Learn or revise key terms and concepts for your CIMA P3 Risk Management exam using OpenTuition interactive CIMA P3 Flashcards.
There are over 50 CIMA P3 Risk Management flashcards available
What are the eight principles of the European Data Protection Act, which implements Directive 95/46/EC?
- Data shall be processed lawfully and fairly
- Obtained only for specified and lawful purposes
- Not excessive
- Accurate and up-to-date
- Kept no longer than necessary
- Processed in line with rights of the data subjects
- Guard against loss and unauthorised processing
- Not to be transferred outside the EEA unless similar legislation exists in the destination.
What are the four Vs of big data?
- Velocity
- Volume
- Variety
- Veracity
What are the three essential steps or elements of security in a virtual private network?
(1) Access control and authentication – this ensures that unauthorized users do not access the system. Typically this will be accomplished through a log-in procedure.
(2) Confidentiality – this ensures that data cannot be intercepted and read by a third party whilst being transmitted. This is achieved using encryption.
(3) Data integrity – this ensures that the data has not been altered or distorted whilst in transit. To ensure this, the message could have special check digits added to ensure that the data complies with a mathematical rule.
What are VPNs?
VPN = virtual private network. These allow data to be transmitted securely over the internet between any two locations.
Most client-server networks comprise three tiers or layers. What are these?
- Presentation tier
- Application tier
- Data tier
What are LANs and WANs?
LAN = local area network
WAN = wide area network
What are CIMA’s five fundamental ethical principles?
- Integrity
- Objectivity
- Professional competence and due care
- Confidentiality
- Professional behaviour
What are the elements of an anti-fraud policy which lead to fraud deterrence?
- Prevention
- Detection
- Response
What are the three pre-conditions for fraud?
- Incentive
- Opportunity
- Attitude/dishonesty
What are the two classes of fraud?
- Fraudulent financial reporting
- Misappropriation of assets
What are the four desirable requirements for an internal audit department?
- Staff should be qualified
- Staff should be experienced
- The department should be independent
- Staff and approach should be professional
What are the two techniques available in computer auditing?
- Audit software (examines client data)
- Test data (examines client programs)
What is the AEIOU mnemonic for ways of collecting audit evidence?
- Analytical procedures
- Enquiry and confirmation
- Inspection: for example
- Observation
- RecalcUlation and reperformance.
What should go into each column and row of the table below?
| | Internal audit | External audit |
|---|---|---|
| Reports to | | |
| Appointed by | | |
| Power from | | |
| Employed by | | |
| Coverage | | |
| Responsibility for improving the organisation | | |
| | Internal audit | External audit |
|---|---|---|
| Reports to | Management – must have a clear route to the board, though day-to-day reporting is to the audit committee. | Shareholders |
| Appointed by | Management | Shareholders |
| Power from | Management | Statute – allows external auditors to insist on seeing all documents and to be given full explanations. |
| Employed by | Company (unless outsourced) | External firm |
| Coverage | All categories of risk and investigation | Financial statements: true and fair view |
| Responsibility for improving the organisation | A major function of internal audit | Will report to management on internal control weaknesses |
If the standard deviation of a portfolio’s value from day to day is $5,000, what is the appropriate standard deviation to use over a 25 day period?
σ(period) = σ(day) × √n
So, the appropriate standard deviation would be $5,000 × √25 = $25,000.
What is ‘value at risk’?
Generally it uses normal distribution tables to work out, for example, the minimum value of a portfolio of shares at the end of a period to a 95% probability (or conversely the maximum amount of fall in value to a 95% probability).
What is the expected value of the following project?
| State of the world | P of that state occurring | NPV of project ($000) |
|---|---|---|
| I | 0.7 | 10,000 |
| II | 0.3 | 7,000 |
| State of the world | P of that state occurring | NPV of project ($000) | P × NPV ($000) |
|---|---|---|---|
| I | 0.7 | 10,000 | 7,000 |
| II | 0.3 | 7,000 | 2,100 |
| Expected value | | | 9,100 |
What is risk consolidation?
This is the process of aggregating divisional/subsidiary risks at the corporate level. Some risks can be handled together and be subject to a common approach, or they might even substantially cancel each other out.
What is assurance mapping?
The aim of an assurance map is to identify where the safeguards against risks are to be found.
Assurance maps usually identify that an organisation has various lines of defence against risk.
Typically these are:
- Management-based assurance
- Internal procedures
- Independent assurance
What is a risk register?
It notes identified risks, their probability of occurrence, their impact, the responses to them and the date by which they should be addressed. The person in charge of dealing with each risk needs to be identified, and the entry needs to be signed off when the risk has been mitigated (if need be).
What is the difference between gross and net risks?
- Gross risk = the risk before any mitigation (reduction) procedures. Gross risk is sometimes referred to as inherent risk.
- Net risk = the residual risk after reduction and mitigation.
What is meant by ‘stress testing’ a strategy?
A stress test is an assessment of how a system or strategy is likely to function if severe adverse events occur.
What is scenario planning?
Scenario planning looks at all the things that could happen (and there can be many permutations of future events) and from those builds viable scenarios: a number of believable, internally consistent futures.
What is a risk report?
UK quoted companies are now required to include risk reports as part of their annual reports. This informs shareholders and others about the organisation’s main risks and what the company is doing about them.
Present value of a project’s outflows = $100,000.
Present value of the project’s inflows (all from sales) = $120,000
What is the project sensitivity to selling price?
NPV = $20,000. For this to become zero, the present value of sales must fall by $20,000.
Therefore, the percentage sensitivity = 20,000/120,000 ≈ 0.17, or 17%.
What does a coefficient of correlation, r, of 0.5 indicate?
r is positive, so as one variable increases so does the other.
r² = coefficient of determination = 0.25. This means that 25% of the variation in one variable can be explained by variation in the other. The remaining 75% of the change seems to be for other reasons.
What is ‘corporate governance’?
Corporate governance is a system by which companies are directed and controlled.
What are the five OECD principles of corporate governance?
Corporate governance frameworks should:
- Protect shareholders’ rights
- Recognise the rights of all shareholders
- Ensure disclosure and transparency
- Ensure timely and accurate information is available
- The board should determine and be accountable for the strategy of the company
What are the five headings of the UK Corporate Governance Code?
- Leadership
- Effectiveness
- Accountability
- Remuneration
- Relations with shareholders
Which of the UK Corporate Governance Code and the USA’s Sarbanes-Oxley Act has the force of law?
UKCGC = not in statute. Enforced for listed companies by the stock exchange: comply or explain.
Sarbanes-Oxley Act = US law.
The UK Corporate Governance Code mentions three board sub-committees that are entirely (or principally) staffed by non-executive directors.
What are these committees?
- Nomination committee (appointment of new directors)
- Audit committee (liaison with internal and external auditors)
- Remuneration committee (directors’ remuneration)
What are the five elements of an internal control system?
- The control environment
- The risk assessment process
- The information system
- The control activities
- Monitoring
What is an internal control system?
‘The management system of controls, financial and otherwise, established in order to provide reasonable assurance of:
(a) effective and efficient operation
(b) internal financial control
(c) compliance with laws and regulations’
(CIMA Official Terminology, 2005).
Who is responsible for establishing procedures to manage risk, overseeing the internal control framework and determining the nature and extent of the principal risks that the company is willing to take in order to achieve its long-term strategic objectives?
The Board
What is external audit?
‘A periodic examination of the books of account and records of an entity carried out by an independent third party (the auditor), to ensure that they have been properly maintained, are accurate and comply with established concepts, principles, accounting standards, legal requirements and give a true and fair view of the financial state of the entity.’ (CIMA’s Management Accounting Official Terminology)
What is internal audit?
‘An independent appraisal activity established within an organisation as a service to it. It is a control which functions by examining and evaluating the adequacy and effectiveness of other controls; a management tool which analyses the effectiveness of all parts of an entity’s operations and management.’ (CIMA’s Management Accounting Official Terminology)
In auditing, what is meant by ‘inherent risk’?
Inherent risk: this is the risk that an error is made in the first place, before the application of any controls or checks.
What are the two components of risk appetite?
Risk appetite is determined by two factors:
- Stakeholders’ attitude to risk
- Risk capacity, which is the amount of risk that the organisation can bear.
What is an organisation’s risk appetite?
‘Risk appetite’ is the term given to describe the amount of risk an organisation is willing to accept in pursuit of value.
What is the difference between strategic risks and operational risks?
Strategic risks: arise from long-term effects such as those relating to the nature and type of business, changes in the competitive and legal environments, and poor long-term decisions being made.
Operational risks: short-term, day-to-day problems.
What is malware?
Malware is a term that covers all software intentionally designed to cause damage to a client computer, a server, the network or data.
What is cloud computing?
Data, programs and processing are (mostly) not held locally, but are held remotely on servers (the cloud). Software updates are easy and heavy processing can be carried out on powerful cloud computers rather than each user having to have a powerful machine.
What is a DOS attack?
Denial of service (DOS) attacks: typically, the overwhelming of internet sites with demands for responses so that legitimate users are denied service.
What is a bot?
Bots: derived from ‘robot’, this is a piece of software that carries out automated processes. For example, emails or posts on social media can be generated to give the appearance of support for particular causes.
In cyber-security, what is meant by ‘penetration testing’?
Penetration testing (‘a pen test’) is an authorised simulated cyberattack on a computer system. It is a controlled form of hacking where the hackers act on behalf of the client to probe the system for vulnerabilities.
In cyber-security, what is meant by ‘malware analysis’?
This process aims to understand what a piece of malware does and how it does it. The analysis might discover ways in which the malware can be countered.
In cyber-security, what is meant by ‘forensic analysis’?
‘Forensic’ implies that findings will be presented in a court of law or possibly some legal argument or negotiation. Computer forensics techniques discover, preserve and analyse information on computer systems.
What is the relationship between ‘conformance’ and ‘performance’?
Conformance (compliance with rules) is necessary to avoid failure, but it does not produce success. Performance implies taking some risks.
What is meant by the term ‘speculative risk’?
This is where there can be both good and bad outcomes. It might occasionally be called ‘two-way risk’.
What is meant by the term ‘pure risk’?
This is where there is a chance of loss but no gain. There is downside risk only.
Is the following statement true or false? Risk covers the occurrence of both good and bad outcomes.
True
What is the difference between risk and uncertainty?
Risk is when both the probability that a particular outcome occurs and its impact are known. If the probabilities of different outcomes occurring are not known then we are working under conditions of uncertainty, not risk.