
P3 - Strategic Risk - Summary Notes

Index

Resources
P3 - Section A
P3 - Section B
P3 - Section C
P3 - Section D

Chapter 1 - RISK
Chapter 2 - Risk management
Chapter 3 - Strategy risk
Chapter 4 - Reputational risk
Chapter 5 - Corporate governance
Chapter 6 - Internal Controls
Chapter 7 - Internal Audit
Chapter 8 - Cyber Risks
Chapter 9 - Cyber security processes
Chapter 10 - Cyber security tools, techniques and reporting

Ultimate Access Education


www.ultimateaccess.net
Resources
Please click on the link of each of the resources below (articles/videos) to access the
original.

P3 - Section A

Six habits fueling smarter risk taking in digital transformations


The benefits of a digitally fit risk function
Simple Ethics Rules for risk management

Re-thinking Risk from digital disruption


ERM Professional Insights

P3 - Section B
Stress-Test Your Strategy: The 7 Questions to Ask

Uniting risk management with strategic planning

Enabling the accountant’s role in effective enterprise risk management

Responding to ethical dilemmas

Ex-Nissan chief Ghosn hit with fresh corruption charge - Case Study and
report on ethics and behaviour

P3 - Section C
Enterprise Risk Management Framework: Integrating with Strategy and
Performance - slides
Enterprise Risk Management Integrating with Strategy and Performance -
Report
A CGMA guide to countering fraud and corruption
Deloitte - Internal Audit Insights

P3 - Section D
A threat of cyber crime.

What do cyber criminals use?

How to manage cyber risk

Comprehend cyber security

System and system organizational controls

Cyber Security Risk Management reporting

4 ways to protect data from dark web

Equifax hackers targeted 15.2 million UK records

Chapter 1 - RISK

1. What is risk?

Uncertainty arises from ignorance and a lack of information. The future cannot
be predicted under conditions of uncertainty because there is insufficient
information about what the future outcomes might be or their probabilities of
occurrence.

Risk is inherent in a situation whenever an outcome is not inevitable.


Risk can be further divided into 2 types:
1. Downside (pure) risk - a risk involving the possibility of loss, with no
chance of gain.
2. Speculative risk - a risk where actual outcomes might be either better or
worse than expected.

It is generally the case that firms must be willing to take higher risks if
they want to achieve higher returns:
● To generate higher returns a business may have to take more risks in order
to be competitive.
● Incurring risk also implies that the returns from different activities will
be higher. “Benefits” can be financial – decreased costs, or intangible –
better quality information.

1. Some low-risk activities will provide higher competitive advantage – when
these can be identified.
For example, the mobile phone operator may find a way of easily altering
mobile phones to make them safer with regard to the electrical emissions
generated.

2. Focusing on low-risk activities can easily result in a low ability to
obtain competitive advantage – although where there is low risk there is
also only a limited amount of competitive advantage to be obtained.
For example, a mobile in a wide range of colours.

3. High-risk activities may generate significant amounts of competitive
advantage. These activities may be worth investigating because of the high
returns that can be generated.
For example, a new type of mobile with GPS features for use while travelling.

4. High-risk activities with low competitive advantage will generally be
avoided. There remains the risk that the activity will not work, and that
the small amount of competitive advantage that would be generated is not
worth that risk.

2. CIMA's risk management cycle
Risk management should be a proactive process that is an integral part of
strategic management.

3. Types and sources of risk for business organisations

Political
  Political - Risk due to political instability. Generally considered to be
  external to the business.
  Legal - Risk that legal action will be brought.
  Regulatory - Risk of changes in regulation/rules.
  Compliance - Risk of non-compliance with the law resulting in
  fines/penalties, etc.

Business
  Strategic - Risk that business strategies (e.g. acquisitions/product
  launches) will fail.
  Product - Risk of failure of new product launches/loss of interest in
  existing products.
  Commodity price - Risk of a rise in commodity prices (e.g. oil).
  Product reputation - Risk of change in a product's reputation or image.
  Operational - Risk that business operations may be inefficient or business
  processes may fail.
  Contractual inadequacy - Risk that the terms of a contract do not fully
  cover a business against all potential outcomes.
  Fraud - Risk of the vulnerability of an organisation to fraud.
  Malfeasance - Risk of being exposed to actions by employees that result in
  an offence or crime.

Economic
  Risk that changes in the economy might affect the business (inflation,
  fiscal policy, etc.).

Financial
  Credit - Risk of non-payment by customers.
  Political - Risk arising from government actions that affect financial
  aspects of the business.
  Currency - Risk of fluctuations in the exchange rate.
  Interest rate - Risk that interest rates change.
  Gearing - Risk arising from how a business is financed (debt vs. equity).

Technology
  Technology - Risk that technology either presents new opportunities or
  makes existing processes obsolete or inefficient.
  Cyber - Risk of financial loss, disruption or damage caused by issues with
  the information technology systems the business uses.

Environmental
  Risk that arises from changes in the environment such as climate change or
  natural disasters.
  !! Insurance companies have to take environmental risks into account when
  deciding policy premiums !!

Corporate reputation
  Downside risk: the better the reputation of the business, the more risk
  there is of losing that reputation. Adverse opinion could arise from:
  ● environmental performance
  ● social performance
  ● health & safety performance.

International operations
  Culture - Good knowledge of local culture can give companies an advantage.
  Litigation - Risk of not understanding foreign legislation well, and
  therefore being more at risk of breaching it.
  Credit - Greater difficulty in controlling credit risk on overseas sales.
  Chasing debts is more difficult and expensive.
  Items in transit - Risk of losses or damage in transit if companies are
  transporting goods great distances.
  Financial - Includes foreign exchange risk and interest rate risk.

Key points to consider

1. Consider the activity risk & competitive advantage of proposed options

2. What is the advantage of applying the CIMA risk management framework?

3. Identify the types and sources of risk in the case study.

Student Notes

Chapter 2 - Risk management
1. Risk management

Risk management - the process of understanding and managing the risks that
the organisation is subject to in attempting to achieve its corporate
objectives.

The traditional view of risk management has been one of protecting the
organisation from loss through conformance procedures and hedging
techniques – this is about avoiding the downside risk.

The new approach is about taking advantage of the opportunities to increase
overall returns within a business – benefiting from the upside risk.

ENTERPRISE RISK MANAGEMENT

● Incorporating a risk management culture into business operations by
aligning it with business strategy.
● Identifying potential risky events.
● Controlling risk to be within risk appetite.
● Integrating everything to achieve organisational objectives.
● ‘Department focused’ approach → ‘Organisation focused’ approach.
● Key principles:
1. Aligning risk management with business strategy
2. Responsibility runs from top to bottom, to everyone
3. Building a risk-aware culture
4. Considering broad ranges of risk

● COSO ERM framework – a 3-D matrix to study the relationship between
objectives, components and different organisational levels.

1. 4 objectives (top tier) – reflect different executives
2. 4 organisational levels (right tier) – emphasise the importance of risk
management across the organisation
3. 8 components:
● Internal Environment - the tone of the organisation, including the risk
management philosophy and risk appetite.
● Objective setting - aligned with the organisation’s mission and consistent
with the organisation’s defined risk appetite.
● Event identification - internal/external events which impact upon the
achievement of an entity’s objectives must be identified.
● Risk assessment - a risk’s likelihood and impact, as a basis for determining
how it should be managed.
● Risk response - develop a set of actions to align risks with the entity’s
risk tolerances and risk appetite.
● Control activities - policies and procedures help ensure the risk responses
are effectively carried out.
● Information and communication - information is identified and communicated
in a style that enables people to carry out their responsibilities.
● Monitoring - the ERM process is monitored and modified as necessary.

RISK MANAGEMENT AND SHAREHOLDER VALUE

Shareholder value = Static NPV of existing business model + Value of future
growth options

4 STAGES:

A. Establish what shareholders value about the company
B. Identify the risks against the shareholders’ value drivers
C. Determine the preferred treatment for the risks
D. Communicate risk treatments to shareholders

ERM – Integrating strategy with performance 2017

An update to COSO was introduced in 2017 that uses a new diagram – the
double helix. Key principle: to include ERM in every business activity,
including setting the mission, vision and core values of an entity.

5 components:

1. Governance and culture
2. Strategy and objective setting
3. Performance
4. Review and revision
5. Information, communication and reporting

The cube or the helix? Identify the framework that best suits an
organisation to help achieve its strategy and objectives.

2. Risk management strategy

FACTORS AFFECTING RISK APPETITE

Nature of product being manufactured - Certain products with a high risk of
product failure (e.g. aircraft) must be avoided. This reduces the risk
appetite of the organisation.

The need to increase sales - The strategic need to move into a new market
will result in the business accepting a higher degree of risk, and the
business will appear to have a high risk appetite.

The background of the board - Some board members may accept increased risk
personally and this may be reflected in the way they manage the company.

Amount of change in the market - Operating in a marketplace with significant
change (e.g. mobile telephones) will mean that the board has to accept a
higher degree of risk.

Reputation of the company - If the company has a good reputation then the
board will accept less risk, as they will not want to lose that good
reputation.

AN ALTERNATIVE RISK MANAGEMENT APPROACH

(developed by IRM stating that a risk management approach has 3 elements)

3. IDENTIFYING, MEASURING & ASSESSING RISKS:

Risk identification process - controlled by the risk committee; each
identified risk is entered in the risk register.

Sources of risk identification, by origin (internal/external) and approach
(reactive/proactive):

INTERNAL, REACTIVE: internal audit inspections, complaints and claims
INTERNAL, PROACTIVE: brainstorming, PEST/SWOT, strategic objectives,
scenario planning, interview questionnaire
EXTERNAL, REACTIVE: customer surveys, external audit reports, health &
safety reports, professional body recommendations
EXTERNAL, PROACTIVE: external advisors, consulting shareholders,
benchmarking, mandatory targets

Some of the common methods of risk identification include:

1. PEST/SWOT analysis
2. External advisors
3. Interviews/questionnaires
4. Internal audit
5. Brainstorming

“QUANTIFICATION” of risk exposures - understanding the extent and
significance of risk exposure. Risks identified should be measured and
assessed depending on the information available. Some quantitative
techniques include:

● Expected values and standard deviation
● Volatility
● Value at risk (VaR) - the VaR of a portfolio is the maximum loss on the
portfolio occurring within a given period of time with a given probability
(usually small).
● Regression analysis - measures the company’s exposure to several risk
factors at the same time. It is done by regressing changes in the
company’s cash flows against the risk factors. The regression coefficients
indicate the sensitivities of the company’s cash flow to these risk factors.
● Simulation analysis - evaluates the sensitivity of the value of the
company, or its cash flows, to a variety of risk factors.

Other methods of assessing the severity of an identified risk include:

➔ Scenario planning – forecasting various outcomes of an event
➔ Decision trees – use of probabilities to estimate an outcome
➔ Sensitivity analysis – asking 'what-if?' questions to test the
robustness of a plan. Altering one variable at a time identifies the impact
of that variable.
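The quantitative techniques listed above can be put into working code. The following Python is an added example, not from these notes: it computes the expected value and standard deviation of a set of constructed cash-flow outcomes, a historical-simulation and a parametric (normal) VaR for a constructed series of daily profit/loss figures, and a one-variable-at-a-time sensitivity analysis on a constructed profit model. The profit model, the 20 P&L figures, the outcome probabilities and the z-score table are all assumptions made for the example.

```python
"""Quantifying risk exposures: expected value, standard deviation, Value at
Risk (VaR) and one-at-a-time sensitivity analysis.

Added example using only the Python standard library; every figure below is
constructed for illustration and is not taken from the notes."""
import math
import statistics
from typing import Dict, List, Sequence, Tuple

# Constructed: possible annual cash-flow outcomes (in £000) and their probabilities.
OUTCOMES: List[Tuple[float, float]] = [(800, 0.2), (500, 0.5), (-200, 0.3)]

# Constructed: 20 daily profit/loss observations (in £000) for a trading book.
DAILY_PNL: List[float] = [12, -5, 8, -30, 3, 15, -12, 7, -2, 20,
                          -45, 9, 4, -8, 11, -60, 6, -15, 2, 10]

# One-sided standard-normal quantiles used by the parametric VaR (assumed table).
Z_SCORES = {0.95: 1.645, 0.99: 2.326}


def expected_value(outcomes: Sequence[Tuple[float, float]]) -> float:
    """Probability-weighted average outcome."""
    return sum(value * prob for value, prob in outcomes)


def standard_deviation(outcomes: Sequence[Tuple[float, float]]) -> float:
    """Spread of outcomes around the expected value: the usual risk measure."""
    ev = expected_value(outcomes)
    variance = sum(prob * (value - ev) ** 2 for value, prob in outcomes)
    return math.sqrt(variance)


def historical_var(pnl: Sequence[float], confidence: float = 0.95) -> float:
    """Historical-simulation VaR: the loss not exceeded with probability
    `confidence`, read straight from the empirical distribution."""
    losses = sorted(-x for x in pnl)          # losses as positive numbers, ascending
    index = math.ceil(confidence * len(losses)) - 1
    return losses[min(index, len(losses) - 1)]


def parametric_var(pnl: Sequence[float], confidence: float = 0.95) -> float:
    """Variance-covariance VaR, which assumes the P&L is normally distributed."""
    mean = statistics.mean(pnl)
    sd = statistics.stdev(pnl)
    return Z_SCORES[confidence] * sd - mean


def profit(v: Dict[str, float]) -> float:
    """Constructed profit model: volume * (price - unit_cost) - fixed_cost."""
    return v["volume"] * (v["price"] - v["unit_cost"]) - v["fixed_cost"]


def sensitivity(base: Dict[str, float], change: float = 0.10) -> Dict[str, float]:
    """'What if?' analysis: flex one variable at a time by `change` (default +10%)
    and report the % change in profit, so the most sensitive variable stands out."""
    base_profit = profit(base)
    result: Dict[str, float] = {}
    for key in base:
        flexed = dict(base)
        flexed[key] = base[key] * (1 + change)
        result[key] = round((profit(flexed) - base_profit) / base_profit * 100, 2)
    return result


def most_sensitive(base: Dict[str, float]) -> str:
    """Variable whose 10% movement moves profit the most, in either direction."""
    s = sensitivity(base)
    return max(s, key=lambda k: abs(s[k]))


# Constructed base case for the profit model.
BASE_CASE = {"volume": 10_000, "price": 50.0, "unit_cost": 30.0, "fixed_cost": 120_000}

if __name__ == "__main__":
    print(f"Expected value: {expected_value(OUTCOMES):.0f}, "
          f"standard deviation: {standard_deviation(OUTCOMES):.1f}")
    print(f"Historical 95% VaR: {historical_var(DAILY_PNL):.0f}, "
          f"parametric 95% VaR: {parametric_var(DAILY_PNL):.1f}")
    print("Sensitivity (+10% in each variable):", sensitivity(BASE_CASE))
    print("Most sensitive variable:", most_sensitive(BASE_CASE))
```

The historical and parametric VaR figures differ on the same data: the historical method reads the 95% loss directly off the sorted sample, while the parametric method fits a normal distribution, which understates the two large losses in the constructed series. That gap is itself the point to report, since it shows how much the quantified risk depends on the distributional assumption.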

● Drawback of Quantification of Risk: Unless you are a trainee or qualified
accountant (or similar) you might not understand the quantified risks.
Hence risks are often unquantified.

● Assurance Mapping - a common qualitative way of assessing the significance
of risk is to produce a ‘risk map’.
➔ It is prepared by the board, risk committee, audit committee and senior
management.
➔ It identifies whether a risk will have a significant impact on the
organisation and helps to prioritise risks.
The potential loss from an adverse outcome depends on:
● The probability or likelihood that the adverse outcome might occur.
● The impact of the outcome if it occurs.
Example:
The following simple risk map might be prepared for a firm of auditors
(probability/likelihood down the side, impact/consequences across the top):

High probability / Low impact: New audit regulation for the profession
High probability / High impact: Loss of non-audit work from existing clients
Low probability / Low impact: Increases in salaries above the general rate of
inflation
Low probability / High impact: Loss of audit clients within the next 2 years

4. Risk response strategy

The next area is to look at the formulation of a strategy to respond to
those risks, the general methods that can be used to treat risks and the
implementation of such a strategy.
The management of risks involves trying to ensure that:
➔ Exposure to severe risks is minimised.
➔ Unnecessary risks are avoided.
➔ Appropriate measures of control are taken.
➔ The balance between risk and return is appropriate.

Risk Treatment Methods:

• Avoid risks: The company may decide to avoid risks that are too great,
except for those that are necessary to make profits.

• Transfer of risks: Risks are transferred to third parties. Eg: Insurance.

• Pooling of risks: the risks of different transactions can be pooled
together. Here, the risks tend to cancel each other out, and are lower for
the pool as a whole than for each item individually. Eg: It is common in
large group structures for financial risk to be managed centrally.

• Diversification: ‘spreading the risk’.
o Works best where returns from different businesses are negatively
correlated (or correlated at less than +1.0).
o Example of poor diversification – swimming costumes and ice cream – both
reliant on sunny weather for sales.

Spreading risk by portfolio management:

Problems of Diversification:
• There is a possible risk that by diversifying too much, an organisation
might become much more difficult to manage.
• Risks could therefore increase with diversification, due to loss of
efficiency and problems of management.
• Relatively little advantage accrues to the shareholders from
diversification.
• In any case, investors diversify their risk themselves by holding a
portfolio of stocks and shares from different industries and in different
parts of the world.

Risk reduction: Even if a company cannot totally eliminate its risks, it may
reduce them to a more acceptable level by a form of internal control.

Hedging risks: The concept of hedging is reducing risks by entering into
transactions with opposite risk profiles to deliberately reduce the overall
risks in a business operation or transaction.
Risk sharing: This can be a motivation for entering into a joint venture.

RISK MANAGEMENT METHODS in short (TARA):

T - Transfer
A - Avoidance
R - Reduction/Mitigation
A - Acceptance

Risk Cube:
Risk is seen as some combination of a threat, exploiting some vulnerability,
that could cause harm to an asset.

Residual risk is the combined function of:
● a threat less the effect of threat-reducing safeguards;
● a vulnerability less the effect of vulnerability-reducing safeguards;
● an asset less the effect of asset value-reducing safeguards.

6. Risk Reporting:
Managers of a business, and external stakeholders, will require information
regarding the risks facing the business. A risk reporting system would
include:

● A systematic review of the risk forecast (at least annually).
● A review of the risk strategy and responses to significant risks.
● A monitoring and feedback loop on action taken and assessments of
significant risks.
● A system indicating material change to business circumstances, to provide
an ‘early warning’.
● The incorporation of audit work as part of the monitoring and information
gathering process.
Example: Marks and Spencer plc risk report extract.

7. RISK REPORTING
A risk reporting system would include:
● A systematic review (annual)
● The risk strategy and responses
● A monitoring and feedback loop on action taken.
● A system indicating material change to business circumstances.
● The incorporation of audit work

Gross risk = an assessment of risk before the application of any controls,
transfer or management responses.
Net risk (or residual risk) = an assessment of risk after taking into account
the controls, transfer and management responses.
Example: the danger of injury due to accidents is the gross risk. The danger
of injury due to accidents happening even after installation of seatbelts is
the net risk.
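The risk map from the assurance mapping section, the TARA treatment options and the gross/net distinction above are the three ingredients of a risk register. The Python below is an added example, not from these notes, that ties them together: each risk is scored for likelihood and impact, controls reduce those scores to give the net (residual) risk, each score is placed on the 2x2 probability/impact map, and the map quadrant is translated into a TARA response. Assumptions made for the example: scores run 1 to 5, a score of 3 or more counts as "High", a control knocks a fixed number of points off likelihood and/or impact, and the quadrants map to the conventional responses (high/high Avoid, high/low Reduce, low/high Transfer, low/low Accept). The register reuses the four risks from the auditors' example with constructed scores and constructed controls.

```python
"""Risk map, gross vs net risk and TARA response selection for a risk register.

Added example (not from the notes). Scores, controls and the quadrant-to-TARA
mapping are assumptions chosen for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HIGH_THRESHOLD = 3  # assumed cut-off between "Low" and "High" on a 1-5 scale


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points taken off the gross likelihood score
    impact_reduction: int = 0      # points taken off the gross impact score


@dataclass
class Risk:
    name: str
    likelihood: int                # gross likelihood, 1 (rare) .. 5 (almost certain)
    impact: int                    # gross impact, 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def gross(self) -> Tuple[int, int]:
        """Scores before any controls are applied."""
        return self.likelihood, self.impact

    def net(self) -> Tuple[int, int]:
        """Residual scores after controls. A score never drops below 1:
        controls reduce risk but do not eliminate it."""
        like = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(1, like), max(1, imp)


def _label(score: int) -> str:
    return "High" if score >= HIGH_THRESHOLD else "Low"


def quadrant(likelihood: int, impact: int) -> Tuple[str, str]:
    """Place a (likelihood, impact) pair on the 2x2 probability/impact map."""
    return _label(likelihood), _label(impact)


def tara_response(likelihood: int, impact: int) -> str:
    """Conventional mapping from map quadrant to TARA option (assumed)."""
    mapping = {("High", "High"): "Avoid", ("High", "Low"): "Reduce",
               ("Low", "High"): "Transfer", ("Low", "Low"): "Accept"}
    return mapping[quadrant(likelihood, impact)]


def summarise(register: List[Risk]) -> List[Dict[str, object]]:
    """One row per risk: gross and net scores, gross quadrant and TARA responses."""
    rows = []
    for r in register:
        gl, gi = r.gross()
        nl, ni = r.net()
        rows.append({"name": r.name, "gross_score": gl * gi, "net_score": nl * ni,
                     "gross_quadrant": quadrant(gl, gi),
                     "gross_response": tara_response(gl, gi),
                     "net_response": tara_response(nl, ni)})
    return rows


def prioritise(register: List[Risk]) -> List[str]:
    """Risk names ordered by net score (highest first); gross score breaks ties."""
    def key(r: Risk) -> Tuple[int, int]:
        nl, ni = r.net()
        gl, gi = r.gross()
        return nl * ni, gl * gi
    return [r.name for r in sorted(register, key=key, reverse=True)]


# Constructed register for the firm of auditors in the notes.
REGISTER = [
    Risk("Loss of non-audit work from existing clients", 4, 4,
         [Control("Client relationship programme", likelihood_reduction=2)]),
    Risk("New audit regulation for the profession", 4, 2,
         [Control("Regulatory horizon scanning", impact_reduction=1)]),
    Risk("Increases in salaries above the general rate of inflation", 2, 2),
    Risk("Loss of audit clients within the next 2 years", 2, 5,
         [Control("Fee protection insurance", impact_reduction=2)]),
]

if __name__ == "__main__":
    for row in summarise(REGISTER):
        print(row)
    print("Priority order:", prioritise(REGISTER))
```

With the constructed scores the gross quadrants reproduce the map in the notes (regulation is High/Low, loss of non-audit work High/High, salaries Low/Low, loss of audit clients Low/High), and the net scores show why a register should hold both figures: the non-audit risk stays top priority after controls, while the regulation risk drops to the same net score as the salary risk and is ranked ahead of it only on its gross score.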

8. EVALUATING RISK MANAGEMENT STRATEGY

The purpose of the evaluation:
1. Has the strategy achieved its objectives?
2. Do the benefits outweigh the costs?

9. Risk management & Responsibilities

WHO - RESPONSIBILITIES

Board of Directors - Ultimate responsibility; defines the risk appetite for
the company.
Audit committee - Board committee to review internal control systems and
work with internal and external auditors.
Risk committee - Board committee with direct responsibility for risk
management.
Risk management group - Group of senior and middle management with
operational responsibility; reports into the board via the audit committee;
identifies risks, monitors the effectiveness of the process and provides
suggestions.
Internal Audit - Reviews internal control and supports management in the
risk management process.
Roles of the risk committee
PRIMARY ROLES
● Raising risk awareness and ensuring appropriate risk management.
● Establishing policies
● Ensuring that adequate and efficient processes are in place to identify,
report and monitor risks. Updating the company’s risk profile, reporting
to the board and making recommendations.
SECONDARY OBJECTIVES
● Overseeing the risk assurance process within the company.
● Continual review of the company’s risk management policy.
● Ensuring appropriate communication of risks, policies and controls.
● Ensuring adequate risk management training arrangements.
● Where necessary, obtaining appropriate external advice regarding risk
management processes.
● Ensuring that best practices in risk management are used by the
company, including obtaining and implementing external advice.

Activities carried out by a risk manager

● Provision of overall leadership for the risk management team.
● Identification and evaluation of the risks.
● Implementation of risk mitigation strategies.
● Developing, implementing and managing risk management programmes.
● Establishment of risk management awareness programmes.
● Ensuring compliance with any laws and regulations affecting the business.
● Liaising with insurance companies to mitigate risk.
● Depending on specific laws of the jurisdiction in which the organisation is
based.

10. Key points to consider

1. Impact of risk management and shareholder value

2. Factors driving a company’s risk

3. Identify, assess and measure the risk of the company

4. Possibility of mis-classification

5. How best to treat the risk (risk response strategy)

6. Risk reporting the framework to adopt.

7. Application of risk framework to a company or a functional area or process

8. The role of a risk committee in the organisation

9. What are the risks pertaining to digital assets?

10. The role of Board of directors in Risk management.

Student Notes

Chapter 3 - Strategy risk
1. What is strategy?
Strategy - a course of action, including the specification of resources
required, to achieve a specific objective.

The core of a company's strategy is about choosing: where to compete and how
to compete. It is a means to achieve sustainable competitive advantage.

All three levels should be linked. A risk for the corporate or business level
strategy is that it will only succeed if it is supported by appropriate operational
strategies.

Whichever approach is chosen, remember that most types of organisation will
need a strategy. This includes companies (large and small), unincorporated
businesses, multinational organisations and not-for-profit organisations
such as charities, schools and hospitals, etc.

The rational model - is a logical, step-by-step approach. It requires the
organisation to analyse its existing circumstances, generate possible
strategies, select the best one(s) and then implement them.
The rational model follows a series of set stages as shown in the diagram
below:

Johnson, Scholes and Whittington took the stages from the rational model and
grouped them into three main stages:
● Strategic analysis
● Strategic choice
● Strategic implementation

Emergent strategies - strategies that evolve in response to unexpected events
that impact on the organisation.
This approach to strategy has a number of advantages:
● it is often more acceptable to stakeholders, as consultation, compromise
and accommodation are built into the process.
● it is less of a cultural shift for the organisation to adopt an incremental
approach to strategy, as the organisation will not be trying to implement
major shifts in its activities.

Problems with a lack of formal planning
● Failure to identify threats
● Strategic drift
● Difficulty in raising finance
● Management skill

Which approach to strategy should we adopt?
More formal planning approaches, such as the rational model (and to a degree
the emergent model) tend to suit organisations which:
● exist in relatively stable industries, meaning there is sufficient time to
undertake detailed strategic analysis
● have relatively inexperienced managers, as the formal planning approach
helps to ensure they are familiar with the organisation, as well as
providing a series of guidelines they can follow to help them develop a
strategy.
More informal approaches tend to suit organisations which:
● are in dynamic, fast-changing industries where there is little time to
undertake formal strategic analysis
● have experienced, innovative managers who are able to quickly identify
and react to changes in the organisation and its environment
● do not need to raise significant external finance (external investors
typically prefer a formal planning approach).

STRATEGIC PLANNING FOR NFPs

The 3 E’S:
1. Economy: looks solely at the level of inputs. For e.g. did the hospital
spend more or less on drugs this year? Or on nurses’ wages?

2. Efficiency: this approach looks at how well inputs have been used to
achieve outputs – it is a measure of efficiency. For e.g., what was the
average cost per patient treated? What was the average spend per bed over
the period?

3. Effectiveness: (the goal approach). This looks at the ultimate objectives
of the organisation, i.e. at output measures. For e.g., for an NHS hospital,
have the waiting lists been reduced? Have mortality rates gone down? How
many patients have been treated?

3. APPROACHES TO STRATEGIC PLANNING

TRADITIONAL APPROACH - looks at stakeholders and their objectives, then
formulates plans to achieve those objectives - particularly helpful in NFPs.
MARKET-LED APPROACH - POSITIONING approach - predict changes sufficiently
far in advance to control change rather than always having to react to it -
analyse markets & competitors and then set objectives & develop strategies.
RESOURCE-BASED APPROACH - COMPETENCY-BASED approach - the emphasis is on
what the firm is good at, and doing that to succeed in its given market.

4. Strategic analysis and choice
KEY DECISIONS TO MAKE:

1. WHERE TO COMPETE? Which markets
2. HOW TO COMPETE? Basis of competitive advantage
3. WHICH INVESTMENT VEHICLE TO USE? Organic growth, acquisition,
franchising or merger?

5. Competitive strategy

Cost Leadership - being the lowest cost producer
Differentiation - creating the customer perception that our product is
superior (differentiation in process or product)
Focussed Cost Leadership - competing based on price to target a narrow
market
Focussed Differentiation - offer unique features to fulfil demand in a
narrow market.

6. PRODUCT-MARKET STRATEGY: ANSOFF’S MATRIX

(Markets down the side, products across the top)

Existing market / Existing product - Market penetration: when the market is
growing; strong brand presence; weak competitors; market not saturated.
Existing market / New product - Product development. Approach: different
quality versions or add new features.
New market / Existing product - Market development. Approach: new
geographical area, new demographics (age/sex) or new distribution channels.
New market / New product - Diversification: innovation.

7. Acquisition
A business firm may use the following ways to grow:
1. Acquisition - when a corporate buys most of the target company’s
ownership stakes in order to assume control of the target firm.
2. Mergers - creation of a new reporting entity by combining two or more
parties.
3. Organic Growth - growth through internally generated projects, such as
increased output, customer base expansion, etc.

Benefits of Acquisition over Organic Growth:
1. High speed access to resources
2. Asset valuation
3. Relative P/E ratio
4. Avoids barriers to entry

Risks with growth by Acquisition
• May be costlier than internal growth
• Cultural mismatch
• Disposal of assets - companies may be forced to dispose of assets they had
before the acquisition
• Lack of due diligence
• May lead to a reduction in return on capital employed

Key Control for an Acquisition

Due Diligence
• Process of evaluation of the target company before acquisition
• Provides information for decision making
• Reduces the uncertainty and controls the risks that the acquirer will face
as they go through the acquisition

Possible areas of focus for due diligence:
Financial Statements -
• Involves review of financial metrics, reasonableness of financial
forecasts, verification of assets owned and their values
• It may reveal information about the performance of the target company
which may impact the consideration price
Strategic Fit -
• It is also important to understand how the target will fit strategically
within the combined entity
Employee Management Issues -
• Identification of any dispute or any organisational structure mismatch in
the target company
Property -
• Premises that the target owns or leases should be reviewed
• The best location should be identified in line with the plans of the
acquirer
Intellectual Property -
• It also requires proper valuation of the intellectual property of the
target
• Due diligence will involve ensuring that the target has taken appropriate
steps to protect its intellectual property
Contract Review -
• Review the material contracts the target holds in order to fully
understand its commitments. These may involve supplier or customer
contracts.
Pending Litigation -
• The acquirer needs to know whether there are any ongoing claims, closed
claims or pending litigation.
Tax -
• The buyer would need to consider the tax situation of the target company,
reviewing any tax returns and getting an understanding of any tax balances
or correspondence with the tax authorities of the relevant countries

8. Joint methods of expansion

1) Joint Venture
• A separate business entity is formed whose shares are owned by two or more
business units
• Very helpful approach for sharing risks, cost and expertise

2) Strategic alliance
• A cooperative business activity, formed by two or more separate
organizations for strategic purposes, that allocates ownership, operational
responsibilities, financial risks, and rewards to each member, while
preserving their separate identity/autonomy.
– Strategic synergy – more strength when combined than they have
independently. Positioning opportunity – at least one of the companies
should be able to gain a leadership position.
– Limited resource availability – a potentially good partner will have
strengths such as access to scarce resources that complement the
weaknesses of the other partner.
– Less risk – forming the alliance reduces the risk of the venture.
– Co-operative spirit – both companies must want to do this and be willing
to cooperate fully.
– Clarity of purpose – results, milestones, methods and resource
commitments must be clearly understood.
– Win-win – the structure, risks, operations and rewards must be fairly
apportioned among members.
3) Franchising
• Purchase of the right to use a business brand in return for a capital sum
and a share of profit or turnover
• Example - McDonalds
4) Licensing
• Right to use an invention or resource in return for a share of proceeds
5) Outsourcing
• Contracting out aspects of the organization, previously done in house, to
specialist providers

Key risks of Joint Development Methods:

• Strategic fit - firms affect each other’s position
• Cost sharing – agreement to share costs can be difficult
• Knowledge sharing - risk that the secrets of a firm can be revealed
• Profit sharing – it depends on the risk taken by each firm, which is
difficult to measure
• Loss of control
• Loss of development opportunities

9. International growth
• When deciding to expand abroad, a business has several possible
strategies that it may adopt:

1. Exporting strategy – the firm sells a product made in its home country
abroad.
2. Overseas manufacture – the firm manufactures products in a foreign
country and then imports them into the home country.
3. Multinational – the firm coordinates value-adding activities across
national boundaries. For example, a multinational car manufacturer will have
engine plants in one country, car body plants in another and electrics in a
third. Production capacity is often duplicated around the world.
4. Transnational – a nationless firm having no home country. Employees and
facilities are treated identically, regardless of where they are in the
world.

Risks of International Growth


• Political Risk
• Foreign Exchange risk
• Need for Capital Investment
• Risks to customer relationships
• Ethical Risks
• Cultural Risks

10. Disruption
• A new development that changes an existing market; it can even lead to
big firms suffering a drop in sales.
• Example: Amazon. Its simplicity and competitive pricing have disrupted the
retail market.

Considerations for successful disruption

• Simplicity – for example, the ease of ordering on Amazon
• Resources – using less of scarce resources and using environmentally
friendly resources
• Cost – VHS overtook Betamax in the home video industry because it was
cheaper, even though it was a technically inferior product
• Accessibility – WhatsApp is available on all smartphones, as against
iMessage, which is only for iOS devices
• Quality – doing something significantly better than it is currently done can
also be a source of disruption.

11. Scenario planning


Scenario planning captures a picture, or scenario, of where the world may be
in a few years' time.

The steps involved in scenario planning:

1. Identify high-impact, high-uncertainty factors in the environment. For
example, in the oil industry there may be a need to form a view of the
business environment up to twenty-five years ahead, and issues such as
crude oil availability, price and economic conditions are critical.
2. For each factor, identify different possible futures. At 3M, for example,
the general manager of each business unit is required annually to
describe what his or her industry will look like in fifteen years.
3. Cluster together different factors to identify various consistent future
scenarios. For example, if new legislation is passed that reduces industry
profit potential, then the likelihood of new entrants will fall.
4. Build a detailed analysis to identify and assess future implications.
Planners typically develop assumptions about the impact of key variables
on the company's future strategy.
5. For each scenario, identify and assess possible courses of action for
the firm.
6. Monitor reality to see which scenario is unfolding.
7. Revise ("redeploy") scenarios and strategic options as appropriate.

Benefits

● Focuses management attention on the future and possibilities
● Encourages creative thinking
● Can be used to justify a decision
● Encourages communication via the participation process
● Can identify the sources of uncertainty
● Encourages management to consider fundamental changes in the external
environment.

Drawbacks

● Costly and inaccurate – uses up substantial resources and time
● Tendency for cultural distortion and for people to get carried away
● The risk of the self-fulfilling prophecy, i.e. thinking about the scenario
may be the cause of it
● Many scenarios considered will not actually occur.

12. Stress testing


A way of analysing a business to consider how well it could cope with difficult
conditions.

Key areas for stress testing:
1. Prioritisation
– Who is your primary customer? Once your primary customer is
established, the majority of resources should be used to make sure
the company is delivering for their needs.
– How do your core values prioritise shareholders, employees,
and customers? The core values of a business must be clearly
defined; statements that list multiple desirable actions don't
work.

2. Measurement
– What critical performance variables are you tracking? The key
is not to have too many measures on any scorecard but to identify
the key factors that drive performance and focus on those.
– What strategic boundaries have you set? Deciding where to focus is
often viewed as the safer option, while deciding where not to focus
allows more creativity.

3. Productivity
– How are you generating creative tension? A positive outlook may
lead to people insisting that everything will eventually work out.
– How committed are your employees to helping each other? If
employees feel that they are being treated fairly and trust each other,
they will achieve greater results.

4. Flexibility
– What strategic uncertainties keep you awake at night? To
address these, everyone must be focused on what is happening in the
external environment and feed back anything unusual so that action
can be taken.

The need for stress testing


● The results of a stress test can indicate why a strategy may not be
successfully realised or implemented; it can identify areas of inefficiency.
● Stress testing allows risks to be quantified.
● Stress tests may be imposed on the business by lenders. If, say, a
company is borrowing money in order to finance a new project and the
loan will last 10 years, a lender may want to know how the company will
cope with a rise in interest rates, or if the project returns are only half of
what the company is expecting.

Sources of business stress


There are many sources of stress that may be placed on an organisation (both
internally and externally) such as:
● Technology which makes the product obsolete or uncompetitive
● Changes in customer or consumer tastes
● The economy changing from a boom to a recession (or vice versa)
● Rivals creating a better product or finding ways to stand out better to
customers
● A cybersecurity attack
● A workforce strike
● Failure of or faults in production systems.

Questions to consider
1. Consider the risks associated with the chosen strategy – particularly, are
there digital and cyber risks?
2. What is the digital strategy for the proposed business strategy?
3. Do we have the expertise?
4. What are the potential cyber threats?

Student Notes

Chapter 4 - ​Reputational risk
1 Reputational risk

Reputational risk – the likelihood of losses occurring due to a deterioration in
the belief or opinion held about someone or something.

Reputation is an area that organisations are increasingly focusing upon, partly
because there have been some high-profile instances of reputational damage in
recent times, and partly because the rise in social media gives more
customers a voice.

2 Sources of reputational risk


● Accounting deficiencies
● Poor customer service
● Lack of IT security
● Failure to meet expected quality standards
All of these could lead to media coverage resulting in negative perceptions of the
brand and company. These negative perceptions can then lead to investors and
customers going elsewhere.

Social and environmental considerations:

● The PESTEL framework can be used to identify the sources of
reputational risk.
● The key areas to be considered are social and environmental aspects.
● Some obvious factors, like encouraging an unhealthy lifestyle or causing
damage to the environment, can cause immediate deterioration of
reputation.

Example: In Runnabout (CIMA pre-seen May & Aug 2020), the hoverboards cause
ankle fractures when passing over kerbs, and this type of injury is increasing.
This could become a reputational risk if the company does not respond.

Business ethics:
● Comprises the principles and standards that govern the organisation
● Actions can be judged right or wrong by individuals inside or outside
the organisation. However, different individuals will have different views
on each of these issues.
● Example: it is unethical to experiment on animals

Corporate social responsibility: refers to the idea that a company should be
sensitive to the needs of all stakeholders in its business operations and not just
shareholders. As such, ethics is just one dimension of corporate social
responsibility.
● The company should be sensitive to all stakeholders, not only
shareholders
● Ethics is one of the dimensions of CSR
● By aligning the company's core values with those of society, it can improve
its reputation.
Benefits of CSR
● Attracts staff
● Brand strengthening
● Identification of new strategic opportunities and social
expectations
● Differentiation

3 Code of ethics
Integrity – fair dealing and truthfulness; maintain honest business relationships.
Objectivity – no professional judgement is compromised due to bias or conflict
of interest.
Professional competence and due care – accountants have to possess
professional knowledge, follow professional standards and be up to date.
Confidentiality – information received must not be disclosed without proper
permission, and the information must not be used for personal advantage.
Professional behaviour – to treat all people in a professional capacity.

Conceptual framework approach: requires a management accountant to
identify, evaluate and address threats to compliance with the fundamental
principles, rather than merely comply with a set of specific rules which may be
arbitrary, and is therefore in the public interest.
Ethical threats:
● Self-interest threat – occurs due to a personal financial interest that creates
a conflict
● Advocacy threat – occurs when a point is promoted in a way that compromises
subsequent objectivity
● Familiarity or trust threat – occurs when a member becomes too
sympathetic to the interests of others
● Adverse interest threat – occurs when a member does not act with
integrity because their interests are opposed to those of their employer.

Ethical issues as sources of risk

● When a threat is found, a management accountant has to apply
safeguards to eliminate it or reduce it to an acceptable level.
● Ethical threats do not relate only to personal threats; they can also
concern business decisions.

Ethical safeguards:
● External review, by a legally empowered third party, of reports, returns and
information provided by a professional accountant.
● Regulatory monitoring and disciplinary procedures.
● Education, training and experience required for the profession.

4 Ethical dilemmas and conflict resolution

Ethical dilemma: it may arise out of conflict between personal values and
organisational goals, or organisational goals and social values.

Ethical conflict resolution:

1. Gather all facts and relevant information.
2. Ascertain the ethical issues involved and identify the fundamental
principles related to the matter in question.
3. Escalate the concern internally, i.e. to direct management.
4. Escalate the issue further to your manager's boss, the Board or a
non-executive director (following any internal grievance or whistleblowing
procedure).
5. Seek advice from CIMA.
6. Report externally to auditors or relevant trade/regulatory bodies.
7. Remove yourself from the situation.

5 Conflicts within the employing organisation

● The professional accountant's and the organisation's professional
obligations to comply with the principles may be in conflict.
● The professional accountant must support the ethics established by the
employer.
● When compliance with business ethics is threatened, the professional
accountant must take responsibility for dealing with the circumstances.

The professional accountant may be asked by the directors or managers to take
immoral and unethical actions. The significance of threats arising from such
pressures should be evaluated. If they are other than clearly insignificant,
safeguards should be considered and applied:
● obtaining advice where appropriate from within the employing
organisation, an independent professional advisor or a relevant
professional body.
● the existence of a formal dispute resolution process within the employing
organisation.
● seeking legal advice.

6. Points to consider

1. Impact of CSR on reputational risk
2. The Board of Directors' influence on the company's reputational risk
3. What are the possible ethical issues that may come up in your case study?
4. How will you resolve them (refer to the Ethical conflict resolution framework)?
5. What ethical issues may arise from a digital technology strategy?

Student Notes

Chapter 5 - ​Corporate governance
1 What is corporate governance?
Corporate governance – the system by which companies are directed and
controlled in the interest of shareholders and other stakeholders.

Importance of corporate governance

● Listed companies are required to operate systems of corporate governance
laid down either by statute or by professional organisations.

Ex: the Securities and Exchange Commission (SEC) in the US, the Financial
Conduct Authority (FCA) in the UK and the Securities and Exchange Board of
India (SEBI) in India.

● Support of stock exchanges – built into listing rules.

● Good corporate governance cannot prevent risks or stop failure; however, it
is a major help in achieving goals in a less risky way.

Reasons for Company collapses

● Not well run by its board of directors (Ex: Equitable Life, an insurance
company, ran into losses as it was paying out more to policyholders than
its reserves allowed. It had a board of NEDs who had no idea what was going
on at the company.)
● One individual dominated the board and exerted influence on
decision making (Ex: Barings Bank had placed Nick Leeson in charge of
both the dealing desk and the back office. This gave him the power to make
unauthorised dealings in derivatives and relay false information to the
head office. He went on to lose £800 million.)
● One person was chairperson as well as chief executive officer (Ex:
Elon Musk was stripped of his role as chairperson after the dual power led to
him giving false and misleading information to the public about the
company going private.)
● Board lacked sufficient knowledge and experience (Ex: as with the
above case of Barings Bank, the board had only superficial knowledge of
derivatives and did not know the risks involved, leading to a loss of $1.4
billion in total.)
● Board acted in the interests of the executive directors (Ex: Parmalat, an
Italian dairy goods company, embezzled cash and falsified accounts. The
embezzlement, worth $1 billion, involved the founder Calisto Tanzi, his
family members and the board members.)
● Financial reports were inaccurate and unreliable (Ex: Enron made
off-balance-sheet transactions with the help of special purpose entities (SPEs)
for financing the company. The investors were not shown the true and fair
financial condition of Enron.)
● Auditors were ineffective or misled by the management (Ex: the
collapse of audit firm Arthur Andersen due to its involvement in the Enron
scandal.)
● Ineffective internal control system – from the above examples, it is
clear that the companies did not have effective internal controls to check and
protect their interests.

2 Principles of good corporate governance

Leadership and company purpose

a) The company should be headed by an effective and entrepreneurial board.
b) Board members should lead by example and behave with integrity.
c) Make sure appropriate resources are available to help the company achieve
its objectives.
d) The board must ensure sufficient dialogue with shareholders and stakeholders.
The chair must discuss strategy with major shareholders.
e) Engage with the workforce through:
- a director appointed from the workforce
- a formal workforce advisory panel
- a designated non-executive director
f) A formal whistle-blowing policy for the workforce to raise concerns in
confidence and, if desired, anonymously.
g) If 20% of shareholders vote against a board recommendation, an explanation
must be given.

Division of Responsibilities
a) There should be a clear division of responsibilities, and one person
should not hold the positions of both chair and CEO.
b) The chair has the responsibility of running the board. The chair should be
independent on appointment.
i) Provide leadership to the board
ii) Determine the composition and structure of the board
iii) Set the board's agenda and plan board meetings
iv) Ensure the board receives appropriate, accurate, timely and clear
information
v) Facilitate effective contribution from NEDs
vi) Discuss governance and major strategy with major shareholders

c) The CEO has the executive responsibility of running the company's
business.
i) Develop and implement policies to execute the strategy
ii) Assume accountability for all aspects of the company's operations
iii) Manage financial and physical resources
iv) Build and manage an efficient management team
v) Closely monitor operations and financial results
vi) Act as an interface between the board and employees
vii) Represent the company to major suppliers, customers, professional
associations etc.

NON-EXECUTIVE DIRECTORS (NEDs) – scrutinise the performance of
management in meeting the set goals and objectives, and monitor the reporting.

The board should include a balance of NEDs and executives.

One NED should be the senior independent director, who will be available to the
shareholders if they have any concern that can't go through the official channel.

NEDs must question intelligently, debate constructively, challenge rigorously and
decide dispassionately.

Strategy role: NEDs have the right and responsibility to contribute to
strategic success, challenging strategy and offering advice on direction.

Scrutinising role: NEDs are required to hold executive colleagues to account
for decisions taken and results obtained. They should meet without the chair
present at least annually to review the chair's performance.

Risk role: NEDs ensure the company has an adequate system of internal
controls and systems of risk management in place.

People role: NEDs oversee a range of responsibilities with regard to the
appointment and remuneration of executives and will be involved in
contractual and disciplinary issues.

Composition, Succession and Evaluation
a) There should be a formal procedure for electing the directors.
b) An appropriate succession plan for the board and senior executives must be
in place.
c) All directors should:
- be able to allocate sufficient time to discharge their duties
- be subject to an annual evaluation regarding their contributions
- have an appropriate balance of skills, experience, independence and
knowledge
- be submitted for re-election at regular intervals

Nomination committees
The majority of the members of the nomination committee should be independent
non-executive directors. The chair can be on the committee, but should not chair
the committee when it is deciding on the appointment of a new chair.
Main responsibilities and duties

● Review regularly the structure, composition and size of the board and make
recommendations
● Consider the balance between the executives and the NEDs
● Regularly evaluate the knowledge, skills and experience of the board
● Prepare a description of the role and capabilities required for any position on
the board
● Give full consideration to succession planning

AUDIT COMMITTEE

The board should establish an audit committee of at least three, or in the case of
smaller companies two, independent non-executive directors. The chair should not
be part of this committee. At least one member of the committee must have
relevant financial knowledge and experience.

Role of the committee

● To monitor the integrity of the financial statements
● To provide guidance to the board on whether the annual report is fair, clear
and true
● To review the company's internal financial control and risk management
systems
● To monitor the effectiveness of the internal audit function
● To make recommendations to the board on the appointment, re-appointment
and removal of the external auditor
● To review the external auditor's independence, objectivity and effectiveness
● To develop a policy for the engagement of the external auditor to supply
non-audit services

REMUNERATION COMMITTEE

The committee should consist of at least three, or in the case of smaller companies
two, independent non-executive directors. The chair can be a member of the
committee but cannot chair it. To chair this committee, the person should have
been a member of the remuneration committee for at least 12 months.

Role:

● Has delegated responsibility for setting the remuneration of the executives
and the chair
● Monitor the level and structure of the remuneration of senior management
● Consider the overall company remuneration policy and rewards and incentives
● Pension contributions for executives are to be in line with the rest of the
company
● Levels of remuneration for NEDs should reflect the time commitment and
responsibility of the role, in line with the Articles of Association
● Notice or contract periods are to be set at less than a year
● Avoid rewarding poor performance

Director remuneration policy and procedures

The remuneration package should be motivational: not too small, not too easily
earned.

Elements to consider: clarity, simplicity, risk, predictability, proportionality and
alignment to culture.

Components to consider: basic salary, performance-related pay, pension
contributions, benefits in kind.

Executive Share Options (ESOPs)

An ESOP is part of a manager's remuneration package. Reasons to reward
directors with ESOPs:

● Directors have a financial incentive to maximise the share price.
● Align the interests of executive directors with those of shareholders.
● Reassure shareholders that directors will work hard to increase the share
price and accept realistic risks.
● Encourage the directors to take a long-term view and to remain with the
company rather than move elsewhere and lose their options.

Caution: this relies on the directors being honest and upright individuals;
otherwise they may manipulate results for personal profit, as in major scandals
such as WorldCom and the credit crunch.

4. Corporate governance and internal controls

Turnbull Report – requires that internal controls should be established using a
risk-based approach. Specifically, a company should:

● Establish business objectives.
● Identify the associated key risks.
● Decide upon the controls to address the risks.
● Set up a system to implement the required controls, including regular
feedback.

Turnbull suggested that directors should review internal controls under
the five headings identified by COSO in 1992:

● Control environment.
● Risk assessment.
● Control activities.
● Information and communication.
● Monitoring.

More on reviewing the effectiveness of internal controls

When reviewing reports on internal control, the board should:

● consider the significant risks and how they have been identified,
evaluated and managed
● assess the effectiveness of the internal controls for managing each
significant risk
● consider whether any controls are weak and action is necessary to
strengthen them

The annual assessment of the system of internal control should consider:

○ the changes since the assessment carried out in the previous year
○ the scope and quality of management's ongoing monitoring of
risks and of the system of internal control
○ the extent and frequency of the communication of the results of
this monitoring to the board
○ the extent and frequency of internal control weaknesses and failings
that have been identified during the year
○ the effectiveness of the company's public reporting processes

5. Corporate governance and the audit committee

The reason for having an audit committee is that auditors were not sufficiently
independent of the board of directors, particularly because:

● Remuneration of the auditors was decided by the directors.
● Appointment of the auditors was, in practice, at the discretion of the
directors.
● Reports of the auditors were received by the directors.
● The directors had the power to give other lucrative work to the auditors.

Responsibilities of an audit committee

➔ Review of the financial statements, and any interim reports produced.
➔ Review of the company's system of internal financial controls.
➔ Discussion with the auditors about any significant matters that arose on
the audit.
➔ Review of the internal audit programme and significant findings of the
internal auditors.
➔ Recommendations on the appointment and removal of the auditors.
➔ The setting of the audit fee in discussion with the auditors.
➔ Review of the audit report and any management letter provided by the
external auditors.
➔ Review of all the company's internal control and risk management systems.
➔ Ensuring that a system is in place for whistleblowing.

In summary, the audit committee should:

i. Review financial statements
ii. Review internal controls
iii. Liaise with internal auditors
iv. Liaise with external auditors

6. International developments

Sarbanes-Oxley Act: introduced after the Enron and WorldCom scandals in
order to restore confidence in US companies.

Why should the Board be responsible for managing stakeholders' interests?

● Corporate value
● Rise in shareholder activism
● Rise in sustainable and responsible investing

Why CSR and a CSR report?

1. Influence both consumer behaviour and corporate reputation.
2. A medium for transparency.
3. Provides existing and potential investors with CSR information to assist in
analysing investment decisions.

The CSR report should address the issues most important to each of the
company's key stakeholders, for example:

● Shareholders – addressing the company's business model and corporate
governance, including disclosing the role of the board in risk
management, in sustainability reporting and in evaluating CSR
performance.
● Employees – addressing diversity, health and safety, training and
mentoring, employee relations, and wages and benefits.
● Customers – addressing customer service and privacy.
● Suppliers – addressing labour standards and whether suppliers are
required to implement their own CSR programmes.
● Communities – addressing corporate philanthropy and charitable
contributions, community investment and partnerships, volunteerism and
the environmental impact of operations.
● Governments and regulators – addressing lobbying, public policy and
the effects of and compliance with environmental regulations.
● Other considerations – with respect to CSR, the CSR report and
stakeholder engagement, a company and/or its board of directors may
also want to consider the following:

1. CEO responsibility and board oversight
2. Focus on the CSR issues having the greatest impact
3. Stock exchange reporting initiatives
4. Identify a corporate team
5. Other components of stakeholder engagement

7. Governance and strategy

The results of the increasing focus on governance issues are as follows:

● Increasing power of governance bodies.
● Increasing shareholder power.
● Greater pressure on boards to formulate strategy and be seen to control
the businesses concerned.
● Greater scrutiny of quoted businesses, resulting in more short-termism.
● Greater emphasis on risk assessments.
● Greater scrutiny of mergers and acquisitions in particular.

How does corporate governance impact organisational strategy?

1. Ensures that no individual can dominate the BOD
2. Improves the diversity of the BOD
3. Establishes adequate internal audit and control systems, which enable
more effective strategy and its implementation
4. Attracts investors – making it easier to raise funding for a new strategy.

Points to consider

1. Review your case study organisation's structure and critically evaluate the
senior management's experience and qualifications.
2. Review and critically evaluate the governance committees of the
organisation.
3. The importance of the CSR report as a strategic communication tool.

Student Notes

Chapter 6 - ​Internal Controls
Internal control:

‘The management system of controls, financial and otherwise, established in
order to provide reasonable assurance of:

(a) effective and efficient operation

(b) internal financial control

(c) compliance with laws and regulations’

(CIMA Official Terminology, 2005)

Examples of the three areas of internal control mentioned in this definition are:

Effective and efficient operation

● Enough inventory to meet production requirements
● Low wastage
● Full use of machinery through clever scheduling

Internal financial control

● Safeguarding assets
● Collecting receivables on time
● Paying suppliers and employees the correct amounts

Compliance with laws and regulations

● Ensuring working time and minimum wage laws are not broken
● Paying the correct amount of tax on time
● Ensuring health and safety laws are complied with

Note that the term encompasses more than just financial controls, though it is
financial controls that auditors will concentrate on.

Definition of an internal control system, with commentary on each element:

Definition: ‘… the orderly and efficient conduct of its business, including
adherence to internal policies’
Commentary: There will be systems in place ranging from ensuring that all
transactions are recorded (so the business is conducted in an orderly manner)
to following policies such as the provision of good customer service.

Definition: ‘… the safeguarding of assets’
Commentary: Assets include:
· Material – buildings, cars, cash etc.
· Immaterial – intellectual property etc.

Definition: ‘… the prevention and detection of fraud and error’
Commentary: This includes fraud and error at the operational level through
to the strategic level (Enron).

Definition: ‘… the accuracy and completeness of the accounting records and …’
Commentary: Ensure that all transactions are recorded, so liabilities are not
‘hidden’ and assets are not overstated.

Definition: ‘… the timely preparation of financial information’
Commentary: Ensure information is available to produce reports in a timely
fashion.

The main point to note here is that the internal control system encompasses the
whole business, not simply the financial records.

Turnbull Report:

● States the importance of internal control.
● Issued by the Financial Reporting Council as 'Internal Control – Revised
Guidance for Directors on the Combined Code'.

Importance of Internal Control:

● A sound system of internal control contributes to safeguarding
the shareholders' investment and the company's assets.
● Assists compliance with laws and regulations.
● Effective financial controls, including the maintenance of proper
accounting records, are an important element of internal control.
● Since profits are, in part, the reward for successful risk-taking in
business, the purpose of internal control is to help manage and
control risk appropriately rather than to eliminate it.

People who are responsible for internal control:

· Board of Directors:
It should set appropriate policies on internal control and seek regular
reassurance to ensure that the system is functioning efficiently.

· Employees:
They, collectively, should have the necessary knowledge, skills,
information and authority to establish, operate and monitor the
system of internal control.

Elements of a sound Internal Control system:

The system will include:
1. Control activities;
2. Information and communications processes; and
3. Processes for monitoring the continuing effectiveness of the system of internal control.

· The system of internal control should:
● form part of a company’s culture;
● be capable of responding quickly to evolving risks to the business arising from factors within and outside the company;
● include procedures for reporting immediately to appropriate levels of management any significant control failings or weaknesses that are identified, together with details of corrective action being undertaken.

· A sound system of internal control reduces, but cannot eliminate, the possibility of poor judgement in decision-making, human error, etc.

· A sound system of internal control therefore provides reasonable, but not absolute, assurance that a company will not be hindered in achieving its business objectives.

COSO identifies five components of an effective control system.

1. Control environment

The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control.
The principles that underpin the control environment component are:

● The organization shows a commitment to ethical values.
● The board has appropriate expertise and oversees the five competencies.
● Management must establish an appropriate organizational structure to help achievement of the objectives.
● Human resource policies and practices help attract, develop and retain suitable talent.
● Accountability of employees for their areas of responsibility.

2. Risk assessment

The risk assessment should be conducted for each business within the organization, and should consider, for example:
– internal factors, such as the complexity of the organization, organizational changes, staff turnover levels, and the quality of staff;
– external factors, such as changes in the industry and economic conditions, technological changes, and so on.
The risk assessment process should also distinguish between:
– risks that are controllable;
– risks that are not controllable.
The principles that underpin the risk assessment component are:

● Clear objectives to allow risk identification and assessment.
● That risk identification and analysis does take place across the entity.
● The potential for fraud arising in pursuit of the stated objectives must be considered.
● The internal controls system must be reviewed for changes in the external environment.

3. Control activities

Control activities occur at all levels within an organization, and include authorizations, verifications, reconciliations, approvals, segregation of duties, performance reviews and asset security measures.
The principles that underpin the control activities component are:

● Select appropriate controls to mitigate the risks to the achievement of objectives.
● Controls over technology are specifically included.
● Policies and procedures establish how the controls are implemented.

4. Information and communication

An organisation must gather information and communicate it to the right people so that they can carry out their responsibilities.
The principles that underpin the information and communication component are:
● Appropriate information is generated and used to assess control.
● The information is communicated appropriately internally to support the internal control process.
● The information is communicated to appropriate external parties.

5. Monitoring

The internal control system must be monitored.
The principles that underpin the monitoring component are:

● Appropriate evaluations of the controls are carried out.
● Any issues with controls are communicated to appropriate people (including the board where necessary).

OPERATIONAL FEATURES OF INTERNAL CONTROL SYSTEM

DETAILS OF CONTROLS

The controls can be remembered using the mnemonic SOAPSPAM:

Supervision,
Organisation,
Arithmetic and accounting,
Personnel,
Segregation of duties,
Physical,
Authorisation and approval, and
Management.

Segregation of duties - steps:

Initiation of the transaction, eg: making a purchase.
The handling of the asset that is the subject of the transaction, eg: making the payment.
The recording of the transaction, eg: recording the purchase and payment in the accounts.
Physical controls - to protect physical assets against theft or unauthorised access and use.
eg: using a safe to hold cash and valuable documents.
Authorisation and approval controls - to ensure that a transaction must not proceed unless an authorised individual has given his approval, possibly in writing.
eg: For spending transactions, an organisation might establish authorisation limits, whereby an individual manager is authorised to approve
Management control - top-level reviews (BOD / senior managers).
eg: senior management might review a report on the progress of the organisation toward achieving its budget targets.
Activity controls​ (department/divisional level)
eg:​ the provision of regular performance reports, such as variance reports,
comparing actual results with a target or budget.
Supervision - oversight of the work of other individuals, by someone in a position of responsibility.
Organisation controls - the controls provided by the organisation’s structure, such as:
● the separation of an organisation’s activities into departments or
responsibility centres
● delegating authority within the organisation
● establishing reporting lines within the organisation
● coordinating the activities of different departments or groups, e.g. by
setting up committees or project teams.
Arithmetic and accounting controls - eg:
● recording transactions properly in the accounting system
● being able to trace each individual transaction through the accounting
records
● checking arithmetical calculations, such as double-checking the figures in
an invoice before sending it to a customer (sales invoice) or approving it
for payment (purchase invoice) to make sure that they are correct.

Personnel controls -​ Controls should be applied to the selection and training of
employees.
Any controls recommended should cost less than the benefits they bring.
eg​: you would not recommend the hiring of a security guard at £35,000 per
annum to watch over the petty cash tin which held £100.

CLASSIFICATION OF CONTROLS
● Financial controls;
● Non-financial quantitative controls;
● Non-financial qualitative controls.

Financial controls-​ These controls express financial targets and spending limits.
Examples include
– budgetary control
– controls over sales, purchases, payroll and inventory cycles.

SALES CYCLE CONTROLS

The​ purchase cycle​ is similar to the sales cycle but concentrates upon the risk
of staff ordering goods for themselves, more goods being ordered than
necessary (leading to obsolescence or theft), payments being made to fictitious
suppliers (theft), and goods being overpriced by the supplier.

4. BANK AND CASH CONTROLS

Bank and cash

Objectives of controls: ​To ensure that cash balances are safeguarded; kept to a
minimum and; money can only be extracted from bank accounts for authorised
purposes.

Examples of possible risks to cash and bank accounts and the related controls:

Risk: Cash is stolen from the premises.
Control procedures: safes / strong room / locked cash box with restricted access; tills emptied regularly.

Risk: Money is taken from bank accounts for unauthorised purposes (i.e. stolen).
Control procedures: restricted list of cheque signatories; regular bank reconciliations reviewed by a person with a suitable level of authority.

Controls in other departments

HUMAN RESOURCES
● Recruitment policies.
● Contract of employment.
● References being taken up prior to appointment.
● Continuous training.
● Eligibility to work in the country.

DISTRIBUTION DEPARTMENT
● Signed goods received and goods despatched notes.
● Regular inventory counts.
● Monitored CCTV cameras around the distribution depot.
● Security guards at exits.
● Bag searches when staff leave their shift.

Non-financial quantitative controls - focus on targets against which performance is to be measured.
Examples:
● Balanced scorecard targets
● TQM quality measures

Non-financial qualitative controls - day-to-day controls over most employees in organisations.
Examples:
● employee training
● management control methods (such as contracts of employment)
● project management

5. Evaluation of an internal control system

Developing an adequate control system

1. Ascertaining objectives of the system, e.g. the system may be human resources and its objectives may be sourcing, recruiting, etc.
2. Conducting research on current systems.
3. Communicating with employees to collect information.
4. Checking input requirements to achieve desired output.
5. Setting targets to achieve.
6. If problems are found within control systems, new policies to be implemented.
7. Suitable controls to be put in place for formulating these policies effectively.
8. Ascertain whether new controls have reduced the problems. If not, further corrective actions need to be taken.

Costs v benefits of Internal Control System

The benefits of maintaining the system must outweigh the costs of operating it.

Costs include:
· time of management involved in the design of the system;
· implementation:
  · costs of IT consultants to implement new software;
  · training all staff in new procedures;
· maintenance of system:
  · software upgrades;
  · monitoring and review.

Benefits:
· Reduction of the risks;
· Achievement of business objectives, etc.

Limitations of internal control systems

● A good internal control system cannot turn a poor manager into a good one.
● Cannot completely eliminate the risk from mistakes or errors.
● ICS can be bypassed by collusion and management override.
● Controls are only designed to cope with routine transactions and events.
● Resource constraints in provision of internal control systems, limiting their effectiveness.

“COSO” MODEL APPLIED TO FRAUD PREVENTION (deliberate falsification)

Prerequisites for fraud to occur:

● Dishonesty on the part of the perpetrator.
● Opportunity for fraud to occur.
● Motive for fraud.

EX: Employee fraud against employers - payroll fraud, falsifying expense claims, theft of cash.

FRAUD RISK INDICATORS

Warning signs (organisational indicators):
- Absence of an anti-fraud policy
- Poor physical security of assets
- Lack of management supervision of staff

Fraud alerts (specific events):
- Anonymous emails/letters/telephone calls
- Alteration of documents and records
- Inappropriate/unusual journal entries
- Confirmation letters not returned

FRAUD RISK MANAGEMENT STRATEGY

1. Fraud prevention:

Internal environment

This can be regarded as the outlook and culture of the organisation, including its
enthusiasm for risk management and its risk appetite.

For example, some organisations are a bit happy-go-lucky when it comes to risk
management whereas others are extremely strict and want things to be done by
the book.

Objective setting

Objectives must exist before management can identify potential events affecting
their achievement. Enterprise risk management ensures that management has
in place a process to set objectives and that the chosen objectives support and
align with the entity’s mission and are consistent with its risk appetite.

The objectives of a manufacturing department are to make the right goods to the right quality and at the right cost. The department cannot be managed without objectives and performance measurement.

The objectives of the accounts receivable department will be to achieve a certain collection period and to minimise bad debts. Again, objectives and targets are needed to manage and appraise this process.

Similarly, with regard to minimum wages, unless those are defined and
compared to actual wages, no control is possible.

Event identification

There are internal and external events (both positive and negative) which affect
the achievement of an entity’s objectives and must be identified. For example,
there must be a way of accounting for waste and quality control failures.

Risk assessment

Risks must be analysed to consider their likelihood and impact as a basis for
determining how they should be managed. The results of this exercise should be
noted on the risk register and the assurance mapping document.

Risk response

Management selects risk response(s) to transfer, avoid, reduce or accept risk (TARA).

The aim is to align risks with the entity’s risk tolerance and risk appetite. Risk
tolerance is the acceptable variation in outcome compared to an original
objective. In setting risk tolerance, management considers the relative
importance of the related objective. So, if an objective is particularly important,
risk tolerances might be higher to recognise that achieving something really
worthwhile is worth accepting more risk.

Control activities

Policies, procedures and control methods help to ensure risk responses are
properly carried out. Examples of control activities include authorisation of
transactions, reconciliations, segregation of duties (splitting a transaction so that
several people are involved), physical controls (such as locking away valuable
inventory), the comparison of actual results to budgets. IT controls can also be
very important.

Information and communication

Information that monitors or identifies risks must be identified, recorded and
communicated quickly enough and in a way that lets people carry out their
responsibilities by making decisions. For example, if a product’s sales are lower
than expected, this information must be available quickly enough to change
prices, alter the advertising campaign – or to withdraw the product.

Monitoring

The entire process must be monitored and modifications made as necessary, to improve current methodologies and to adapt to emerging risks, so that the system stays relevant. For example, if the company starts to trade on the internet a whole new set of risks arises, for example their system could be ‘hacked’.

2. Fraud detection: (IT IS NOT AN AUDITOR’S RESPONSIBILITY)

Some methods of discovering fraud are:

1. Performing regular checks, e.g. stocktaking and cash counts.

2. Warning signals or fraud risk indicators (see previous section). For example:
– Failures in internal control procedures
– Lack of information provided to auditors
– Unusual behaviour by individual staff members
– Accounting difficulties.

3. Whistleblowers, e.g. Sam Antar, convicted for frauds committed in the 1980s after whistleblowers from within the company informed the government of the crimes.

3. Fraud responses:

1. The fraud response plan sets out the arrangements for dealing with suspected cases of fraud, theft or corruption.
2. It provides procedures for evidence-gathering that will enable decision making and that will subsequently be admissible in any legal action.
3. The fraud response plan also has a deterrent value and can help to restrict damage and minimise losses to the organisation.

The organisation's response to fraud may include:

1. Internal disciplinary action, in accordance with personnel policies.
2. Civil litigation for the recovery of loss.
3. Criminal prosecution through the police.

Points to consider

1. Identify the critical processes in your organisation.
2. Identify the critical assets, both digital and others, in your organisation.
3. What risks may impact these critical processes and assets?
4. What are the controls that we can put in place?
5. Application of the COSO framework to these processes, functional areas and organisation.

Chapter 7 - Internal Audit

Internal Audit

An effective internal control system should keep management properly informed about the progress of the organisation (or lack of it) towards the achievement of its objectives. Internal control might also be monitored by an internal audit function.
Internal Audit helps an organisation accomplish its objectives by bringing a systematic approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

CIMA members and the P3 exam are primarily focussed on internal audit.

Whereas external auditors are employed by an independent firm (such as one of the ‘big four’: PwC, KPMG, EY and Deloitte), internal auditors (IA) are usually employees of the company (though the process of internal audit can be outsourced), and this can interfere with the independence of the internal audit function.

IA might fall under the control of the finance director and then IA staff would
potentially have to report problems with financial internal control to the director
who has prime responsibility for internal control. It is easy to see how the
finance director might like problems to be minimised or ‘hushed up’. It is
therefore strongly recommended that IA reports to the audit committee, chief
executive officer and board of directors rather than to the finance
director.

CIMA guidance for internal auditors is:

● The aims of internal audit should be agreed by the board.
● It should cover all controls, not just accounting.
● There should be full access to people and documents.
● There should be clear access to the CEO, chairman and the audit committee.
● Internal audit should report to a senior director or the audit committee.
● Internal audit should be independent of executive management so as to maintain its independence.
● Best practice for auditing methodologies and the latest auditing standards should be used.
● Internal audit should be consulted on all major business changes so that suitable controls can be implemented promptly.
● The internal auditors should have no operational involvement elsewhere in the organisation.
● There must be clear communication of findings.
● The performance of internal audit should be regularly assessed.

Factors affecting the need for internal audit:

● scale;
● diversity;
● complexity of the organization;
● number of employees;
● cost/benefit considerations;
● change in organization/key risks;
● problems with the internal control system;
● increase in unexplained or unacceptable events.

NOTE - Risk management vs Internal audit

Internal auditors can’t effectively fulfil both roles of referee and player. In their professional capacity, they can provide a consulting service on risk management, but can’t be the ones responsible for risk management. They can review the process of governance, but can’t get involved in governing or do the accounting.

Structure and independence of internal audit

● Independent of executive management (but have direct access to the highest level of management if required) - free from operational responsibility.
● Report directly to a senior director - have direct access to the chairman of the board of directors, and to the audit committee - should be accountable to the audit committee.
● Appointment and termination (of the internal audit head) approved by the audit committee.

Standards of Internal Audit Work

Outsourcing internal audit:

Directors may consider that outsourcing the internal audit function represents better value than an in-house provision.

Measures to minimise the risks associated with outsourcing the internal audit function include:

● Controls over acceptance of internal audit contracts, to ensure no impact on independence or ethical issues.
● Regular reviews of the quality of audit work performed.
● Separate departments covering internal and external audit.
● Clearly agreed scope, responsibilities and reporting lines.
● Performance measures, management information and risk reporting.
● Procedure manuals for internal audit.

Ethical threats to independence - examples

● Pressure from higher authorities - affects accounting integrity.
● Misleading information on experience and expertise given by the auditor (to retain his/her position).
● Divided loyalty between the auditor’s superior and professional standards of conduct.

Effectiveness and efficiency of internal audit

Efficiency: compare actual costs and output against a target (the cost per internal audit day, the cost per audit report, the number of audit reports produced).

Effectiveness: extent of assurance to management, the audit committee and the board.

Considerations in preparing an internal audit report: executive summary, scope of the assignment, observations and recommendations (graded by importance), statement of responsibility.

NOTE: The internal audit report is often seen as a trigger for risk management.

Internal and External Audit

Relation of internal audit to external audit - the external audit plan is drawn up considering the extent of findings of the internal audit work.

NOTE - The duties of both sets of auditors will differ and hence the work of internal audit may be of very little relevance to the external auditor. However, in some instances, the external auditors do rely on the internal auditors’ work if areas of the external auditors’ audit programme have been covered.

Management letter - includes a list of issues that the auditor came across during the course of his audit work (issues concerning the auditor; recommendations to implement or improve the controls).

Fraud investigation - not the auditor’s primary objective, but they are duty bound to report a fraud if during the course of their work they identify fraudulent activities.

Internal audit – types of assignment

● Transactions audit: tracing transactions through the system, often from start to finish, to see if they are treated correctly.
● Systems audit: an information technology or information systems audit is an examination of the management controls within an information technology (IT) infrastructure.
● Risk-based audits: an internal audit which is primarily focused on the inherent risk involved in the activities or system and provides assurance that risk is being managed by the organisation to the defined risk appetite level.
● Accounting systems audit: ensuring, for example, that the proper accounting controls are being applied consistently.
● Operational audits: a systematic review of the effectiveness, efficiency and economy of operations. For example, examining how customer complaints are dealt with.
● Value for money and best value: usually associated with public or non-profit organisations. Its purpose is to assess the effectiveness and efficiency of its use of public funds.
● Management audits: analysis and assessment of the competencies, abilities and capabilities of a company's management in order to evaluate their effectiveness, especially regarding the strategic objectives and the implementation of the policies of the business.
● Social and environmental audits: a social and environmental audit looks at factors such as a company's record of charitable giving, volunteer activity, energy use, recycling of waste, diversity in recruitment, non-discrimination in appointments, the standard of the work environment and workers’ remuneration, to evaluate the social and environmental impact the company is having.
● Special assignments such as investigating a case of fraud.
● Assisting the external auditors.

Value for money audit (VFM or best value audit)

It is an investigation into whether proper arrangements have been made for securing economy, efficiency and effectiveness in the use of resources.
Note: Economy does not mean achieving the lowest cost possible but keeping costs within acceptable limits for obtaining resources of the desired quality.

Problems with VFM Audit:

● Difficult to measure outputs.
● Objectives of the activity might be difficult to establish.
● The focus must be EITHER on economy and efficiency OR on effectiveness (costs can almost always be reduced by cutting back on the quality of service, while outputs can almost always be improved by spending more. Quality might be ignored when economy and efficiency are measured).

Social Audit

● Looks at the company's contribution to society and the community.
● Confirms statements made by the directors, or makes recommendations for social policies that the company should perform.

Environmental audit -
A management tool comprising a systematic, documented, periodic and objective evaluation of how well organisations, management, and equipment are performing, with the aim of contributing to safeguarding the environment by facilitating management control of environmental practices, and assessing compliance with company policies, which would include meeting regulatory requirements and standards applicable. (Report to be assessed by a qualified environmental assessor.)

Management audit (operational audit) -

An objective and independent appraisal of the effectiveness of managers and the corporate structure in the achievement of the entity's objectives and policies.

The findings of a management audit might focus not so much on compliance with policies and procedures, but on management practices (absence of clear leadership, failure to achieve targets/standards, poor communications/management etc).

System based audit -

Identifies weaknesses in the system (often the accounting system).

Steps: identify the objectives of each system; the procedures; why the system might not meet its objectives; ways to manage the above; whether current controls are adequate; report.

Audit Process

Audit planning:

● Objectives - for example, to check whether the internal controls within a particular operation are adequate and are applied properly.
● Conduct of the audit - the investigations and information needed to carry it out.
● Timing and resources required.
● Risk-based approach (assessing key risks in the system).

Benchmarking - comparing one's business processes to best practice from other industries. (Benchmarking may be internal within a single organisation, or – subject to confidentiality restrictions – external between competing entities.)

● Quality of control - perceived quality of the existing controls for the activity.

Note - The activities which should be given priority for audit are those where the inherent risk is high and the quality of control is low.

Materiality - An item in the financial statements is material if its omission or a misstatement of its value would be likely to influence a user of the financial statements. It has a qualitative as well as a quantitative aspect. Eg: the risk of valuing an asset incorrectly by $100,000 would be material in the context of a company with assets of $1 million, but far less material in the context of a company with assets of $100 million.

Systems investigation and documentation - Auditors need to ascertain what the system is and also the controls that operate over the system.
● Ascertaining systems - flowcharts, interviews/questionnaires, systems documentation, observation.
● Ascertaining controls - documents (standard control questionnaires) are structured so as to identify all key internal controls and also enable the auditor to assess the quality of the controls.

Types of Benchmarking

Process benchmarking - benchmark cost and efficiency. This is increasingly applied to back-office processes where outsourcing may be a consideration.

Product benchmarking - upgrade or design new products, or reverse engineering (taking apart competitors’ products to assess their strengths and weaknesses).

- Focus on a single function, e.g. production, to improve the operation of that function. Complex functions (human resources) need to be disaggregated into processes to make valid comparisons.

Competitor benchmarking - studying the leading competitor or the company that best carries out a specific function.

Environmental benchmarking - a tool for comparing the environmental and sustainability performance of different organisations.

Annual audit plan and risk analysis

● Inherent risk (risk in the activity or operation, ignoring system controls). Eg: a cash-based business such as a market stall or a taxi business is inherently risky due to possible theft or misdeclaration of tax payable.

The Audit Risk Model

The audit risk model sets out the current, risk-based, approach to auditing.
Audit risk is the risk that the auditor comes to a wrong conclusion about a figure in the financial statements or the accounting system. For example, the auditor, whether internal or external, concludes that an amount is correct when, in fact, it is wrong.
For that to happen, three problems must have occurred:
Inherent risk: this is the risk that an error is made in the first place, before the application of any controls or checks. Inherent risk is increased by factors such as:
● Inexperienced staff
● Time pressure
● Complex transactions
● Figures requiring a high degree of estimation
● Pressure to perform well, e.g. to make results look good.

Control risk​:

This is the risk that the organisation's system of internal control does not
prevent or detect the error. For example, a junior employee might have
committed an error (inherent risk), but good supervision and checking of that
person’s work should detect and correct the error.
If both of these occur, then a wrong figure is in the financial statements or in the
accounting records.

Detection risk:
This is the last line of defence and refers to the work the auditor does. If the auditor performs a lot of work, detection risk will be low, as there is a good chance that the audit work detects the problem. If the auditor does relatively little work, then the chance of picking up an error will be low.

Auditors can’t alter inherent risk or control risk in the short term (though they
should certainly be able to influence control risk in the long term). Therefore, to
keep the audit risk low (and this is essential), if the auditor perceives high
inherent and control risk, a large amount of audit work will have to be
performed. If, however, the auditor perceives inherent and control risk to be
low, the auditor will perform much less audit work yet still achieve a reasonable
degree of assurance about the figures in the accounting system.

Detection risk depends on​:
‣ Sampling risk – if a sample is too small then errors might not be found. This
risk is decreased by increasing sample sizes.
‣ Non-sampling risk – typically because the auditors are too inexperienced, badly
supervised and their work poorly reviewed. Samples could be 100% but if the
auditor didn’t know what he or she was looking for, the risk will be very high.

Audit planning

The first step in any audit is to plan:

What are the main risks?
How will they be addressed?
How many auditors do we need and with what experience?
How long will it take?
How many locations do we need to visit?

Risk can be assessed by:

Knowledge of the business. For example, a jewellery business will have high
risk in inventory (small, high-valued items).

Talking to staff. For example, they might tell the auditor of accounting
problems or that the new IT system was giving problems.

Analytical procedures or analytical review. Compare this period’s results with
last period’s results and with budgets. Analytical reviews are quick to carry out
and can be used to highlight areas where something might have gone wrong
and therefore where risk is high.
For example, if receivables collection periods have increased from 34 days to 56
days the auditors need to know why. Is it a deliberate change to the credit
terms? Are there more export customers where the transportation of the goods
can take time so that payment is delayed? Has the credit control department
become sloppy? Is it an error? Is there a large unrecoverable amount that should
perhaps be written off? Another example would be if the gross profit percentage
had risen from 30% to 40%. How can that happen in a competitive
market? Perhaps the company had a technical breakthrough so that it could
make and sell a uniquely good product? However, it might be more likely that an
accounting error or change in accounting policy is the cause. Remember,
supermarkets get quite excited if their like-for-like sales rise by just a few
percentage points over a year, so a GP% jump from 30% to 40% is
remarkable.

Collecting audit evidence

Auditors collect evidence in the following ways (AEIOU):

Analytical procedures – ratios and comparisons as explained above.

Enquiry and confirmation: for example, ask employees how they carry out
certain operations, or write to customers and ask how much they think they owe.

Inspection: for example, inspect orders to ensure they have been properly
authorised.

Observation: for example, watch operations in the receiving bay to ensure that
personnel count and inspect the goods delivered.

Recalculation and reperformance: for example, redo a bank reconciliation to
ensure that it was carried out correctly.

Computer assisted audit techniques

Even very small businesses will usually maintain their accounting records on a
computer. There are many advantages to this, not least that trial balances will
usually balance and control accounts will reconcile to the underlying detailed
records. However, the relative absence of hand-written documents and records
can make auditing more difficult. For example, it can be difficult to test
whether a computer is carrying out a procedure correctly and it can be more
difficult to ‘see’ and examine the information and records than in a manual
system.
Computer Assisted Audit Techniques (CAATs) have been developed to assist the
auditor when the client maintains computerised records.

Types of CAAT – audit software

Audit software (or audit programs) is software developed and used by auditors.
Audit software allows clients’ accounting data files to be read and examined.

The processes carried out by the auditor’s software commonly include:

● Adding up the records. For example, inventory values and receivables
balances. The totals are the amounts that should appear in the statement
of financial position.
● Performing calculations for analytical reviews.
● Identifying and printing details of unusual items for further investigation,
such as credit balances on a receivables ledger or negative inventory
balances.
● Picking samples. For example, audit software can be programmed to
create a stratified sample or a pure random sample.
● Picking all items with particular characteristics, such as all sales orders
approved by a certain employee.

Once it is set up, audit software can quickly, efficiently and economically
examine every item on a data file. This would often be difficult or impossible if
attempted manually. It can greatly speed up audit completion and reduce costs.
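The checks listed above, and the analytical review ratios described earlier, as an added example that is not part of the original notes: a small Python script that performs the kinds of tests audit software runs over a client's data files (adding up records, flagging unusual items, selecting all items with a given characteristic, computing the receivables collection period and picking a stratified sample). The ledger, inventory and order records are constructed sample data, and every function and field name is this example's own choice.

```python
"""Added example (not from the CIMA notes): the kind of checks audit software
runs over a client's data files. All records below are constructed sample
data; function and field names are this example's own choices."""
import random
from collections import defaultdict

# Constructed receivables ledger: (customer, balance). A credit balance on a
# receivables ledger (negative amount) is an unusual item worth investigating.
RECEIVABLES = [
    ("Alpha Ltd", 12_500.00),
    ("Beta plc", -340.00),      # credit balance: overpayment or misposting?
    ("Gamma & Co", 48_900.00),
    ("Delta Inc", 2_150.00),
    ("Epsilon SA", 105_000.00),
]

# Constructed inventory file: (item code, quantity, unit cost).
INVENTORY = [
    ("INV-001", 120, 4.50),
    ("INV-002", -15, 9.99),     # negative quantity cannot physically exist
    ("INV-003", 40, 310.00),
]

# Constructed sales orders: (order id, approving employee).
SALES_ORDERS = [("SO-1", "jsmith"), ("SO-2", "akhan"), ("SO-3", "jsmith")]


def total(records, value=lambda r: r[1]):
    """'Adding up the records': the figure that should appear in the
    statement of financial position."""
    return round(sum(value(r) for r in records), 2)


def inventory_value(records):
    """Quantity times unit cost, summed over the inventory file."""
    return total(records, value=lambda r: r[1] * r[2])


def unusual_receivables(records):
    """Credit balances on the receivables ledger."""
    return [name for name, bal in records if bal < 0]


def negative_inventory(records):
    """Inventory lines with a negative quantity."""
    return [code for code, qty, _ in records if qty < 0]


def orders_approved_by(records, employee):
    """'All items with a particular characteristic': orders approved by one person."""
    return [oid for oid, approver in records if approver == employee]


def receivable_days(receivables_total, credit_sales, days_in_period=365):
    """Analytical review ratio: average collection period in days."""
    return round(receivables_total / credit_sales * days_in_period, 1)


def stratified_sample(records, bands, per_band, seed=0):
    """Pick a fixed number of items from each value band (stratification)
    so that the few large balances are not swamped by many small ones.
    `bands` are upper limits; anything above the last band forms its own stratum."""
    rng = random.Random(seed)          # fixed seed keeps the selection reproducible
    strata = defaultdict(list)
    for rec in records:
        band = next((b for b in bands if rec[1] < b), float("inf"))
        strata[band].append(rec)
    sample = []
    for band in sorted(strata):
        items = strata[band]
        sample.extend(rng.sample(items, min(per_band, len(items))))
    return sample


if __name__ == "__main__":
    print("Receivables total:", total(RECEIVABLES))
    print("Inventory value:", inventory_value(INVENTORY))
    print("Credit balances:", unusual_receivables(RECEIVABLES))
    print("Negative inventory:", negative_inventory(INVENTORY))
    print("Orders approved by jsmith:", orders_approved_by(SALES_ORDERS, "jsmith"))
    print("Receivable days:", receivable_days(total(RECEIVABLES), 1_500_000))
    print("Stratified sample:", stratified_sample(RECEIVABLES, [5_000, 50_000], 1))
```

Because every test is a function over the whole file, the same script runs unchanged whether the ledger has five rows or five million, which is the efficiency point the notes make about examining every item on a data file.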

Problems with CAATs

● Technical/set-up problems. Initially, additional time and technical
expertise will be needed to set up audit software and test data properly.
The time and expense of this should be repaid in subsequent years.

● Clients or departments can be reluctant to let auditors interfere with their
computer records. This is more of a problem with test data, where
deliberately false transactions are processed to test the system. The
normal way round this is for the auditor to use a copy of the system and
to process their test data against that. This technique is known as ‘dead’
test data. There is a risk, of course, that the live programs differ from the
copies being used by the auditor.

The internal audit report

At the end of the audit process, internal auditors will issue a report that will
detail:
● Deficiencies in the internal control system’s design
● Incidents where the internal control system was not complied with
● Errors discovered

Fraud

Fraud is an intentional act involving deception to gain unjust or illegal advantage.

There are two types:

● Fraudulent financial reporting. For example, overstating profits to
generate high directors’ bonuses, boost the share price or to achieve a
good sale price for the company.
● Misappropriation of assets. For example, theft of cash or inventory.

Managers and those charged with governance are responsible for the
prevention or detection of fraud. Auditors should always be aware of an
organisation’s susceptibility to fraud.

Fraud can be difficult to detect because:

● It is often carried out by repeatedly misappropriating small amounts that
escape individual scrutiny.
● Fraudsters take steps to conceal their actions, for example, forging
documents. These can be very difficult to identify.

The pre-conditions for fraud:

Three conditions or risk factors are necessary for fraud to be committed:

● Incentive
● Opportunity
● Attitude/dishonesty

An anti-fraud strategy

An anti-fraud strategy has three elements:

● prevention
● detection
● response

CIMA shows that these interrelate as follows:

(Fraud risk management: a guide to good practice, CIMA)

Deterrence is the result of prevention (too difficult to get to the inventory to
steal it), detection (you will be subject to random searches as you leave the
factory) and response (you will definitely be prosecuted).

Surrounding these specific anti-fraud strategies there are:

Legislation: for example, what types of actions (such as insider trading) are
illegal?

Risk management: an awareness by the organisation’s senior managers and
directors of where the main dangers of fraud lie, and then suitable controls being
put in place.

Corporate governance: for example, non-executive directors providing
independent advice about behaviour, and the audit committee being available to
support internal audit and whistleblowers.

Ethical culture: for example, making it clear that ‘shady’ practices are wrong
and will not be tolerated by the company. Training in ethical behaviour will be
important.

Chapter 8 - Cyber Risks
Overview

Organizations deal with a wide variety of sensitive information on a daily basis. It
is important to understand what constitutes sensitive information, how it is
used, what an organization’s objectives regarding cyber security might be and
how different organizations may interact with technology.

Types of Sensitive Information:

a. Personal Information: Name, Address, DOB, Credit Card, Bank Account
Information.
b. Business Information: Research data, Marketing Data, New Products.
c. Classified Information: Restricted information from the government.

Physical arrangements for IT systems

Networks

Only the very smallest of businesses will have stand-alone computers, i.e.
computers not connected to other computers. Even in small businesses
employees need to share data, and very soon after personal computers were
invented, networks of computers were introduced.

There are two main types:

Local area network (LAN): Here the network extends over only a relatively
small area, such as an office, a university campus or a hospital. The small area
means that these networks use specially installed wiring to connect the
machines.

Wide area networks (WAN): Here the network can extend between several
cities and countries. Each office would have its LAN, but that connects to LANs in
other offices and countries using commercial, public communications systems.
At one time this would have been done by the organisation leasing telephone
lines for their private use to transmit data from office to office. However, this is
expensive and inflexible and the common system now used is known as a virtual
private network (VPN).

Network layers

Most client-server networks comprise three tiers:

The presentation tier: this is what you see on your computer screen:
information, boxes in which to input data, buttons to click on, drop-down menus
to choose from. This will be on the client machine.

Application tier: this tier, sometimes known as the logic or business logic tier, is
where processing takes place. It can be on the client machine or in the cloud.

Data tier: where the data is stored, typically a database. It will normally be on
the server machine or in the cloud.

So, if you are posting a supplier’s invoice, you will enter the account number into
the presentation tier, the application will access the data tier, fetch the customer
name and this will be shown to you in the presentation tier. You will enter the
amount and nominal code in the presentation tier, the application tier might
split out VAT automatically, then post the amounts to the appropriate files in the
data tier.

Security problems can happen at any tier. For example:

● A presentation tier might be hijacked so that it looks like, for example,
your bank’s web-page, but it is actually a page mocked up to look official
(phishing).
● The application tier might be changed to calculate invoices incorrectly.
● The data tier might be accessed so that confidential data is stolen or
records altered.

Technology and Organizations

a. ERP systems are used by organizations: Data Centers.
b. VPNs are used to connect to private servers.
c. Web services, Cloud etc.
d. Delivery of service through online channels.

Changes that affect cyber security risk management:

a) Expansion – for example adding an additional manufacturing operation.
This will require an additional connection to the local area network, which
in turn leads to an additional area for protection.
b) Acquisition – an acquisition or merger is a very challenging time for an
organisation, but part of that challenge often links to integrating different
software packages, leading to risks such as data loss during the
changeover process and potential breaches through additional access
points.
c) Restructure – if an organisation were to undertake an internal restructure,
that would impact cyber security. Reporting lines would change, and IT
users would require their access to be updated to match their new roles.
d) Hardware update – rolling out any kind of update poses a risk as it means
people will need to change the way they do things. Also, old hardware
must be disposed of securely, as data stored on the hard drive could be
accessed if it wasn’t correctly wiped and fell into the wrong hands.
e) Regulations – any changes in legal requirements or regulatory
frameworks can have an effect on cyber security risk management. For
example, the introduction of GDPR in the EU has put pressure on
organisations that operate in the EU, but has also led other government
organisations to consider improvements to their data privacy laws and so
could have implications for other companies.

Cyber Security Objectives

a. Availability: One of the reasons that the use of websites and applications
is so attractive to organisations and individuals is the flexibility of
continuous access to, and use of, information and systems.
Organisations can make sales 24 hours a day, and customers are not
limited to bricks and mortar store opening hours.

b. Confidentiality: organisations create and obtain a huge amount of
information, from proprietary information to personal information, and
it must be protected from unauthorised access and disclosure, including
complying with privacy requirements.
c. Integrity of data: organisations must make sure they take steps to
prevent unauthorised modification of or destruction of information.
d. Integrity of processing: Guarding against the improper use, modification,
or destruction of systems.

Changeover

Types:

a. Direct: This is where the old system is switched off and then the new
system is switched on. This is appropriate when the two systems are very
different, or it is too expensive to run two systems.
b. Parallel: The old and new systems are run together for a period of time,
until it is considered safe to switch the old system off. This method will be
costly (inputting data twice and possibly employing more staff to do this),
however, it will be less risky than direct changeover.
c. Pilot: This is where one part of the business changes over first. Once the
system operates correctly there, the rest of the business will change over.
The pilot department or division could be using direct or parallel
changeover.
d. Phased: This involves bringing in the new system one part of the business
at a time, say, by department or division. It differs from pilot changeover
in that all departments or divisions are staggered with respect to receiving
the new system. The downside is that this method is time-consuming.

Malware:

Malware is the term used for malicious software, regardless of the intended
purpose. It can do any number of things, ranging from the stealing of
credentials, other information or money to the general wreaking of havoc, or
denial of service.

Types:

a. Ransomware: Designed to prevent a business from accessing its data,
information or a whole computer system until a specified amount of
money is paid.
b. Botnets: Networks of private computers that are infected with malware
and controlled by a “botnet agent” designed to follow the attacker’s
instructions without the knowledge of the owner of the computer.
c. Trojans: This type of malware does a very similar thing: it pretends to be a
useful piece of software whilst secretly releasing malware into the system,
usually with the capability to be controlled by the attacker from a different
location.
d. Malvertising: Online advertisements have malware written into their code.
It can involve hiding the malicious code in legitimate online advertising
networks and web pages.
e. Spyware: Designed to spy on the victim’s systems without being detected
and gather information to send to the hacker.

Application Attacks:

As with malware, ‘application attacks’ is the broad term for a variety of different
ways of attacking a victim, this time by attacking an application (app).

This approach is increasingly common as the number of applications in use grows.
The intention remains the same: to steal personal data.

Types:

1. DOS or Denial of Service: A cyber-attack in which the perpetrator seeks to
make a machine or network resource unavailable to its intended users by
temporarily or indefinitely disrupting services of a host connected to the
Internet.
2. SQL injection has become a common issue with database-driven websites.
It occurs when the attacker uses an unprotected input box on the
company’s website to execute a SQL query to the database via the input
data from the client to server. A successful SQL injection can read
sensitive data from the company’s database, modify (insert, update or
delete) database data, execute administration operations (such as
shutdown) on the database, recover the content of a given file, and, in
some cases, issue commands to the operating system.
3. Cross-site scripting attacks (XSS attacks) occur when a victim is attacked
when they visit another organisation’s website. The attacker uses the
third-party web resources to run scripts in the victim’s web browser or
scriptable application. Specifically, the attacker injects malicious code
(often associated with JavaScript) into a website’s database. When the
victim requests a page from the website, the website transmits the page,
with the attacker’s code as part of the HTML body, to the victim’s browser,
which executes the malicious script. For example, it might send the
victim’s cookie to the attacker’s server, and the attacker can extract it and
use it for session hijacking.
4. Buffer overflow attack – A buffer overflow occurs when a system cannot
store as much information as it has been sent and consequently starts to
overwrite existing content. A buffer overflow attack occurs when an
attacker sends a malicious programme which deliberately overloads the
system and starts to overwrite existing data.
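To make the SQL injection and cross-site scripting items above concrete, here is an added Python example (not from the notes, and not code from any product they mention) that runs the same customer lookup against an in-memory SQLite table twice: once by pasting user input into the SQL text, which is what an "unprotected input box" amounts to, and once as a parameterised query. It also shows the usual XSS defence of escaping stored text before it is written into an HTML page. The table, rows, inputs and function names are constructed for this illustration.

```python
"""Added example (not from the CIMA notes): an unprotected query beside its
parameterised form, and HTML escaping of stored text. The table, rows and
function names are constructed for this illustration."""
import html
import sqlite3


def make_db():
    """In-memory customer table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "1234"), (2, "bob", "9876"), (3, "carol", "5555")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The 'unprotected input box': user text is pasted into the SQL string,
    so a quote character in the input can change the query's logic."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the driver sends the value separately from the
    SQL text, so whatever the user typed is only ever compared as data."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_comment(author, text):
    """Stored text is escaped before being written into the page body, so
    markup submitted by an attacker is displayed as text, not executed."""
    return "<p><b>%s</b>: %s</p>" % (html.escape(author), html.escape(text))


if __name__ == "__main__":
    db = make_db()
    # Constructed probe: a quote closes the string and a tautology follows it.
    probe = "x' OR '1'='1"
    print(lookup_vulnerable(db, probe))   # every row, card digits included
    print(lookup_safe(db, probe))         # []: no customer has that name
    print(render_comment("mallory", "<script>alert(1)</script>"))
```

The parameterised version is also the correct one for ordinary data: a customer called O'Brien breaks the concatenated query with a syntax error, whereas the placeholder form handles the apostrophe without any special treatment.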

Hackers

Hacking is the gaining of unauthorised access to a computer system. It might be
a deliberate attempt to gain access to an organisation’s systems and files to
obtain information or to alter data (perhaps fraudulently). Once hackers have
gained access to the system, there are several damaging options available to
them.

For example, they may:

a. gain access to the file that holds all the user ID codes, passwords and
authorisations
b. discover the method used for generating/authorising passwords
c. interfere with the access control system, to provide the hacker with open
access to the system
d. obtain information which is of potential use to a competitor organisation
e. obtain, enter or alter data for a fraudulent purpose

f. cause data corruption by the introduction of unauthorised computer
programs and processing on to the system (computer viruses)
g. alter or delete files

Social engineering

Social engineering is the manipulation of people to make them perform specific
actions or reveal confidential information. The principle relies heavily on the
ability to influence people to do something that they wouldn’t normally do, or in
a lot of cases should not be doing. Six principles are used to persuade or influence
someone.

These are:

1. Reciprocity – this is the idea that people often feel obliged to do
something in return for a favour or a gift they have received.
2. Scarcity – something that is in short supply is perceived to be more
valuable.
3. Authority – if someone is deemed to be an expert, they carry more power.
4. Consistency – it is human nature to like rhythms or routines – people like
to behave as expected, and like people who behave as expected.
5. Liking – people sharing some common traits are more inclined to like each
other. People are more likely to do something for someone they like.
6. Consensus – people like to follow the behavioural norms of others.

In the context of cyber security, social engineering relies on these principles to
carry out techniques known as phishing or spear phishing to gain access
to a system or network.

Social Media

Social media is a catch-all term for a range of sites that may provide radically
different social interactions.

Uses:

I. Advertising (Consumer reach)
II. Brand development (Online presence is big in any industry)
III. Big Data (Analysis of data collected)
IV. Method of listening (Customer feedback on Twitter)
V. Real-time information (Live Twitter/Instagram polls)
VI. Communication (Zoom/Skype)
VII. Recruitment and selection (LinkedIn)

Risk Of Social Media:

1. Human Error (Sensitive Information Leak)
2. Productivity (Employees at Work)
3. Data Protection (Proper steps in place)
4. Hacking (Firewall)
5. Reputational Risk (Due to human error)
6. Inactivity (Continuous updating of information is very important)

GDPR

General Data Protection Regulation (GDPR)

The GDPR is a regulation in EU law and in the UK replaced the Data Protection
Act (DPA), on 25th May 2018. The GDPR has two main objectives.

Protection of fundamental rights and freedoms of individual persons with
regard to processing personal data.

Protection of the principle of free movement of personal data within the EU.

The UK Government has published its new Data Protection Bill that repeals the
DPA and enshrines the GDPR into UK law post-Brexit.

It is overseen and enforced in the UK by the Information Commissioner’s Office
(ICO).

The aim is to keep personal data secure at all times. This means:

● Passwords should protect files and digital devices
● Sensitive documents should be locked away whenever they are not
in use (and printouts should be picked up promptly)
● Personal data must be sent/transmitted securely
● When it is no longer needed, personal data must be securely
disposed of (e.g. shredded or securely deleted)

Chapter 9 - Cyber security processes
Cyber security organisational characteristics

To achieve the security objectives and mitigate the types of risk discussed in the
previous chapter, the AICPA cyber security framework recommends a security
mechanism based around three principles:

● Protection
● Detection
● Response

These three principles will be applied in different ways across the different levels
within the system. Key to their success are factors core to risk management in
general: corporate governance, tone from the top and communication of
appropriate information for decision making.

Cyber security risk governance

There are various ways for a company to address these governance
considerations; they include, but are not limited to:

● A company handbook detailing policies and procedures relating to IT
(acceptable use, confidentiality, information security).
● Regular board meetings, potentially quarterly but more or less often as
appropriate, where cyber security risk management is discussed.
● In the same way that the corporate governance guidelines require recent
relevant financial experience on an audit committee, if a director has
recent relevant IT experience, it would help with board oversight, although
using external IT consultants could also help with this.
● Each organisation has different needs, but consideration should be given
to the appointment of a chief information officer (CIO) with overall IT
responsibility to the board, a risk committee, a chief risk officer (CRO) with
overall responsibility for risk, a chief technology officer (CTO) to look after
technology and resources to support internal operations reporting into
the CIO, and a chief information security officer (CISO) to head up the
cyber security program and also report into the CIO.
● As well as appropriate reporting lines and accountability for cyber
security, a company needs to make sure it has competent personnel in
cyber security roles throughout the organisation. Hiring appropriately
qualified staff is a first step, but making sure they are given time and
training to stay up to date in this dynamic area is critical.

Risks in IT systems

IT poses particular risks to organisations’ internal control and information
systems. Organisations must try to safeguard their data and IT systems;
otherwise problems can lead to their operations being severely disrupted and
subsequently to lost sales, increased costs, incorrect decisions and reputational
damage. Some security breaches might leave an organisation open to
prosecution.

Risks include:

● Reliance on systems or programs that are inaccurately processing data, or
processing inaccurate data, so that they report inaccurate, misleading
results. For example, in 2018 a UK bank, TSB, transferred its customers’
accounts to another computer system run by Sabadell, TSB’s Spanish
owner. Many customers then had great difficulty accessing their accounts
over the Internet or via ATMs. In 2012 RBS, another British bank,
carried out a routine update of its software, but the update had been
corrupted. Again, customers could not carry out transactions for up to a
week.
● Unauthorised access to data leading to destruction of data, improper
changes to data, or inaccurate recording of transactions. In 2018, British
Airways and Amazon both suffered data hacks which meant that
customers’ details were stolen.
● Particular risks may arise where multiple users access a common
database on which everyone in the organisation relies. The data could be
incorrectly amended and all users will be affected.
● Web application attacks. When you visit a website, you might simply
access a static web-page which, for example, shows the name and
address of the company which owns the web-site. Alternatively, the
web-site might load JavaScript (a programming language) into your
browser and this is capable of carrying out processing. What you then
have is a web application. For example, when you enter your credit card
details into a site like Amazon, the validity of your card is checked locally
because your card number has to comply with certain construction rules.
Validity checking is carried out on your machine within your browser
running a web application. Web application attacks might therefore try to
interfere with the functionality of the web app you are running. For
example, whilst checking the validity of your credit card, the altered
application might now send details to the hacker.

Managing security risk

This is high level and includes considering the organisation’s attitude to risk,
identifying and assessing risks, identifying essential services that must be
maintained and understanding interdependencies arising from suppliers of
hardware and software, and any interactions with subcontractors.

Digital resources are now so important and significant to many businesses that
the risks that potentially arise from poor cyber security are enormous so
organisations should have formal procedures in place to regularly:
● Identify potential cyber security risks. For example, regularly review access
control, stay aware of new threats, employ consultants to try to ‘break
into’ the system. Analyse past problems as these will remain problems
unless changes are made.
● Protect against those risks. For example, strict rules for changing
passwords, anti-virus software, firewalls and staff training.
● Detect when breaches have occurred. For example, review consumer
reports, analyse data flows, analyse processing patterns, continually
monitor network statistics.
● Respond to breaches in cyber security. For example, assess the effect of
any breach, start using back-up systems, reassure stakeholders, pay
compensation to those affected, take measures to block any reoccurrence
of the breach.
● System security needs to be assessed regularly and proactively and not
just as a reaction to a breach.

Therefore, management should appoint a specialist committee or team whose
brief is to manage cyber risks. Identified risks should be recorded in a risk register
where decisions and actions will also be recorded.
It is common for organisations to also issue customers with a privacy policy
statement explaining what data is held and how it is used. Some also issue a
website security document. The British Airways web-page can be seen here:

www.britishairways.com/en-gb/information/legal/website-security

This gives advice to customers about how to take care when on-line and also
sets out the measures taken by the company. Obviously, not every detail of BA’s
precautions will be made public.

Protecting against cyber attack

● A set of comprehensive policies and processes must be developed that
will protect the organisation’s network and data so that essential services
can be delivered.
● Identity checks and access control must be implemented so that users
who have access to data are properly verified, authenticated and
authorised. Think of verification as checking that a person is who they say
they are (essential for issuing access credentials) and authentication is a
verified person having to prove who they are each time they log-on.
● Data security. Data being stored or transmitted must be protected against
unauthorised access, modification or deletion. For example, the use of
passwords, encryption and back-ups will help to ensure data security.
● System security. Opportunities to attack systems (vulnerabilities) arise
from:
‣ flaws in the design of systems
‣ features
‣ user error.
For example, there should be procedures in place to ensure that software
patches to counter flaws in software design are promptly implemented.
Features should be kept under review and removed if not required. Users
must be trained to avoid serious user error, such as leaving laptops
unattended in cars.
● Resilient networks. For example, are networks well-designed with,
perhaps, built-in spare capacity? Is a parallel system running at a
remote location so that it can be switched to if the main system
breaks down? Is the bandwidth of the network high enough to
comfortably deal with peak demand?
● Staff awareness and training. Staff behaviour should be in line with
the organisation’s data protection policies and procedures and
training is needed to ensure that this happens. It is also important
to foster a security culture in which staff take an active role in
maintaining and improving security.

Detecting cyber security events

An effective monitoring system must be in place so that security breaches
and attempted security breaches are discovered. Once discovered there
should be appropriate processes in place to make appropriate responses.

For example, organisations can monitor the web addresses that
employees are accessing. Email traffic can be monitored for phishing attacks (where
a malicious site poses as a legitimate one). Threat intelligence can be used
to identify connections to IP addresses of sites known to be dangerous.

In addition to monitoring known indicators of cyber threats, organisations
should also develop the capability of identifying unknown or unexpected
threats. For example, unusual patterns of data flows around the network,
user activity outside normal hours, or the retrieval of a large volume of
design documents.
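The three kinds of detection just described (matching known indicators from threat intelligence, and spotting the unexpected: activity outside normal hours and an unusual volume of design documents being retrieved), as an added Python example that is not part of the original notes. It runs over a handful of constructed log lines; the log format, the working-hours window, the download threshold and the addresses (taken from documentation ranges, so they are not real indicators) are all assumptions made for this illustration.

```python
"""Added example (not from the CIMA notes): three simple detections run over
constructed log lines. Format, thresholds and addresses are assumptions."""
from collections import Counter
from datetime import datetime

# Constructed threat-intelligence feed of addresses "known to be dangerous"
# (documentation-range addresses, not real indicators).
BAD_IPS = {"203.0.113.7", "198.51.100.42"}

# Constructed log lines: timestamp, user, event, detail.
LOG = """\
2024-03-04T09:12:05 alice login workstation-12
2024-03-04T09:30:41 alice download designs/turbine-v3.pdf
2024-03-04T10:02:17 bob connect 203.0.113.7
2024-03-04T23:48:09 carol login vpn-gateway
2024-03-05T02:14:33 carol download designs/turbine-v3.pdf
2024-03-05T02:15:01 carol download designs/blade-profile.dxf
2024-03-05T02:15:40 carol download designs/assembly.step
2024-03-05T02:16:12 carol download designs/bom.xlsx
2024-03-05T08:55:00 dave connect 192.0.2.10
"""

WORK_HOURS = range(8, 19)      # 08:00 to 18:59 counts as normal (assumed)
DOWNLOAD_LIMIT = 3             # more design files than this per user is unusual (assumed)


def parse(log_text):
    """Split each line into (timestamp, user, event, detail)."""
    events = []
    for line in log_text.splitlines():
        ts, user, event, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, event, detail))
    return events


def known_bad_connections(events, bad_ips=BAD_IPS):
    """Indicator matching: connections to addresses on the threat feed."""
    return [(u, d) for _, u, e, d in events if e == "connect" and d in bad_ips]


def after_hours_logins(events, hours=WORK_HOURS):
    """Unexpected activity: logins outside normal working hours."""
    return [(u, ts.isoformat()) for ts, u, e, _ in events
            if e == "login" and ts.hour not in hours]


def bulk_design_downloads(events, limit=DOWNLOAD_LIMIT):
    """Volume anomaly: users retrieving more design documents than usual."""
    counts = Counter(u for _, u, e, d in events
                     if e == "download" and d.startswith("designs/"))
    return {u: n for u, n in counts.items() if n > limit}


def alerts(log_text):
    """Run all three detections and return the findings by category."""
    events = parse(log_text)
    return {
        "known_bad": known_bad_connections(events),
        "after_hours": after_hours_logins(events),
        "bulk_downloads": bulk_design_downloads(events),
    }


if __name__ == "__main__":
    for category, findings in alerts(LOG).items():
        print(category, findings)
```

Note the difference in what each check needs: the indicator match is only as good as the threat feed it is given, while the other two need a baseline of what "normal" looks like for the organisation, which is why the notes say this capability has to be developed rather than bought.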

ISO27001

ISO27001 sets out international standards on information technology security
techniques. It is a detailed document which lists 114 controls in 14 sections. We
will list the 14 sections with just a few examples of the controls that might be
relevant:

Chapter 10 - Cyber security tools, techniques and reporting

1. Cyber security tools and techniques

The chapter provides insights to companies to learn from any cyber attacks and
the ways to improve cyber security.

2. Forensic analysis

Analysing the attack and its after-effects to learn more about it and to find the
loopholes in the existing systems that the attacker took advantage of, so that
they can be improved.

There are 3 types of forensic analysis:

3. Malware analysis

Analysing the software to identify the source of the malware and its purpose, and
whether it was specifically intended for the organisation, so that the systems can
be improved for the future.

3.1 Reverse engineering

Examining the software to understand how it was designed, how it works and
how the malware penetrated the system, in order to prevent further such activity.

LAYERING: Multiple layers of code wrapped around the malware by its developers
to protect the malware's code and functionality from being examined.

KEY AIM OF REVERSE ENGINEERING: to identify whether the attack was targeted
(of more concern) or not.

3.2 Decompilation and disassembly

Done after decoding all layers of code and accessing the malware itself.

AIM: To discover the motive of the attacker, which will help the company to
understand what data/information is attractive and how it could be vulnerable.

4. Penetration testing

Testing how good a company's cyber security is, often carried out by hiring
white hat hackers who try to penetrate the network/system.

4.1 Network discovery (External Network test)

Identification of all the devices that are on a network and connect to the
internet and other external systems, i.e. the scope of the network.

Internet of things (IoT)

· Controlling and monitoring simple tasks from a remote location through
sensors and software installed in devices and connecting via Wi-Fi or
Bluetooth

IoT for business

· In the business environment, this facilitates greater levels of automation
or central control, often providing an opportunity for efficiency savings

· Not always sufficiently secure, i.e. the devices can be hacked because they
rely on a wireless connection protected only with codes

· A business must decide whether the convenience that the IoT provides is
worth the security risks it poses.

(b) Vulnerability probing:

1. Identify the devices on the network that are most vulnerable to
intrusion.
2. Software can be used to probe the system and identify, quantify and rank
the vulnerabilities in terms of their potential impact.
3. EXAMPLE: If a kettle (one that starts to boil at a click) or a toaster does
not have adequate security features, it could become the access point for a
cyber-attack.

(c) Exploiting vulnerabilities:

Attempting to exploit the potential weaknesses in order to understand:

- if access is possible
- how long it takes
- what access can be gained.

As with most thefts, if the attacker is given long enough, unauthorised
access will be gained; but if the process is too time-consuming, the attacker
is discouraged.

Example: In 2018 a YouTuber urged his followers to increase his subscriber
count because he found a newer YouTuber gaining more popularity than him. His
followers went on to hack wireless printers worldwide so that the owners were
urged to subscribe to that YouTuber's vlog by clicking "FIX YOUR PRINTER". But
after the hack, people improved the security of their vulnerable printers.

(d) Internal network penetration testing:

Identifies any vulnerabilities that exist and are accessible to both approved and
unapproved users. It considers:
-Damage an internal user could do

-Weak or unchanged passwords
-Inappropriate access.
-Also considers if unauthorised access could be possible.

(e) Web application penetration testing:
(Identify any security issues from poor design, coding and publishing)
Issues identified by this type of test are:
-Potential for injection (lack of validating processes)
-Cross-site scripting opportunities
-The ability for a user to gain access to more of the application or site than
they should (called privilege escalation).

(f) Wireless network penetration testing:
(Access points which should not be in an organisation's environment)
Issues identified by this type of test are:
-Open access points or rogue access points
-Badly configured wireless networks
-Accidental duplication of wireless networks
-Insecure wireless encryption

(g) Simulated phishing testing :

Deceptive or malicious emails are sent by the organisation to its own employees
to gauge their response to phishing (a fraudulent way of sending emails to extract
personal information) and similar email attacks.

SOFTWARE SECURITY (security into the software)

Level 1- ​Prevent the attacker from gaining access to the software at all.
Level 2- If a breach occurs, an alert notifies the appropriate parties, stating
that there has been a breach at level 1.

Level 3- Automatic urgent action.
Example: locking down accounts and sensitive .
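As an added example (not from these notes), the Python below shows the three levels applied to a login handler: a wrong password is simply refused (level 1), repeated failures raise an alert to the appropriate parties (level 2), and once failures reach a threshold the account is locked automatically (level 3). The thresholds, the account data and the in-memory alert list are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed thresholds for this illustration: alert after 3 failures, lock after 5.
ALERT_AFTER = 3   # level 2: notify the appropriate parties
LOCK_AFTER = 5    # level 3: automatic urgent action


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash so a stolen credential store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=hash_password(password, salt))


class LoginGuard:
    """Login handler that escalates through the three levels described above."""

    def __init__(self):
        self.accounts = {}
        self.alerts = []   # stand-in for notifying the security team

    def login(self, user: str, password: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"          # same answer as a bad password: reveal nothing
        if acct.locked:
            return "locked"
        # Level 1: keep the attacker out unless the password is correct.
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        # Level 3: automatic urgent action once failures reach the lock threshold.
        if acct.failures >= LOCK_AFTER:
            acct.locked = True
            self.alerts.append(f"LEVEL3 {user}: account locked automatically")
            return "locked"
        # Level 2: alert the appropriate parties that level 1 is being attacked.
        if acct.failures >= ALERT_AFTER:
            self.alerts.append(f"LEVEL2 {user}: {acct.failures} failed logins")
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    guard.accounts["alice"] = create_account("correct horse battery")  # constructed
    for attempt in ["wrong"] * 5 + ["correct horse battery"]:
        print(attempt, "->", guard.login("alice", attempt))
    print(guard.alerts)
```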

1. DESIGN REVIEW- An organisation should go right back to the design stage of
key processes and systems to make sure that security is part of the design.
2. CODE REVIEW- Looks at how code is written, with a focus on how someone
proves they should be allowed access to a system that contains sensitive
information.

Two step verification
(users input two forms of the same type of information, each from a
different source)
Ex: A password that you remember as a first step, then a password that you
are sent via email or SMS as a second step.

Two factor authentication
(user proves they should access the system in two different ways)
Ex: First step could be the password that you must remember, but the
second step requires something different – like a fingerprint or pattern
lock.

3. SECURITY TESTING- assessing the strength of the controls in key areas of
vulnerability; an internal audit-type review to test whether the controls are
actually being carried out and are appropriate.
(NOWADAYS, VERSION CONTROL AND PATCH MANAGEMENT ARE KEY
SOFTWARE CONTROLS)

DIGITAL RESILIENCE

(Doing more than the minimum to protect the company and comply with
regulations, by integrating cyber security into the business operations)
1. Identify all the issues
2. Aim toward a well-defined target
3. Work out how best to deliver the new cyber security system
4. Establish the risk/resource trade-offs
5. Develop a plan that aligns business and technology

6. Ensure sustained business engagement

Cyber security frameworks:

● There is, as yet, no regulatory framework for reporting on cyber security
to stakeholders.
● This is because of the complexity and rapidly changing environment in
which cyber security sits.
● As a result, frameworks have been created that, although they are not
mandatory, give an organisation something credible to show stakeholders
to confirm that it does have robust processes and controls in place.

Example:

In 2017 the AICPA launched a cyber security risk management reporting
framework that would:
“Assist organizations as they communicate relevant and useful
information about the effectiveness of their cyber security risk
management programs.”

Cyber security risk management reporting:

The report has three key components:
● Management’s description - This first section provides a description
of the firm’s cyber security activities, including how the organisation
identifies its most sensitive information, etc.
● Management’s assertion - This section gives management the
opportunity to state whether, in their opinion, the risks were
described in accordance with the criteria and whether
appropriate controls were in place and effective.
● The practitioner’s opinion - The final section is where a
qualified CPA accountant gives their opinion on the description
of the risks.

Criteria:
To assist with the writing and evaluation of the management
description and to improve the comparability of the reports
produced, the AICPA uses two sets of criteria:
● Description criteria
● Control criteria

DESCRIPTION CRITERIA

The description criteria incorporate the attributes of suitable criteria as:

Relevance – to the business operation

Objectivity – free from bias

Measurability – the criteria can be reasonably measured using a consistent
approach.

Completeness – that relevant factors (that could affect the decisions of the
users of the reports) are not omitted.

Nine categories of description criteria:

● Nature of business and operations – explanation of day to day
activities
● Nature of information at risk – consideration of all types of sensitive info.
● Cyber security objectives – availability, confidentiality,
integrity of data and processing, plus the process for
establishing, maintaining and approving the objectives.
● Factors that have a significant effect on inherent cyber
security risk – includes technologies, connection types, service
providers and delivery channels
● Cyber security risk governance structure – consideration of
integrity and ethical values.
● Cyber security risk assessment process – studying changes
in risk and the possibility of new risks
● Cyber security communications and quality of cyber
security information – disclosure about how the cyber security
framework is communicated with stakeholders both internally &
externally.
● Monitoring of the cyber security risk management program
– disclosure of the process used to assess the effectiveness of key
controls
● Cyber security control processes – the key security processes
and policies to address the cyber security risks identified

CONTROL CRITERIA

● Detailed document
● Guidance on types of risks and control
● Examples of controls that can be used
● References to COSO Internal Control Framework
Example:
Consideration: The organisation has a structure, reporting lines and
responsibilities to aid the development, operation and monitoring of systems to
manage security risks.
Risk: The structure does not provide the necessary resources or enable the
appropriate flow of information to manage security risks.
Possible control: The organisation reviews its organisational structure, reporting
lines and responsibilities as part of its ongoing risk assessment and revises these
as appropriate to meet system and security needs.

NIST cybersecurity framework

NIST - National Institute of Standards and Technology - voluntary guidance to
help organisations mitigate cyber security risk.

Three main components:

Implementation Tiers: provide context – help organisations to choose the
appropriate level of rigour for their cybersecurity programmes; used as a
communication tool to discuss risk appetite, mission priority, and budget.

Core: provides a set of desired cybersecurity activities and outcomes using
simple, easy to understand language.
The core is based on five principles:
1. Identify threats to an organisation's systems and data.
2. Protect against threats.
3. Detect when a system has been breached.
4. Respond effectively to system breaches.
5. Recover any compromised data and the systems affected.

Profiles: help the organisation map its own requirements and objectives, risk
appetite, and resources against the desired outcomes included in the core.

AIC Triad
Aimed at helping organisations understand information security and set up
policies to help protect the organisation

Availability
Systems must be online and available, otherwise organisations cannot do
business.
– Keeping up to date with software patches
– Understanding network requirements and busy times
– Disaster recovery planning
– Business continuity planning

Integrity
Making sure that people who modify data are authorised to do so means the
data is more likely to be accurate and trustworthy.
– User access controls
– Checks on data to ensure it is the same before and after transmission
– Version controls, so if data is accidentally deleted a backup can be
restored

Confidentiality
When data is being stored and when it is in use or in transit there need to be
rules in place to limit access to those who are authorised to use it.
– Training on risk factors and protecting against them, including:
– Social engineering approaches
– Password best practices
– Data encryption

Technological advances mean that all frameworks, including the AIC triad, must
evolve. Some developments that pose particular challenges include:
● Big data - a huge volume of data must be protected; ensuring accessibility,
trustworthiness and privacy can be very costly.
● Internet of things - ↑ size, ↑ access points, ↑ threats
● Privacy - Fragments of data can be collated to constitute personally identifiable
information.
● Security - e.g. while computers get regular software patches and invariably
have good security configurations, many of the devices in the IoT that
connect to them don’t have the ability to receive software updates or do
not require passwords.

Big data

There are many definitions of the term ‘big data’ but most suggest something like
the following:

“Extremely large collections of data (data sets) that may be analysed to reveal
patterns, trends, and associations, especially relating to human behaviour and
interactions.”

In addition, many definitions also state that the data sets are so large that
conventional methods of storing and processing the data will not work.

In 2001 Doug Laney, an analyst with Gartner (a large US IT consultancy company),
stated that big data has the following characteristics, known as the 3Vs:

● Volume
● Variety
● Velocity

These characteristics, and sometimes additional ones, have been generally
adopted as essential qualities of big data.

Volume

The volume of big data held by large companies such as Walmart
(supermarkets), Apple and eBay is measured in multiple petabytes. What’s a
petabyte? It’s 10¹⁵ bytes (characters) of information. A typical disc on a personal
computer (PC) holds 10⁹ bytes (a gigabyte), so the big data depositories
of these companies hold at least the data that could typically be held on 1
million PCs, perhaps even 10 to 20 million PCs.

These numbers probably mean little even when converted into equivalent PCs. It
is more instructive to list some of the types of data that large companies will
typically store.

Retailers:

‣ Via loyalty cards being swiped at checkouts: details of all purchases you make,
when, where, how you pay, use of coupons.

‣ Via websites: every product you have ever looked at, every page you have
visited, every product you have ever bought. (To paraphrase a Sting song “Every
click you make I’ll be watching you”.)

‣ Social media (such as Facebook and Twitter)

Friends and contacts, postings made, your location when postings are made,
photographs (that can be scanned for identification), any other data you might
choose to reveal to the universe.

Mobile phone companies

Numbers you ring, texts you send (which can be automatically scanned for
keywords), every location your phone has ever been whilst switched on (to an
accuracy of a few metres), your browsing habits. Voice mails.

Internet providers and browser providers

Every site and every page you visit. Information about all downloads and all
emails (again these are routinely scanned to provide insights into your interests).
Search terms you enter.

Banking systems

Every receipt, payment, credit card payment information (amount, date, retailer,
location), location of ATM machines used.

Variety

Some of the variety of information can be seen from the examples listed above.
In particular, the following types of information are held:

Browsing activities: sites, pages visited, membership of sites, downloads,
searches

Financial transactions

● Interests
● Buying habits
● Reaction to ads on the internet or to advertising emails
● Geographical information
● Information about social and business contacts
● Text
● Numerical information
● Graphical information (such as photographs)
● Oral information (such as voice mails)
● Technical information, such as jet engine vibration and temperature
analysis

This data can be both structured and unstructured:

Structured data:​ this data is stored within defined fields (numerical, text, date
etc) often with defined lengths, within a defined record, in a file of similar
records. Structured data requires a model of the types and format of business
data that will be recorded and how the data will be stored, processed and
accessed. This is called a data model. Designing the model defines and limits the
data that can be collected and stored, and the processing that can be performed
on it.

An example of structured data is found in banking systems, which record the
receipts and payments from your current account: date, amount,
receipt/payment, short explanations such as payee or source of the money.
Structured data is easily accessible by well-established database structured
query languages.

Unstructured data: refers to information that does not have a pre-defined
data model. It comes in all shapes and sizes, and this variety and irregularity
make it difficult to store in a way that will allow it to be analysed, searched or
otherwise used. An often quoted statistic is that 80% of business data is
unstructured, residing in word processor documents, spreadsheets,
PowerPoint files, audio, video, social media interactions and map data.

Velocity

Information must be provided quickly enough to be of use in decision making.
For example, in the above store scenario, there would be little use in obtaining
the price-comparison information and texting customers once they had left the
store. If facial recognition is going to be used by shops and hotels, it has to be
more-or-less instant so that guests can be welcomed by name.

You will understand that volume and variety conspire against the third V,
velocity. Methods have to be found to process huge quantities of non-uniform,
awkward data in real time.

Software for big data

The processing of big data is generally known as big data analytics and includes:

Data mining: analysing data to identify patterns and establish relationships
such as associations (where several events are connected), sequences (where
one event leads to another) and correlations.

Predictive analytics​: a type of data mining which aims to predict future events.

For example, the chance of someone being persuaded to upgrade a flight.

Text analytics:​ scanning text such as emails and word processing documents to
extract useful information. It could simply be looking for key-words that indicate
an interest in a product or place.

Voice analytics​: as above with audio.

Statistical analytics: used to identify trends, correlations and changes in
behaviour.

The analytical findings can lead to:

● Better marketing
● Better customer service and relationship management
● Increased customer loyalty
● Increased competitive strength
● Increased operational efficiency
● The discovery of new sources of revenue.

Data Protection Act implements Directive 95/46/EC

One of the important European laws concerns data protection. The Data
Protection Act in the UK relates to personal data. We are not talking here about
data relating to companies: we are talking about data relating to people.

The act sets out certain principles:

● Data shall be processed fairly and lawfully.
● It can only be obtained for one or more specified and lawful purposes.
● It mustn’t be excessive to what’s required.
● It must be accurate and kept up-to-date.
● It mustn’t be kept for longer than necessary.
● Personal data shall be processed only in accordance with the rights of
data subjects. The data subject is a person about whom the data is held
and that person has certain rights. For example they have a right to see
the data and they have a right to insist that it’s corrected.

The people holding the data have to register with a government body and there
they have to say what data is held, why it is held and to whom it might be
supplied.

Appropriate measures shall be taken against unauthorised and unlawful
processing, and care also has to be taken over the accidental loss of or damage to
personal data.

Finally, personal data must not be transferred to a country or territory outside
the European Economic Area unless there is similar legislation giving similar
protection in that area.
