CIMA P3 Flashcards

• Data shall be processed lawfully and fairly
• Obtained only for specified and lawful purposes
• Not excessive
• Accurate and up-to-date
• Kept no longer than necessary
• Processed in line with rights of the data subjects
• Guard against loss and unauthorised processing
• Not to transferred outside EEA unless similar legislation in destination.

Velocity

Volume

Variety

[Veracity]

(1) Access control and authentication – this ensures that unauthorized users do not access the system. Typically this will be accomplished through a log-in procedure.

(2) Confidentiality – this ensures that data cannot be intercepted and read by a third party whilst being transmitted. This is achieved using encryption.

 (3) Data integrity – this ensures that the data has not been altered or distorted whilst in transit. To ensure this, the message could have special check digits added to ensure that the data complies with a mathematical rule.

VPN = virtual private network. These allow data to be transmitted securely over the internet between any two locations.

• Presentation tier
• Application tier
• Data tier

LAN = local area network

WAN = wide area network

• Integrity
• Objectivity
• Professional competence and due care
• Confidentiality
• Professional behaviour

• Prevention
• Detection
• Response

• Incentive
• Opportunity
• Attitude/dishonesty

• Fraudulent financial reporting
• Misappropriation of assets

• Staff should be qualified
• Staff should be experienced
• The department should be independent
• Staff and approach should be professional

• Audit software (examine client data)
• Test data (examines client programs)

• Analytical procedures 
• Enquiry and confirmation
• Inspection: for example
• Observation
• RecalcUlation and reperformance. 

?_period = ?_day ?n

So, the appropriate standard deviation would be $5,000 x ?25 = $25,000.

Generally it uses normal distribution tables to work out, for example, the minimum value of a portfolio of shares at the end of a period to a 95% probability (or conversely the maximum amount of fall in value to a 95% probability).

This the process of aggregating divisional/subsidiary risks at the corporate level. Some risks can be handled together and be subject to a common approach, or they might even substantially cancel.

The aim of an assurance map is to identify where the safeguards against risks are to be found.

Assurance maps usually identify that an organisation has various lines of defences against risk. 

Typically these are:

• Management-based assurance
• Internal procedures
• Independent assurance

It notes identified risks, their probability of occurrence, impact, responses to them and the date by which they should be addressed. The person in charge of dealing with the risk needs to be identified and it needs to be signed off when the risk has been mitigated (if needs be).

• Gross risk = the risk before any mitigation (reduction) procedures. Gross risk is sometimes referred to as inherent risk. 
• Net risk = the residual risk after reduction and mitigation.

A stress test is an assessment of how a system or strategy is likely to function if severe adverse events occur.

Scenario planning looks at all the things that could happen (and there can be many permutations of future events) and from those builds viable scenarios: a number of believable, internally consistent futures. 

UK quoted companies are now required to include risk reports as part of their annual reports. This informs shareholders and others about the organisation’s main risks and what the company is doing about them.

NPV = 20,000. For this to become Zero, NPV from sales must fall by $20,000.

Therefore, the percentage sensitivity = 20,000/120,000 = 0.17 or 17%

r is Positive, so as one variable increases so does the other.

r² = coefficient of determination = 0.25. This means that 25% of the variation in one variable can be explained by variation in the other. 75% of the change seems to be for other reasons.

Corporate governance is a system by which companies are directed and controlled.

Corporate governance frameworks should:

• Protect shareholders’ rights
• Recognise the rights of all shareholders
• Ensure disclosure and transparency
• Ensure timely and accurate information is available
• The board should determine and be accountable for the strategy of the company

• Leadership 
• Effectiveness 
• Accountability 
• Remuneration 
• Relations with shareholders

UKCGC = not in statute. Enforced for listed companies by the stock exchange: comply or explain

SA Act = US law.

• Nomination committee appointment of new directors)
• Audit committee (liaison with internal and external auditors)
• Remuneration committee (directors’ remuneration)

• The control environment
• The risk assessment process
• The information system
• The control activities
• Monitoring

‘The management system of controls, financial and otherwise, established in order to provide reasonable assurance of:

(a) effective and efficient operation

(b) internal financial control

(c) compliance with laws and regulations’

(CIMA Official Terminology, 2005).

The Board

‘A periodic examination of the books of account and records of an entity carried out by an independent third party (the auditor), to ensure that they have been properly maintained, are accurate and comply with established concepts, principles, accounting standards, legal requirements and give a true and fair view of the financial state of the entity.’ (CIMA’s Management Accounting Official Terminology)

‘An independent appraisal activity established within an organisation as a service to it. It is a control which functions by examining and evaluating the adequacy and effectiveness of other controls; a management tool which analyses the effectiveness of all parts of an entity’s operations and management.’ (CIMA’s Management Accounting Official Terminology)

Inherent risk: this is the risk that an error is made in the first place before the application of any controls of checks.

Risk appetite is determined by two factors: 

• Stakeholder’s attitude to risk
• Risk capacity, which is the amount of risk that the organisation can bear.

‘Risk appetite’ is the term given to describe the amount of risk an organisation is willing to accept in pursuit of value.

Strategic risks: arise from long term effects such as those relating to the nature and type of business, changes in competitive and legal environments, poor long-term decisions being made.

Operational risks: short-term, day-to-day problems.

Malware is a term that covers all software intentionally designed to cause damage to a client computer, a server, the network or data.

Data, programs and processing are (mostly) not held locally, but are held remotely on servers (the cloud). Software updates are easy and heavy processing can be carried out on powerful cloud computers rather than each user having to have a powerful machine.

Denial of service (DOS) attacks. Typically, the overwhelming of internet sites with demands for responses so that legitimate users are denied service.

Bots: derived from ‘robot, this is a piece of software that carries out automated processes. For example, emails or posts on social media can be generated to give the appearance of support for particular causes.

Penetration testing (‘a pen test’) is an authorised simulated cyberattack on a computer system. It is a controlled form of hacking where the hackers act on behalf of the client to probe the system for vulnerabilities.

what is meant by ‘malware analysis’?”

This aims process aims to understand what a piece of malware does and how it does it. The analysis might discover ways in which the malware can be countered.

‘Forensic’ implies that findings will be presented in a court of law or possibly some legal argument or negotiation. Computer forensics techniques discover, preserve and analyse information on computer systems.

Conformance (compliance with rules) is necessary to avoid failure, but it does not produce success. Performance implies taking some risks.

This is where there can be both good and bad outcomes. It might occasionally be called ‘two-way risk’.

This is where there is a chance of loss but no gain. There is downside risk only.

True

Risk is when both the probability that a particular outcome occurs and its impact are known. If the probabilities of different outcomes occurring are not known then we are working under conditions of uncertainty, not risk.