P3

Question 1

Risk Management Cycle

Answer 1

Establish risk management group & set goals THEN

1. identify risk areas
2. measure - assess scale of risk
3. manage - risk response strategy, implemt strategy & allocate responsibilities, monitor controls
4. review & refine process

Question 2

COSO ERM Framework - 8 components to managing risk (2003 version)

Answer 2

1. internal environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information & communication
8. Monitoring

Question 3

COSO 1992 version

Answer 3

1. control environment
2. Risk assessment
3. Control activities
4. information & communication
5. Monitoring

Question 4

Risk appetite =
Risk capacity =
Risk attitude =
Residual risk =

Answer 4

Risk appetite = amount willing to accept
Risk capacity = amount can bear
Risk attitude = approach e.g. seeking/averse
Residual risk = risk remaining after controls

Question 5

VAR =

Answer 5

VAR = Standard deviation x Z score x sq. root no. days

Question 6

Z scores

95% =

99% =

Answer 6

95% = 1.645
99% =2.33

Question 7

Economy =
Effectiveness =
Efficiency =

Answer 7

Economy = inputs
Effectiveness = outputs
Efficiency = inputs/outputs relationship

Question 8

Scenario Planning (7 stages)

Answer 8

1. high impact, high uncertainty factors
2. identify possible futures
3. cluster factors to identify consistent futures
4. write scenarios
5. identify courses of action
6. monitor reality
7. revise as needed

Question 9

5 key principles to UK corporate governance code:

Answer 9

1. board leadership & company purpose
2. division of responsibilities
3. composition, succession & evaluation
4. audit, risk & internal control
5. remuneration

Question 10

composition of (no. INEDs)

whole board
nomination committee
remuneration committee
audit committee

Answer 10

whole board = 50% INEDs
nomination committee = 50% INEDs
remuneration committee = 100% INEDs
audit committee = 100% INEDs

Question 11

A director IS NOT independent if: (6)

Answer 11

• employee in last 5 yrs
• significant shareholder
• close family ties
• receive other pay/benefits
• business relationship
• on board >9yrs
  Note: rigorous review after 6 yrs to ensure independence

Question 12

Control environment =

Answer 12

managements attitudes, actions and awareness of the need for internal controls

Question 13

COSO 5 integrated elements for effective internal control:

Answer 13

Control environment (tone at the top)
Risk assessment
Control Activities
Information & communication
Monitoring

Question 14

INTERNAL AUDIT

Required by:

Appointed by:

Reports to:

Reports on:

Opinions on:

Scope of assignment:

Answer 14

test & evaluate controls, special investigations, contribute to risk identification

Required by: management

Appointed by: audit committee

Reports to: audit committee

Reports on: internal controls

Opinions on: adequacy of control

Scope of assignment: prescribed by audit committee

Question 15

The need for internal audit (3 reasons)

Answer 15

1. size e.g. complex activities, no. employees
2. Changes e.g. org structure, key risks
3. Something has gone wrong

Question 16

Internal audit attribute standards (3)

Answer 16

Independence (from executive management)
Objectivity
Professional care

Question 17

Internal audit performance standards (6)

Answer 17

Manage internal audit
Risk management
Control (evaluate & maintain)
Governance (assess)
Internal audit work
Communicate results

Question 18

3 types of audit risk

Answer 18

Inherent Risk - when no controls in place
Control Risk - controls not sufficient
Detection Risk - Auditors fail to detect

Note: if you can’t control or detect it then it must be inherent!

Question 19

Types of Malware

Ransomware

Botnets

Spyware

Trojans

Malvertising

Viruses

Answer 19

Ransomware - ‘kidnaps ‘’ data until paid

Botnets - attacker controls infected computers

Spyware - spys on victim & reports back

Trojans - poses as something else

Malvertising - malicious software written into advert

Viruses - replicates & spreads

Question 20

Application Attacks:

Denial of Service (DoS)

Distributed denial of service (DDoS)

Structured Query Language (SQL)

Cross Site Scripting (XSS)

Man in the middle

Buffer Overflow

Answer 20

Denial of Service (DoS) - overwhelm app to prevent it working

Distributed denial of service (DDoS) - as above on mass

Structured Query Language (SQL) - unprotected input boxes

Cross Site Scripting (XSS) - malicious code from website

Man in the middle - intercepting

Buffer Overflow - attack & data overwritten

Question 21

3 Cyber security objectives (AIC Triad)

Answer 21

Integrity
Confidentiality
Availability

Question 22

Penetration Testing Types (4)

Answer 22

simulated phishing
web applications
internal network
Wireless network

Question 23

NIST Framework Core Activities

Answer 23

Identify, Protect, Detect, Respond, Recover

Question 24

Digital Resilience: 6 Actions

Answer 24

Identify all issues
Aim to well-defined target
How best to deliver new system
Establish risk/resource trade offs
A plan that aligns to business & tech
Ensure sustained business engagement

Question 25

COSO (2017 version) (integrating strategy with performance!)

Answer 25

Governance & culture strategy & objective setting performance review & revision Info, communication & reporting

Question 26

Good control environment

Answer 26

no blame culture Training encourage reporting 'tone at the top'

Question 27

CIMA picks out 5 specific threats to self-interest:

Answer 27

1. Holding a financial interest in/receiving a loan from the org 2. Participating in incentive compensation arrangements 3. Inappropriate use of corporate assets 4. Concern over employment security 5. Commercial pressure from outside of the org

Question 28

A fraud response plan should include: (8)

Answer 28

Purpose of the fraud response plan Corporate policy Definition of fraud Roles and responsibilities The response The investigation Organisation's objectives with respect to fraud Follow up action

Question 29

Audit risk affected by...(3 other risk types)

Answer 29

Inherent risk = an amount in the financial statements (for an asset or liability, or a transaction) might be stated as a materially incorrect amount, ignoring the existence of existing internal controls. Control risk = the existing controls are not sufficient to prevent or detect a material misstatement of a value in the financial statements, use of computerised (or digital) controls may give the auditors more confidence in the controls (or potentially less confidence if the computer system is poor). Detection risk = the auditors’ substantive tests will not reveal a materially incorrect amount in the financial statements, if such an error exists. The use of technology and algorithms to assist with this has led to concerns over automation bias. Automation bias is where the data used to train the algorithm is flawed and leads the algorithm to be biased. Audit risk will be affected by changes in any of the three above risks including inherent risk.