Revision Flashcards
What is ERM?
Enterprise Risk Management
Term given to the alignment of risk management with business strategy and the embedding of a risk management culture into business operations.
What are the four categories of objectives in the COSO ERM framework?
Strategic
Operations
Reporting
Compliance
What are the four organisational levels of COSO?
Subsidiary
BU
Division
Entity
What are the eight components of COSO?
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring
What are the five components into which the COSO ERM "double helix" (2017 framework) is broken down?
Governance and Culture
Strategy and Objective Setting
Performance
Review and revision
Information, communication and reporting
What are the three elements of the risk management process developed by the Institute of Risk Management (IRM)?
Risk assessment
Risk reporting
Risk treatment
Who controls the risk identification process?
Risk committee
What should risks be recorded in once identified?
Risk register
How do we identify risks internally if we are proactive?
Brainstorming
PEST/SWOT analysis
Strategic objectives
Staff questionnaires
Scenario planning
How do we identify risks internally if we are reactive?
Internal audit inspections
Complaints, incidents and claims
How do we identify risks externally if we are proactive?
External advisors
Consultation with shareholders
Mandatory/statutory targets
Benchmarking
How do we identify risks externally if we are reactive?
Customer surveys
External auditor reporting
Professional bodies recommendations
Health and safety (H&S) reports
How is the risk register laid out?
Risk title
Likelihood
Impact
Risk owner
Date
Mitigation actions
Overall risk rating
Further actions
Action lead
Due date
What are some quantitative techniques for measuring risk exposure?
Expected value (EV) & standard deviation
Volatility
Value at risk (VaR)
Regression analysis
Simulation analysis
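The techniques listed above are easier to see side by side on a worked loss distribution. The block below is an added example, not part of the original flashcards: it computes expected value, standard deviation, an analytic and a simulated (Monte Carlo) value at risk, and a parametric VaR that assumes normality. The scenario table is constructed sample input, the 1-in-5 / 1-in-50 probabilities and loss amounts are assumptions, and the function names are ours.

```python
import math
import random
from statistics import NormalDist

# Constructed scenario table (assumed sample input, not from the flashcards):
# (probability of the outcome in a given year, loss it causes in GBP thousands).
SCENARIOS = [
    (0.70, 0.0),      # nothing happens
    (0.20, 50.0),     # minor incident
    (0.08, 200.0),    # major incident
    (0.02, 1000.0),   # catastrophic loss
]


def expected_value(scenarios):
    """EV of the annual loss: probability-weighted average of the outcomes."""
    return sum(p * x for p, x in scenarios)


def standard_deviation(scenarios):
    """Dispersion of the annual loss around its EV (a measure of volatility)."""
    ev = expected_value(scenarios)
    return math.sqrt(sum(p * (x - ev) ** 2 for p, x in scenarios))


def analytic_var(scenarios, confidence=0.95):
    """VaR read straight off the discrete distribution: the smallest loss whose
    cumulative probability reaches the confidence level."""
    cumulative = 0.0
    for p, x in sorted(scenarios, key=lambda s: s[1]):
        cumulative += p
        if cumulative >= confidence - 1e-12:
            return x
    return max(x for _, x in scenarios)


def simulate_losses(scenarios, years, seed=1):
    """Monte Carlo simulation: draw one outcome per simulated year."""
    rng = random.Random(seed)          # fixed seed so the run is reproducible
    outcomes = [x for _, x in scenarios]
    weights = [p for p, _ in scenarios]
    return rng.choices(outcomes, weights=weights, k=years)


def historical_var(losses, confidence=0.95):
    """VaR from an observed or simulated sample: the loss not exceeded in
    `confidence` of the cases."""
    ordered = sorted(losses)
    index = math.ceil(confidence * len(ordered)) - 1
    return ordered[max(index, 0)]


def parametric_var(scenarios, confidence=0.95):
    """VaR under the assumption that losses are normally distributed:
    EV + z * standard deviation. Shown to contrast with the fat-tailed truth."""
    z = NormalDist().inv_cdf(confidence)
    return expected_value(scenarios) + z * standard_deviation(scenarios)


def summary(scenarios, years=10_000, confidence=0.95):
    losses = simulate_losses(scenarios, years)
    return {
        "ev": expected_value(scenarios),
        "sd": standard_deviation(scenarios),
        "analytic_var": analytic_var(scenarios, confidence),
        "simulated_var": historical_var(losses, confidence),
        "parametric_var": parametric_var(scenarios, confidence),
        "simulated_mean": sum(losses) / len(losses),
    }


if __name__ == "__main__":
    for key, value in summary(SCENARIOS).items():
        print(f"{key:>15}: {value:10.2f}")
```

The contrast worth noticing is between the analytic or simulated VaR (200 at 95%, 1,000 at 99%) and the parametric figure, which assumes a symmetric normal distribution and therefore misdescribes a loss profile dominated by a rare catastrophic outcome; a practitioner should state which method a VaR figure came from.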
What is diversification?
Similar concept to pooling but usually relates to different industries or countries
Idea that risk in one area can be reduced by investing in another area where the risks are different or ideally opposite
What is ISO 31000?
International standard providing principles and generic guidelines on risk management
What should a risk reporting system include?
Systematic review of the risk forecast
Review of the risk strategy and responses to significant risks
Monitoring and feedback loop on action taken and assessments of significant risks
System indicating material change to business circumstances, to provide an ‘early warning’
Incorporation of audit work as part of the monitoring and information gathering process
What is gross risk?
Assessment of risk before application of any controls, transfer or management responses
What is net risk (residual risk)?
Assessment of risk, taking into account the controls, transfer and management responses
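The risk register layout and the gross/net distinction above are usually implemented as a scored register, with a likelihood and impact score per risk before and after controls. The block below is an added example, not part of the original flashcards: the 1 to 5 scales, the multiplicative rating, the High/Medium/Low bands (15 and 8 as thresholds), the risk appetite and the sample entries are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

SCALE_MIN, SCALE_MAX = 1, 5           # assumed 1..5 likelihood and impact scales
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 15, 8   # assumed rating bands


@dataclass
class Control:
    """A mitigation action and how many scale steps it removes."""
    description: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class RiskEntry:
    """One row of the register: title, gross scores, owner, date, mitigations,
    further actions, action lead and due date, as in the layout above."""
    title: str
    gross_likelihood: int
    gross_impact: int
    owner: str
    raised: date
    mitigation: List[Control] = field(default_factory=list)
    further_actions: str = ""
    action_lead: str = ""
    due: Optional[date] = None

    def gross_rating(self) -> int:
        """Gross risk: rating before any controls are applied."""
        return clamp(self.gross_likelihood) * clamp(self.gross_impact)

    def net_likelihood(self) -> int:
        return clamp(self.gross_likelihood
                     - sum(c.likelihood_reduction for c in self.mitigation))

    def net_impact(self) -> int:
        return clamp(self.gross_impact
                     - sum(c.impact_reduction for c in self.mitigation))

    def net_rating(self) -> int:
        """Net (residual) risk: rating after the recorded controls."""
        return self.net_likelihood() * self.net_impact()


def clamp(score: int) -> int:
    """Keep a score on the scale; a control can never push a risk below 1."""
    return max(SCALE_MIN, min(SCALE_MAX, score))


def band(rating: int) -> str:
    if rating >= HIGH_THRESHOLD:
        return "High"
    if rating >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def above_appetite(register: List[RiskEntry], appetite: int) -> List[str]:
    """Titles of risks whose residual rating still exceeds the stated appetite,
    highest first; these are the ones needing 'further actions'."""
    over = [r for r in register if r.net_rating() > appetite]
    return [r.title for r in sorted(over, key=lambda r: -r.net_rating())]


# Constructed sample register (assumed data, not from the flashcards).
SAMPLE_REGISTER = [
    RiskEntry("Ransomware on file servers", 4, 5, "Head of IT", date(2024, 1, 15),
              mitigation=[Control("Offline, tested backups", impact_reduction=2),
                          Control("Phishing awareness training", likelihood_reduction=1)],
              further_actions="Roll out MFA for remote access",
              action_lead="Security manager", due=date(2024, 6, 30)),
    RiskEntry("Single-supplier dependency", 2, 4, "Procurement director",
              date(2024, 2, 1)),
    RiskEntry("Regulatory reporting change", 3, 2, "Finance director",
              date(2024, 3, 3),
              mitigation=[Control("Quarterly regulatory watch", likelihood_reduction=1)]),
]


if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.title:32} gross {r.gross_rating():2} ({band(r.gross_rating())})"
              f"  net {r.net_rating():2} ({band(r.net_rating())})")
    print("Above appetite:", above_appetite(SAMPLE_REGISTER, appetite=8))
```

The point of keeping both ratings on the row is that review meetings compare net risk against appetite, while the gross figure shows how much of the reduction rests on controls that internal audit still has to test.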
What are the three levels of strategy?
- Corporate Strategy
- Business Strategy
- Functional Strategy
What are the stages in the rational model?
Mission & Objectives
Position & Appraisal
Strategic Options
Evaluation & Choice
Implementation
Review & Control
What are the problems with a lack of formal planning?
Failure to identify threats
Strategic drifts
Difficulty in raising finance
Management skill
What are the problems with Porter’s generic strategies model?
Porter argues that any business that attempts to adopt more than one of the strategies will become ‘stuck in the middle’
Cost leadership in itself may not give competitive advantage
Differentiation may not always lead to a business being able to command a high price for its goods
What is market penetration?
Increase market share using existing products within existing markets
What is market development?
Increase sales by taking the present product to new markets
What is product development?
Development of new products for existing markets
What is diversification (in the Ansoff matrix)?
New products to new markets
What is due diligence?
Investigation of a business prior to signing a contract
What is a Joint venture?
Separate business entity whose shares are owned by two or more business entities
What is franchising?
Purchase of the right to exploit a business brand in return for a capital sum and share of profits or turnover
What is disruptive innovation?
New development, commonly involving advancement in technology that changes an existing market or potentially creates a new market.
What are the four key areas of stress test?
Prioritisation
Measurement
Productivity
Flexibility
What is CSR?
Corporate social responsibility
Refers to idea that a company should be sensitive to the needs of all stakeholders in its business operations and not just shareholders
What are the six ethical threats?
Self-interest
Self-review
Advocacy
Familiarity or trust
Intimidation
Adverse interest
What is the advocacy threat?
Occurs when a member promotes a position or opinion to the point that subsequent objectivity may be compromised
What are the four steps to ethical conflict resolution?
- Check facts
- Escalate internally
- Escalate externally
- Refuse to remain associated with the conflict
Where does strategic alignment start?
At the very top of an organisation and is about the board making sure that the strategic goals, the company culture and business processes align for the reason the organisation exists.
What are the objectives of transfer pricing?
Goal congruence
Performance Measurement
Maintaining divisional autonomy
Minimising global tax liability
Recording movement of goods and services
Fair allocation of profits between divisions
What is fraud?
Dishonestly obtaining an advantage, avoiding an obligation or causing a loss to another party
What is corporate governance?
System by which companies are directed and controlled in the interest of shareholders and other stakeholders
What do the Listing Rules of the London Stock Exchange require a listed company to state in its annual report?
How it has applied the principles of the UK Corporate Governance Code
Whether or not it has complied with the provisions of the Code throughout the accounting period
What areas does the UK Corporate governance code relate to?
Board leadership and company purpose
Division of responsibilities
Composition, succession and evaluation
Audit, risk and internal control
Remuneration
What is the chair of the board responsible for?
Leadership of the board and ensuring its effectiveness
Set boards agenda and plan board meetings
Ensure the board receives appropriate information
Chair AGM
Discuss governance and major strategy with major shareholders
What situations could appear to impair independence of the chair?
Been an employee of the Co. within the last 5 years
Represents significant shareholder
Close family ties with Co
Holds cross-directorships or has significant links with directors through involvement in other companies or bodies
Receives other pay or benefits in addition to a directors’ fee
Had material business relationship with the Co. within last 3 years
Served on board for more than 9 years
What is the time limit for a chair to remain the chair?
9 years from date of first appointment to the board
What are the responsibilities of the CEO?
Develop and implement policies to execute strategy
Assume full accountability to the board for all aspects of the Co.
Manage financial and physical resources
Build and maintain an effective management team
Put controls in place
Monitor financial and operations results
Assist in selection and evaluation of board members
What should NEDs do?
Scrutinise performance of management in meeting agreed goals and objectives and monitor the reporting of performance
What are the four roles of an NED?
Strategy role - contribute to development of strategy
Scrutinising role - review performance of management in meeting objectives
People role - decide remuneration of executives and ensure appropriate succession planning
Risk role - Adequate system of internal controls and systems of risk management in place
What are the main responsibilities and duties of the nomination committee?
Review structure, size and composition of the board
Consider balance between NEDs and executive directors on the board
Ensure diversity is given appropriate consideration in board composition
Evaluate skills, knowledge and experience of board
Give full consideration to succession planning for directors
What is the role of the audit committee?
Monitor integrity of financial statements
Review company’s internal financial controls
Monitor and review effectiveness of the company’s internal audit function
Review and monitor external auditor’s independence and objectivity and the effectiveness of audit process
What is the board responsible for?
Maintaining a sound system of internal control
Reviewing effectiveness of internal controls
Reporting to shareholders that this review has been carried out
What does the Turnbull report require?
Internal controls should be established using a risk-based approach.
Specifically a company should:
Establish business objectives
Identify associated key risks
Decide upon controls to address the risk
Set up a system to implement the required controls, including regular feedback
What are the five headings under which directors should review internal controls?
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
What is an internal control system?
Whole system of controls, financial and otherwise, established by the management in order to carry out the business of the enterprise in an orderly and efficient manner, ensure adherence to management policies, safeguard the assets, prevent and detect fraud and error and secure as far as possible the completeness and accuracy of the records.
In 2014 what was the Turnbull Guidance superseded by?
Guidance on Risk Management, Internal Control and Related Financial and Business Reporting
What can the control environment be thought as?
Management’s attitude, actions and awareness of the need for internal controls
What should a risk assessment identify?
Controllable Risks
Uncontrollable risk
What are the five components of an effective control system identified by COSO?
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
What are the three features of a sound internal control system?
Embedded within operations and not treated as a separate exercise
Able to respond to changing risks within and outside the company
Includes procedures for reporting control failings or weaknesses
What are some examples of organisational controls?
Segregation of duties
Physical controls
Authorisation and approval
Management control - top level reviews, activity controls
Supervision
Organisation
Arithmetic and accounting
Personnel controls
What does SOAPSPAM stand for when looking at organisational controls?
Supervision
Organisation
Arithmetic and accounting
Personnel
Segregation of duties
Physical
Authorisation and approval
Management
If an individual is found guilty of committing bribery (UK Bribery Act 2010), what is the maximum penalty they face?
10 years in prison and an unlimited fine
What are the costs of an internal control system?
Time of management involved in design of the system
Implementation: Cost of IT consultants to implement new software, training all staff in new procedures
Maintenance of system: Software upgrades, monitoring and review
What are the three prerequisites for fraud to occur?
Dishonesty
Opportunity
Motive
What are the three key elements in a fraud risk management strategy?
Fraud prevention
Fraud detection
Fraud response
What are some methods of discovering fraud?
Performing regular checks
Warning signals or fraud risk indicators
Whistleblowers
What is a control environment?
Attitude and actions of the board and management regarding the significance of control within the organisation.
It provides the discipline and structure for the achievement of the primary objectives of the system of internal control.
What is internal auditing?
Independent and objective assurance activity designed to add value and improve an organisation’s operations
What is the role of the risk management function?
Considered to own the entire risk management process
Ultimately responsible for all aspects of this process including identification and maintenance of the company’s risk register, assessment, prioritisation, treatment of risks and establishment of controls to manage risks.
Lead the company to develop a risk response strategy
Provision of training and development by risk staff would facilitate operational managers’ ability to identify risks
What is the role of internal audit?
Monitoring and reviewing effectiveness of the control implemented by operational managers
Those who design controls should not test them
Carry out special investigations as directed by management
Provide support and assistance to senior management in a range of projects
Contribute to work of operational teams in identifying risks due to extensive knowledge of the business
What is the scope of internal audit?
Examine financial and operating information
Review Economy, Efficiency and Effectiveness of operations
Review compliance with laws, regulations or internal policies
Special Investigations
Assisting with identification of significant risks
Assist in carrying out external audit procedures
Review accounting and internal control systems
What are the attribute standards for internal audit?
Deal with the characteristics of organisations and the parties performing internal auditing activities
Objectives of the standards:
Independence
Objectivity
Professional care
What are the performance standards for internal audit?
Describe the nature of internal auditing activities and provide quality criteria for evaluating internal auditing services.
Area of work:
Managing internal audit
Risk management
Control
Governance
Internal audit work
Communicating results
Who can carry out a fraud investigation?
The auditor.
It is not their primary objective, but they are duty bound to report a fraud if during the course of their work they identify fraudulent activities.
What steps should be covered in a fraud investigation?
- Ascertaining the facts
- Gathering evidence
- Corroborating evidence
- Consider whether you have the right to access the evidence
- Maintaining confidentiality
- Consider cost of the investigation
- Ascertain the value of fraud
- Consider loss of reputation if fraud becomes public
What are some types of audit work?
Compliance audit
Transactions audit
Risk-based audit
Quality audit
Post-completion audit
Value for money audit
Social & Environmental audit
Management audit
Systems-based audit
What is a compliance audit?
Checks implementation of written rules, regulations and procedures
What is a risk-based audit?
Auditors use their judgement to decide on level of risk that exists in different areas of the system
What is a post-completion audit?
Objective and independent appraisal of the measure of success of a project
What is a management audit?
An objective and independent appraisal of the effectiveness of managers and the corporate structure in the achievement of the entities’ objectives and policies
What are the eight stages in the audit process?
Agree objectives of the audit
Plan the audit
Find out about systems and controls
Confirm the operation of the system
Assess if controls are adequate
Test compliance with controls
Test application of controls
Review, report and recommend
What is inherent risk?
Risk in an activity or operation, ignoring the controls in the system.
In a financial audit context, the risk that an amount in the financial statements is materially misstated before considering controls.
What is compliance testing?
Test of controls should be carried out to ensure that the controls identified at planning stage operate as they should
What is substantive testing?
Concentrates on the output and ensuring that the output is as expected
What is an analytical review?
Examination of ratios, trends and changes in the business from one period to the next, to obtain a broad understanding of the results of operations and to identify any items requiring further investigation
What parts are expected to feature in an audit report?
Objectives of the audit work
Summary of the process undertaken by the auditor
Results of tests carried out
Audit opinion
Recommendations for action
Why do we audit computer systems?
Check whether the system is achieving its intended objective
In the case of accounting systems, to check that the information produced is reliable
What are the problems with auditing computer systems?
Lack of primary records
Encoded data
Loss of audit trail
Overwriting of data
Program controls
Concentration of controls in the IT department
What are embedded audit facilities?
Audit routines written into a program itself, particularly in online/real-time systems where no paper trail exists.
Facilities carry out automatic checks or provide information for subsequent audit.
What is cyber risk?
Risk of financial loss, disruption or damage to the reputation of an organisation caused by issues with the IT systems they use.
What are three main types of sensitive information?
Personal information
Business information
Classified information
What are data centres?
Large groups of networked computer servers that are usually used by organisations for storage, processing or distributing large amounts of data
What is the dark web?
Part of the internet that is only reachable through anonymising software, allowing users to obscure their identity and location
What are some types of changes that could affect cyber security risk management?
Expansion
Acquisition
Restructure
Hardware update
Regulations
What are the four types of changeover methods?
Direct changeover
Parallel running
Pilot changeover
Phased changeover
What is malware?
Malicious software, regardless of the intended purpose
What are some types of malware and ways it is delivered?
Ransomware
Botnets
Trojans
Malvertising
Viruses
Spyware
What is ransomware?
Designed to prevent a business from accessing its data until a specified amount of money is paid
What are botnets?
Network of private computers infected with malware and controlled by a botnet agent, designed to follow the attacker's instructions without the knowledge of the computer's owner
What are trojans?
Pretends to be a useful piece of software whilst secretly releasing malware into the system
What is malvertising?
Online adverts have malware written into their code
What are viruses?
Designed to replicate themselves endlessly and infect programs and files in order to damage or destroy data
What is spyware?
Designed to spy on the victim's systems without being detected and gather information to send back to the attacker
What is hacking?
Gaining of unauthorised access to a computer system
What is a weaponised document?
Document that is downloaded from a source that contains some code, a link or even a video that once activated releases malware onto a system or network
What is social engineering?
Manipulation of people to make them perform specific actions or reveal confidential information
What are six principles used to persuade or influence someone according to Dr Robert Cialdini?
Reciprocity
Consistency and commitment
Consensus
Liking
Authority
Scarcity
What is phishing?
Use of fraudulent messages to try to steal sensitive information
What is spear phishing?
Phishing attempt that targets a specific user rather than a blanket communication sent to many people
What is the internet of things?
Network of internet-connected physical devices, most commonly associated with devices around the house
What are the risks presented by social media to organisations?
Human error
Productivity
Data protection
Hacking
Reputation
Inactivity
Costs
What are the risks of social media to individuals?
Going viral
Internet trolling
Employment
Legal sanction
Physical theft
Identity fraud
Permanence
What are the implications for an organisation that is compromised in some way?
Down time
Reputation damage
Customer flight
Industry consequences
Termination of employees
Loss of intellectual property or trade secrets
Legal consequences