Revision Flashcards

1
Q

What is ERM?

A

Enterprise Risk Management
Term given to the alignment of risk management with business strategy and the embedding of a risk management culture into business operations.

2
Q

What are the four objectives of COSO?

A

Strategic
Operations
Reporting
Compliance

3
Q

What are the four organisational levels of COSO?

A

Subsidiary
BU
Division
Entity

4
Q

What are the eight components of COSO?

A

Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring

5
Q

What are the five components that break down the double helix?

A

Governance and Culture
Strategy and Objective Setting
Performance
Review and Revision
Information, Communication and Reporting

6
Q

What are the three elements of the risk management process developed by the Institute of Risk Management?

A

Risk assessment
Risk reporting
Risk treatment

7
Q

Who controls the risk identification process?

A

Risk committee

8
Q

What should risks be recorded in once identified?

A

Risk register

9
Q

How do we identify risks internally if we are proactive?

A

Brainstorming
PEST/SWOT analysis
Strategic objectives
Staff questionnaires
Scenario planning

10
Q

How do we identify risks internally if we are reactive?

A

Internal audit inspections
Complaints, incidents and claims

11
Q

How do we identify risks externally if we are proactive?

A

External advisors
Consultation with shareholders
Mandatory/statutory targets
Benchmarking

12
Q

How do we identify risks externally if we are reactive?

A

Customer surveys
External auditor reporting
Professional bodies recommendations
H&S Reports

13
Q

How is the risk register laid out?

A

Risk title
Likelihood
Impact
Risk owner
Date
Mitigation actions
Overall risk rating
Further actions
Action lead
Due date

14
Q

What are some quantitative techniques of risk exposure?

A

EV & Standard deviation
Volatility
Value at risk
Regression analysis
Simulation analysis

15
Q

What is diversification?

A

Similar concept to pooling but usually relates to different industries or countries
Idea that risk in one area can be reduced by investing in another area where the risks are different or ideally opposite

16
Q

What is ISO 31000?

A

Group of standards designed to provide guidance on risk management

17
Q

What should a risk reporting system include?

A

Systematic review of the risk forecast
Review of the risk strategy and responses to significant risks
Monitoring and feedback loop on action taken and assessments of significant risks
System indicating material change to business circumstances, to provide an ‘early warning’
Incorporation of audit work as part of the monitoring and information-gathering process

18
Q

What is gross risk?

A

Assessment of risk before application of any controls, transfer or management responses

19
Q

What is net risk (residual risk)?

A

Assessment of risk, taking into account the controls, transfer and management responses

20
Q

What are the three levels of strategy?

A

1. Corporate Strategy
2. Business Strategy
3. Functional Strategy

21
Q

What are the stages in the rational model?

A

Mission & Objectives
Position & Appraisal
Strategic Options
Evaluation & Choice
Implementation
Review & Control

22
Q

What are the problems with a lack of formal planning?

A

Failure to identify threats
Strategic drifts
Difficulty in raising finance
Management skill

23
Q

What are the problems with Porter’s generic strategies model?

A

Porter argues that any business that attempts to adopt more than one of the strategies will become ‘stuck in the middle’
Cost leadership in itself may not give competitive advantage
Differentiation may not always lead to a business being able to command a high price for its goods

24
Q

What is market penetration?

A

Increase market share using existing products within existing markets

25
Q

What is market development?

A

Increase sales by taking the present product to new markets

26
Q

What is product development?

A

Development of new products for existing markets

27
Q

What is diversification?

A

New products to new markets

28
Q

What is due diligence?

A

Investigation of a business prior to signing a contract

29
Q

What is a joint venture?

A

Separate business entity whose shares are owned by two or more business entities

30
Q

What is franchising?

A

Purchase of the right to exploit a business brand in return for a capital sum and a share of profits or turnover

31
Q

What is disruptive innovation?

A

New development, commonly involving an advancement in technology, that changes an existing market or potentially creates a new market.

32
Q

What are the four key areas of a stress test?

A

Prioritisation
Measurement
Productivity
Flexibility

33
Q

What is CSR?

A

Corporate social responsibility
Refers to the idea that a company should be sensitive to the needs of all stakeholders in its business operations, not just shareholders

34
Q

What are the six ethical threats?

A

Self-interest
Self-review
Advocacy
Familiarity or trust
Intimidation
Adverse interest

35
Q

What is the advocacy threat?

A

Occurs when a member promotes a position or opinion to the point that subsequent objectivity may be compromised

36
Q

What are the four steps to ethical conflict resolution?

A

1. Check facts
2. Escalate internally
3. Escalate externally
4. Refuse to remain associated with the conflict

37
Q

Where does strategic alignment start?

A

At the very top of an organisation; it is about the board making sure that the strategic goals, the company culture and the business processes align with the reason the organisation exists.

38
Q

What are the objectives of transfer pricing?

A

Goal congruence
Performance measurement
Maintaining divisional autonomy
Minimising global tax liability
Recording movement of goods and services
Fair allocation of profits between divisions

39
Q

What is fraud?

A

Dishonestly obtaining an advantage, avoiding an obligation or causing a loss to another party

40
Q

What is corporate governance?

A

System by which companies are directed and controlled in the interest of shareholders and other stakeholders

41
Q

The Listing Rules of the London Stock Exchange require what to be included in a company's annual report?

A

How it has applied the principles of the UK Corporate Governance Code
Whether or not it has complied with the provisions of the Code throughout the accounting period

42
Q

What areas does the UK Corporate Governance Code relate to?

A

Board leadership and company purpose
Division of responsibilities
Composition, succession and evaluation
Audit, risk and internal control
Remuneration

43
Q

What is the chair of the board responsible for?

A

Leadership of the board and ensuring its effectiveness
Set the board's agenda and plan board meetings
Ensure the board receives appropriate information
Chair the AGM
Discuss governance and major strategy with major shareholders

44
Q

What situations could appear to impair the independence of the chair?

A

An employee within the last 5 years
Represents a significant shareholder
Close family ties with the Co.
Holds cross-directorships or has significant links with directors through other companies or bodies
Receives other pay or benefits in addition to a director's fee
Had a material business relationship with the Co. within the last 3 years
Served on the board for more than 9 years

45
Q

What is the time limit for a chair to remain the chair?

A

9 years from the date of first appointment to the board

46
Q

What are the responsibilities of the CEO?

A

Develop and implement policies to execute strategy
Assume full accountability to the board for all aspects of the Co.
Manage financial and physical resources
Build and maintain an effective management team
Put controls in place
Monitor financial and operational results
Assist in the selection and evaluation of board members

47
Q

What should NEDs do?

A

Scrutinise the performance of management in meeting agreed goals and objectives, and monitor the reporting of performance

48
Q

What are the four roles of an NED?

A

Strategy role - contribute to the development of strategy
Scrutinising role - review the performance of management in meeting objectives
People role - decide the remuneration of executives and ensure appropriate succession planning
Risk role - ensure an adequate system of internal controls and systems of risk management are in place

49
Q

What are the main responsibilities and duties of the nomination committee?

A

Review the structure, size and composition of the board
Consider the balance between NEDs and executives on the board
Ensure appropriate management of diversity in board composition
Evaluate the skills, knowledge and experience of the board
Give full consideration to succession planning for directors

50
Q

What is the role of the audit committee?

A

Monitor the integrity of the financial statements
Review the company's internal financial controls
Monitor and review the effectiveness of the company's internal audit function
Review and monitor the external auditor's independence and objectivity and the effectiveness of the audit process

51
Q

What is the board responsible for?

A

Maintaining a sound system of internal control
Reviewing the effectiveness of internal controls
Reporting to shareholders that this review has been carried out

52
Q

What does the Turnbull report require?

A

Internal controls should be established using a risk-based approach. Specifically, a company should:
Establish business objectives
Identify associated key risks
Decide upon controls to address the risks
Set up a system to implement the required controls, including regular feedback

53
Q

What are the five headings under which directors should review internal controls?

A

Control environment
Risk assessment
Control activities
Information and communication
Monitoring

54
Q

What is an internal control system?

A

Whole system of controls, financial and otherwise, established by management in order to carry out the business of the enterprise in an orderly and efficient manner, ensure adherence to management policies, safeguard the assets, prevent and detect fraud and error, and secure as far as possible the completeness and accuracy of the records.

55
Q

In 2014, what was the Turnbull Guidance superseded by?

A

Guidance on Risk Management, Internal Control and Related Financial and Business Reporting

56
Q

What can the control environment be thought of as?

A

Management's attitude, actions and awareness of the need for internal controls

57
Q

What should a risk assessment identify?

A

Controllable risks
Uncontrollable risks

58
Q

What are the five components of an effective control system identified by COSO?

A

Control environment
Risk assessment
Control activities
Information and communication
Monitoring

59
Q

What are the three features of a sound internal control system?

A

Embedded within operations and not treated as a separate exercise
Able to respond to changing risks within and outside the company
Includes procedures for reporting control failings or weaknesses

60
Q

What are some examples of organisational controls?

A

Segregation of duties
Physical controls
Authorisation and approval
Management control - top-level reviews, activity controls
Supervision
Organisation
Arithmetic and accounting
Personnel controls

61
Q

What does SOAPSPAM stand for when looking at organisational controls?

A

Supervision
Organisation
Arithmetic and accounting
Personnel
Segregation of duties
Physical
Authorisation and approval
Management

62
Q

If an individual is found guilty of committing bribery, what will they face?

A

10 years in prison and an unlimited fine

63
Q

What are the costs of an internal control system?

A

Time of management involved in the design of the system
Implementation: cost of IT consultants to implement new software, training all staff in new procedures
Maintenance of the system: software upgrades, monitoring and review

64
Q

What are the three prerequisites for fraud to occur?

A

Dishonesty
Opportunity
Motive

65
Q

What are the three key elements in a fraud risk management strategy?

A

Fraud prevention
Fraud detection
Fraud response

66
Q

What are some methods of discovering fraud?

A

Performing regular checks
Warning signals or fraud risk indicators
Whistleblowers

67
Q

What is a control environment?

A

Attitude and actions of the board and management regarding the significance of control within the organisation. It provides the discipline and structure for the achievement of the primary objectives of the system of internal control.

68
Q

What is internal auditing?

A

Independent and objective assurance activity designed to add value and improve an organisation's operations

69
Q

What is the role of risk management?

A

Considered to own the entire risk management process
Ultimately responsible for all aspects of this process, including identification and maintenance of the company's risk register, assessment, prioritisation and treatment of risks, and establishment of controls to manage risks
Lead the company to develop a risk response strategy
Provision of training and development by risk staff would facilitate operational managers' ability to identify risks

70
Q

What is the role of internal audit?

A

Monitoring and reviewing the effectiveness of the controls implemented by operational managers
Those who design controls should not test them
Carry out special investigations as directed by management
Provide support and assistance to senior management in a range of projects
Contribute to the work of operational teams in identifying risks, due to extensive knowledge of the business

71
Q

What is the scope of internal audit?

A

Examine financial and operating information
Review economy, efficiency and effectiveness of operations
Review compliance with laws, regulations or internal policies
Special investigations
Assisting with the identification of significant risks
Assist in carrying out external audit procedures
Review accounting and internal control systems

72
Q

What are the attribute standards for internal audit?

A

Deal with the characteristics of organisations and the parties performing internal auditing activities
Objectives of the standard:
Independence
Objectivity
Professional care

73
Q

What are the performance standards for internal audit?

A

Describe the nature of internal auditing activities and provide quality criteria for evaluating internal auditing services.
Areas of work:
Managing internal audit
Risk management
Control
Governance
Internal audit work
Communicating results

74
Q

Who can carry out a fraud investigation?

A

Auditor. It is not their primary objective, but they are duty bound to report a fraud if, during the course of their work, they identify fraudulent activities.

75
Q

What steps should be covered in a fraud investigation?

A

1. Ascertaining the facts
2. Gathering evidence
3. Corroborating evidence
4. Consider whether you have the right to access the evidence
5. Maintaining confidentiality
6. Consider the cost of the investigation
7. Ascertain the value of the fraud
8. Consider the loss of reputation if the fraud becomes public

76
Q

What are some types of audit work?

A

Compliance audit
Transactions audit
Risk-based audit
Quality audit
Post-completion audit
Value for money audit
Social & environmental audit
Management audit
Systems-based audit

77
Q

What is a compliance audit?

A

Checks implementation of written rules, regulations and procedures

78
Q

What is a risk-based audit?

A

Auditors use their judgement to decide on the level of risk that exists in different areas of the system

79
Q

What is a post-completion audit?

A

Objective and independent appraisal of the measure of success of a project

80
Q

What is a management audit?

A

An objective and independent appraisal of the effectiveness of managers and the corporate structure in the achievement of the entity's objectives and policies

81
Q

What are the eight stages in the audit process?

A

Agree objectives of the audit
Plan the audit
Find out about systems and controls
Confirm the operation of the system
Assess if controls are adequate
Test compliance with controls
Test application of controls
Review, report and recommend

82
Q

What is inherent risk?

A

Risk in an activity or operation, ignoring the controls in the system. Risk that an amount in the financial statements might be stated as a materially incorrect amount.

83
Q

What is compliance testing?

A

Tests of controls carried out to ensure that the controls identified at the planning stage operate as they should

84
Q

What is substantive testing?

A

Concentrates on the output and ensuring that the output is as expected

85
Q

What is an analytical review?

A

Examination of ratios, trends and changes in the business from one period to the next, to obtain a broad understanding of the results of operations and to identify any items requiring further investigation

86
Q

What parts are expected to feature in an audit report?

A

Objectives of the audit work
Summary of the process undertaken by the auditor
Results of tests carried out
Audit opinion
Recommendations for action

87
Q

Why do we audit computer systems?

A

Check whether the system is achieving its intended objective
In the case of accounting systems, to check that the information produced is reliable

88
Q

What are the problems with auditing computer systems?

A

Lack of primary records
Encoded data
Loss of audit trail
Overwriting of data
Program controls
Concentration of controls in the IT department

89
Q

What are embedded audit facilities?

A

Might be written into a program, particularly in on-line/real-time systems. Facilities carry out automatic checks or provide information for subsequent audit.

90
Q

What is cyber risk?

A

Risk of financial loss, disruption or damage to the reputation of an organisation caused by issues with the IT systems they use.

91
Q

What are the three main types of sensitive information?

A

Personal information
Business information
Classified information

92
Q

What are data centres?

A

Large groups of networked computer servers that are usually used by organisations for storing, processing or distributing large amounts of data

93
Q

What is the dark web?

A

Part of the internet, but a section that allows further anonymity and the ability to obscure the source or location

94
Q

What are some types of changes that could affect cyber security risk management?

A

Expansion
Acquisition
Restructure
Hardware update
Regulations

95
Q

What are the four types of changeover methods?

A

Direct changeover
Parallel running
Pilot changeover
Phased changeover

96
Q

What is malware?

A

Malicious software, regardless of the intended purpose

97
Q

What are some ways to execute malware?

A

Ransomware
Botnets
Trojans
Malvertising
Viruses
Spyware

98
Q

What is ransomware?

A

Designed to prevent a business from accessing its data until a specified amount of money is paid

99
Q

What are botnets?

A

Network of private computers that are infected with malware and controlled by a botnet agent designed to follow the attacker's instructions without the knowledge of the owner of the computer

100
Q

What are trojans?

A

Pretend to be a useful piece of software whilst secretly releasing malware into the system

101
Q

What is malvertising?

A

Online adverts that have malware written into their code

102
Q

What are viruses?

A

Designed to endlessly replicate themselves and infect programs and files to damage or destroy data

103
Q

What is spyware?

A

Designed to spy on the victim's systems without being detected and gather information to send to the hacker

104
Q

What is hacking?

A

Gaining unauthorised access to a computer system

105
Q

What is a weaponised document?

A

Document downloaded from a source that contains some code, a link or even a video that, once activated, releases malware onto a system or network

106
Q

What is social engineering?

A

Manipulation of people to make them perform specific actions or reveal confidential information

107
Q

What are the six principles used to persuade or influence someone, according to Dr Robert Cialdini?

A

Reciprocity
Consistency and commitment
Consensus
Liking
Authority
Scarcity

108
Q

What is phishing?

A

Use of fraudulent messages to try to steal sensitive information

109
Q

What is spear phishing?

A

Phishing attempt that targets a specific user rather than a blanket communication sent to many people

110
Q

What is the internet of things?

A

Network of devices, most commonly associated with devices around the house

111
Q

What are the risks presented by social media to organisations?

A

Human error
Productivity
Data protection
Hacking
Reputation
Inactivity
Costs

112
Q

What are the risks of social media to individuals?

A

Going viral
Internet trolling
Employment
Legal sanction
Physical theft
Identity fraud
Permanence

113
Q

What are the implications for an organisation that is compromised in some way?

A

Down time
Reputation damage
Customer flight
Industry consequences
Termination of employees
Loss of intellectual property or trade secrets
Legal consequences