Index
Resources 2
P3 - Section A 2
P3 - Section B 2
P3 - Section C 3
P3 - Section D 3
Chapter 1 - RISK 4
P3 - Section A
P3 - Section B
Stress-Test Your Strategy: The 7 Questions to Ask
Ex-Nissan chief Ghosn hit with fresh corruption charge - Case Study and report on ethics and behaviour
2
Ultimate Access Education
www.ultimateaccess.net
P3 - Section C
Enterprise Risk Management Framework: Integrating with Strategy and
Performance - slides
Enterprise Risk Management Integrating with Strategy and Performance -
Report
A CGMA guide to countering fraud and corruption
Deloitte - Internal Audit Insights
P3 - Section D
A threat of cyber crime.
Chapter 1 - RISK
1. What is risk?
Uncertainty arises from ignorance and a lack of information. The future cannot
be predicted under conditions of uncertainty because there is insufficient
information about what the future outcomes might be or their probabilities of
occurrence.
It is generally the case that firms must be willing to take higher risks if they
want to achieve higher returns:
● To generate higher returns a business may have to take more risks in
order to be competitive.
● Incurring risk also implies that the returns from different activities will be
higher. “Benefits” can be financial – decreased costs, or intangible – better
quality information.
1. Some low-risk activities will provide higher competitive advantage – when
these can be identified.
For example, the mobile phone operator may find a way of easily altering mobile
phones to make them safer with regard to the electrical emissions generated.
2. CIMA's risk management cycle
Risk management should be a proactive process that is an integral part of
strategic management.
3. Types and sources of risk for business organisations
Interest rate risk: the risk that interest rates change.
Gearing risk: the risk arising from how a business is financed (debt vs. equity).
Key points to consider
Student Notes
Chapter 2 - Risk management
1. Risk management
Risk management - the process of understanding and managing the risks that
the organisation is subject to in attempting to achieve its corporate objectives.
The traditional view of risk management has been one of protecting the
organisation from loss through conformance procedures and hedging
techniques – this is about avoiding the downside risk.
ENTERPRISE RISK MANAGEMENT
1. 4 objectives (top tier)– reflect different executives
2. 4 organisational levels (right tier)– emphasise importance of risk
management across the organisation
3. 8 components:
● Internal environment - the tone of the organisation, including the risk management philosophy and risk appetite.
● Objective setting - objectives must be aligned with the organisation’s mission and be consistent with the organisation’s defined risk appetite.
● Event identification - internal and external events which impact upon the achievement of an entity’s objectives must be identified.
● Risk assessment - risks’ likelihood and impact are assessed as a basis for determining how they should be managed.
● Risk response - develop a set of actions to align risks with the entity’s risk tolerances and risk appetite.
● Control activities - policies and procedures help ensure the risk responses are effectively carried out.
● Information and communication - information is identified and communicated in a style that enables people to carry out their responsibilities.
● Monitoring - the ERM process is monitored and modified as necessary.
RISK MANAGEMENT AND SHAREHOLDER VALUE
4 STAGES:
An update to COSO was introduced in 2017 that uses a new diagram – the
double helix. Key principle: to include ERM in every business activity including
setting the mission, vision and core values of an entity.
5 components:
The cube or the helix? Identify the framework that best suits an organisation to help achieve its strategy and objectives.
FACTORS AFFECTING RISK APPETITE
Nature of product being manufactured: Certain products having a high risk of product failure (e.g. aircraft) must be avoided. It will help in reducing the risk appetite of the organisation.
The need to increase sales: The strategic need to move into a new market will result in the business accepting a higher degree of risk, and the business will appear to have a high risk appetite.
Reputation of the company: If the company has a good reputation then the board will accept less risk, as they will not want to lose that good reputation.
AN ALTERNATIVE RISK MANAGEMENT APPROACH
3. IDENTIFYING, MEASURING & ASSESSING RISKS:
REACTIVE PROACTIVE
1. PEST/SWOT analysis
2. External advisors
3. Interviews/questionnaires
4. Internal audit
5. Brainstorming
Company’s cash flows against the risk factors. Regression coefficients
indicate the sensitivities of the company’s cash flow to these risk factors.
● Simulation analysis - evaluate the sensitivity of the value of the
company, or its cash flows, to a variety of risk factors.
Risk map (figure): impact/consequences plotted against probability/likelihood, each rated low or high.
• Transfer of risks: Risks are transferred to third parties. Eg: Insurance
Here, the risks tend to cancel each other out, and are lower for the
pool as a whole than for each item individually. Eg: It is common in large
negatively correlated (or less than +1.0).
Problems of Diversification:
• There is a possible risk that by diversifying too much, an organisation
might become much more difficult to manage.
• Risks could therefore increase with diversification, due to loss of
efficiency and problems of management.
• Relatively little advantage accrues to the shareholders from
diversification.
• Anyway the investors diversify their risk by holding a portfolio of stocks
and shares from different industries and in different parts of the world.
Risk reduction: Even if a company cannot totally eliminate its risks, it may
reduce them to a more acceptable level by a form of internal control
Hedging risks: The concept of hedging is reducing risks by entering into
transactions with opposite risk profiles to deliberately reduce the overall risks
in a business operation or transaction.
Risk sharing: This can be a motivation for entering into a joint venture.
Risk Cube:
Risk is seen as some combination of a threat, exploiting some vulnerability, that could cause harm to an asset.
6. Risk Reporting:
Managers of a business, and external stakeholders, will require information
regarding the risks facing the business. A risk reporting system would
include:
● A systematic review of the risk forecast (at least annually).
● A review of the risk strategy and responses to significant risks.
● A monitoring and feedback loop on action taken and
assessments of significant risks.
● A system indicating material change to business circumstances, to
provide an ‘early warning’.
● The incorporation of audit work as part of the monitoring and information gathering process.
Example : Marks and Spencers plc. risk report extract.
7. RISK REPORTING
A risk reporting system would include:
● A systematic review (annual)
● The risk strategy and responses
● A monitoring and feedback loop on action taken.
● A system indicating material change to business circumstances.
● The incorporation of audit work
9. Risk management & Responsibilities
Audit committee: Board committee to review internal control systems and to work with internal and external auditors.
● Provision of overall leadership for the risk management team.
● Identification and evaluation of the risks
● Implementation of risk mitigation strategies.
● Developing, implementing and managing risk management programmes
● Establishment of risk management awareness programmes.
● Ensuring compliance with any laws and regulations affecting the business.
● Liaising with insurance companies to mitigate risk
● Depending on specific laws of the jurisdiction in which the organisation is
based.
4. Possibility of mis-classification
Student Notes
Chapter 3 - Strategy risk
1. What is strategy?
Strategy - a course of action, including the specification of resources required, to achieve a specific objective.
All three levels should be linked. A risk for the corporate or business level
strategy is that it will only succeed if it is supported by appropriate operational
strategies.
Johnson, Scholes and Whittington took the stages from the rational model and
grouped them into three main stages:
● Strategic analysis
● Strategic choice
● Strategic implementation
helps to ensure they are familiar with the organisation, as well as
providing a series of guidelines they can follow to help them develop a
strategy.
More informal approaches tend to suit organisations which:
● are in dynamic, fast changing industries where there is little time to
undertake formal strategic analysis
● have experienced, innovative managers who are able to quickly identify
and react to changes in the organisation and its environment
● do not need to raise significant external finance (external investors
typically prefer a formal planning approach).
The 3 E’S:
1. Economy: looks solely at the level of inputs. For example, did the hospital spend more or less on drugs this year? Or on nurses’ wages?
4 Strategic analysis and choice
KEY DECISIONS TO MAKE:
5. Competitive strategy
Existing New
Approach: Different quality
versions or add new features
7. Acquisition
A business firm may use the following ways to grow:
1. Acquisition - when a corporation buys most of the target company’s ownership stakes in order to assume control of the target firm.
2. Merger - creation of a new reporting entity by combining two or more parties.
3. Organic growth - growth through internally generated projects, such as increased output, customer base expansion, etc.
Possible areas of focus for due diligence:
Financial statements -
• Involves a review of financial metrics, the reasonableness of financial forecasts, and verification of the assets owned and their values
• It may reveal information about the performance of the target company which may impact the consideration price
Strategic fit -
• It is also important to understand how the target will fit strategically within the combined entity
Employee management issues -
• Identification of any disputes or any organisational structure mismatch in the target company
Property -
• Premises that the target owns or leases should be reviewed
• The best location should be identified in line with the plans of the acquirer
Intellectual property -
• It also requires a proper valuation of the intellectual property of the target
• Due diligence will involve checking whether the target has taken appropriate steps to protect its intellectual property
Contract review -
• Review the material contracts the target holds in order to fully understand its commitments. These may involve supplier or customer contracts.
Pending litigation -
• The acquirer needs to know whether there are any ongoing claims, closed claims or pending litigation.
Tax -
• The buyer would need to consider the tax situation of the target company, reviewing any tax returns and getting an understanding of any tax balances or correspondence with the tax authorities of the relevant countries
business units
• A very helpful approach for sharing risks, cost and expertise
2) Strategic alliance
• a cooperative business activity, formed by two or more separate
organizations for strategic purposes, that allocates ownership, operational
responsibilities, financial risks, and rewards to each member, while
preserving their separate identity/autonomy.
– Strategic synergy – more strength when combined than they have
independently. Positioning opportunity – at least one of the
companies should be able to gain a leadership position.
– Limited resource availability – a potentially good partner will
have strengths such as access to scarce resources that complement
weaknesses of the other partner.
– Less risk – forming the alliance reduces the risk of the venture.
– Co-operative spirit – both companies must want to do this and be
willing to cooperate fully.
– Clarity of purpose – results, milestones, methods and resource
commitments must be clearly understood.
– Win-win – the structure, risks, operations and rewards must be fairly apportioned among members
3) Franchising
• Purchase of the right to use a business brand in return for a capital sum and a share of profit or turnover
• Example - McDonalds
4) Licensing
• Right to use invention or resource in return for a share of proceeds
5) Outsourcing
• Contracting out aspects of the organisation, previously done in house, to specialist providers
• Profit sharing – It depends on risk taken by each firm which is difficult to
measure
• Loss of control
• Loss of development opportunities
9. International growth
• While deciding to expand abroad, a business has several possible strategies that it may adopt:
1. Exporting strategy – the firm sells a product made in its home country abroad.
2. Overseas manufacture – the firm manufactures products in a foreign country and then imports them into the home country.
3. Multinational – the firm coordinates value-adding activities across national boundaries. For example, a multinational car manufacturer will have engine plants in one country, car body plants in another and electrics in a third. Production capacity is often duplicated around the world.
4. Transnational – a nationless firm having no home country. Employees and facilities are treated identically, regardless of where they are in the world.
10. Disruption
• A new development that changes an existing market, and can even lead to big firms having a drop in sales.
• Example - Amazon. Its simplicity and competitive pricing have disrupted the retail market.
• Simplicity - for example, the ease of ordering on Amazon
• Resources - using less of scarce resources and using environmentally friendly resources
• Cost - VHS got ahead of Betamax in the home video industry because it was cheaper, even though it was a technically inferior product
• Accessibility - WhatsApp is available on all smartphones, as against iMessage which is only for iOS devices
• Quality – doing something significantly better than it is currently done can also be a source of disruption.
Benefits:
● Focuses management attention on the future and possibilities
● Encourages creative thinking
● Can be used to justify a decision
Drawbacks:
● Costly and inaccurate – uses up substantial resources and time
● Tendency for cultural distortion and for people to get carried away
2. Measurement
– What critical performance variables are you tracking? The key is not to have too many measures on any scorecard but to identify the key factors that drive performance and focus on those.
– What strategic boundaries have you set? Where to focus is often viewed as the safer option, while where not to focus allows more creativity.
3. Productivity
• How are you generating creative tension? A positive outlook may lead to people insisting that everything will eventually work out.
• How committed are your employees to helping each other? If employees feel that they are being treated fairly and trust each other, they will achieve greater results.
4. Flexibility
● What strategic uncertainties keep you awake at night? To achieve this, everyone must be focused on what is happening in the external environment and feed back anything unusual so that action can be taken.
Questions to consider
1. Consider the risks associated with the chosen strategy - particularly are
Student Notes
Chapter 4 - Reputational risk
1 Reputational risk
Example: In Runnabout (CIMA pre-seen May & Aug 2020), the hoverboards cause ankle fractures when passing over kerbs, and this injury is increasing. This can cause a reputational risk if the company does not respond.
Business ethics:
● Comprises the principles and standards that govern the organisation
● Actions can be judged right or wrong by individuals inside or outside the organisation. However, different individuals will have different views on each of these issues.
● Example: it is unethical to experiment on animals
3 Code of ethics
Integrity- fair dealing and truthfulness, maintain honest business relationship
Objectivity- no professional judgement is compromised due to bias or conflict
of interest.
Professional competence and due care- accountants have to possess
professional knowledge and follow professional standards and be up to date.
Confidentiality- information received must not be disclosed without proper permission, and the information must not be used for personal advantage.
Professional behaviour- to treat all people in a professional capacity
Conceptual framework approach: requires a management accountant to identify, evaluate and address threats to compliance with the fundamental principles, rather than merely comply with a set of specific rules which may be arbitrary; it is, therefore, in the public interest.
Ethical threats:
● Self interest threat- occurs due to personal financial interest that creates
conflict
● Advocacy threat- occurs when a point is promoted that compromises
the subsequent objectivity
● Familiarity or trust threat- occurs when a member becomes too
sympathetic to the interest of others
● Adverse interest threat- occurs when a member does not act with
integrity because of their interest opposed to their employer.
Ethical safeguards:
● External review by a legally empowered third party of report, returns,
information provided by a professional accountant.
● Regulatory monitoring and disciplinary procedures.
● Education, training and experience required for the profession
Ethical dilemma: It may arise out of conflict between personal values and
organisational goals, or organisational goals and social values.
4. Escalate issue further to your manager's boss, the Board or a non
procedure).
6. Points to consider
Student Notes
Chapter 5 - Corporate governance
1 What is corporate governance?
Corporate governance - the system by which companies are directed and controlled in the interest of shareholders and other stakeholders.
Ex: Securities and Exchange Commission (SEC) in the US, Financial Conduct Authority (FCA) in the UK and Securities and Exchange Board of India (SEBI) in India
● Not well run by its board of directors (Ex: Equitable Life, an insurance company, ran into losses as it was paying out more to policyholders than its reserves. It had a board of NEDs who had no idea what was going on at the company)
● One individual dominated the board and exerted influence on decision making (Ex: Barings Bank had placed Nick Leeson in charge of the desk office and the back office. This gave him the power to make unauthorised dealings in derivatives and relay false information to the head office. He went on to lose £800 million.)
● One person was chairperson as well as chief executive officer (Ex: Elon Musk was stripped of his role as chairperson as the dual power led to him giving false and misleading information to the public about the company going private.)
● Board lacked sufficient knowledge and experience. ( Ex: As with the
above case of Barings Bank, the board had only superficial knowledge of
derivatives and did not know the risks involved leading to a loss of $1.4
billion in total.)
● Interests of executive directors kept in mind ( Ex: Parmalat, Italian
dairy goods company, embezzled cash and falsified accounts. The
embezzlement worth $1 billion involved the founder Calisto Tanzi, his
family members and the board members).
● Financial reports were inaccurate and unreliable (Ex: Enron made off-balance sheet transactions with the help of special purpose entities (SPEs) for financing the company. The investors were not shown the true and fair financial condition of Enron)
● Auditors are inefficient or misled by the management ( Ex: The
collapse of audit firm Arthur Andersen due to its involvement in the Enron
Scam)
● Ineffective internal control system – From the above examples, it is
clear they did not have effective internal controls to check and protect the
interests of the company
g) If 20% of shareholders vote against a board recommendation, explanation to
be given.
Division of Responsibilities
a) There should be a clear division between the responsibilities and one person
should not hold the position of the chair and CEO
b) The Chair has the responsibility of running the board. The chair should be
independent on appointment.
i) Provide leadership to the board
ii) Determine the composition and structure of the board
iii) Set the board’s agenda and plan board meetings
iv) Ensure the board receives appropriate, accurate, timely, and clear
information
v) Facilitate effective contribution from NEDs
vi) Discuss governance and major strategy with major shareholders
One NED should be the senior independent director who will be available to the
shareholders if they have any concern that can't go through the official channel.
Risk role: NEDs ensure the company has an adequate system of internal
controls and systems of risk management in place.
Composition, Succession and Evaluation
a) There should be a formal procedure of electing the directors
b) An appropriate succession plan for the board and senior executives must be
present.
c) All Directors should:
- Be able to allocate sufficient time to discharge their duties
- Be subject to an annual evaluation regarding their contributions
- Have appropriate balance of skills, experience, independence and
knowledge
- Be submitted for re-elections at regular intervals
Nomination Committees
Majority of the members of the nomination committee should be independent
non-executive directors. The chair can be on the committee, but should not chair
the committee when it is deciding on the appointment of a new chair.
Main responsibilities and duties
● Review regularly the structure, composition and size of the board and make
recommendations
● Consider the balance between the executives and the NEDs
● Regularly evaluate the knowledge skills and experience of the board
● Prepare description of roles and capabilities for any position in the board
● Give full consideration to succession planning
AUDIT COMMITTEE
The board should establish an audit committee of at least three, or in the case of
smaller companies two, independent non-executive directors. Chair should not
be a part of this committee. At least one member of committee must have
relevant financial knowledge and experience
REMUNERATION COMMITTEE
Role:
● Levels of remuneration for NEDs to show the time commitment and
responsibility of the role - in line with Articles of Association
● Notice or contract periods to be set at less than a year
● Avoid rewarding poor performance
The remuneration package should be motivational, not too small, not too easily
earned.
Components to consider: Basic salary, performance related pay, pension contributions, benefits in kind.
4. Corporate governance and internal controls
● Control environment.
● Risk assessment.
● Control activities.
● Information and communication.
● Monitoring.
● consider the significant risks and how they have been identified,
evaluated and managed
● assess the effectiveness of the internal controls for managing each
significant risk
● consider whether any controls are weak and action is necessary to
strengthen them
● The annual assessment of the system of internal control should consider:
○ the changes since the assessment carried out in the previous year
○ the scope and quality of management’s ongoing monitoring of
risks and of the system of internal control
○ the extent and frequency of the communication of the results of
this monitoring to the board
○ the extent and frequency of internal control weaknesses and failing
that have been identified during the year
○ the effectiveness of the company’s public reporting processes
The reason for having an audit committee is that auditors were not sufficiently independent of the board of directors, particularly
ii. Review internal controls
iii. Liaise with internal auditors
iv. Liaise with external auditors
6. International developments
Sarbanes-Oxley Act: after the Enron and WorldCom scandals the Sarbanes-Oxley Act was introduced, in order to restore confidence in US companies.
● Corporate Value
● Rise in Shareholder Activism
● Rise in Sustainable and Responsible Investing
The CSR Report - address issues most important to each of the company’s key
stakeholders, for example:
7. Governance and strategy
Points to consider
1. Review your case study organisation structure and critically evaluate the
senior management experience and qualification
2. Review and critically evaluate the governance committees of the organisation.
3. The importance of CSR report as a strategic communication tool.
Student Notes
Chapter 6 - Internal Controls
Internal control:
Examples of the three areas of internal control mentioned in this definition are:
● Safeguarding assets
● Collecting receivables on time
● Paying suppliers and employees the correct amounts
● Ensuring working time and minimum wage laws are not broken
● Paying the correct amount of tax on time
● Ensuring health and safety laws are complied with
Note that the term encompasses more than just financial controls - though it is financial controls that auditors will concentrate on.
Definition Commentary
The main point to note here is that the internal control system encompasses the whole business, not simply the financial records.
Turnbull Report:
3. Processes for monitoring the continuing effectiveness of the system of
internal control.
1. Control environment
The control environment provides the discipline and structure for the
achievement of the primary objectives of the system of internal control.
The principles that underpin the control environment component are:
● The board has appropriate expertise and oversees the five
competencies.
● Management must establish an appropriate organizational
structure to help achievement of the objectives
● Human resource policies and practices to help attract, develop
and retain suitable talent.
2. Risk assessment
The risk assessment should be conducted for each business within the
organization, and should consider, for example:
– internal factors, such as the complexity of the organisation, organisational changes, staff turnover levels, and the quality of staff
– external factors, such as changes in the industry and economic conditions, technological changes, and so on.
The risk assessment process should also distinguish between:
3. Control activities
Control activities occur at all levels within an organization, and include
authorizations, verifications, reconciliations, approvals, segregation of duties,
performance reviews and asset security measures.
The principles that underpin the control activities component are:
5. Monitoring
DETAILS OF CONTROLS
Supervision,
Organisation,
Arithmetic and accounting,
Personnel,
Segregation of duties,
Physical,
Authorisation and approval and
Management.
eg: recording the purchase and payment in the accounts.
Physical controls - to protect physical assets against theft or unauthorised access and use.
eg: using a safe to hold cash and valuable documents
Authorisation and approval controls - to ensure that a transaction must not proceed unless an authorised individual has given his approval, possibly in writing.
eg: for spending transactions, an organisation might establish authorisation limits, whereby an individual manager is authorised to approve
Management controls - top level reviews (BOD / senior managers)
eg: senior management might review a report on the progress of the organisation toward achieving its budget targets.
Activity controls (department/divisional level)
eg: the provision of regular performance reports, such as variance reports,
comparing actual results with a target or budget.
Supervision -oversight of the work of other individuals, by someone in a
position of responsibility
Organisation controls- the controls provided by the organisation’s structure,
such as:
● the separation of an organisation’s activities into departments or
responsibility centres
● delegating authority within the organisation
● establishing reporting lines within the organisation
● coordinating the activities of different departments or groups, e.g. by
setting up committees or project teams.
Arithmetic and accounting Controls- eg:
● recording transactions properly in the accounting system
● being able to trace each individual transaction through the accounting
records
● checking arithmetical calculations, such as double-checking the figures in
an invoice before sending it to a customer (sales invoice) or approving it
for payment (purchase invoice) to make sure that they are correct.
Personnel controls - Controls should be applied to the selection and training of
employees.
Any controls recommended should cost less than the benefits they bring.
eg: you would not recommend the hiring of a security guard at £35,000 per
annum to watch over the petty cash tin which held £100.
CLASSIFICATION OF CONTROLS
● Financial controls;
● Non-financial quantitative controls;
● Non-financial qualitative controls.
Financial controls - these controls express financial targets and spending limits.
Examples include
– budgetary control
– controls over sales, purchases, payroll and inventory cycles.
The purchase cycle is similar to the sales cycle but concentrates upon the risk
of staff ordering goods for themselves, more goods being ordered than
necessary (leading to obsolescence or theft), payments being made to fictitious
suppliers (theft), and goods being overpriced by the supplier.
4. BANK AND CASH CONTROLS
Objectives of controls: to ensure that cash balances are safeguarded and kept to a
minimum, and that money can only be extracted from bank accounts for authorised
purposes.
Examples of possible risks to cash and bank accounts and the related controls
(the risks/control procedures table is not preserved; only one control procedure
survives):
● Tills emptied regularly.
Controls in other departments (table fragments only):
● despatch notes
● continuous training
● eligibility to work in the country
● security guards at exits
● bag searches when staff leave their shift.
Examples (left column of the original table):
● balanced scorecard targets
● TQM quality measures
● project management implemented
Examples (right column of the original table):
● employee training
● management control methods (such as contracts of employment)
Costs v benefits of internal control system
The benefits of maintaining the system must outweigh the costs of operating it.
Costs include:
● time of management involved in the design of the system
● implementation
● maintenance of the system
● software upgrades
Benefits:
● A good internal control system cannot turn a poor manager into a good
one.
● Cannot completely eliminate the risk from mistakes or errors.
● Controls are only designed to cope with routine transactions and events.
“COSO” MODEL APPLIED TO FRAUD PREVENTION (deliberate falsification)
[Figure not preserved; surviving labels: organisational indicators, specific events]
FRAUD RISK MANAGEMENT STRATEGY
1. Fraud prevention:
Internal environment
This can be regarded as the outlook and culture of the organisation, including its
enthusiasm for risk management and its risk appetite.
For example, some organisations are a bit happy-go-lucky when it comes to risk
management whereas others are extremely strict and want things to be done by
the book.
Objective setting
Objectives must exist before management can identify potential events affecting
their achievement. Enterprise risk management ensures that management has
in place a process to set objectives and that the chosen objectives support and
align with the entity’s mission and are consistent with its risk appetite.
Similarly, with regard to minimum wages, unless those are defined and
compared to actual wages, no control is possible.
Event identification
There are internal and external events (both positive and negative) which affect
the achievement of an entity’s objectives and must be identified. For example,
there must be a way of accounting for waste and quality control failures.
Risk assessment
Risks must be analysed to consider their likelihood and impact as a basis for
determining how they should be managed. The results of this exercise should be
noted on the risk register and the assurance mapping document.
Risk response
The aim is to align risks with the entity’s risk tolerance and risk appetite. Risk
tolerance is the acceptable variation in outcome compared to an original
objective. In setting risk tolerance, management considers the relative
importance of the related objective. So, if an objective is particularly important,
risk tolerances might be higher to recognise that achieving something really
worthwhile is worth accepting more risk.
Control activities
Policies, procedures and control methods help to ensure risk responses are
properly carried out. Examples of control activities include authorisation of
transactions, reconciliations, segregation of duties (splitting a transaction so that
several people are involved), physical controls (such as locking away valuable
inventory), the comparison of actual results to budgets. IT controls can also be
very important.
Information that monitors or identifies risks must be identified, recorded and
communicated quickly enough and in a way that lets people carry out their
responsibilities by making decisions. For example, if a product’s sales are lower
than expected, this information must be available quickly enough to change
prices, alter the advertising campaign – or to withdraw the product.
Monitoring
1. Performing regular checks, e.g. stocktaking and cash counts.
2. Warning signals or fraud risk indicators (see previous section).
– Unusual behaviour by individual staff members
– Accounting difficulties.
3. Whistleblowers, e.g. Sam Antar, convicted for frauds committed in the 1980s
after whistleblowers from within the company informed the government of the
crimes.
3. Fraud responses:
3. The fraud response plan also has a deterrent value and can
help to restrict damage and minimise losses to the organisation.
Points to consider
Chapter 7 - Internal Audit
Internal Audit
CIMA members and the P3 exam are primarily focussed on internal audit.
IA might fall under the control of the finance director and then IA staff would
potentially have to report problems with financial internal control to the director
who has prime responsibility for internal control. It is easy to see how the
finance director might like problems to be minimised or ‘hushed up’. It is
therefore strongly recommended that IA reports to the audit committee, chief
executive officer and board of directors rather than to the finance
director.
● There should be full access to people and documents.
● There should be clear access to the CEO, chairman and the audit
committee.
● Internal audit should report to a senior director or the audit committee.
● Internal audit should be independent of executive management so as to
maintain their independence.
● Best practice for auditing methodologies and the latest auditing standards
should be used.
● Internal audit should be consulted on all major business changes so that
suitable controls can be implemented promptly.
● The internal auditors should have no operational involvement elsewhere
in the organisation.
● There must be clear communication of findings.
● The performance of an internal audit should be regularly assessed.
● Scale
● diversity
● complexity of organization,
● number of employees,
● cost/benefit considerations,
● change in organization/key risks,
● problems with internal control system,
● increase in unexplained or unacceptable events.
NOTE - Risk management vs internal audit
Internal auditors can’t effectively fulfil both roles of referee and player. In their
professional capacity, they can provide a consulting service on risk
management, but can’t be the ones responsible for risk management. They can
review the process of governance, but can’t get involved in governing or do the
accounting.
● Appointment and termination (of internal audit head) approved by audit
committee
Directors may consider that outsourcing the internal audit function represents
better value than an in-house provision.
Measures to minimise the risks associated with outsourcing the internal audit
function include:
Effectiveness and efficiency of internal audit
Efficiency: compare actual costs and output against a target (e.g. the cost per
internal audit day, the cost per audit report, the number of audit reports
produced).
NOTE: the internal audit report is often seen as a trigger for risk management.
NOTE - The duties of the two sets of auditors will differ and hence the work of
internal audit may be of very little relevance to the external auditor. However, in
some instances, the external auditors do rely on the internal auditors’ work if
areas of the external auditors’ audit programme have been covered.
Management letter - includes a list of issues that the auditor came across during
the course of his audit work (issues concerning the auditor; recommendations to
implement or improve the controls).
Fraud investigation - not the auditor’s primary objective, but they are duty bound
to report a fraud if during the course of their work they identify fraudulent
activities.
efficiency of its use of public funds.
● Management audits: analysis and assessment of competencies, abilities
and capabilities of a company's management in order to evaluate their
effectiveness, especially regarding the strategic objectives and the
implementation of the policies of the business.
● Social and environmental audits: A social and environmental audit looks
at factors such as a company's record of charitable giving, volunteer
activity, energy use, recycling waste, diversity in recruitment,
non-discrimination in appointments, the standard of the work
environment and workers’ remuneration, to evaluate the social and
environmental impact the company is having.
● Special assignments such as investigating a case of fraud.
● Assisting the external auditors.
Social Audit
Environmental audit - ‘A management tool comprising a systematic, documented,
periodic and objective evaluation of how well organisations, management, and
equipment are performing, with the aim of contributing to safeguarding the
environment by facilitating management control of environmental practices, and
assessing compliance with company policies, which would include meeting
regulatory requirements and standards applicable.’ (Report to be assessed by a
qualified environmental assessor.)
Audit Process
Audit planning:
– subject to confidentiality restrictions – external between competing entities.)
Note - the activities which should be given priority for audit are those where the
inherent risk is high and the quality of control is low.
Types of Benchmarking
– focus on a single function, e.g. production, to improve the operation of that
function. Complex functions (human resources) need to be disaggregated into
processes to make valid comparisons.
The audit risk model sets out the current, risk-based, approach to auditing.
Audit risk is the risk that the auditor comes to a wrong conclusion about a figure
in the financial statements or the accounting system. For example, the auditor,
whether internal or external, concludes that an amount is correct when, in fact,
it is wrong.
For that to happen, three problems must have occurred:
Inherent risk: this is the risk that an error is made in the first place before the
application of any controls or checks. Inherent risk is increased by factors such
as:
● Inexperienced staff
● Time pressure
● Complex transactions
● Figures requiring a high degree of estimation
● Pressure to perform well e.g. to make results look good.
Control risk:
This is the risk that the organisation's system of internal control does not
prevent or detect the error. For example, a junior employee might have
committed an error (inherent risk), but good supervision and checking of that
person’s work should detect and correct the error.
If both of these occur, then a wrong figure is in the financial statements or in the
accounting records.
Detection risk:
This is the last line of defence and this refers to work the auditor does. If the
auditor performs a lot of work, detection risk will be low as there is a good
chance that the audit work detects the problem. If the auditor does relatively
little work, then the chance of picking up an error will be low.
Auditors can’t alter inherent risk or control risk in the short term (though they
should certainly be able to influence control risk in the long term). Therefore, to
keep the audit risk low (and this is essential), if the auditor perceives high
inherent and control risk, a large amount of audit work will have to be
performed. If, however, the auditor perceives inherent and control risk to be
low, the auditor will perform much less audit work yet still achieve a reasonable
degree of assurance about the figures in the accounting system.
Detection risk depends on:
‣ Sampling risk – if a sample is too small then errors might not be found. This
risk is decreased by increasing sample sizes.
‣ Non-sampling risk – typically because the auditors are too inexperienced, badly
supervised and their work poorly reviewed. Samples could be 100% but if the
auditor didn’t know what he or she was looking for, the risk will be very high.
Audit planning
Knowledge of the business. For example, a jewellery business will have high
risk in inventory (small, high-valued items).
Talking to staff. For example, they might tell the auditor of accounting
problems or that the new IT system was giving problems.
supermarkets get quite excited if their like for like sales rise by just a few
percentage points over a year so a GP% jump from 30% to 40% is
remarkable.
Even very small businesses will usually maintain their accounting records on a
computer. There are many advantages to this, not least that trial balances will
usually balance and control accounts will reconcile to the underlying detailed
records. However, the absence of hand-written data and documents can make
auditing more difficult. For example, it can be difficult to test
whether a computer is carrying out a procedure correctly and it can be more
difficult to ‘see’ and examine the information and records than in a manual
system.
Computer Assisted Audit Techniques (CAAT) have been developed to assist the
auditor when the client maintains computerised records.
Audit software (or audit programs) is software developed and used by auditors.
Audit software allows clients’ accounting data files to be read and examined.
The processes carried out by the auditor’s software commonly include:
Once it is set up, audit software can quickly, efficiently and economically
examine every item on a data file. This would often be difficult or impossible if
attempted manually. It can greatly speed up audit completion and reduce costs.
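As an added illustration of what audit software of this kind does (this is not code from the original notes or from any CIMA material), here is a small Python routine that reads a constructed purchase ledger extract and applies three of the controls described earlier in this chapter to every line: the arithmetic check on invoice figures, the authorisation limit per approving manager, and the purchase-cycle check that payments go only to approved suppliers. The supplier master file, the approval limits, the invoice numbers and the amounts are all invented for the example, and the CSV layout is an assumption rather than any vendor's format.

```python
"""CAAT-style checks over a constructed purchase ledger extract (added example)."""
import csv
import io
from decimal import Decimal

# Constructed sample master data; supplier IDs and names are invented.
APPROVED_SUPPLIERS = {"S001": "Acme Stationery Ltd", "S002": "Northwind Paper plc"}

# Hypothetical authorisation limits per approving manager.
APPROVAL_LIMITS = {"j.smith": Decimal("5000.00"), "a.patel": Decimal("20000.00")}

# Constructed purchase ledger extract, as the auditor's software would read it.
LEDGER_CSV = """invoice_no,supplier_id,approver,quantity,unit_price,invoice_total
INV-1001,S001,j.smith,10,12.50,125.00
INV-1002,S002,j.smith,100,45.00,4500.00
INV-1003,S002,j.smith,200,45.00,9000.00
INV-1004,S999,a.patel,1,1500.00,1500.00
INV-1005,S001,a.patel,3,19.99,59.99
"""


def load_ledger(csv_text):
    """Parse the extract; money is held as Decimal so the arithmetic check is exact."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "invoice_no": r["invoice_no"],
            "supplier_id": r["supplier_id"],
            "approver": r["approver"],
            "quantity": Decimal(r["quantity"]),
            "unit_price": Decimal(r["unit_price"]),
            "invoice_total": Decimal(r["invoice_total"]),
        })
    return rows


def check_arithmetic(row):
    """Arithmetic control: recompute quantity x unit price and compare with the stated total."""
    expected = row["quantity"] * row["unit_price"]
    if expected != row["invoice_total"]:
        return (f"total {row['invoice_total']} does not equal "
                f"{row['quantity']} x {row['unit_price']} = {expected}")
    return None


def check_supplier(row):
    """Purchase-cycle control: payments must go only to suppliers on the approved master file."""
    if row["supplier_id"] not in APPROVED_SUPPLIERS:
        return f"supplier {row['supplier_id']} is not on the approved supplier master file"
    return None


def check_authorisation(row):
    """Authorisation control: the approver's limit must cover the invoice amount."""
    limit = APPROVAL_LIMITS.get(row["approver"])
    if limit is None:
        return f"approver {row['approver']} has no authorisation limit on record"
    if row["invoice_total"] > limit:
        return f"{row['invoice_total']} exceeds {row['approver']}'s limit of {limit}"
    return None


CHECKS = {
    "arithmetic": check_arithmetic,
    "supplier": check_supplier,
    "authorisation": check_authorisation,
}


def audit_ledger(csv_text):
    """Run every check over every invoice; return {invoice_no: {check: message}} for exceptions only."""
    exceptions = {}
    for row in load_ledger(csv_text):
        findings = {name: msg for name, fn in CHECKS.items() if (msg := fn(row))}
        if findings:
            exceptions[row["invoice_no"]] = findings
    return exceptions


if __name__ == "__main__":
    for invoice, findings in audit_ledger(LEDGER_CSV).items():
        for check, message in findings.items():
            print(f"{invoice}: [{check}] {message}")
```

Running the module prints one exception line per failed check. A real CAAT run works the same way over the client's exported data file, examining every record rather than a hand-picked sample and writing the exceptions to a working paper for the auditor to follow up.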
The internal audit report
At the end of the audit process, internal auditors will issue a report that will
detail:
● Deficiencies in the internal control system’s design
● Incidents where the internal control system was not complied with
● Errors discovered
Fraud
An anti-fraud strategy
(Fraud risk management: a guide to good practice, CIMA)
independent advice about behaviour. Audit committee being available to
support internal audit and whistleblowers.
Ethical culture: for example, making it clear that ‘shady’ practices are wrong
and will not be tolerated by the company. Training in ethical behaviour will be
important.
Chapter 8 - Cyber Risks
Overview
Networks
Only the very smallest of businesses will have stand-alone computers i.e.
computers not connected to other computers. Even in small businesses
employees need to share data and, very soon after personal computers were
invented, networks of computers were introduced.
Local area network (LAN): Here the network extends over only a relatively
small area, such as an office, a university campus or a hospital. The small area
means that these networks use specially installed wiring to connect the
machines.
Wide area networks (WAN): Here the network can extend between several
cities and countries. Each office would have its LAN, but that connects to LANs in
other offices and countries using commercial, public communications systems.
At one time this would have been done by the organisation leasing telephone
lines for their private use to transmit data from office to office. However, this is
expensive and inflexible and the common system now used is known as a virtual
private network (VPN).
Network layers
The presentation tier: this is what you see on your computer screen:
information, boxes in which to input data, buttons to click on, drop-down menus
to choose from. This will be on the client machine.
Application tier: this tier, sometimes known as the logic or business logic tier, is
where processing takes place. It can be on the client machine or in the cloud.
Data tier: where the data is stored, typically a database. It will normally be on
the server machine or in the cloud.
So, if you are posting a supplier’s invoice, you will enter the account number into
the presentation tier, the application will access the data tier, fetch the customer
name and this will be shown to you in the presentation tier. You will enter the
amount and nominal code in the presentation tier, the application tier might
split out VAT automatically, then post the amounts to the appropriate files in the
data tier.
Technology and Organizations
a. Availability: One of the reasons that the use of websites and applications
is so attractive to organisations and individuals is the flexibility of
continuous access to, and use of, information and systems.
Organisations can make sales 24 hours a day, and customers are not
limited to bricks and mortar store opening hours.
b. Confidentiality: organisations create and obtain a huge amount of
information, from proprietary information to personal information, and
it must be protected from unauthorised access and disclosure, including
complying with privacy requirements.
c. Integrity of data: organisations must make sure they take steps to
prevent unauthorised modification of or destruction of information.
d. Integrity of processing: Guarding against the improper use, modification,
or destruction of systems.
Changeover
Types:
a. Direct: This is where the old system is switched off and then the new
system is switched on. This is appropriate when the two systems are very
different, or it is too expensive to run two systems.
b. Parallel: The old and new systems are run together for a period of time,
until it is considered safe to switch the old system off. This method will be
costly (inputting data twice and possibly employing more staff to do this),
however, it will be less risky than direct changeover.
c. Pilot: This is where one part of the business changes over first. Once the
system operates correctly there, the rest of the business will change over.
The pilot department or division could be using direct or parallel
changeover.
d. Phased: This involves bringing in the new system one part of the business
at a time, say, by department or division. It differs from pilot changeover
in that all departments or divisions are staggered with respect to receiving
the new system. The downside is that this method is time-consuming.
Malware:
Malware is the term used for malicious software, regardless of the intended
purpose. It can do any number of things, ranging from the stealing of
credentials, other information or money to the general wreaking of havoc, or
denial of service.
Types:
a. Ransomware: Designed to prevent a business from accessing its data,
information or a whole computer system until a specified amount of
money is paid.
Application Attacks:
As with malware, application attack is the broad term for a variety of different
ways of attacking a victim, this time by attacking an application (app).
Types:
sensitive data from the company’s database, modify (insert, update or
delete) database data, execute administration operations (such as
shutdown) on the database, recover the content of a given file, and, in
some cases, issue commands to the operating system.
3. Cross-site scripting attacks (XSS attacks) occur when a victim is attacked
when they visit another organisation’s website. The attacker uses the
third-party web resources to run scripts in the victim’s web browser or
scriptable application. Specifically, the attacker injects malicious code
(often associated with JavaScript) into a website’s database. When the
victim requests a page from the website, the website transmits the page,
with the attacker’s code as part of the HTML body, to the victim’s browser,
which executes the malicious script. For example, it might send the
victim’s cookie to the attacker’s server, and the attacker can extract it and
use it for session hijacking.
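The two injection attacks just described can be shown side by side in a few lines of Python. This is an added example, not code from the original notes: a constructed in-memory SQLite customer table, a lookup that builds its SQL by string concatenation beside the parameterised version, and a page renderer that interpolates stored data raw beside one that escapes it. The account numbers, the names and the stored script are all invented for the example.

```python
"""SQL injection and stored XSS: vulnerable handlers beside hardened ones (added example)."""
import html
import sqlite3


def make_customer_db():
    """Constructed in-memory customer table; account numbers and names are invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account_no TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [
            ("C100", "Alice Example"),
            # A name that an attacker has already planted in the database, which is
            # the situation the stored XSS description above assumes.
            ("C200", "Bob <script>alert('xss')</script>"),
        ],
    )
    return conn


def lookup_vulnerable(conn, account_no):
    """Builds the SQL text by concatenation: the input becomes part of the query."""
    sql = "SELECT name FROM customers WHERE account_no = '" + account_no + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, account_no):
    """Parameterised query: the driver passes the value separately from the SQL text,
    so whatever the input contains it can only ever be compared as data."""
    sql = "SELECT name FROM customers WHERE account_no = ?"
    return [row[0] for row in conn.execute(sql, (account_no,))]


def render_unsafe(name):
    """Interpolates stored data straight into HTML, so stored script runs in the browser."""
    return f"<p>Customer: {name}</p>"


def render_safe(name):
    """Escapes stored data for the HTML body context it is placed in."""
    return f"<p>Customer: {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_customer_db()
    probe = "' OR '1'='1"   # constructed input that is not an account number at all
    print("vulnerable lookup returns:", lookup_vulnerable(conn, probe))
    print("parameterised lookup returns:", lookup_safe(conn, probe))
    print("rendered safely:", render_safe(lookup_safe(conn, "C200")[0]))
```

Parameterised queries remove the whole class of bug rather than filtering particular inputs, which is why they are the first recommendation against SQL injection. For XSS the fix is escaping for the context the data lands in (here the HTML body), because the data tier cannot know which browser context will display a value later.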
4. Buffer overflow attack – A buffer overflow occurs when a system cannot
store as much information as it has been sent and consequently starts to
overwrite existing content. A buffer overflow attack occurs when an
attacker sends a malicious programme which deliberately overloads the
system and starts to overwrite existing data.
Hackers
a. gain access to the file that holds all the user ID codes, passwords and
authorisations
b. discover the method used for generating/authorising passwords
c. interfere with the access control system, to provide the hacker with open
access to the system
d. obtain information which is of potential use to a competitor organisation
e. obtain, enter or alter data for a fraudulent purpose
f. cause data corruption by the introduction of unauthorised computer
programs and processing on to the system (computer viruses)
g. alter or delete files
Social engineering
These are:
Social Media
Social media is a catch-all term for a range of sites that may provide radically
different social interactions.
Uses:
V. Real-time information (live Twitter polls/Instagram polls)
VI. Communication (Zoom/Skype)
VII. Recruitment and selection (LinkedIn)
GDPR
The GDPR is a regulation in EU law and in the UK replaced the Data Protection
Act (DPA), on 25th May 2018. The GDPR has two main objectives.
Protection of the principle of free movement of personal data within the EU.
The UK Government has published its new Data Protection Bill that repeals the
DPA and enshrines the GDPR into UK law post-Brexit.
The aim is to keep personal data secure at all times. This means:
Chapter 9 - Cyber security processes
Cyber security organisational characteristics
To achieve the security objectives and mitigate the types of risk discussed in the
previous chapter, the AICPA cyber security framework recommends a security
mechanism based around three principles:
● Protection
● Detection
● Response
These three principles will be applied in different ways across the different levels
within the system. Key to their success are factors core to risk management in
general: corporate governance, tone from the top and communication of
appropriate information for decision making.
relevant financial experience on an audit committee, if a director has
recent relevant IT experience, it would help with board oversight, although
using external IT consultants could also help with this.
● Each organisation has different needs, but consideration should be given
to the appointment of a chief information officer (CIO) with overall IT
responsibility to the board, a risk committee, a chief risk officer (CRO) with
overall responsibility for risk, a chief technology officer (CTO) to look after
technology and resources to support internal operations reporting into
the CIO and a chief information security officer (CISO) to head up the
cyber security program and also report into the CIO.
● As well as appropriate reporting lines and accountability for cyber
security, a company needs to make sure it has competent personnel in
cyber security roles through the organisation. Hiring appropriately
qualified staff is a first step, but making sure they are given time and
training to stay up to date in this dynamic area is critical.
Risks in IT systems
Risks include:
carried out a routine update of its software, but the update had been
corrupted. Again, customers could not carry out transactions for up to a
week.
● Unauthorised access to data leading to destruction of data, improper
changes to data, or inaccurate recording of transactions. In 2018, British
Airways and Amazon both suffered data hacks which meant that
customers’ details were stolen.
● Particular risks may arise where multiple users access a common
database on which everyone in the organisation relies. The data could be
incorrectly amended and all users will be affected.
● Web application attacks. When you visit a website, you might simply
access a static web-page which, for example, shows the name and
address of the company which owns the web-site. Alternatively, the
web-site might load JavaScript (a programming language) into your
browser and this is capable of carrying out processing. What you then
have is a web application. For example, when you enter your credit card
details into a site like Amazon, the validity of your card is checked locally
because your card number has to comply with certain construction rules.
Validity checking is carried out on your machine within your browser
running a web application. Web application attacks might therefore try to
interfere with the functionality of the web app you are running. For
example, whilst checking the validity of your credit card, the altered
application might now send details to the hacker.
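The card-number construction rule mentioned above is the Luhn check digit. The Python below, added here and not part of the original notes, implements it and then shows the defensive consequence of the paragraph's last sentence: because the web application runs in the customer's browser, the server repeats the check itself and never trusts a validity flag the client sends. The card numbers used are the standard Luhn test values rather than real accounts, and the accept_payment handler is a hypothetical name.

```python
"""Card-number construction check, in the browser and again on the server (added example)."""


def luhn_valid(number):
    """Luhn check that card numbers must satisfy; spaces are ignored, any other
    non-digit makes the number invalid."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    if len(digits) < 2 or len(digits) != len(number.replace(" ", "")):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def accept_payment(card_number, client_says_valid):
    """Hypothetical server-side handler. The flag computed in the browser is
    recorded for monitoring but never decides anything: the check is repeated here,
    because an altered web app can claim whatever it likes."""
    server_result = luhn_valid(card_number)
    return {
        "accepted": server_result,
        # A mismatch is worth logging: it means the client-side app did not behave.
        "client_claim_matched": client_says_valid == server_result,
    }


if __name__ == "__main__":
    for number in ("4111 1111 1111 1111", "4111 1111 1111 1112"):
        print(number, "->", accept_payment(number, client_says_valid=True))
```

The browser-side check is still worth having for the customer's convenience; what it cannot be is the control. Anything that runs on the client is inside the attacker's reach, so the server is where validity is decided.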
This is high level and includes considering the organisation’s attitude to risk,
identifying and assessing risks, identifying essential services that must be
maintained and understanding interdependencies arising from suppliers of
hardware and software, and any interactions with subcontractors.
Digital resources are now so important and significant to many businesses that
the risks that potentially arise from poor cyber security are enormous so
organisations should have formal procedures in place to regularly:
● Identify potential cyber security risks. For example, regularly review access
control, stay aware of new threats, employ consultants to try to ‘break
into’ the system. Analyse past problems as these will remain problems
unless changes are made.
● Protect against those risks. For example, strict rules for changing
passwords, anti-virus software, firewalls and staff training.
● Detect when breaches have occurred. For example, review consumer
reports, analyse data flows, analyse processing patterns, continually
monitor network statistics.
● Respond to breaches in cyber security. For example, assess the effect of
any breach, start using back-up systems, reassure stakeholders, pay
compensation to those affected, take measures to block any reoccurrence
of the breach.
● System security needs to be assessed regularly and proactively and not
just as a reaction to a breach.
www.britishairways.com/en-gb/information/legal/website-security
This gives advice to customers about how to take care when on-line and also
sets out the measures taken by the company. Obviously, not every detail of BA’s
precautions will be made public.
● A set of comprehensive policies and processes must be developed that
will protect the organisation’s network and data so that essential services
can be delivered.
● Identity checks and access control must be implemented so that users
who have access to data are properly verified, authenticated and
authorised. Think of verification as checking that a person is who they say
they are (essential for issuing access credentials) and authentication is a
verified person having to prove who they are each time they log-on.
● Data security. Data being stored or transmitted must be protected against
unauthorised access, modification or deletion. For example, the use of
passwords, encryption and back-ups will help to ensure data security.
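For the passwords part of data security, this added Python example (not code from the notes) shows what storing and checking credentials should look like: each password is salted and run through an iterated key-derivation function, only the resulting hash is kept, and every log-on recomputes the hash and compares it in constant time. The CredentialStore class, the iteration count and the record format are assumptions made for the example.

```python
"""Salted, iterated password hashing with per-logon verification (added example)."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise it over time as hardware gets faster


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest (base64 text)."""
    salt = os.urandom(16) if salt is None else salt   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


class CredentialStore:
    """Hypothetical user store that keeps hashes only, never the passwords themselves."""

    def __init__(self):
        self._records = {}

    def register(self, username, password):
        """Verification step: credentials are issued once the person's identity is established."""
        self._records[username] = hash_password(password)

    def authenticate(self, username, password):
        """Authentication step: the verified person proves who they are on every log-on."""
        record = self._records.get(username)
        if record is None:
            hash_password(password)   # same cost for unknown users, so timing reveals nothing
            return False
        return verify_password(password, record)


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")
    print("right password:", store.authenticate("alice", "correct horse battery staple"))
    print("wrong password:", store.authenticate("alice", "Tr0ub4dor&3"))
```

The split between register and authenticate matches the distinction drawn above: verification of identity happens once when credentials are issued, authentication happens on every log-on. The cost of the hash is the point rather than a drawback; it is what makes a stolen hash file slow to attack offline, and the salt stops one precomputed table serving every account.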
● System security. Opportunities to attack systems (vulnerabilities) arise
from:
‣ flaws in the design of systems
‣ features
‣ user error.
For example, there should be procedures in place to ensure that software
patches to counter flaws in software design are promptly implemented.
Features should be kept under review and removed if not required. Users
must be trained to avoid serious user error, such as leaving laptops
unattended in cars.
● Resilient networks. For example, are networks well-designed with,
perhaps, built-in spare capacity. Is a parallel system running at a
remote location so that it can be switched to if the main system
breaks down? Is the bandwidth of the network high enough to
comfortably deal with peak demand?
● Staff awareness and training. Staff behaviour should be in line with
the organisation’s data protection policies and procedures and
training is needed to ensure that this happens. It is also important
to foster a security culture in which staff take an active role in
maintaining and improving security.
Detecting cyber security events
ISO 27001
Chapter 10 - Cyber security tools, techniques and reporting
The chapter provides insights to companies to learn from any cyber attacks and
the ways to improve cyber security.
2. Forensic analysis
Analysing the attack and its after-effects to learn more about it and finding the
loopholes in the already developed systems that the attacker took advantage of,
in order to improve them.
3. Malware analysis
Analysing the software to identify the source of the malware and its purpose, and
whether it was particularly intended for the organisation, in order to improve the
systems for the future.
3.1 Reverse engineering
Examining the software to understand how it was designed, how it works and
how the malware penetrated the system, in order to prevent further such activities.
LAYERING: multiple layers of code designed by the developers of the malware to
protect the malware code and functionality.
KEY AIM OF REVERSE ENGINEERING: to identify whether the attack was targeted
(of more concern) or not.
Done after decoding all layers of code and accessing the malware.
AIM: to discover the motive of the attacker, which will help the company to
understand what data/information is attractive and how it could be vulnerable.
4. Penetration testing
Testing how good a company’s cyber security is, often carried out by hiring
white hat hackers who try to penetrate the network/system.
Identification of all the devices that are on a network and connect with the
internet and other external systems i.e. the scope of the network.
Internet of things (IoT)
IoT for business
· A business must decide whether the convenience that the IoT provides is
worth the security risks it poses.
1. Identify the devices on the network that are most vulnerable to
intrusion.
2. Software can be used to probe the system and identify, quantify and rank
the vulnerabilities in terms of their potential impact.
3. EXAMPLE: if the kettle (which starts to boil at a click) or the toaster does
not have adequate security features, it could become the access point for a
cyber-attack.
- To understand:
if access is possible,
how long it takes,
what access can be gained.
- As with most thefts, if the attacker is given long enough, unauthorised
access will be gained; but if the process is too time-consuming, the attacker
is discouraged.
- Weak or unchanged passwords
- Inappropriate access.
- Also considers whether unauthorised access could be possible.
Level 1 - Prevent the attacker from gaining access to the software at all.
Level 2 - If a breach occurs, an alert notifies the appropriate parties, stating
that a breach has occurred at level 1.
Level 3 - Automatic urgent action.
Example: locking down accounts and sensitive ...
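As an added example (not from the original notes), the three levels above mapped onto simple detection logic run over constructed login events: Level 1 is the login check itself (a failed event means access was refused), Level 2 raises an alert once failures for a user reach a threshold, and Level 3 locks the account automatically. The event format, the thresholds and the usernames are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication events, not taken from any real system:
# (timestamp, user, outcome, source_ip). "fail" = Level 1 refused the login.
SAMPLE_EVENTS = [
    ("09:00:01", "alice", "fail", "10.0.0.5"),
    ("09:00:03", "alice", "fail", "10.0.0.5"),
    ("09:00:04", "alice", "ok",   "10.0.0.5"),
    ("09:01:10", "bob",   "fail", "198.51.100.7"),
    ("09:01:12", "bob",   "fail", "198.51.100.7"),
    ("09:01:14", "bob",   "fail", "198.51.100.7"),
    ("09:01:20", "bob",   "fail", "198.51.100.7"),
    ("09:01:25", "bob",   "fail", "198.51.100.7"),
    ("09:01:30", "bob",   "ok",   "198.51.100.7"),
]

ALERT_THRESHOLD = 3      # assumed Level 2 setting: notify after this many failures
LOCKDOWN_THRESHOLD = 5   # assumed Level 3 setting: lock the account automatically


def process_events(events, alert_after=ALERT_THRESHOLD, lock_after=LOCKDOWN_THRESHOLD):
    """Apply the three-level model to a stream of login events.

    Level 2: an alert is recorded when a user's consecutive failures reach
    alert_after. Level 3: the account is locked at lock_after. A later "ok"
    for a locked account should be impossible, so it is flagged for review
    (it would mean the lockdown did not take effect).
    """
    failures = defaultdict(int)
    alerts, locked, flagged = [], set(), []
    for ts, user, outcome, src in events:
        if user in locked:
            if outcome == "ok":
                flagged.append((ts, user, src))
            continue
        if outcome == "ok":
            failures[user] = 0          # a clean login resets the counter
            continue
        failures[user] += 1
        if failures[user] == alert_after:
            alerts.append((ts, user, src, "repeated failed logins"))
        if failures[user] >= lock_after:
            locked.add(user)
            alerts.append((ts, user, src, "account locked"))
    return {"alerts": alerts, "locked": sorted(locked), "flagged": flagged}
```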
DIGITAL RESILIENCE
(Doing more than the minimum to protect the company and comply with
regulations, by integrating cyber security into the business operations)
1. Identify all the issues
2. Aim toward a well-defined target
3. Work out how best to deliver the new cyber security system
4. Establish the risk/resource trade-offs
5. Develop a plan that aligns business and technology
6. Ensure sustained business engagement
produced the AICPA uses two sets of criteria:
● Description criteria
● Control criteria
DESCRIPTION CRITERIA
Completeness – that relevant factors (that could affect the decisions of the
users of the reports) are not omitted.
● Cyber security control processes - the key security processes
and policies to address the cyber security risks identified
CONTROL CRITERIA
● Detailed document
● Guidance on types of risks and control
● Examples of controls that can be used
● References to COSO Internal Control Framework
Example:
Consideration: The organisation has a structure, reporting lines and
responsibilities to aid the development, operation and monitoring of systems to
manage security risks.
Risk: The structure does not provide necessary resources or enable appropriate
flow of information to manage security risks.
Possible control: The organisation reviews organisational structure, reporting
lines and responsibilities as part of its ongoing risk assessment and revises these
as appropriate to meet system and security needs.
Core: provides a set of desired cybersecurity activities and outcomes using
simple, easy to understand language.
The core is based on five principles:
1. Identify threats to an organisation's systems and data.
2. Protect against threats.
3. Detect when a system has been breached.
4. Respond effectively to system breaches.
5. Recover any compromised data and the systems affected.
Profiles: help the organisation map its own requirements and objectives, risk
appetite, and resources against the desired outcomes included in the core.
AIC Triad
Aimed at helping organisations understand information security and set up
policies to help protect the organisation
(Table fragment, columns garbled in extraction: business continuity planning;
data is accidentally deleted; backup can be restored; data encryption.)
Technological advances mean that all frameworks, including the AIC triad, must
evolve. Some developments that pose particular challenges include:
● Big data - a huge volume of data has to be protected; ensuring accessibility,
trustworthiness and privacy can be very costly.
● Internet of things - ↑ size, ↑ access points, ↑ threats
● Privacy - fragments of data can be collated to constitute personally identifiable
information.
● Security - e.g. while computers get regular software patches and invariably
have good security configurations, many of the devices in the IoT that
connect to them don't have the ability to receive software updates or do
not require passwords.
Big data
There are many definitions of the term 'big data', but most suggest something like
the following:
“Extremely large collections of data (data sets) that may be analysed to reveal
patterns, trends, and associations, especially relating to human behaviour and
interactions.”
In addition, many definitions also state that the data sets are so large that
conventional methods of storing and processing the data will not work.
● Volume
● Variety
● Velocity
These characteristics, and sometimes additional ones, have been generally
adopted as essential qualities of big data.
Volume
of these companies hold at least the data that could typically be held on 1
million PCs, perhaps even 10 to 20 million PCs.
These numbers probably mean little even when converted into equivalent PCs. It
is more instructive to list some of the types of data that large companies will
typically store.
Retailers:
‣ Via loyalty cards being swiped at checkouts: details of all purchases you make,
when, where, how you pay, use of coupons.
‣ Via websites: every product you have ever looked at, every page you have
visited, every product you have ever bought. (To paraphrase a Sting song “Every
click you make I’ll be watching you”.)
Friends and contacts, postings made, your location when postings are made,
photographs (that can be scanned for identification), any other data you might
choose to reveal to the universe.
Numbers you ring, texts you send (which can be automatically scanned for
keywords), every location your phone has ever been whilst switched on (to an
accuracy of a few metres), your browsing habits. Voice mails.
Every site and every page you visit. Information about all downloads and all
emails (again these are routinely scanned to provide insights into your interests).
Search terms you enter.
Banking systems
Every receipt, payment, credit card payment information (amount, date, retailer,
location), location of ATM machines used.
Variety
Some of the variety of information can be seen from the examples listed above.
In particular, the following types of information are held:
● Financial transactions
● Interests
● Buying habits
● Reaction to ads on the internet or to advertising emails
● Geographical information
● Information about social and business contacts
● Text
● Numerical information
● Graphical information (such as photographs)
● Oral information (such as voice mails)
● Technical information, such as jet engine vibration and temperature
analysis
Structured data: this data is stored within defined fields (numerical, text, date
etc) often with defined lengths, within a defined record, in a file of similar
records. Structured data requires a model of the types and format of business
data that will be recorded and how the data will be stored, processed and
accessed. This is called a data model. Designing the model defines and limits the
data that can be collected and stored, and the processing that can be performed
on it.
Structured data is easily accessible by well-established database structured
query languages.
Velocity
You will understand that the volume and variety conspire against the third,
velocity. Methods have to be found to process huge quantities of non-uniform,
awkward data in real-time.
The processing of big data is generally known as big data analytics and includes:
Predictive analytics: a type of data mining which aims to predict future events.
Text analytics: scanning text such as emails and word processing documents to
extract useful information. It could simply be looking for key-words that indicate
an interest in a product or place.
● Better marketing
● Better customer service and relationship management
● Increased customer loyalty
● Increased competitive strength
● Increased operational efficiency
● The discovery of new sources of revenue.
One of the important European laws concerns data protection. The Data
Protection Act in the UK relates to personal data. We are not talking here about
data relating to companies: we are talking about data relating to people.
The people holding the data have to register with a government body and there
they have to say what data is held, why it is held and to whom it might be
supplied.