Revision Flashcards

1
Q

Strategic risk

A

is the potential volatility of profits as a result of the type of business operations.

2
Q

Operational risk

A

is the risk of loss from the failure of internal processes of a company.

3
Q

Strategic risk –

A

These arise from the overall strategic positioning of the company in its
environment e.g. financial risk. This arises partly as a result of the way it chooses to be financed
(debt or equity) but also where financial conditions are different to those expected (e.g. interest
rate risk, foreign exchange risk).

4
Q

Operational risk –

A

Operational risks refer to potential losses arising from the normal business
operations. Accordingly, they affect the day-to-day running of operations and business systems
in contrast to strategic risks that arise from the organisation’s strategic positioning.

5
Q

Risk mapping

A

Involves the evaluation, management and reporting of risks.

6
Q

CGMA’s Risk Management Cycle

A

1 Establish a risk management group and set goals.
2 Identify risk areas.
3 Understand and assess the scale of risk.
4 Develop a risk response strategy.
5 Implement the strategy and allocate responsibilities.
6 Implement and monitor the suggested controls.
7 Review and refine the process and do it again.

7
Q

The framework that COSO published has eight components

The cube

A

Components:
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring

8
Q

ISO 31000 three main clauses

A

The principles of creating and protecting value within the organisation (clause 4)

The organisational framework that governs risk (clause 5)

The risk management process itself (clause 6)

9
Q

The framework that COSO published has four objective categories.

The cube

A

Strategy – high-level goals, aligned with and supporting the organisation’s mission
Operations – effective and efficient use of resources
Financial Reporting – reliability of operational and financial reporting
Compliance – compliance with applicable laws and regulations

10
Q

Policy on nominating the Chairman of the Board:

A

The Chairman should be re-elected annually

The Chairman should be selected by a majority Board vote.

A person should not serve more than six years in succession as Chairman of XY plc.

11
Q

Roles of the nomination committee

A

Considers whether an individual is appropriate to serve on the board of directors

Prepares a job specification for the Chairmanship of the company

Evaluates the balance of skills, experience, independence and knowledge on the board

12
Q

Professional competence

A

A professional accountant has a [continuing] duty to maintain professional [knowledge] and [skill] at the level to ensure that the employer receives competent professional service.

13
Q

Stress testing

A

involves scrutinising and critically appraising an existing strategy. It is designed to challenge the status quo and is therefore particularly appropriate where there is stagnation or complacency.

14
Q

Benefits of an internal control system

A

Improves quality of internal reporting

Improves quality of external reporting

Helps a company to comply with laws and regulations

15
Q

Three primary objectives in designing an effective internal control system

A

(1) Reliability of Financial Reporting
(2) Efficiency and effectiveness of operations
(3) Compliance with laws and regulations

16
Q

An internal control system is deemed to comprise two key elements:

A

“Control environment” – the management’s attitude and philosophy regarding controls. This can be ascertained to a degree by the number of control procedures the company has.

“Control procedures”/activities – the actual policies and procedures in place which ensure that risks and errors are minimised, e.g. performing a monthly inventory count provides evidence of a strong control environment surrounding inventory management.

17
Q

General controls

A

Password controls

Physical controls such as swipe cards restricting entry to computers.

Fire alarms and smoke detectors would also be included under this heading.

Personnel controls – ensuring that staff are aware of the importance of good computer security by recruiting motivated, intelligent staff and giving them sufficient training and supervision.

Environmental controls – such as fire detectors

Contingency (or “disaster recovery”) plan – a document detailing the plan of action should a disaster such as a fire or flood occur.

Regular backups of key data

Virus protection

Firewalls

Anti-spyware software

18
Q

Application Controls

A

Data verification controls, e.g. having mandatory fields on an application form

Data validation, e.g. checking credit card number validity

Exception reports – where any values over a certain threshold are highlighted in a separate report.

19
Q

Systems Development Lifecycle

A

Planning/Feasibility study – Initially, there will be recognition that “things can be done better”.

Systems analysis – This process ranks the available systems and will ultimately determine whether the company produces the new system in-house or outsources its design.

Systems design – Describes desired features and operations in detail, including screen layouts, business rules, process diagrams and other documentation (e.g. flowcharts).

Systems development – The system can then be built, with changes to the new system documented carefully so that future updates and developments can be carried out.

Implementation – The new system can be introduced, by application or by location, and the old system gradually replaced.

Maintenance – The correction or enhancement of systems once they are in operation. A post-implementation review offers the opportunity to check that the system:

20
Q

Problems with a value for money audit

A

The objectives of the activities being measured may not be clear.

Effectiveness may be difficult to measure.

There may be a contradiction between focusing on efficiency and economy and focusing on effectiveness.

Pursuit of economy may lead to quality falling.

21
Q

The four objectives of cybersecurity

A

Availability

Confidentiality

Integrity of data

Integrity of processing

22
Q

Place the steps in the system monitoring process in the correct order:

A

1st → Establish a monitoring strategy based on business need and assessment of risk

2nd → Monitor all systems across the network, including network traffic and user activity

3rd → Establish a centralised capability to collect and analyse information

4th → Ensure that policies and processes are in place to manage and respond to incidents

5th → Conduct a ‘lessons learned’ review after any security incident

23
Q

Relating to the Balanced Scorecard

Market share

Value added

A

Market share → Non-financial, Value added → Financial

24
Q

Which one of the following sentences best describes risk?

A

The expected impact of uncertain future events on objectives

25
Q

The four levels to the COSO ERM framework

A

are subsidiary, business unit, division and entity

26
Q

Key features of assurance mapping

A

Assurance mapping will help the non-executive directors understand the compliance requirements of Jig Plc (Correct)

Assurance mapping will help the non-executive directors to understand any gaps where a mitigation strategy for a particular risk is lacking (Correct)

The transparency provided by assurance mapping will help directors to fulfil their duties (Correct)

It will not provide full briefing on the current internal audit plan.

Internal auditors will drive the assurance mapping exercise

27
Q

COSO stated that effective internal control systems consist of five integrated elements

A

Control environment.

Risk assessment.

Control activities.

Information and communication.

Monitoring.

28
Q

An effective anti-fraud strategy has four main components –

A

prevention, detection, deterrence and response.

29
Q

Centralised management

A

is a key way to control and orchestrate important security features.

30
Q

The Turnbull guidance described three features of a sound internal control system:

A

Firstly, the principles of internal control should be embedded within the organisation’s structures, procedures and culture.

Secondly, internal control systems should be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment.

Thirdly, sound internal control systems include procedures for reporting immediately to appropriate levels of management any significant control failings or weaknesses that are identified, together with details of corrective action being undertaken.

31
Q

The three prerequisites for fraud

A

Rationalisation

Opportunity

Motive

32
Q

Developing a sound ethical culture to ensure long-term survival

A

CIMA recommends that organisations have:

a mission statement that refers to quality or, more unusually, to ethics and defines how the organisation wants to be regarded externally

clear policy statements on business ethics and anti-fraud, with explanations about acceptable behaviour in risk prone circumstances

a route through which suspected fraud can be reported

an aggressive audit process that concentrates on areas of risk

management who are seen to be committed through their actions.

33
Q

The Audit Committee should be responsible for

A

Recommending appointment, or removal of the company’s external auditor (Correct)
Reviewing the company’s system of internal financial controls (Correct)

34
Q

Which THREE of the following are the key components of the AICPA cyber security risk management reporting framework?

A

Management’s description
Management’s assertion
The practitioner’s opinion

35
Q

Risk reduction can be achieved using which of the following theories?

A

Portfolio theory

36
Q

Inherent risk

A

A risk that exists regardless of internal controls

37
Q

Turnbull suggested that control systems should:

A

1) be embedded in the operation and not a separate exercise
2) be able to respond to changing risks within and outside the company
3) include procedures for reporting control failings and weaknesses.

38
Q

A fraud response plan normally includes a section on

A

Corporate policy (Correct)
Roles and responsibilities (Correct)
Investigation and evidence (Correct)

39
Q

Items to include in the report on the risk committee’s activities over the year, as part of the company’s annual report.

A

The report should provide stakeholders with assurance that the committee is robust, comprised of suitable employees and able to carry out its roles effectively.

Description of purpose (Correct)
Details of membership (Correct)
Individual members’ attendance (Correct)
Roles and responsibilities (Correct)

40
Q

The most important aspects of cyber security

A

AIC stands for:

Availability, Integrity, Confidentiality

41
Q

E-commerce

A

refers to the conducting of business electronically via some sort of communications link and may result in access to larger markets, targeted marketing, reduced costs and elimination of intermediaries.

42
Q

Compliance audits

A

Check the implementation of written rules, regulations and procedures. They verify that a check is taking place, so it is possible they may uncover that the required % of quality checks is not taking place.

43
Q

Substantive tests

A

Concentrate on output (the end result), ensuring that it is as expected.

44
Q

The principles of the UK governance code relate to:

A

Board Leadership and Company Purpose
Division of Responsibilities
Composition, Succession and Evaluation
Audit, Risk and Internal Control
Remuneration

45
Q

The risk of losses arising to a company due to theft is:

A

Pure risk

Downside risk

46
Q

Natural disaster risk

A

Event risk

47
Q

Which of the following statements are true of a steering committee?

A

The steering committee monitors the system implementation in comparison with the plan and ensures that specific deliverables are accepted at each stage of systems development. It has overall responsibility to ensure that the system meets requirements in terms of quality, time and cost.

The steering committee brings together the sponsor of the project; the project manager who is responsible for the day-to-day delivery of the project; specialist IT staff with responsibility for delivering the project and user representatives with responsibility for accepting the system.

Not responsible for: budget creation, the needs of internal audit, or considering ethical implications.

48
Q

Post implementation audit (review)

A

The system is secure
The system meets the needs of managers
The system produces accurate information

Not:
Time taken or cost incurred.

49
Q

Which of the following are true with regard to a post-completion audit?

A

Post-completion audits could produce valuable insights.
Post-completion audits will not prevent dysfunctional behaviour by project sponsors.
It may be difficult to introduce post-completion audits.

Not:
Post-completion audits cannot be conducted until the project has reached its end.

50
Q

ISO 31000: seven ways to deal with risk

A

Avoiding the risk

Accepting the risk

Removing the risk source

Changing the probability

Changing the outcome

Sharing the risk

Retaining the risk

51
Q

Economy

A

Is considered by looking at the inputs, such as the budget

52
Q

Effectiveness

A

Is considered by examining the outputs, so whether the objective was achieved

53
Q

Efficiency

A

Involves the examination of the relationship between inputs and outputs

54
Q

Four characteristics of technology identified by the AICPA

A

Type

Connection

Service providers

Delivery channels

55
Q

Appropriate controls to defend against the risks posed by laptops

A

Disk encryption

Policies regarding safe storage

56
Q

SIEM system
Security information and event management

A

Analyses all of the available data and looks for patterns that suggest unusual activity that could be a security compromise or a possible attack.

Collects data from multiple sources, enabling faster incident response to threats.

If an anomaly is detected it might collect more information, trigger an alert or quarantine an asset.

57
Q

COSO 2017 framework

A

Governance and culture

Strategy and objective setting

Performance

Review and revision

Information, communication and reporting