Revision Flashcards
[Strategic] risk
is the potential volatility of profits as a result of the type of business operations.
[Operational] risk
is the risk of loss from the failure of internal processes of a company.
Strategic risk –
These arise from the overall strategic positioning of the company in its environment, e.g. financial risk. This arises partly as a result of the way it chooses to be financed (debt or equity) but also where financial conditions are different to those expected (e.g. interest rate risk, foreign exchange risk).
Operational risk –
Operational risks refer to potential losses arising from the normal business operations. Accordingly, they affect the day-to-day running of operations and business systems, in contrast to strategic risks, which arise from the organisation’s strategic positioning.
Risk mapping
Involves the evaluation, management and reporting of risks.
CGMA’s Risk Management Cycle
1 Establish a risk management group and set goals.
2 Identify risk areas.
3 Understand and assess the scale of risk.
4 Develop a risk response strategy.
5 Implement the strategy and allocate responsibilities.
6 Implement and monitor the suggested controls.
7 Review and refine the process and do it again.
The Framework that COSO published has eight Components
The cube
Components:
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
ISO 31000 three main clauses
the principles of creating and protecting value within the organisation (clause 4),
the organisational framework that governs risk (clause 5),
the risk management process itself (clause 6).
The Framework that COSO published has four Objectives categories.
The cube
Strategy – high-level goals, aligned with and supporting the organisation’s mission
Operations – effective and efficient use of resources
Financial Reporting – reliability of operational and financial reporting
Compliance – compliance with applicable laws and regulations
policy on nominating the Chairman of the Board:
The Chairman should be re-elected annually
The Chairman should be selected by a majority Board vote.
A person should not serve more than six years in succession as Chairman to XY plc.
roles of the nomination committee
Considers whether an individual is appropriate to serve on the board of directors,
Prepares a job specification for the Chairmanship of the company,
Evaluates the balance of skills, experience, independence and knowledge on the board
professional competence.
A professional accountant has a [continuing] duty to maintain professional [knowledge] and [skill] at the level required to ensure that the employer receives competent professional service.
Stress testing
involves scrutinising and critically appraising an existing strategy. It is designed to challenge the status quo and is therefore particularly appropriate where there is stagnation or complacency.
benefits of an internal control system
Improves quality of internal reporting,
Improves quality of external reporting,
Helps a company to comply with laws and regulations
three primary objectives in designing an effective internal control system
(1) Reliability of financial reporting
(2) Efficiency and effectiveness of operations
(3) Compliance with laws and regulations
internal control system is deemed to comprise two key elements:
“Control environment” – the management’s attitude and philosophy regarding controls. This can be ascertained to a degree by the number of control procedures the company has.
“Control procedures”/activities – the actual policies and procedures in place which ensure that risks and errors are minimised, e.g. performing a monthly inventory count provides evidence of a strong control environment surrounding inventory management.
General controls
Password controls
Physical controls such as swipe cards restricting entry to computers.
Fire alarms and smoke detectors would also be included in this heading
Personnel controls – Ensuring that staff are aware of the importance of good computer security by recruiting motivated, intelligent staff and giving them sufficient training and supervision
Environmental controls – such as fire detectors
Contingency (or “disaster recovery”) plan – a document detailing the plan of action should a disaster such as a fire or flood occur.
Regular backups of key data
Virus protection
Firewalls
Anti-spyware software
Application Controls
Data verification controls e.g. having mandatory fields on an application form
Data validation e.g. credit card number validity
Exception reports – where any values over a certain value are highlighted in a separate report.
Systems Development Lifecycle
Planning/Feasibility study – Initially, there will be recognition that “things can be done better”.
Systems analysis – This process ranks the available systems and will ultimately determine whether the company produces the new system in-house or outsources its design.
Systems design – Describes desired features and operations in detail, including screen layouts, business rules, process diagrams and other documentation (e.g. flowcharts).
Systems development – The system can then be built, with changes to the new system documented carefully so that future updates and developments can be carried out.
Implementation – The new system can be introduced, according to application or location, and the old system gradually replaced
Maintenance – The correction or enhancement of systems once they are in operation. A post-implementation review offers the opportunity to check that the system:
problems with a value for money audit
The objectives of the activities being measured may not be clear.
Effectiveness may be difficult to measure.
There may be a contradiction between focusing on efficiency and economy and focusing on effectiveness.
Pursuit of economy may lead to quality falling.
The four objectives of cybersecurity
availability,
confidentiality,
integrity of data
integrity of processing.
Place the steps in the system monitoring process in the correct order:
1st. → Establish a monitoring strategy based on business need and assessment of risk,
2nd. → Monitor all systems across the network, including network traffic and user activity,
3rd. → Establish a centralised capability to collect and analyse information,
4th. → Ensure that policies and processes are in place to manage and respond to incidents,
5th. → Conduct a ‘lessons learned’ review after any security incident
Relating to the Balanced Scorecard
Market share
Value added
Market share → Non-financial, Value added → Financial
Which one of the following sentences best describes risk?
The expected impact of uncertain future events on objectives
The four levels to the COSO ERM framework
are subsidiary, business unit, division and entity
Key features of assurance mapping
Assurance mapping will help the non-executive directors understand the compliance requirements of Jig Plc (Correct)
Assurance mapping will help the non-executive directors to understand any gaps where a mitigation strategy for a particular risk is lacking (Correct)
The transparency provided by assurance mapping will help directors to fulfil their duties (Correct)
It will not provide full briefing on the current internal audit plan.
Internal auditors will drive the assurance mapping exercise
COSO stated that effective internal control systems consist of five integrated elements
Control environment.
Risk assessment.
Control activities.
Information and communication.
Monitoring.
An effective anti-fraud strategy has four main components –
prevention, detection, deterrence and response.
Centralised management
is a key way to control and orchestrate important security features.
The Turnbull guidance described three features of a sound internal control system:
Firstly, the principles of internal control should be embedded within the organisation’s structures, procedures and culture.
Secondly, internal control systems should be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment.
Thirdly, sound internal control systems include procedures for reporting immediately to appropriate levels of management any significant control failings or weaknesses that are identified, together with details of corrective action being undertaken.
the three prerequisites for fraud
Rationalisation
Opportunity
Motive
developing a sound ethical culture to ensure the long-term survival
CIMA recommends that organisations have:
a mission statement that refers to quality or, more unusually, to ethics and defines how the organization wants to be regarded externally
clear policy statements on business ethics and anti-fraud, with explanations about acceptable behaviour in risk prone circumstances
a route through which suspected fraud can be reported
an aggressive audit process that concentrates on areas of risk
management who are seen to be committed through their actions.
The Audit Committee should be responsible for
Recommending appointment, or removal of the company’s external auditor (Correct)
Reviewing the company’s system of internal financial controls (Correct)
Which THREE of the following are the key components of the AICPA cyber security risk management reporting framework?
Management’s description
Management’s assertion
The practitioner’s opinion
Risk reduction can be achieved using which of the following theories?
Portfolio theory
Inherent risk
A risk that exists regardless of internal controls
Turnbull suggested that control systems should be
1) embedded in the operation and not a separate exercise
2) able to respond to changing risks within and outside the company
3) include procedures for reporting controls failings and weaknesses.
A fraud response plan normally includes a section on
Corporate policy (Correct)
Roles and responsibilities (Correct)
Investigation and evidence (Correct)
Inclusion in the report on the risk committee’s activities over the year as part of the company’s annual report.
The report should provide stakeholders with assurance that the committee is robust, comprised of suitable employees and able to carry out its roles effectively.
Description of purpose (Correct)
Details of membership (Correct)
Individual members attendance (Correct)
Roles and responsibilities (Correct)
the most important aspects of cyber security.
AIC stands for:
Availability, Integrity, Confidentiality
E-commerce
refers to the conducting of business electronically via some sort of communications link and may result in access to larger markets, targeted marketing, reduced costs and elimination of intermediaries.
Compliance audits check the implementation of written rules, regulations and procedures. They verify that a check is taking place, so it is possible they may uncover that the required % of quality checks is not taking place.
Substantive tests concentrate on output (the end result) ensuring that it is as expected
The principles of the UK governance code relate to:
Board Leadership and Company Purpose
Division of Responsibilities
Composition, Succession and Evaluation
Audit, Risk and Internal Control
Remuneration
The risk of losses arising to a company due to theft is:
Pure risk
Downside risk
Natural disaster risk
Event risk
Which of the following statements are true of a steering committee?
The steering committee monitors the system implementation in comparison with the plan and ensures that specific deliverables are accepted at each stage of systems development. It has overall responsibility to ensure that the system meets requirements in terms of quality, time and cost.
The steering committee brings together the sponsor of the project; the project manager who is responsible for the day-to-day delivery of the project; specialist IT staff with responsibility for delivering the project and user representatives with responsibility for accepting the system.
Not responsible for: budget creation, the needs of internal audit or considering ethical implications.
Post implementation audit (review)
The system is secure,
The system meets the needs of managers,
The system produces accurate information
Not:
Time taken or cost incurred.
Which of the following are true with regard to a post-completion audit?
Post-completion audits could produce valuable insights.
Post-completion audits will not prevent dysfunctional behaviour by project sponsors.
It may be difficult to introduce post-completion audits.
Not:
Post-completion audits cannot be conducted until the project has reached its end
ISO 31000
7 ways to deal with risk
Avoiding the risk
Accepting the risk
Removing the risk source
Changing the probability
Changing the outcome
Sharing the risk
Retaining the risk
Economy
It’s considered by looking at the inputs such as the budget
Effectiveness
Is considered by examining the outputs, so whether the objective was achieved
Efficiency
Involves the examination of the relationship between inputs and outputs
Four characteristics of technology as defined by the AICPA
Type
Connection
Service providers
Delivery channels
Appropriate controls to defend against the risks posed by laptops
Disc encryption
Policies regarding safe storage
SIEM system
Security information and event management
Analyses all of the available data and looks for patterns that suggest unusual activity that could be a security compromise or a possible attack.
Collects data from multiple sources, enabling faster incident response to threats.
If an anomaly is detected it might collect more information, trigger an alert or quarantine an asset.
COSO 2017 framework
Governance and culture
Strategy and objective setting
Performance
Review and revision
Information, communication and reporting