P3 RM Flashcards

Question

Chapter: 7 Topic: How to Deliver Internal Audit Question: Aims of Audit Planning + Prodedures Involved Hint: A = P Eo Er / P = Aors Ppap Tea

Answer 1

AIMS - Priorities activities for review [nature / high risk areas] - Establish objectives of the audit [improve cost controls / ensure compliance with GDPR...] - Ensure necessary resources available + used effectively & efficicently. PROCEDURES - Ascertain business objectives / risks / strategies in place to manage. - Prelimary analytical procedures on relevant areas / systems. - Utilise / take account of External Auditors reports.

Answer 2

PRINCIPLES How to Design: Proportionate - Aligned - Comprehensive - Embedded - Dynamic How to Operate: Limitations of available info - Influence of Human & Cultural Factors - Continuous Improvement FRAMEWORK Design -> Implement -> Evaluate -> Improve Allocation of Roles, Responsibilities and Resources. PROCESS - iterative, fully sequential process. Support Activities: Comm & Consult - Monitor & Review - Record & Report.

Answer 3

TIER 1 - stop CS attacks only. TIER 2 - stop CS attacks + alert relevant security functions. TIER 3 - stop CS attacks + altert + protect sensitive data.

Answer 4

POOR TRAINING POOR MOTIVATION VALUES NOT ALIGNED PROBLEMS NOT MANAGED Lead to Malfunctions within the ICs

Answer 5

Background to Assignment Work Outstanding Key Action Points Major Outcomes of Work Management Responses

Answer 6

BEHAVIOURAL ANALYTICS - outside of set parameters DETECTION TECH - zero day attack identified VIRUTAL DISPERSIVE NETWORKING - splits messages into encrypted parts SMART GRID TECH - monitor and comm between data points

Answer 7

UNDERSTAND SYSTEM HOW TO TEST SECURITY ARRANGEMENTS / ACCESS DATA INPUT [Encryption / Validation] OUTPUT [Accuracy] ALL TRANSACTIONS AUTHORISED? BACK UPS + DISASTER RECOVERY PLANS CaaT's can be used to review system controls. Allows IA to review larger samples, efficient use of time + pinpoint trends.

Answer 8

AIM: Company run for the benefit of its Shareholders [address Agency Problem]. PROVIDES: - System which firms are directed / controlled - Structure through which objectives are SET / OBTAINED & MONITORED. INVOLVES a set of relationship between Directors, Shareholders and Stakeholders.

Answer 9

POOR APPROACH TO CG - wrong policies / focus. E.g. ST Financial Goals. POOR STRUCTURE IN PLACE - insufficnet scrutiny over decisions / absence of NEDs. E.g. CEO and Chair the same person.

Answer 10

PROFESSIONALISM - systematic + organised approach. AUTHORITY - findings acted upon? Timely responses backed up by the board? INDEPENDENCE - whom report to? Physically separate from workforce? Ability to Whistleblow? RESOURCES - enough personnel + right training, skills and expertise. [Specific qualification not required].

Answer 11

IF INTERNAL AUDITORS: DEEMED OBJECTIVE WORK SUPERVISED + REVIEWED COMPETENT SYSTEMATIC, WELL DOCUMENTED AND DISCIPLINED APPROACH TAKEN [Think, Professionalism]

Answer 12

PEOPLE MAXIMISE HOW THEY LOOK + ACT IN THEIR OWN SELF-INTEREST, irrespective of whether this causes Dysfunctional Behaviour. SMART targets set to reduce this risk.

Answer 13

FORMAL PROCESS - CS objectives aligned with wider firm objectives. BOARD APPROVAL - either through dedicated committe / expert [CIO] or 3rd party consultancy. MONITOR SUCCESS - feedback loop [similar to how Internal Control objectives are monitored].

Answer 14

INCORRECT SUPPORTING ASSUMPTIONS COMPLEXITY AND DYNAMISM CREATES LONG TERM UNCERTAINTY LEADS TO: PLANNING HORIZONS SHORTENED / STRATEGIES MORE CONSERVATIVE / EMERGENT STRATEGIES OVER PLANNED. MITIGATED BY: PESTLE / SWOT ANALYSIS.

Answer 15

VALUE CHAIN - Inbound Logistics, Operations, Outbound Logistics, Marketing & Sales, Service. OPERATING MODEL - how value is created. Processes in which value is generated. E.g. Lean Process design. STRUCTURE OF FIRM - Governance, Board Membership, Rules / Roles/ Responsibilties etc. INTERNAL CONTROLS - 'Reasonable assurance regarding Operational, Reporting and Compliance objectives'.

Answer 16

GATHER FACTS / EVIDENCE IDENTIFY THE PROBLEM / RELEVANT ETHICAL ISSUES + FUNDAMENTAL PRINCIPALS INVESTIGATE ALTERNATIVE ACTIONS MAKE A RECOMMENDATION JUSTIFY RECOMMENDATION

Answer 17

STANDBY PROCEDURES - back-up sites to allow operations to continue. RECOVERY - of sensitive data + restoring 'back to normal'. Implemented after the event. PERSONNEL MANAGEMENT - key roles and responsibilties. Recovery Plan operates 'as intended'.

Answer 18

Delivery Channels - used to deliver data. Inc website, email, intranet, social media + epos. Connection Types - wired or wireless / in-house or networked / national or international. Technologies - proportion of activity online / amount of digital interaction. Data collection, storage & transmission.

Answer 19

Generate value for shareholders? How quickly is growth / expansion required? Links to SH Expectations. Fit with mission and values? Does the firm need to retain control over operations? [Think, outsourcing]. Required resources to deliver chosen strategy? Inc. competencies, availability and access. Cultural Fit with external parties [Mergers / Acquistions]? Integration of people, systems and organisational culture [how things and done and why?].

Answer 20

2018 UK CORPORATE GOVERNANCE CODE [Principals Based - 'Comply and Explain'] 'Fair, balanced and understandable assessment of a firms position + prospects'. Disclosures inc: - Description of Audit Committeee work - Board Responsiblities for preparing annual report + accounts. - Company's Going Concern status - How Risk Management and Internal Controls are reviewed. - Board assessment of Principal + Emerging risks - Prospects and timelines SARBANES OXLEY ACT [Rules Based - 'Non-compliance unacceptable']. Provides consistent minimum standard of Governance + RM. Requires a firm to report on an entity's Internal Controls. Esp: - Those related to Financial Reporting - Assessment of their effectiveness [Verified by independent practitioner]

Answer 21

WORK WITH STEERING COMMITTEE TO ENSURE REPONSIBILITES OUTLINED + DESIGN INDEPENDENTLY REVIEWED ENSURE ONGOING TESTING AND TRAINING INSPECT VARIANCES IN BUDGETS PERFORM POST IMPLEMENTATION REVIEW [Focus on compliance with targetted performance].

Answer 22

PORTFOLIO APPROACH [known as Diversification] - build both positively and negatively correlated risks to reduce exposure to certain circumstances. Requires understanding of the interrelationships between the risks a firm faces.

Answer 23

CORRELATED RISK - can be either +ve or -ve. Postive Correlated Risks move together. Fatty foods inc. risk of heart disease. Negative Correlated Risk move in opposite directions. Brushing teeth reduces chance of fillings. RELATED RISK - two risks that are connection due to the same cause. Natural disaster increases chance of job losses and house damages.

Answer 24

'Used to manage, monitor and report risks' Defines the list of Principal Risks a firm faces [+ the interdependencies with other risks]. Details the treatment of those risks based on priortisation [monetary value]. Details who is responsible.

Answer 25

GROSS - before controls implemented RESIDUAL - risk remaining after controls performed EXPECTED - projected risk based on forecasts ACTUAL - based on the events that occured

Answer 26

SYSTEM LEVEL ANALYSIS - threat impacted entire system? STORAGE LEVEL ANALYSIS - threat impacted data held ? NETWORK LEVEL ANALYSIS - threat come from outside source ?

Answer 27

PURPOSE - test + evaluate internal controls present within any system. OBJECTIVES [Think: Gov, RM, ICs are operating effectively - SCREAM]. - Ensure suitable and accurate Management Information [Ar] - Compliance with procedures / laws / regs. [C] - Safeguarding Assets [Sa] - Securing economies and efficiencies [Ro] - Assess stages of IC Process: x4 stages [Ec / Mr]

Answer 28

PREPARATION - reduce impact of incident before it occurs. DETECTION AND ANALYSIS - incidents priortised and communicated. CONTAINMENT, ERADICATION AND RECOVERY - recovery procedures. POST INCIDENT ACTIVITY - what have we learnt for next time? What can we improve?

Answer 29

IDENTIFY BUSINESS OBJECTIVES UNDERSTAND THE THREAT TO THESE OBJECTIVES DEVELOP CONTROLS TO HELP MITIGATE IMPLEMENT AND MONITOR THE PROCESS

Answer 30

ERM - Defines process of RM across the entire firm. Connects core values with enhanced performance. BELIEFS - risk considered part of strategy / culturally embedded BENEFITS - helps to apply TARA / allocate capital & resources effectively.

Answer 31

GOVERNANCE AND CULTURE - board leads way. Sets core values, ethicals and culture. STRATEGY AND OBJECTIVE SETTING - ERM considers risk as part of strategy. PERFORMANCE - unless risks identified, assessed, priotised and managed, performance will suffer. REVIEW AND REVISION - continuous review due to changing nature of risks. Requires Feedback Loop. INFORMATION, COMMUNICATION AND REPORTING - to support DM and ensure alignment across entire firm. Internal / External reporting needs.

Answer 32

Global Bazaar - tech thrives, digital focus. Customers less loyal + hard to maintain market postion. Cautious Capitalism - loss of trust between firms and consumers due to data breaches / cyber risks. Reduces tech opportunities / innovation for firms. Territorial Dominance - protection of local industries. Greater protectionism, regulation + lower growth. Regional Marketplace - government regulations limiting international business / collaboration. Expanision + supply chain networks impacted.

Answer 33

PURPOSE - formal way of explaining the approach taken by a firm to manage its Cybersecurity Risks APPRAOCH - practical such as agreeing policy with CS suppliers / User training to identify CS threats / Balancing costs vs benefits / Content driven, firm needs to be understood. FOCUS - either: a) Component Driven - focus on specific aspects within a system, and the individiual risks they face. b) System Driven - holistic viewpoint, looking at overall performance of system and the risks it faces. Inc. communication links across devices + systems.

Answer 34

Reponsibile for recommending applicants to join the board. Ultimately decision of SHs who decide who gets appointed. Appointments made on merit, based on Objective Criteria. All NEDs.

Answer 35

ENCRYPTION - 'scrambling' data to reduce risk of sensitive information being intercepted DIGITAL SIGNATURE - private key sent alongside transmission DIGITAL ENVELOPE - private key sent separately to transmission AUTHENTICATION - proves the send is who they claim to be through sharing previously agreed algorithm [helps to unscramble the message] DIAL BACK SECURITY - helps ensure the right person is being contacted securly through dialing into a network BLOCKCHAIN TECHNOLOGY - records virtually impossible to manipulate. Globally aligned data.

Answer 36

RISK MANAGEMENT GROUP - Builds an overall strategy [as prescribed by the board] - Focus on Risk Reporting + Monitoring RISK MANAGER [CRO] - 'combines technical, leadership and persuaive skills'. - Active lead on risk + developing poicy - Leads ERM [establish + promote] - Common RM policies agreed - Risk Language formed - Deals w. Insurance - Risk Indicators - Allocation of Resources Both share findings with Risk or Audit Committee

Answer 37

- Considers competitor actions - Move away from purely financial goals - Encourages team rewards + focus - Rolling budgets to reflect dynamic / evolving markets - Rewards linked to value adding activities

Answer 38

HACKING - illegally gaining access wo user knowledge PHISING - theft of user details for personal gain [inc. bank cards / pw / login access] RANSOMWARE - blocking access / interprupting usual business processes until fee is paid DISTRIBUTED DENIAL OF SERVICE / BUFFER OVERFLOW - flooding systems with external activity in order to make the system crash / vulnerable to attack [install malware] SQL - coded software used to infilrate a system through data entry CROSS SITE SCRIPT - embed malware into innocent 3rd party site CRYPTOJACKING - obtaining cryptocurrency via 3rd party site

Answer 39

``` MACRO P: new legisation, new standards E: lack of CS investment costly S: data sensitivity T: exploited by both firms and criminals E: need for disaster planning L: laws lags behind innovation ``` SPECIFIC - to IT systems and networks. Inc remote access risks / 3rd party risks / natural disaster risks. POILICY - weak CS governance / lack of training + awareness of risks / poor design of controls...

Answer 40

PURPOSE - monitor, supervise and oversee RM to determine how prepared the firm is to respond to possible threats [identification / RM]. RESPONSIBILITY - Approve RM strategy + Review ICs - Review principal and emerging risks - Monitor overall exposure [compared against risk appetite] + weightings [for performance purposes] - Assess effectiveness of RM systems FEATURES - Flexibility in appointment of NEDs or EXECs - Broad risk focus, move away from mainly financial [Audit Committee] - Ability to drive change / strategy

Answer 41

RECIPROCATION - repay good deed COMMITMENT - avoid 'hypocritcal' suggestions SOCIAL PROOF - mimicking behaviour in uncertain situations LIKABILITY - behaving in a similar way to those you like AUTHORITY - instructional SCARCITY - sense of need / urgency Ulimately can lead to people being Socially Engineered...

Answer 42

DIRECT CHANGEOVER - One clean swoop. High risk. PARRALEL RUNNING - old + new together. Expensive. PILOT OPERATION - systems implemented within certain functions. Req. targetted training, but does help to address weaknesses. PHASED CHANGEOVER - releasing systems 'bit by bit' across entire organisation. Least risky option - however 'time to market' impacted.

Answer 43

TUNNEL VISON - focus too much on one measure, to the detreiment of others. Think, BS. OSSIFICATION - unwillingness to change measures once set. Impt to keep PM's under constant review. MYTOPIA - short terms goals over long term value. MISREPRESENTATION - intentionally skewing figures in one's self interests. Known as 'creative reporting'. Impt to limit Pressure, Rationalisation + Opportunity. MEASURE FIXATION - focusing on achieving a measure which is considered ineffective, due to the behaviours required to achieve.

Answer 44

``` VALIDITY - cleansed VALUE - potential VARIABILITY - inconsitencies *VARIETY - types *VELOCITY - speed [especially collection of Ext Data] VERACITY - trust [can all data held be trusted?] VISULISATION - graphical VOLATILITY - useful life *VOLUME - amount VULNERABILITY - exploitation ``` * Significant differences between 'earlier approaches' to data collection / storage / analytics.

Answer 45

PURPOSE - ensures firms have systems 'fit for purpose' + make efficient use of resources. FEASILITY STUDY - review current system vs alternative options SYSTEM INVESTIGATION - understand user needs + problems faced SYSTEM ANALYSIS - ask the why's, establish better alternatives / methods STRATEGIC DESIGN - detailed spec / test / create + determine inputs + outputs + security + storage + design etc [form of Prototyping] STRATEGIC IMPLEMENTATION - write or aquire proposed software / monitor / train / test / convert / commit!

Answer 46

BUSINESS OBJECTIVES - purpose of the function being assessed. OPERATIONAL STANDARDS - form of benchmarking. ACTUAL VS EXPECTED - ToC / Substantive Testing / Walkthrough. Comparing test evidence with expected. WEAKNESSES IDENTIFIED - within the area tested. CAUSE AND EFFECT OF WK IDENTIFIED - why its happen and looking at impact. RECOMMENDATIONS TO BOARD - best way to resolve / improve areas to ensure business objectives are aligned. Includes Timescales / Staff Responsible. Overall focus of IA is on effectiveness of ICs / RM / Governance [IA should provide an objective view + independent assurance].

Answer 47

``` COMPLIANCE / SYSTEMS FRAUD VALUE FOR MONEY MANAGEMENT SOCIAL & ENVIRONMENTAL EXTERNAL AUDIT ```

Answer 48

INHERENT - risk faced due to the nature of operation. Considered 'uncontrollable'. RESIDUAL - risk left once control has been put in place. Should align with a firms Risk Appetite. CONTROL - risk of internal control failing / being absent / inadequate. DETECTION - internal auditor failure to spot material misstatements. Function of Sampling Risk. SAMPLING - risk of not testing whole population. NON-SAMPLING - risk that assumption of whole population is incorrect based on sample

Answer 49

DEVELOPMENT - collection of idea ANALYSIS - Suitability [core values / strategy alignment?] / Feasibility [can we do it?] / Acceptability [StkH reaction?] CONTROL - Post Implementation Review [What did we learn?] / Post Completition Audit [outcomes achieved?]

Answer 50

FLEXIBILITY - ability to adapt to different client needs. INNOVATION - being able to deliver on time + create value for firms in new ways. RESOURCE UTILISATION - links to efficiency of operations. Streamlining services to maximise margins. EXCELLENCE - performing a service which retains and attracts. FINANCIAL - meeting financial goals set by the board / shareholders / stakeholders. COMPETITIVENESS - maintaining market position and pursuing growth through benchmarking against rival performers.

Answer 51

INSIDER THREAT TEAMS [internal] - aim to intercept threats. THREAT INTELLIGENCE TEAMS [external] - aim to intercept threats. HUNT TEAMS - seek out unidentified breaches. INCIDENT RESPONSE TEAMS - deal w. immediate aftermath. Use techniques such as SIEM [Security info & Event management] to monitor data + detect patterns.

Answer 52

LEADERSHIP ROLES DEFINED SIZE, REGULATION AND FUNCTION CONSIDERED CS OBJECTIVES LINKED W. FIRM OBJECTIVES SYSTEM OF FEEDBACK

Answer 53

OPPORTUNITIES - Uncover weaknesses - Simulate CS attacks [helps to train staff] - Test response teams + actions of internal staff - Peer review / benchmarking THREATS - Loss of key data - Expensive to recover + opportunity costs [operational downtime] - Reputational damage + increased vulnerability - Compliance issues [failure to alert authorities]

Answer 54

Liase with Bank Liquidity Management Borrowing Activities [debt] Funding Arrangements [equity] Currency Management Helps to mitigate risks of a firm being unable to source capital.

Answer 55

PRESSURE - external / internal factors OPPORTUNITY - poor controls / position of power RATIONALISATION - staff motivation / grudge against company Used to help with Prevention / Detection.

Answer 56

FINANCIAL - LT impact on CFs OPERATIONAL [Process Risk] - failure of ICs REPUTATIONAL - impact an adverse consequence of an event has on a firm EXTERNAL / THIRD PARTY - outsourcing / regulators BEHAVIOURAL - staff motivation / productivity ORGANISATIONAL - Pestel

Answer 57

TRANSLATION - assets and liabilities converted into domestic reporting currency. M: matching. TRANSACTION - agreed at one rate, settled at another [FX Gain/Loss]. M: hedging. CULTURAL - exposure to the 'new norms' [customs, tastes, language, laws]. M: Market Research. POLITICAL - tariffs / local protection of industry. M: relationship building / supporting. ECONOMIC - interest rates, inflation, tax rates [CFs impacted in LT]. M: diversifying supplier / customer base. MARKET - risk from changes in the value / availability of resources. M: Scenorio planning. CREDIT - default, liquidity, trading damages. M: Insurance / Cash Flow Forecasts / Factoring / Screening.

Answer 58

Determine the occurence of a breach [known or suspected], if occured: CONSEQUENCE - impact / scope / severity of the CS attack CAUSE - how did it happen: weakness in system or failure of staff members? CULPRIT - who did it? Important to preserve evidence in case legal action taken.

Answer 59

RULES AND PROCEUDRES - inc Structure + Methods of imposing control CORE + ETHICAL VALUES PERFORMANCE SCHEMES ATTITUTES AND BEHAVIOURS OPERATING STYLE OF MANAGERS HOW FIRM ATTRACTS + RETAINS STAFF TCE influence / drive Internal Control procedures.

Answer 60

OPERATIONAL ASSURANCE - owns the risk and controls necessary to manage risk. Business Unit Level. MANAGEMENT ASSUARANCE - management monitoring / reviewing of internal controls, RM and performance. variances investigated? is the work being done correctly / as intended? are the controls functioning as they should? [oversight function] INTERNAL AUDIT - independent assurance that RM, IC and Gov. are operating effectively / in line with a firms objectives? First two lines under control of Senior Management. 4th line inc. External Auditors.

Answer 61

RISK APPETITE - desired level RISK TOLERANCE - boundaries RISK CAPACITY - ability to absorb losses / take on risk if necessary RISK UNIVERSE - all possible risk a firm is exposed to

Answer 62

RISK SEEKING - focus on Return Level. Actively pursuing higher levels of risk, in the hope of greater returns. Volatility in returns viewed as an opportunity. RISK ADVERSE - focus on Risk Level. Acceptance of lower risk to gurantee returns. Unwillingness to take on project that exceed a certain level. Higher risk projects only taken on if sufficient levels of return offered / justified.

Answer 63

FAMILIAR RISK - known to a firm / identified in their assessment of risk. Likely to have occured histrocially. UNFAMILAR RISK - outside of a firms usual radar. Viewed as exceptional + atypical , hence more difficult to manage. Risk Manager tasked with assessing likely impact / occurance.

Answer 64

BRAINSTORMING INDUSTRY TRENDS COMPETITOR ACTIONS / BENCHMARKING PESTEL / SWOT REGULATIONS INTERNAL AUDITS CHECKLIST OF COMMON RISK AREAS

Answer 65

ASSESS CURRENT POSITION IDENTIFY PRINCIPAL RISK ASSESS SIGNIFICANCE + PRIORTISE RISKS [Impact vs Likelihood] DEVELOP WAYS TO MANAGE [TARA] IMPLEMENT CONTROLS BY ALLOCATING RESOURCES Important to have a Feedback loop in place

Answer 66

PURPOSE - plot risk to decide best way to manage. HOW - assesses Impact vs Likelihood. OPTIONS inc: Accept - keep under review. concious decision. d/n ignoring risk. Reduce - most common. ALARP. Transfer - insurance. contigency. includes Risk Sharing. Avoid - immediate action require. inherent risk cannot be avoided [aim to reduce].

Answer 67

STRICT LIMITS ON NON-AUDIT WORK DETAILED AND RIGID CODE [SET OUT IN LAW] NON-COMPLIANCE NOT JUSTIFABLE MANAGEMENT TO ASSESS INTERNAL CONTROLS + FINANCIAL REPORTING [EXTERNAL AUDITOR VERIFY] CEO'S & CFO'S VERIFY ACCOUNTS

Answer 68

COMPLY OR EXPLAIN PRINCIPLE SHAREHOLDERS TO DECIDE ON DEVIATIONS BEST PRACTICE FOCUS ON BALANCE OF NEDs FLEXIBILITY ACROSS JUSIDICTIONS LACK OF CONSISTENCY + INCORRECTLY VIEWED AS 'VOLUNTARY' CAN LEAD TO ISSUES.

Answer 69

HUMAN ERROR / FRAUD - intentionally / unintentionally ignoring controls in place LACK / WRONG FOCUS - controls over immaterial areas. Costs > Benefits. or Non-Routine events outside of controls scope. TOO RIGID / STIFLE INNOVATION - reduce a firms agliness COST TO IMPLEMENT - vs benefits. Requires human and financial resources. MANAGEMENT OVERRIDE - not following set procedures CHANGE - system no longer 'fit for purpose' OPPORTUNITY COSTS - testing, training, supervision and maintainence.

Answer 70

FINANCIAL / NON FINANCIAL Financial ICs - budgets, standard costing, investment appraisal. Non Financial ICs - KPIs, performance appraisal, codes of conduct. PREVENT, DETECT, CORRECT, DIRECT Preventive ICs - stop risks from occuring in the first place. TQM. Invoices checked against goods received. Detective ICs - identify risks once they have occured. Bank Recs. Corrective ICs - reduce impact of errors back to acceptable level. Back-ups. Directive ICs - guide behaviour towards desired outcome. Credit control chasing invoices / Customer service training. INPUT, PROCESS, OUTPUT Input ICs - what goes in. Sourcing materials at best price. Process ICs - focus on optimisation, effeciencies, performance, waste. Output ICs - meeting expectations in terms of quality, speed, service and accuracy. OUTSOURCING Adhoc - ST skill gaps covered. Project - new IS system needs. Partial - multiple services outsourced [payroll, finance, storage] Total - entire service outsourced [licensing]. SEVICE LEVEL AGREEMENTS - minimum standards laid out. Focus on timescale, change process, exit routes.

Answer 71

REVERSE ENGINEERING: DECOMPLILATION - turns binary code into source code. Easy to understand DISASSEMBLY - turns binary code into assembly code. Difficult to understand

Answer 72

REGRESSSION - impact of one variable on another. Assessing volatility of future CFs based on impact of risk factors. EXPECTED VALUE - Probability x Impact SIMULATION - focus on mean and standard deviation. SENSITIVITY ANALYSIS - impact change in one variable has on NPV. CERTAINTY EQUAIVALENT - quantified amount a firm is willing to accept now, whilst giving up their future returns.

Answer 73

CURRENT RATIO / ACID TEST - liquidity. GEARING [Int.D / Equity + Int.D] - sustainable structure? DEBT VS EQUITY - Stakeholder reaction / impact on dividends INTEREST COVER [Pbit / Int Charges] or CASH FLOW [NCF / D] - Short term obligations

Answer 74

CHANGES IN REVENUE: +ve - able to keep up with demand? Infrastructure able to support growth? -ve - LT decrease in value indicator? Investor confidence impacted? Temporary issue / or sign of future problems? CHANGES IN COSTS +ve - poor controls, financial performance impacted? -ve - ability to create value impacted? Aligned with strategy? INCREASED RECEIVABLES - cash flow issues / poor controls on customers? INCREASE SHORT TERM PAYABLES - reliance / working capital issues?

Answer 75

STATISTICAL PROJECTIONS [expected future trends] - based on historic data [has its limitations]. Quantitative research to drive decision making. Bias may be built into modelling + uncertainty often underestimated. Cannot account for special events. JUDGEMENTAL FORECASTS [prediction of future events] - use of industry knowledge and acumen to drive decisions. Move away from scientific focus to future events. Harder to justify incorrect predictions + discussions may be dominated one one persons view / hunch.

Answer 76

STATISTICAL PROJECTIONS Trend Analysis - past data to predict future Time Series Analysis - establish seasonal trends Regression Analysis - correlation between x and y Econonmetrics - interrelationships JUDGEMENTAL FORECASTS Think Tanks - unstrcuture, experts meeting Delphi Method - anonymous, concensus reached Brainstorming - all levels, opinions and ideas in unstructured setting Jury Forecasts - panel of experts, structured Derived Demand - predicting future movements in demand for goods

Answer 77

ASSUMPTIONS - firms to seek Win-Win outcomes. Firms better off working together, to reduce risk of Lose-Lose. USE - Competitor reaction to strategy to be considered. DRAWBACK - collusion is illegal in UK / generally lack of transparency of how competitors will react. AIM - to maximise chance of W/W scenario.

Answer 78

Scenario planning has value in any situation in which there is SIGNIFICANT UNCERTAINTY about aspects of the future that could MATERIALLY change an organisation’s STRATEGY, PLANS or DECISION. Known as DISRUPTIONS: 'interuption in the usual way a system, process or event works'. Focus on LEARNING / Form of FORESIGHT. +ve's: Challenge assumptions / Proactive strategy -ve's: Future shaped by only actions imagined NOW.

Answer 79

PURPOSE - to protect systems, networks and programs from digital attacks. CONFIDENTIALITY - 'keeping out' through encryption / access codes / legal requirements INTEGRITY OF DATA - records of data kept securly, accurately, not lost or corrupted INTEGRITY OF PROCESSING - data is not used in a malicious way, or a way that the user of data did not intend AVAILABILITY - 'opening up' to the right personnel / those with legitimate business purpose

Answer 80

REVIEW OF COMPUTER USAGE RECRIUTMENT JOB ROTATION ENFORCED VACATIONS SUPERVISION TERMINATION PROCEDURES

Answer 81

HOT SITE - functional, 'ready to go' back up site. Both hardware and software. WARM SITE - similar to HS, but additonal time before functional. COLD SITE - location only. No software or hardware installed. MIRROR SITE - software only. Used in event of information overflow or reponse to disaster.

Answer 82

PRIVACY BREACHES / UNAUTHORISED ACCESS LOSS OF DATA VIRUS / HACKING DOWNTIME / HIGH MAINTENANCE COSTS THIRD PARTY RISK INTERNAL PARTY RISKS

Answer 83

EMPLOYEE / CUSTOMER / SUPPLIER PERSONAL DATA FINANCIAL RECORDS [which are not widely available] DATA STORED WITHIN A FIRMS INFRASTRUCTURE [inc. Medical Data] INTELECTUAL PROPERTY ALL COMMERCIALLY VALUABLE DATA.

Answer 84

ANTI VIRUS PROTECTION - regularly updated EMPLOYEE TRAINING - defined protocols EMAIL / SPAM FILTERS - either manual or auto FIREWALLS - contain impact thru segmentation ADAPTIVE / INNOVATION DETECTIVE TECHNOLOGY inc Gatekeeping Controls ['I am not a robot'] BYOD - minimum standards of software security BACK-UP COPIES

Answer 85

RELATED - outside of usual course of business however within a firms capabilities. Inc Vertical [supplier vs customer] and Horizontal [megers] integration. UNRELATED - outside of usual course of business + capabilities.

Answer 86

USES - anticipate change / design appropriate strategies / support decisions to drive growth RISKS - shared when it needs to be / timescales of usefulness / historical data does not necessarily help to predict the future

Answer 87

DEGREE OF BUSINESS ASSURANCE EFFICIENCY AND EFFECTIVENESS OF OPERATIONS VALIDATION BY EXTERNAL AUDITORS INCREASES STAKEHOLDER CONFIDENCE HELPS TO REDUCE THE COST OF FAILURE

Answer 88

STRATEGY - mission and values determine the amount of risk a firm is willing to accept. Strategy is formulated to achieve the mission. CORPORATE OBJECTIVES - in order to achieve objectives, risk has to be taken. RISK - inherent within operations. Important that a firm understands the likely risk when setting strategy. Allocation of resources to match risk appetite.

Answer 89

PERFORMANCE RELATED PAY - leading to excessive risk taking / focus on short term deliverables. MITIGATED THRU - creation of long-term interest: - Share Options - Performance assess over multiple years

Answer 90

RISKS - Misassessment [Intro, Growth, Shakeout, Mature, Decline] impacts marketing / commercial decisions - Product stages vary upon industry / product behaviours MITIGATE - Balanaced, well diversified portfolio - Understanding stage of industry improves strategic decision making. E.g. decision to divest.

Answer 91

NOT PRIORTISING KEY PLAYERS - must be satified as a minimum CONFLICTING DEMANDS - even once interest vs power determined. IGNORING INTEREST - assessment helps to understand those Stakeholders likely to inhibit success

Answer 92

BEING STUCK IN THE MIDDLE TRYING TO ADOPT BOTH - lower costs may impact premium nature LOW COSTS DN EQUAL LOW PRICES DIFFERENT DN EQUAL VALUE FOCUS SACRIFIES EoS + SEMENTS LESS DISTINCT

Answer 93

MARKET PENETRATION - least risky, minimum capital investment required MARKET DEVELOPMENT - low to medium risk, same prdouct new market. PRODUCT DEVELOPMENT - medium risk, requires capital investment to develop new products. DIVERSIFICATION - high risk and uncertainty attached. High investment likely in order to achieve return.

Answer 94

MARKETS DIFFICULT TO DEFINE HIGH MARKET SHARE REQUIRES SIGNIFICANT INVESTMENT [WC] + DN SUPPORT NICHE STRATEGY NOT SUPPORTING QUESTION MARKS OR STARS THROUGH CASH COWS - linked to balanced portfolio FAILURE (NOT) TO DIVEST DOGS - ignoring market trends

Answer 95

PURPOSE - attempts to gain unauthorised access in order to damage software or steal sensitive data VIRUS - attaches to program, spreads upon usage WORM - does not attach, spreads without user knowledge. Standalone, without need for user to launch. TROJAN - sits within network [does not spread], deloying various functions [pop-up ads / malware links / allows external access] BOT... Web Crawlers: gather information in the background Botnet: allow external users to access network Keyloggers: touch pad sensors to gain password access MALVERTISING - online ads which contain hidden malware

Answer 96

CONTROLS: Due Dilligence SLA [confirming the processes to be used] Review of ISO 27001 Accreditation [a way to assess the CS controls in place within the 3rd party] Setting KPIs / Performance Measures Screening

Answer 97

BALANCE [NEDs / EXECs] + SIZE + DIVERSITY INDUSTRY EXPERIENCE, KNOWLEDGE, SKILLS AND DEVELOPMENT [CPD] FORMAL SCHEDULE OF TASKS COMMITMENT inc regular meet-ups, sufficent time allocation to fulfil responsibilities. Link to Accountability. FAIR REMUNERATION / APPRAISAL based on objectives factors: - Independence & Innovation - Industry Familiarity - Active Participation - Enthusiasm - Business and Personal Development

Answer 98

CHAIR - responsible for managing the board of directors. Ensures company is functioning in the best interests of the SHs. CEO - reponsible for managing the company. Helps to implement the strategy set by the board.

Answer 99

CHAIR - Leadership to board - Encourage participation / communication across board - Transparency with shareholders - Resolve conflicts between NEDs and EXECs - Induct new directors - Appraise CEO and Board members - Accurate, timely information shared with Board CEO - Leadership to company - Effective implementation of Board decisions / vision - Firm performance accurately reported to Board - New investment initiatives - Communication with stakeholders - Involvment with induction - Involvement with appraisal

Answer 100

AVOIDS CONFLICT OF INTEREST - relationship to remain professional REDUCES BURDEN IMPROVES ACCOUNTABILITY - implementation or vision? ENHANCED SCRUNITY OVER DECISION MAKING

Answer 101

PATCH MANAGEMENT - quick fix software update to address vulnerabilities spotting within system. Either Corrective [in response to breach] or Preventive [in anticipation to potential breach]. Key focus is TIME.

Answer 102

INTERNAL : - TRAINING, to ensure staff understand importance of compliance. - CORPORATE COMMUNICATION, via intranet and emails. EXTERNAL: to meet regulatory and stakeholder needs - REPORTING - CONTRACTS - STATEMENTS

Answer 103

PROFESSIONAL BEHAVIOUR - engaging in a way that does not discredit the proffesion INTEGRITY - truthful, honest actions + not engaging in activities known to be corrupt / false PROFESSIONAL DUE CARE - keeping up to date on developments and knowledge CONFIDENTIALITY - not sharing informaiton unless for a justifiable business purpose OBJECTIVENESS - removing bias, conflict of interest or undue influence.

Answer 104

LOAD TESTING - testing a system at expected capacity STRESS TESTING - testing the breaking point of a system Value at Risk = the maximum expected losses based on current activity / normal probability distributions.

Answer 105

FUNDAMENTAL RISK - macro level, cannot influence at an individual level SPECULATIVE RISK - return either positive or negative outcomes PURE RISK - only negative outcomes [no upside] PARTICULAR RISK - individual has control over. E.g. Decision to stop smoking reduces chance of lung cancer

Answer 106

STRATEGIC RISK - possible outcomes [due to internal decisions vs external factors] which have material impact on future strategies. Assessed in terms of source, scale and duration. Impact should be felt long term [volatility of long-term performance] OPERATIONAL RISK - day to day business risks. Includes risk of IC controls failure, key staff resigning, industry disputes, IS and RM problems.

Answer 107

CONFIDENTIAL INFO NOT SHARED WITH EXTERNAL SOURCES [unless commercially justifiable - impt to encrypt] SENISTIVE EMAILS STORED SECURELY [in case of legal purposes] ATTACHMENTS CHECKED FOR VIRUSES [and reported if suspicious]

Answer 108

COMMERCIALLY VALUABLE INFORMATION SHARED WITH COMPETITORS MISINTERPRETATION BY RECEIVER DYNAMIC ENVIRONMENT MAY LEAD TO DISCLOSURES BEING OUTDATED

Answer 109

ETHICAL - work for owners, look for gaps. Spot weaknesses + improve. BUG-BOUNTY - reward hackers for breaking system UNETHICAL - exploitation, malicious purposes GREY HAT - fix for fee / post online SOCIAL ENGINEERS - expolit trust to gain access either physically or virtually. Inc. 'Dump Diving'

Answer 110

ECONOMY - sourcing resources at best price. EFFICIENCY - processes streamlined, minimum waste. EFFECTIVENESS - in achieving the firms objectives in terms of Speed / Quality / Delivery / Service etc.

Answer 111

SELF REVIEW - difficult to spot own errors. INTIMIDATION - actual / perceived threat. FAMILIARITY - too close to party. ADVOCACY - objectivitiy compromised. SELF INTEREST - financial or other gain impacting judgment.

Answer 112

BUDGET CONSTRAINED - most likely cause of DFB. Short term focus - High tension - High manipulation - Impacted staff relations. PROFIT CONSCIOUS - medium risk of DFB. Assessment against hitting profit targets / financial goals. Medium tension - Little manipulation - Good staff relations. NON ACCOUNTING - low risk of DFB. Move away from financial factors. DFB occurs through ignoring the financial goals [which ultimately is the best way to measure a firm's performance]. Medium tenision - Little Manipulation - Good relations.

Answer 113

EXTERNAL FACTORS EVERCHANGING [PESTEL] DECISION MAKING AT AN INDIVIDUAL LEVEL CONTROL FAILURES [inc. bypassing] UNEXPECTED HAZARDS ['Unknown unknowns']

Answer 114

GREATER DEMAND FROM SHAREHOLDERS GREATER DEMAND FROM CUSTOMERS KEEPING UP WITH COMPETITION INNOVATION NEEDS

Answer 115

OECD - advises Governments on best practice for Corporate Governance for companies. Focus on 'Disclosure & Transparency'. ICGN - practical guidance for Board of Directors, to meet expectations of shareholders. Focus on Disclosure of Risk Management / Risk Responsibility / Sound governance policies [independence / culture / oversight / fair remuneration / SH rights].

Answer 116

NEDs - provide independent perspective / balanced viewpoint inc. scrutiny over Execs. Removes risk associated with PRP. EXECs - provide skills, knowledge and experience when setting Risk Management approaches + Strategy.

Answer 117

``` THE RIGHT: to be Informed [on how your data will be used] to Access to Rectify to be Erased to Restrict to be Portable to Object to have a Person decide [on how your data will be used] ``` FIRMS SHOULD: - Supply copies of data if requested - Obtain consent from user to hold sensitive data [including consideration of data already held] - Not pass on data to unauthorised parties - Hold themselves accountable

Answer 118

COMPENSATION TO DATA USER FOR DAMAGES / LOSS INACCURATE DATA TO BE CORRECTED OR WIPED SUPPLY USER WITH COPIES OF DATA HELD

Answer 119

CONFORMANCE COSTS - incurred to avoid sub-par output. Inc. Appraisal [checking goods before they go out] and Prevention [stopping errors in the first place!]. NON-CONFORMANCE COSTS - incurred in order to rectify errors in quality [product recall] / internal failures [wastage].

Answer 120

Examination of financial records Report on the truth and fairness of financial statements Responsible to shareholders Use of rigorous testing to collect evidence to support their findings Deputy to the laws, regulations, auditing + accounting standards

Answer 121

SOCIAL AUDIT - sustainable use of HR, Health and Safety, labour conditions and equal opportunities. ENVIRONMENTAL AUDIT - sageguarding environment.

Answer 122

Independent appraisal of effectiveness of managers / corporate structure in achieveing entity's objectives. Focus across both financial and non-financial objectives. Looks for ways to rectify. Important to understand the objectives of the business before 'Carrying out Investigation -> Gathering Evidence -> Report the Result'.

Answer 123

EXTERNAL EVENT - opps vs threats [economic changes / political developments / tech] INTERNAL EVENTS - strengths vs weaknesss [equipment failure / human error / product defects] LEADING EVENT INDICATOR - give rise to another event ESCALATION TRIGGERS - require immediate action

Answer 124

PURPOSE - determine general policy on remuneration of Execs, Chair, CEO and Senior Management. STRUCTURE - NEDs [independently agreed, transparently disclosed] FOCUS - clarity, simplicity, proportional [to performance], alignment with culture [best practice], market factors. AIM - attract, retain sufficient calibre. Motivate in line with SH's best interests. CONSIDERATIONS [both] - Fixed & Variable, Immediare & Deffered, Long Term & Short Term, Cash & Non-Cash.

Answer 125

STRATEGIC MANAGEMENT / PLANNING - Trends / Pestel - Market Characteristics - Technology Developments - Customer Competitor Info TACTICAL MANAGEMENT / MANAGEMENT CONTROL [acts as the link / facilitator] - Strategic decisions [helps them to implement] - Operational reports [filtered through to senior management] - Financial and performance targets - Cost information OPERATIONAL CONTROL [Detail & Data] - Orders - Staff Feedback - Customer Feedback - Bottlenecks - Volume and availability of resources

Answer 126

DIGITAL NATIVES - milenials DIGITAL IMMIGRANTS - adopted DIGITAL VISITORS - purpose only DIGITAL RESIDENTS - leave clear trace

Answer 127

PROFESSIONAL SCEPTISM - addressing the limitations of lack of information + the subjectivity within assumptions + why information is necessary to drive DM. Helps to assess Feasibility & Acceptability of a project / strategy.

Answer 128

SUITABILITY - does it fit with a firms direction / core values / help to fulfil objectives? Address key opps or threats? ACCEPTABILITY - how will the 'key players' / shareholders react to the decision? Consideration of Risk Appetite / Financial + Non Financial factors / CSR / Existing Agreements. FEASIBILITY - do we have or access to the resources in order to carry out the strategy? Within current / potential strategic capabilities? Can we implement?

Answer 129

USE - Government / Not-for-Profit PURPOSE - how well public money is being used to provide services? FOCUS - a) Economy / Efficiency / Effectivness b) Challenge / Compare / Consult / Compete

Answer 130

COMPLIANCE W. LEGAL AND REGULATORY FRAMEWORKS [inc signing docs & registers + annual accounts] INFORMATION NEEDS TO THE BOARD + ARRANGE MEETINGS FOR SH'S COMMUNICATION WITH SHAREHOLDERS BOARD DECISIONS BROADCASTED TO EMPLOYEES AND WIDER STKHOLDERS FINANCIAL OR LEGAL EXPERTISE

Answer 131

SINGLE - unitary DUAL a) Supervisory, overall responsibility b) Management, daily running of firm THREE TIER a) Policy, strategic b) Functional, operational c) Monocratic, PR

Answer 132

PROBLEM - Information Asymmetry ['trust issues'] + Conflicts of Self- Interest ['balancing act'] SOLUTION - Transparency, disclosures + LT interest of firm instilled into directors, SH power [removal / exercise control] ULTIMATE AIM - introduce control mechanisms to control board without impacting their ability to function effectively.

Answer 133

PROMOTING SUCCESS OF FIRM DRIVE DIRECTION OF FIRM THRU ENTREPRENEURIAL LEADERSHIP w.i EFFECTIVE CONTROLS. ACCOUNTABILITY TO SHAREHOLDERS MONITOR PERFORMANCE OF COMPANY IN ACHIEVING AIMS ENSURE FIRM IS ACTING WITHIN A COMMERCIALLY + SOCIALLY ACCEPTABLE MANNER MAINTAIN AN EXTERNAL FOCUS ENSURE NECESSARY RESOURCES / SKILLS SET STRATEGIC AIMS ENABLE RISK TO BE ASSESSED + MANAGED

Answer 134

FATHER CONFESSOR - act as confidant OIL CAN - manage conflict HIGH SHERIF - removal of high positions

Answer 135

FOCUS - Strategy: contribute and challenge - Scrutiny: performance of Execs and Management - Risk: ensure systems are robust - People: safeguard interests of SHs ISSUES - Lack of true independence: cross dictatorships / remuneration / pensions / shareholdings / previous employment - Lack of effectiveness: industry experience / availability / commitment

Answer 136

PURPOSE - systematic process of PROBING for VULNERABILITIES in applications + networks EXAMPLES - Connections w. internet / Simulating phising and social engineering

Answer 137

WHITE BOX - full access to system / network. Comprehensive assessment of both internal and external vulnerabilities. GREY BOX - partial access to system [user level privileges only]. Focus assessment on systems with greatest risk and value from the start. BLACK BOX - no access provided prior to test. Exposes external vulnerabilites of a system.

Answer 138

IP SECURITY - secure private comms TRANSPORT LAYER SECURITY - secure private comms with bespoke encryption MIKEY-SAKKE - end-to-end encryption

Answer 139

PROTECTION - what to protect [software vs hardware] + ICs in place to do so. DETECTION - monitoring, recording and escalating threats. RESPONSE - proactive vs reactive measures. Inc. Patch Management vs Specialist Teams [hunt teams]

Answer 140

CSR ISSUES - not extending reach beyond commericial responsibilties. CUSTOMER SERVICE - not understanding why the customer buys from you. Link to expectation LEGAL ISSUES - data protection / impact industry dependent STAFF POLICIES - link to ethics. FAILURE TO INNOVATE - viewed as 'outdated' POOR GOVERNANCE STRUCTURE - lack of diversity / accountability? INVOLVEMENT IN BRIBERY / CORRUPTION - mitigated through strong ICs + whistleblowing arrangements POOR ETHICS - increases compliance / external auditor focus

Answer 141

PROBITY - untruthful or misleading behaviour BRIBERY & CORRUPTION - borders no boundaries for prosecution [UK Bribery Act + US Foreign Corruption Practice Act]. Leads to fiancial, legal and reputational risk REPUTATIONAL RISK - caused as a result of adverse consequences of another risk. 'Years to build, but can disappear overnight'.