal vs External Responsibility
Note: Cybersecurity Policy - encompasses objectives, expectations, responsibilities via a formal policy statement.

INTERNAL:
- TRAINING, to ensure staff understand importance of compliance.
- CORPORATE COMMUNICATION, via intranet and emails.
EXTERNAL: to meet regulatory and stakeholder needs
- REPORTING
- CONTRACTS
- STATEMENTS
127
Chapter: 5
Topic: Integrity and Ethical Values
Question: Fundamental Principles
Hint: PIPCO

PROFESSIONAL BEHAVIOUR - engaging in a way that does not discredit the profession
INTEGRITY - truthful, honest actions + not engaging in activities known to be corrupt / false
PROFESSIONAL DUE CARE - keeping up to date on developments and knowledge
CONFIDENTIALITY - not sharing information unless for a justifiable business purpose
OBJECTIVITY - removing bias, conflict of interest or undue influence.
128
Chapter: 3
Topic: Stress Testing
Question: Load Testing vs Stress Testing

LOAD TESTING - testing a system at expected capacity
STRESS TESTING - testing the breaking point of a system
Value at Risk = the maximum expected losses based on current activity / normal probability distributions.
129
Chapter: 1
Topic: Nature of Risk
Question: Four main types of Risk
Hint: F / S / Pu / Par

FUNDAMENTAL RISK - macro level, cannot influence at an individual level
SPECULATIVE RISK - return either positive or negative outcomes
PURE RISK - only negative outcomes [no upside]
PARTICULAR RISK - individual has control over. E.g. Decision to stop smoking reduces chance of lung cancer
130
Chapter: 1
Topic: Categories of Risk
Question: Strategic Risk vs Operational Risk

STRATEGIC RISK - possible outcomes [due to internal decisions vs external factors] which have material impact on future strategies. Assessed in terms of source, scale and duration. Impact should be felt long term [volatility of long-term performance]
OPERATIONAL RISK - day to day business risks. Includes risk of IC failure, key staff resigning, industry disputes, IS and RM problems.
131
Chapter: 9
Topic: Cybersecurity Preventive and Detective Controls
Question: CS Email Policy x3
Hint: ConExt / SeSt / AttF

CONFIDENTIAL INFO NOT SHARED WITH EXTERNAL SOURCES [unless commercially justifiable - impt to encrypt]
SENSITIVE EMAILS STORED SECURELY [in case of legal purposes]
ATTACHMENTS CHECKED FOR VIRUSES [and reported if suspicious]
132
Chapter: 2
Topic: External Risk Reporting
Question: Limitations of Risk Disclosures
Hint: Think changes in external environment - is the information relevant?

COMMERCIALLY VALUABLE INFORMATION SHARED WITH COMPETITORS
MISINTERPRETATION BY RECEIVER
DYNAMIC ENVIRONMENT MAY LEAD TO DISCLOSURES BEING OUTDATED
133
Chapter: 8 Topic: Hackers and Social Engineering Question: Five Types of Hackers? Hint: E BUGS
ETHICAL - work for owners, look for gaps. Spot weaknesses + improve.
BUG-BOUNTY - reward hackers for breaking system
UNETHICAL - exploitation, malicious purposes
GREY HAT - fix for fee / post online
SOCIAL ENGINEERS - exploit trust to gain access either physically or virtually. Inc. 'Dumpster Diving'
134
Chapter: 5 Topic: Performance Controls / Review Question: Focus for Non-Commercial Firms [N4P] Hint: Three E's
ECONOMY - sourcing resources at best price.
EFFICIENCY - processes streamlined, minimum waste.
EFFECTIVENESS - in achieving the firm's objectives in terms of Speed / Quality / Delivery / Service etc.
135
Chapter: 5 Topic: Integrity and Ethical Values Question: Threats to Fundamental Principles Hint: Sr / In / Fam / Ad / Si
SELF REVIEW - difficult to spot own errors.
INTIMIDATION - actual / perceived threat.
FAMILIARITY - too close to party.
ADVOCACY - objectivity compromised.
SELF INTEREST - financial or other gain impacting judgment.
136
Chapter: 6 Topic: Dysfunctional Behaviour Question: Three Management Styles that may cause Dysfunctional Behaviour Hint: BC / PC / NA
BUDGET CONSTRAINED - most likely cause of DFB. Short term focus - High tension - High manipulation - Impacted staff relations.
PROFIT CONSCIOUS - medium risk of DFB. Assessment against hitting profit targets / financial goals. Medium tension - Little manipulation - Good staff relations.
NON ACCOUNTING - low risk of DFB. Move away from financial factors. DFB occurs through ignoring the financial goals [which ultimately is the best way to measure a firm's performance]. Medium tension - Little manipulation - Good relations.
137
Chapter: 2 Topic: Risk and Return Question: Why is Risk always present?
EXTERNAL FACTORS EVER-CHANGING [PESTEL]
DECISION MAKING AT AN INDIVIDUAL LEVEL
CONTROL FAILURES [inc. bypassing]
UNEXPECTED HAZARDS ['Unknown unknowns']
138
Chapter: 2 Topic: Risk and Return Question: Why do firms embrace Risk? Hint: Higher Risk should equate to Higher Returns Note: Taking on risk is not the issue; not managing risk effectively is where the problem lies.
GREATER DEMAND FROM SHAREHOLDERS
GREATER DEMAND FROM CUSTOMERS
KEEPING UP WITH COMPETITION
INNOVATION NEEDS
139
Chapter: 2 Topic: External Risk Reporting / Corporate Governance Question: Global Regulators x2 Hint: G20/OECD vs ICGN Note: Risk Reporting to Primary Stakeholders [does not include Employees]
OECD - advises Governments on best practice for Corporate Governance for companies. Focus on 'Disclosure & Transparency'.
ICGN - practical guidance for Board of Directors, to meet expectations of shareholders. Focus on Disclosure of Risk Management / Risk Responsibility / Sound governance policies [independence / culture / oversight / fair remuneration / SH rights].
140
Chapter: 2 Topic: Risk Approach Question: NEDs vs EXECs Hint:
NEDs - provide independent perspective / balanced viewpoint inc. scrutiny over Execs. Removes risk associated with PRP.
EXECs - provide skills, knowledge and experience when setting Risk Management approaches + Strategy.
141
Chapter: 6 Topic: Data Protection Risks Question: Compliant measures with Data Protection Hint: IA RERP OP
THE RIGHT:
- to be Informed [on how your data will be used]
- to Access
- to Rectify
- to be Erased
- to Restrict
- to be Portable
- to Object
- to have a Person decide [on how your data will be used]
FIRMS SHOULD:
- Supply copies of data if requested
- Obtain consent from user to hold sensitive data [including consideration of data already held]
- Not pass on data to unauthorised parties
- Hold themselves accountable
142
Chapter: 6 Topic: Data Protection Risks Question: Consequences of Non-Compliance with Data Protection Hint: CCC
COMPENSATION TO DATA USER FOR DAMAGES / LOSS
INACCURATE DATA TO BE CORRECTED OR WIPED
SUPPLY USER WITH COPIES OF DATA HELD
143
Chapter: 5 Topic: Cost of Quality Question: Types of 'Costs' regarding Quality Hint: CC vs N-CC
CONFORMANCE COSTS - incurred to avoid sub-par output. Inc. Appraisal [checking goods before they go out] and Prevention [stopping errors in the first place!].
NON-CONFORMANCE COSTS - incurred in order to rectify errors in quality [product recall] / internal failures [wastage].
144
Chapter: 7 Topic: Types of Audit Question: Key Features of External Audit Hint: 'True and fair reflection...' Note: External Audit = Financial Audit
Examination of financial records
Report on the truth and fairness of financial statements
Responsible to shareholders
Use of rigorous testing to collect evidence to support their findings
Deputy to the laws, regulations, auditing + accounting standards
145
Chapter: 7 Topic: Types of Audit Question: Social and Environmental Audit Hint: CSR - responsibilities extending beyond the scope of commercial relations.
SOCIAL AUDIT - sustainable use of HR, Health and Safety, labour conditions and equal opportunities.
ENVIRONMENTAL AUDIT - safeguarding environment.
146
Chapter: 7 Topic: Types of Audit Question: Management Audit Hint: Broad Focus
Independent appraisal of effectiveness of managers / corporate structure in achieving entity's objectives. Focus across both financial and non-financial objectives. Looks for ways to rectify. Important to understand the objectives of the business before 'Carrying out Investigation -> Gathering Evidence -> Report the Result'.
147
Chapter: 1 Topic: Risk Factors Question: Event Categories [that impact implementation of strategy] Hint: EE / IE / LEI / ET
EXTERNAL EVENTS - opps vs threats [economic changes / political developments / tech]
INTERNAL EVENTS - strengths vs weaknesses [equipment failure / human error / product defects]
LEADING EVENT INDICATORS - give rise to another event
ESCALATION TRIGGERS - require immediate action
148
Chapter: 4 Topic: Sub Committee Directors Question: Remuneration Committee Hint: Purpose / Structure / Focus / Aim / Considerations
PURPOSE - determine general policy on remuneration of Execs, Chair, CEO and Senior Management.
STRUCTURE - NEDs [independently agreed, transparently disclosed]
FOCUS - clarity, simplicity, proportional [to performance], alignment with culture [best practice], market factors.
AIM - attract, retain sufficient calibre. Motivate in line with SHs' best interests.
CONSIDERATIONS [both] - Fixed & Variable, Immediate & Deferred, Long Term & Short Term, Cash & Non-Cash.
149
Chapter: 6 Topic: Information as a form of Control Question: Three levels of Information Needs Hint: Information up [narrows] vs. Objectives down [widen]
STRATEGIC MANAGEMENT / PLANNING
- Trends / PESTEL
- Market Characteristics
- Technology Developments
- Customer / Competitor Info
TACTICAL MANAGEMENT / MANAGEMENT CONTROL [acts as the link / facilitator]
- Strategic decisions [helps them to implement]
- Operational reports [filtered through to senior management]
- Financial and performance targets
- Cost information
OPERATIONAL CONTROL [Detail & Data]
- Orders
- Staff Feedback
- Customer Feedback
- Bottlenecks
- Volume and availability of resources
150
Chapter: 3 Topic: Digital Technology Question: Four Types of Digital Characters / Groupings Hint: DN / DI / DV / DR Note: Risk involves natives ignoring 'tactful business acumen' [Scientific approach only] vs Immigrants retaining 'accent' / stifle innovation or tech solutions.
DIGITAL NATIVES - millennials
DIGITAL IMMIGRANTS - adopted
DIGITAL VISITORS - purpose only
DIGITAL RESIDENTS - leave clear trace
151
Chapter: 3 Topic: Evaluating Strategic Options Question: Management Accounting x Appropriate Strategy Hint: PS
PROFESSIONAL SCEPTICISM - addressing the limitations of lack of information + the subjectivity within assumptions + why information is necessary to drive DM. Helps to assess Feasibility & Acceptability of a project / strategy.
152
Chapter: 3 Topic: Evaluating Strategic Options Question: Evaluation of Strategy Hint: S A F Note: Resources = capacity to deliver; Capabilities = people and skills
SUITABILITY - does it fit with a firm's direction / core values / help to fulfil objectives? Address key opps or threats?
ACCEPTABILITY - how will the 'key players' / shareholders react to the decision? Consideration of Risk Appetite / Financial + Non Financial factors / CSR / Existing Agreements.
FEASIBILITY - do we have, or have access to, the resources in order to carry out the strategy? Within current / potential strategic capabilities? Can we implement?
153
Chapter: 7 Topic: Types of Audit Question: Value for Money [VfM] Audit Hint: Three E's / Four C's
USE - Government / Not-for-Profit
PURPOSE - how well is public money being used to provide services?
FOCUS - a) Economy / Efficiency / Effectiveness b) Challenge / Compare / Consult / Compete
154
Chapter: 4 Topic: Board Membership, Roles and Structure Question: Company Secretary Hint: 'Ultimate Loyalty is the Company'
COMPLIANCE W. LEGAL AND REGULATORY FRAMEWORKS [inc. signing docs & registers + annual accounts]
INFORMATION NEEDS TO THE BOARD + ARRANGE MEETINGS FOR SHs
COMMUNICATION WITH SHAREHOLDERS
BOARD DECISIONS BROADCAST TO EMPLOYEES AND WIDER STAKEHOLDERS
FINANCIAL OR LEGAL EXPERTISE
155
Chapter: 4 Topic: Board Membership, Roles and Structure Question: Board Structures x3 Note: More tiered; +ve Greater Independence / Broader Rep -ve Conflicting viewpoints / lack of accountability + authority / more bureaucratic
SINGLE - unitary
DUAL a) Supervisory, overall responsibility b) Management, daily running of firm
THREE TIER a) Policy, strategic b) Functional, operational c) Monocratic, PR
156
Chapter: 4 Topic: Corporate Governance and Agency Theory Question: Agency Problem x Solution Hint: Principal [SH's] needs the help of an Agent [Directors] to carry out activities on their behalf.
PROBLEM - Information Asymmetry ['trust issues'] + Conflicts of Self-Interest ['balancing act']
SOLUTION - Transparency, disclosures + LT interest of firm instilled into directors, SH power [removal / exercise control]
ULTIMATE AIM - introduce control mechanisms to control board without impacting their ability to function effectively.
157
Chapter: 4 Topic: Board Membership, Roles and Structure Question: The Board, responsibilities and aims. Hint:
PROMOTING SUCCESS OF FIRM
DRIVE DIRECTION OF FIRM THRU ENTREPRENEURIAL LEADERSHIP w.i EFFECTIVE CONTROLS
ACCOUNTABILITY TO SHAREHOLDERS
MONITOR PERFORMANCE OF COMPANY IN ACHIEVING AIMS
ENSURE FIRM IS ACTING WITHIN A COMMERCIALLY + SOCIALLY ACCEPTABLE MANNER
MAINTAIN AN EXTERNAL FOCUS
ENSURE NECESSARY RESOURCES / SKILLS
SET STRATEGIC AIMS
ENABLE RISK TO BE ASSESSED + MANAGED
158
Chapter: 4 Topic: Non Executive Directors Question: Three Specific Roles of NEDs Hint: FC / OC / HS
FATHER CONFESSOR - act as confidant
OIL CAN - manage conflict
HIGH SHERIFF - removal of high positions
159
Chapter: 4 Topic: Non Executive Directors Question: Areas of Focus of NEDs + Issues Hint: S S R P + I E
FOCUS
- Strategy: contribute and challenge
- Scrutiny: performance of Execs and Management
- Risk: ensure systems are robust
- People: safeguard interests of SHs
ISSUES
- Lack of true independence: cross directorships / remuneration / pensions / shareholdings / previous employment
- Lack of effectiveness: industry experience / availability / commitment
160
Chapter: 10 Topic: Cybersecurity Tools and Techniques Question: Penetration Testing Hint: Controlled form of hacking Note: GDPR Compliant to adopt PT
PURPOSE - systematic process of PROBING for VULNERABILITIES in applications + networks
EXAMPLES - Connections w. internet / Simulating phishing and social engineering
161
Chapter: 10 Topic: Cybersecurity Tools and Techniques Question: Types of Penetration Testing Hint: Box - classified on level of knowledge / access granted to Pentester at beginning of assignment
WHITE BOX - full access to system / network. Comprehensive assessment of both internal and external vulnerabilities.
GREY BOX - partial access to system [user level privileges only]. Focus assessment on systems with greatest risk and value from the start.
BLACK BOX - no access provided prior to test. Exposes external vulnerabilities of a system.
162
Chapter: 10 Topic: Cybersecurity Tools and Techniques Question: Three Software Communication Options Hint: IP / TLS / MS
IP SECURITY - secure private comms
TRANSPORT LAYER SECURITY - secure private comms with bespoke encryption
MIKEY-SAKKE - end-to-end encryption
163
Chapter: 9 Topic: Cybersecurity Processes Question: Key Principles in Developing Cybersecurity Policies Hint: PDR
PROTECTION - what to protect [software vs hardware] + ICs in place to do so.
DETECTION - monitoring, recording and escalating threats.
RESPONSE - proactive vs reactive measures. Inc. Patch Management vs Specialist Teams [hunt teams]
164
Chapter: 3 Topic: Risk of Unethical Behaviour Question: Reputational Risk Causes Hint: Response to Rep Risk involves LISTENING. Note: Strategy / Brand / Reputation all interdependent.
CSR ISSUES - not extending reach beyond commercial responsibilities.
CUSTOMER SERVICE - not understanding why the customer buys from you. Link to expectation
LEGAL ISSUES - data protection / impact industry dependent
STAFF POLICIES - link to ethics.
FAILURE TO INNOVATE - viewed as 'outdated'
POOR GOVERNANCE STRUCTURE - lack of diversity / accountability?
INVOLVEMENT IN BRIBERY / CORRUPTION - mitigated through strong ICs + whistleblowing arrangements
POOR ETHICS - increases compliance / external auditor focus
165
Chapter: 3 Topic: Risks of Unethical Behaviour Question: Three Main Risks of Unethical Behaviour Hint: P B R Note: Ethics = set of moral principles that guide behaviour
PROBITY - untruthful or misleading behaviour
BRIBERY & CORRUPTION - knows no boundaries for prosecution [UK Bribery Act + US Foreign Corrupt Practices Act]. Leads to financial, legal and reputational risk
REPUTATIONAL RISK - caused as a result of adverse consequences of another risk. 'Years to build, but can disappear overnight'.