P3 RM Flashcards
Chapter: 3
Topic: Banking
Question: Principles of Basel III / Dodd Frank Act / Bank of England
Hint: Do banks have sufficient capital to withstand anticipated losses during financially stressful situations?
Basel III : Three pillars [sound banking practices]
Min Amounts of Capital Required
Visibility of Risks
Disclosure to encourage better behaviour
DFA : Three Scenarios
Baseline
Adverse
Severely Adverse
BoE : using variables to predict unfavourable macro scenarios:
Global Economy
Unemployment Rates
Commodity Prices
House Prices
Interest Rates
Chapter: 9
Topic: Centralised Management of CS Controls
Question: Four main controls present within Information System
Hint: SANG
1) Software Controls - ensuring correct software is used. Buying from recognised supplier.
2) Application Controls - completeness / accuracy of records + validity of entries made to a specific application. Inc. Input [data entry checks] / Processing [accuracy during computer processing] / Output [exception reports].
3) Network Controls - protect IS from CS risks across entire network. Inc Firewalls, Virus protection, spyware, encryption.
4) General Controls - prevent or detect errors / irregularities in all accounting systems. Inc both software and hardware, personnel, access and password controls.
Chapter: 10
Topic: Cyber Risk Reporting Frameworks
Question: SOC 2 Framework
Hint: Service Organisations
Describes CRMP + effectiveness of controls when processing clients data. Features inc:
- Specific SOC 2 Criteria [to CRMP’s description and controls] - CPA approved
- Description criteria inc. type of service provided [payroll / finance], systems used to provide + boundaries. DN inc. description of specific controls in a service organisation.
- Written assertion from management [Re: description in line with criteria + controls suitably designed] + CPA opinion to validate description and controls.
- Detailed list of controls tests carried out by CPA.
- Limited availability.
Chapter: 10
Topic: Cyber Risk Reporting Frameworks
Question: SOC Framework
Hint: Offers accreditation for overall CS [AICPA]
Delivers a review of entity’s CRMP. Features inc:
- Description criteria of the CRMP in line with agreed criteria [nature of operations / key info assets / inherent CS risk factors / governance / risk assessment / monitoring]. Written assertion by management req.
- Control criteria assessed by management and assertion that it is effective in achieving organisation CS objectives.
- Opinion by CPA on description and control criteria.
- Prepared for general distribution to stakeholders.
- DN contain list of detailed tests carried out.
Chapter: 4
Topic: Sub-Committee of Directors
Question: Audit Committee
Hint: Review + Monitor
Review and monitor:
Annual accounts.
Adequacy of Internal controls [fin + non-fin].
Risk Management systems.
Liaises with External Auditors on queries, appoint, denote non-audit services, compensate.
Supervises Internal Audit + scrutinise output.
All independent [financially literate] NEDs with at least one financial expert.
Chapter: 9
Topic: CS Governance + Policy
Question: Three strategies used to avoid being Hacked?
Hint: RSD
Reconnaissance - awareness of how you appear to third parties. Do you look vulnerable?
Simulation - assume you will be hacked at some point. Have contingency plans in place. Are you prepared?
Digital Identity - understanding how you interact with all things digitally. Focus on IoT.
Chapter: 5
Topic: Purpose of Internal Controls
Question: Objectives of IC
Hint: ORC
Reasonable Assurance regarding the objectives for:
Operational - financial + operational performance / safeguarding assets.
Reporting - internal / external / financial / non-financial ensuring timeliness, accuracy and transparency.
Compliance - with laws and regulations
Chapter: 5
Topic: Features of Internal Controls
Question: COSO IC Integrated Framework
Hint: Objectives [ORC] / Levels [F / OU / D / EL] / Components [CE / RA / CA / I&C / MA]
Objectives - Operational / Reporting / Compliance
Levels - Functional / Operational Unit / Divisional / Entity Level
Components - Control Environment / Risk Assessment / Control Activities / Information & Comms / Monitoring Activities
Chapter: 1
Topic: Risk Management Institutes
Question: Four Categories of Risk [‘Institute of RM’]
Hint: FOSH [int / ext]
Financial - long term CFs / ST liquidity / fraud / economic factors.
Operational - day to day business risks.
Strategic - long term outcomes impacted.
Hazard - natural / human.
Chapter: 10
Topic: Cyber Risk Reporting Frameworks
Question: Internal & External forms of CS reporting.
Hint: Int - CV + RA / Ext - RM & DM + 3rd Party R + Risk P & Why?
Internal CS Reporting: to board / management / employees.
Core Values
Risk Appetite
External CS Reporting: to regulators / stakeholders / investors / media.
Risk Management and Decision Making
Third Party Reliance
What needs Protecting and their Importance [why?]
Chapter: 6
Topic: Internal Control Systems in Practice
Question: Control Activities in Any System
Hint: x5 - A S Ip Pr Pc
Expectations of External Auditors:
Authorisation - transactions approved by right personnel
Segregation of Duties - no one person having total control of a process.
Information Processing - general + application controls.
Performance Review - actual vs expected.
Physical Controls - safeguarding of assets / access to data files / periodic counting.
Chapter: 7
Topic: How to deliver Internal Audit
Question: Three types of Testing
Hint: WT / ToC / ST [inc. AR + BM]
Walkthrough Testing: sequential, through documenting events from start to finish.
Test of Controls: known as compliance test. Whether or not the controls in place have operated. Testing the process.
Substantive Testing: ignores the control that has happened and instead verifies the actual amount itself. Looks at whether individual events are valid [sums received recorded in the correct accounting period]. Testing the content.
Chapter: 7
Topic: How to deliver an Internal Audit
Question: The Five Stages involved in delivery
Hint: OF -> P -> RA -> T -> Bm
1) Organisational Factors - assessment of need.
Inc: Scale, size, complexity, diversity / Cost vs Benefit / Changes in processes, structure, IC, IS? / Changes in key risks? / Increased number of ‘unexplained events’?
2) Planning - prioritise / establish objectives of audit / effective use of resources
3) Risk Assessment - inherent / control / residual / detection
4) Testing - walkthrough / test of controls / substantive testing in order to collect evidence to help achieve audit objectives.
5) Benchmarking - comparing financial and non-financial performance [type of Analytical Review / Substantive Testing].
Chapter: 7
Topic: How to deliver an IA
Question: Three bases for Sampling
Hint: R / N / V
Random - exposes firms to sampling risk [not true representation of whole population]
Nature - inherent risk
Value - materiality
Chapter: 5
Topic: Management Accounting Techniques
Question: 8 Key Areas + Core Fundamentals
Hint:
Marginal Costing - low volume, high complexity. Differentiating between fixed and variable costs.
Just in Time - continuous improvement + reduced inventory handling.
Kaizen - incremental improvements, waste elimination.
Target Costing - viability of production?
EVA - economic profit, reflecting true profit based on value from invested funds. Best for asset-rich companies not for those with intangible assets, such as technology businesses. Can lead to dysfunctional behaviour.
TQM - considers cost of quality. ‘First time, every time’.
Throughput - lead time / efficiency. All costs fixed besides material costs. Success based on how quickly product can be made available to customer.
Life Cycle Costing - matching costs and revenues to the specific product. Focus on profitability and long term planning.
Lean MA - value streams + elimination.
Chapter: 9
Topic: Centralised Monitoring of CS Controls
Question: 14 ISO 27001 Control Sets
Hint: Mgment x3 / Security x5 / C’s x3 / S’s x2 / Others x1
Management x3
Information System Incident - monitor / detect / respond
Business Continuity - contingency plans
Asset - access / safeguarding / recovery
Security x5
Information Policy - SANG
HR Resources - policy / procedural com
Physical & Environmental - natural disaster
Operational - malware / back-up policies
Communications - network controls
S’s
Supplier Relationships - screening
Systems Development - updating software
C’s
Compliance with Laws & Regs - GDPR
Cryptography - encryption
Access Controls - physical / virtual pw’s
Others
Organisation of IS - BYOD
Chapter: 2
Topic: Strategies for Risk Mitigation
Question: Four Methods of Risk Reduction & Control [High Likelihood, Low Impact]
Hint: LC / D / PA / CP
Loss Control - physical devices / psychological awareness + commitment to minimise losses.
Risk Diversification - portfolio approach through geographical [TLC], product base [PLC], activities [integration].
Procedural Approach - adherence to policies, codes and regulations.
Contingency Planning - post loss needs understood. Regularly reviewed + simulations performed. THINK - 6 Key Elements.
Chapter: 9
Topic: Centralised Management of CS Controls
Question: Six key elements within Contingency Plans
Hint: CC RR BP
Continuity Plans - hotsites / mirror sites.
Communication - internal / external.
Responsibilities - list of staff / accountability.
Risk Assessment - assessing impact.
Back up Procedures - standby / recovery / personnel management.
Priorities - what are we protecting?
Chapter: 6
Topic: Information as a Form of Control
Question: Five key teams required for Successful Implementation of a New System?
Hint: SC [Sp / Pm / Ur / ITs / IA]
Sponsor
Project Manager
User Representation
IT Specialist
Internal Audit Function
All form part of the Steering Committee. Help to monitor implementation / deliverables / ensure quality + control + costs are met / forum for discussion.
Chapter: 6
Topic: Information as a Form of Control
Question: Ten Types of Information Systems
Hint: D’s x2 / E’s x3 / K / M / O / S / T
OAS - Office Automation, basic spreadsheets
ERPS - Enterprise Resource Planning, organisation wide integration of functions
KWS - Knowledge Work, new knowledge creation inc. training.
EIS - Executive Information, usually presented in graphical format with drill down features.
ES - Expert, stores info and applies rules to make easy decisions [inc. diagnosis of illness]
DSS - Decision Support, data analytics to model scenarios.
SEMS - Strategic Enterprise Management, high level tools such as ABM.
MIS - Management Information, mid level analysis of transactions for DM and control purposes [inc. Standardised Reports]
TPS - Transaction Processing, billing + payroll.
DC - Data Centres, stores data in warehouses. Inc Big Data.
Chapter: 9
Topic: Centralised Monitoring of Cybersecurity Controls
Question: Six step response to CS - ISO 27001
Hint: Me -> AoDR -> TARA -> Rpt -> App CS Profile -> Imp R Treat P
METHODOLOGY - agreed / consistency
ASSESSMENT - impact vs likelihood of Data Risks
TREATMENT - record whether to Control / Avoid / Transfer / Accept risks.
REPORT [all results] - accreditation [ISO 27001] + own interest purposes.
APPLICABILITY - security profile showing all controls and status.
IMPLEMENTATION - risk treatment plan. What, who, how and when.
Chapter: 9
Topic: Cybersecurity Risk Governance Structure
Question: CS Risk Governance Structure elements.
Hint: H / CON BT EV / BO / MR / CON BT R
Note: Formal, codified statement which outlines aims. Overseen by board of directors… CS to be embedded.
HIRING - qualified staff inc. CIO [Risk Manager]
CONNECTION B/T CS AND ETHICAL VALUES
BOARD OVERSIGHT - dedicated committee or CIO
MONITORING AND REPORTING - active engagement by board members. Increases accountability.
CONNECTION B/T CS RISKS AND OTHER RISKS - in line with Risk Appetite.
Chapter: 7
Topic: Internal Audit
Question: Purpose + Overall Objectives + Reporting of Internal Audit function
Hint: Sa C Ro Ec Ar Mr
PURPOSE - Independent Assurance that RM, Gov., IC processes are operating effectively. Ultimate aim is OBJECTIVITY in their findings.
OBJECTIVES
Safeguarding Assets
Compliance [policy + regulations]
Reduce Overheads [business units alignment]
Effective Controls [IC]
Accounting Records
Managing Risk [RM]
REPORTING - to NEDs through Audit Committee.
Chapter: 9
Topic: Centralised Monitoring of CS Controls
Question: Seven Outputs of CS Monitoring Systems
Hint: SR SU AT TN PC CT RI
Staff Responsible
System Upgrades
Audit Trails
Training Needs
Policy Changes
Consistent Trends
Regulators Informed
Chapter: 7
Topic: How to Deliver Internal Audit
Question: Aims of Audit Planning + Procedures Involved
Hint: A = P Eo Er / P = Aors Ppap Tea
AIMS
- Prioritise activities for review [nature / high risk areas]
- Establish objectives of the audit [improve cost controls / ensure compliance with GDPR…]
- Ensure necessary resources available + used effectively & efficiently.
PROCEDURES
- Ascertain business objectives / risks / strategies in place to manage.
- Preliminary analytical procedures on relevant areas / systems.
- Utilise / take account of External Auditors reports.
Chapter: 2
Topic: Risk Management Frameworks
Question: Three Part Risk Management Structure [ISO 31000]
Hint: P F P - constitutes effective RM.
PRINCIPLES
How to Design: Proportionate - Aligned - Comprehensive - Embedded - Dynamic
How to Operate: Limitations of available info - Influence of Human & Cultural Factors - Continuous Improvement
FRAMEWORK
Design -> Implement -> Evaluate -> Improve
Allocation of Roles, Responsibilities and Resources.
PROCESS - iterative, fully sequential process.
Support Activities: Comm & Consult - Monitor & Review - Record & Report.
Chapter: 10
Topic: CS Tools and Techniques
Question: Three Tiers of Software Security
Hint: Security must be Secure & Resilient. Focus on Coding / Design / Testing.
TIER 1 - stop CS attacks only.
TIER 2 - stop CS attacks + alert relevant security functions.
TIER 3 - stop CS attacks + alert + protect sensitive data.
Chapter: 6
Topic: Dysfunctional Behaviour
Question: Human Element of Internal Controls
Hint: Training / Motivation / Values / Management
POOR TRAINING
POOR MOTIVATION
VALUES NOT ALIGNED
PROBLEMS NOT MANAGED
Lead to Malfunctions within the ICs
Chapter: 7
Topic: Internal Audit
Question: Five key areas an Internal Audit Report covers
Hint: BgAss / WO / KaP / MOc / MR
Background to Assignment
Work Outstanding
Key Action Points
Major Outcomes of Work
Management Responses
Chapter: 9
Topic: CS Preventive and Detective Controls
Question: Innovative Techniques used for CS
Hint: BhA / DtT / VdN / SmGr
BEHAVIOURAL ANALYTICS - outside of set parameters
DETECTION TECH - zero day attack identified
VIRTUAL DISPERSIVE NETWORKING - splits messages into encrypted parts
SMART GRID TECH - monitor and comm between data points
Chapter: 7
Topic: Auditing in IS Environment
Question: Auditing a Computer / Information System
Hint: UndS / HowT / ScA / DI / Oupt / Autho / BUs
UNDERSTAND SYSTEM
HOW TO TEST
SECURITY ARRANGEMENTS / ACCESS
DATA INPUT [Encryption / Validation]
OUTPUT [Accuracy]
ALL TRANSACTIONS AUTHORISED?
BACK UPS + DISASTER RECOVERY PLANS
CAATs can be used to review system controls. Allows IA to review larger samples, efficient use of time + pinpoint trends.
Chapter: 4
Topic: Corporate Governance
Question: Aim of CG + what it provides + who it involves?
Hint: Agency Problem
AIM: Company run for the benefit of its Shareholders [address Agency Problem].
PROVIDES:
- System which firms are directed / controlled
- Structure through which objectives are SET / OBTAINED & MONITORED.
INVOLVES a set of relationships between Directors, Shareholders and Stakeholders.
Chapter: 4
Topic: Corporate Governance
Question: Causes of Poor CG
Hint: Approach vs Structure
POOR APPROACH TO CG - wrong policies / focus. E.g. ST Financial Goals.
POOR STRUCTURE IN PLACE - insufficient scrutiny over decisions / absence of NEDs. E.g. CEO and Chair the same person.
Chapter: 7
Topic: Assessing Performance of Internal Auditors
Question: Criteria used to assess IA Function
Hint: P A I R
PROFESSIONALISM - systematic + organised approach.
AUTHORITY - findings acted upon? Timely responses backed up by the board?
INDEPENDENCE - whom report to? Physically separate from workforce? Ability to Whistleblow?
RESOURCES - enough personnel + right training, skills and expertise. [Specific qualification not required].
Chapter: 7
Topic: Assessing Performance of Internal Auditors
Question: Conditions under which External Auditors can use Internal Auditors work?
Hint: DO / WCS
IF INTERNAL AUDITORS:
DEEMED OBJECTIVE
WORK SUPERVISED + REVIEWED
COMPETENT
SYSTEMATIC, WELL DOCUMENTED AND DISCIPLINED APPROACH TAKEN [Think, Professionalism]
Chapter: 6
Topic: Dysfunctional Behaviour
Question: Main issue with Performance Measurement + Main Tactic to Mitigate?
Hint: Self Interest vs SMART
PEOPLE MAXIMISE HOW THEY LOOK + ACT IN THEIR OWN SELF-INTEREST, irrespective of whether this causes Dysfunctional Behaviour.
SMART targets set to reduce this risk.
Chapter: 8
Topic: CS Objectives
Question: How firms Establish, Maintain and Approve Cybersecurity Objectives?
Hint: FP / BA / MS
FORMAL PROCESS - CS objectives aligned with wider firm objectives.
BOARD APPROVAL - either through dedicated committee / expert [CIO] or 3rd party consultancy.
MONITOR SUCCESS - feedback loop [similar to how Internal Control objectives are monitored].
Chapter: 3
Topic: Understanding Current Position
Question: External Environment challenges when setting Strategic Plans.
Hint: ISA / C&D -> PHS / SC / EM | PS -> PESTEL + SWOT
INCORRECT SUPPORTING ASSUMPTIONS
COMPLEXITY AND DYNAMISM CREATES LONG TERM UNCERTAINTY
LEADS TO: PLANNING HORIZONS SHORTENED / STRATEGIES MORE CONSERVATIVE / EMERGENT STRATEGIES OVER PLANNED.
MITIGATED BY: PESTLE / SWOT ANALYSIS.
Chapter: 3
Topic: Understanding Current Position
Question: Resources and Capabilities assigned within a firm.
Hint: VC / OM / STR / IC
Note:
Resources = capacity to deliver
Capabilities = people and skills
VALUE CHAIN - Inbound Logistics, Operations, Outbound Logistics, Marketing & Sales, Service.
OPERATING MODEL - how value is created. Processes in which value is generated. E.g. Lean Process design.
STRUCTURE OF FIRM - Governance, Board Membership, Rules / Roles / Responsibilities etc.
INTERNAL CONTROLS - ‘Reasonable assurance regarding Operational, Reporting and Compliance objectives’.
Chapter: 2
Topic: Social, Ethical and Environmental Issues
Question: Approach to Solving an Ethical Issue
Hint: GFs / IP / IAA / MR / JR
GATHER FACTS / EVIDENCE
IDENTIFY THE PROBLEM / RELEVANT ETHICAL ISSUES + FUNDAMENTAL PRINCIPLES
INVESTIGATE ALTERNATIVE ACTIONS
MAKE A RECOMMENDATION
JUSTIFY RECOMMENDATION
Chapter: 9
Topic: Centralised Management of CS Controls
Question: Information Contingency Plan - what does it provide for?
Hint: St Re PM
STANDBY PROCEDURES - back-up sites to allow operations to continue.
RECOVERY - of sensitive data + restoring ‘back to normal’. Implemented after the event.
PERSONNEL MANAGEMENT - key roles and responsibilities. Recovery Plan operates ‘as intended’.
Chapter: 8
Topic: Cybersecurity Objectives
Question: Three Organisational Characteristics to grasp before setting CS Objectives. What is ‘Vulnerable’ / at Risk?
Hint: Dc Ct T
Delivery Channels - used to deliver data. Inc website, email, intranet, social media + epos.
Connection Types - wired or wireless / in-house or networked / national or international.
Technologies - proportion of activity online / amount of digital interaction. Data collection, storage & transmission.
Chapter: 3
Topic: Methods of Development
Question: Questions to consider when choosing Method of Growth
Hint: SH V / M&V / RR / CF
Generate value for shareholders? How quickly is growth / expansion required? Links to SH Expectations.
Fit with mission and values? Does the firm need to retain control over operations? [Think, outsourcing].
Required resources to deliver chosen strategy? Inc. competencies, availability and access.
Cultural Fit with external parties [Mergers / Acquisitions]? Integration of people, systems and organisational culture [how things are done and why?].
Chapter: 2
Topic: External Risk Reporting
Question: Two main National Regulators for Risk Reporting?
Hint: UK vs US
2018 UK CORPORATE GOVERNANCE CODE [Principles Based - ‘Comply and Explain’]
‘Fair, balanced and understandable assessment of a firm’s position + prospects’.
Disclosures inc:
- Description of Audit Committee work
- Board Responsibilities for preparing annual report + accounts.
- Company’s Going Concern status
- How Risk Management and Internal Controls are reviewed.
- Board assessment of Principal + Emerging risks
- Prospects and timelines
SARBANES OXLEY ACT [Rules Based - ‘Non-compliance unacceptable’].
Provides consistent minimum standard of Governance + RM.
Requires a firm to report on an entity’s Internal Controls. Esp:
- Those related to Financial Reporting
- Assessment of their effectiveness [Verified by independent practitioner]
Chapter: 7
Topic: How to Deliver an Internal Audit
Question: How IA’s reduce risks involved in System Development
Hint: SC / T&T / VAR / PIR
WORK WITH STEERING COMMITTEE TO ENSURE RESPONSIBILITIES OUTLINED + DESIGN INDEPENDENTLY REVIEWED
ENSURE ONGOING TESTING AND TRAINING
INSPECT VARIANCES IN BUDGETS
PERFORM POST IMPLEMENTATION REVIEW [Focus on compliance with targeted performance].
Chapter: 1
Topic: Risk Management Process
Question: Portfolio Approach to Risk Management
Hint: +ve / -ve R
PORTFOLIO APPROACH [known as Diversification] - build both positively and negatively correlated risks to reduce exposure to certain circumstances.
Requires understanding of the interrelationships between the risks a firm faces.
Chapter: 1
Topic: Risk Management Process
Question: Difference between Correlated and Related Risks
CORRELATED RISK - can be either +ve or -ve.
Positively Correlated Risks move together. Fatty foods inc. risk of heart disease.
Negatively Correlated Risks move in opposite directions. Brushing teeth reduces chance of fillings.
RELATED RISK - two risks that are connected due to the same cause. Natural disaster increases chance of job losses and house damages.
Chapter: 2
Topic: Risk Reporting
Question: Purpose and Components of Risk Register
‘Used to manage, monitor and report risks’
Defines the list of Principal Risks a firm faces [+ the interdependencies with other risks].
Details the treatment of those risks based on prioritisation [monetary value].
Details who is responsible.
Chapter: 2
Topic: Risk Reporting
Question: Difference between Gross / Residual / Expected / Actual Risk
Hint: Detailed within Risk Register
GROSS - before controls implemented
RESIDUAL - risk remaining after controls performed
EXPECTED - projected risk based on forecasts
ACTUAL - based on the events that occurred
Chapter: 10
Topic: CS Tools and Techniques
Question: Forensic Analysis levels
Hint: Sy / St / Net
SYSTEM LEVEL ANALYSIS - threat impacted entire system?
STORAGE LEVEL ANALYSIS - threat impacted data held ?
NETWORK LEVEL ANALYSIS - threat come from outside source ?
Chapter: 7
Topic: Types of Audit
Question: Purpose of Systems Audit
Hint: SCREAM
PURPOSE - test + evaluate internal controls present within any system.
OBJECTIVES [Think: Gov, RM, ICs are operating effectively - SCREAM].
- Ensure suitable and accurate Management Information [Ar]
- Compliance with procedures / laws / regs. [C]
- Safeguarding Assets [Sa]
- Securing economies and efficiencies [Ro]
- Assess stages of IC Process: x4 stages [Ec / Mr]
Chapter: 10
Topic: CS Tools and Techniques
Question: Forensic Analysis Principles used to handle Computer Security Incident
Hint: Prep / Dt&A / Con,Era,Rec / PiA
PREPARATION - reduce impact of incident before it occurs.
DETECTION AND ANALYSIS - incidents prioritised and communicated.
CONTAINMENT, ERADICATION AND RECOVERY - recovery procedures.
POST INCIDENT ACTIVITY - what have we learnt for next time? What can we improve?
Chapter: 7
Topic: Systems Audit
Question: Four stages of the Internal Control Process
Hint: Iden / Under / Devel / Imple
IDENTIFY BUSINESS OBJECTIVES
UNDERSTAND THE THREAT TO THESE OBJECTIVES
DEVELOP CONTROLS TO HELP MITIGATE
IMPLEMENT AND MONITOR THE PROCESS
Chapter: 2
Topic: Risk Management Frameworks
Question: COSO Enterprise Risk Management [RM and IC Methodologies]
Hint: ERM / Beliefs / Benefits
ERM - Defines process of RM across the entire firm. Connects core values with enhanced performance.
BELIEFS - risk considered part of strategy / culturally embedded
BENEFITS - helps to apply TARA / allocate capital & resources effectively.
Chapter: 2
Topic: Risk Management Frameworks
Question: COSO ERM Framework Components
Hint: G&C / S&O / P / R&R / I,C&R
GOVERNANCE AND CULTURE - board leads the way. Sets core values, ethics and culture.
STRATEGY AND OBJECTIVE SETTING - ERM considers risk as part of strategy.
PERFORMANCE - unless risks identified, assessed, prioritised and managed, performance will suffer.
REVIEW AND REVISION - continuous review due to changing nature of risks. Requires Feedback Loop.
INFORMATION, COMMUNICATION AND REPORTING - to support DM and ensure alignment across entire firm. Internal / External reporting needs.
Chapter: 3
Topic: Banking
Question: Four Scenarios for 2025. [Wade, 2016]
Hint: GB / CC / TD / RM
Highlights need for firms to become more agile…
Global Bazaar - tech thrives, digital focus. Customers less loyal + hard to maintain market position.
Cautious Capitalism - loss of trust between firms and consumers due to data breaches / cyber risks. Reduces tech opportunities / innovation for firms.
Territorial Dominance - protection of local industries. Greater protectionism, regulation + lower growth.
Regional Marketplace - government regulations limiting international business / collaboration. Expansion + supply chain networks impacted.
Chapter: 10
Topic: Cybersecurity Risk Reporting Frameworks
Question: Cybersecurity Risk Management Program
Hint: Formal / Pragmatic / Comp vs System Driven
Note: https://www.ncsc.gov.uk/collection/risk-management-collection/component-system-driven-approaches/introducing-component-driven-and-system-driven-risk-assessments
PURPOSE - formal way of explaining the approach taken by a firm to manage its Cybersecurity Risks
APPROACH - practical such as agreeing policy with CS suppliers / User training to identify CS threats / Balancing costs vs benefits / Content driven, firm needs to be understood.
FOCUS - either:
a) Component Driven - focus on specific aspects within a system, and the individual risks they face.
b) System Driven - holistic viewpoint, looking at overall performance of system and the risks it faces. Inc. communication links across devices + systems.
Chapter: 4
Topic: Sub-Committee Directors
Question: Nomination Committee
Responsible for recommending applicants to join the board. Ultimately the decision of SHs, who decide who gets appointed.
Appointments made on merit, based on Objective Criteria.
All NEDs.
Chapter: 9
Topic: Cybersecurity Preventive and Detective Controls
Question: Encryption + five main techniques.
Hint: DS / DE / Auth / DB / BC Tech
Note: Encrypted data = Cipher Text / Unencrypted Data = Plain Text
ENCRYPTION - ‘scrambling’ data to reduce risk of sensitive information being intercepted
DIGITAL SIGNATURE - private key sent alongside transmission
DIGITAL ENVELOPE - private key sent separately to transmission
AUTHENTICATION - proves the sender is who they claim to be through sharing previously agreed algorithm [helps to unscramble the message]
DIAL BACK SECURITY - helps ensure the right person is being contacted securely through dialing into a network
BLOCKCHAIN TECHNOLOGY - records virtually impossible to manipulate. Globally aligned data.
Chapter: 5
Topic: Senior Roles to Support Board
Question: Risk Management Group vs Risk Manager
Hint: Both report to Risk Committee
RISK MANAGEMENT GROUP
- Builds an overall strategy [as prescribed by the board]
- Focus on Risk Reporting + Monitoring
RISK MANAGER [CRO] - ‘combines technical, leadership and persuasive skills’.
- Active lead on risk + developing policy
- Leads ERM [establish + promote]
- Common RM policies agreed
- Risk Language formed
- Deals w. Insurance
- Risk Indicators
- Allocation of Resources
Both share findings with Risk or Audit Committee
Chapter: 5
Topic: Business Unit Performance and Appraisal
Question: Beyond Budgeting
Hint:
- Considers competitor actions
- Move away from purely financial goals
- Encourages team rewards + focus
- Rolling budgets to reflect dynamic / evolving markets
- Rewards linked to value adding activities
Chapter: 8
Topic: Web Application Attacks
Question: x7 Methods of Cyber Attacks
Hint: H / Ph / Rw / Ddos or BOF / SQL / XSS / CJ
Note: Cyberattacks aim to access, change or destroy sensitive information.
HACKING - illegally gaining access without user knowledge
PHISHING - theft of user details for personal gain [inc. bank cards / pw / login access]
RANSOMWARE - blocking access / interrupting usual business processes until fee is paid
DISTRIBUTED DENIAL OF SERVICE / BUFFER OVERFLOW - flooding systems with external activity in order to make the system crash / vulnerable to attack [install malware]
SQL - coded software used to infiltrate a system through data entry
CROSS SITE SCRIPT - embed malware into innocent 3rd party site
CRYPTOJACKING - obtaining cryptocurrency via 3rd party site
Chapter: 8
Topic: Cybersecurity Risks [dependent upon nature of business + firms objectives]
Question: Macro, Specific and Policy impacts on CS Risks
Hint: Pestel / IT + Network / Governance
MACRO
P: new legislation, new standards
E: lack of CS investment costly
S: data sensitivity
T: exploited by both firms and criminals
E: need for disaster planning
L: laws lag behind innovation
SPECIFIC - to IT systems and networks. Inc remote access risks / 3rd party risks / natural disaster risks.
POLICY - weak CS governance / lack of training + awareness of risks / poor design of controls…
Chapter: 4
Topic: Sub-Committees Directors
Question: Risk Committee
PURPOSE - monitor, supervise and oversee RM to determine how prepared the firm is to respond to possible threats [identification / RM].
RESPONSIBILITY
- Approve RM strategy + Review ICs
- Review principal and emerging risks
- Monitor overall exposure [compared against risk appetite] + weightings [for performance purposes]
- Assess effectiveness of RM systems
FEATURES
- Flexibility in appointment of NEDs or EXECs
- Broad risk focus, move away from mainly financial [Audit Committee]
- Ability to drive change / strategy
Chapter: 8
Topic: Hackers and Social Engineering
Question: Influences upon People
Hint: Rep / Comit / SP / Li / Au / Sc
RECIPROCATION - repay good deed
COMMITMENT - avoid ‘hypocritical’ suggestions
SOCIAL PROOF - mimicking behaviour in uncertain situations
LIKABILITY - behaving in a similar way to those you like
AUTHORITY - instructional
SCARCITY - sense of need / urgency
Ultimately can lead to people being Socially Engineered…
Chapter: 6
Topic: Information as a Form of Control
Question: System Implementation x4 methods
Hint: DC / PR / PO / PC
DIRECT CHANGEOVER - One clean swoop. High risk.
PARALLEL RUNNING - old + new together. Expensive.
PILOT OPERATION - systems implemented within certain functions. Req. targeted training, but does help to address weaknesses.
PHASED CHANGEOVER - releasing systems ‘bit by bit’ across entire organisation. Least risky option - however ‘time to market’ impacted.