Full P3 Case Study Booklet
This document will also help you look at certain case study
type questions and objectives you must have in mind to
accomplish whilst studying each chapter from our notes.
RISK
Chapter 1
Upside risk:
A possible chance of gain. Also called two-way or speculative risk.
Downside risk:
Pure risk: no chance of gain, only of loss.
Some risks are quoted and have a market rate of return. E.g. Equity
Benefits of taking risks=
Taking risk is a trade-off: the ability to gain competitive advantage on one side against the risk of the activity on the other.
The advantage received from a risk and the level of risk taken are compared below:
CIMA risk management cycle=
Types of risks=
d) Compliance risk= risk of losses, fines, penalties because of
non-compliance.
b) Product risk= risk that customers will not buy new products
or that current product share will decline.
E) Economic risk= the risk that changes in the economy affect the business. Those changes could be inflation, unemployment rates, international trade relations, fiscal policy, etc. This is a risk external to the business, e.g. the US credit crunch.
I) Fraud risk= a type of operational business risk.
A couple of points to know:
a) Risk identification and management is the responsibility of all
Learnings From P3 Chapter 1:
Risk is a very important part of this case study exam. You could be asked to comment on “different types of risks”, where you start your explanation by first defining risk and saying that it can be both upside and downside.
Evidently, the different types of risk are an important categorisation to know.
Risk Management
Chapter 2
Risk management is defined as the process of understanding and managing the risks that the organisation is subject to in order to gain competitive advantage.
COSO ERM framework is represented as a 3-dimensional matrix=
Ernst & Young (EY) developed a shareholder value model=
Static NPV of existing business model + value of future growth options.
In plain words: the value of what the company is doing now plus the value of what it could possibly do in the future.
4 stages=
The double helix is broken down into five components:
c) Performance:
e) Information, communication and reporting:
Risk Management:
The tougher the business objectives, the more risk the organisation will have to take.
Residual risk is the risk the business faces after its controls have been taken into account.
Risk appetite can be stated in qualitative terms (e.g. the organisation's reputation) and in quantitative terms (how much capital the business is willing to commit and how much loss it is willing to accept).
Factors or business strategies which can affect the risk appetite:
a) Nature of product being made (high risk product)
b) The need to increase sales (need to move into a new market
will be riskier)
c) The background of the board
d) Amount of change in the market
e) Reputation of the company
Common methods for risk identification= PEST/SWOT analysis,
External advisors, interviews/questionnaires, internal audit,
brainstorming.
Quantification of risk exposure=
Quantification of risk is important in understanding the extent and
significance of exposure to risk. Some techniques are=
Expected values=
Example:
Required:
a) What is the credit risk exposure of the company?
b) What is the expected loss each year due to credit risk?
Solution:
The total exposure to credit risk can be expressed either as the total annual credit sales ($10 million) or as the exposure to unpaid debts at any point in time (one month's sales: $10 million × 1/12 ≈ $0.83 million).
For a full year the expected value of the loss is $10 million × 2.5% × 80% = $200,000.
Standard deviation=
Value at risk=
A bank can try to control the risk in its asset portfolio by setting
target maximum limits for value at risk over different time periods
(one day, one week, one month, three months, and so on).
The standard normal distribution has a mean of 0 and a standard deviation of 1. Any value X from a normal distribution is converted to a standard normal score with:
Z = (X − μ) / σ
Where:
Z is the score
X is the value being considered
μ is the mean
σ is the standard deviation
This calculation converts any value to the standard normal distribution, so one set of tables serves every mean and standard deviation.
If you are asked to calculate the 95% VaR, this is a one-tail test. As we are looking at risk, it is usually about being 95% certain that the outcome will be above a particular value (equivalently, a 5% chance that the loss is worse than that value).
50% of the distribution lies on each side of the mean, so within the tables (which give the area between the mean and Z) we are looking for the entry as close to 0.4500 as possible, which gives Z ≈ 1.645.
If you are asked about being 95% certain the result is within a range,
the area would look like this:
Summary:
One Tail Test
Example 1:
Solution 1:
The Z value for a one-tail 95.5% confidence level is 1.70 (from the
Normal Distribution tables).
This means there is a 4.5% chance that the value of the portfolio will
be (1,000 – 340) $660 million or below.
Two tail-test:
Example 2:
The mean exchange rate is $1.25/£ and the daily volatility of the
pound/dollar exchange rate is 0.25%.
What is the range of values that XYZ plc will be 95% confident of
receiving in 1 day?
Solution 2:
This means that XYZ plc is 95% confident that the value will be within £39,200 of the mean.
Given the 1-day VaR, we can calculate the VaR for longer holding periods with the square-root-of-time rule:
N-day VaR = 1-day VaR × √N
This assumes that daily changes are independent and identically distributed; if losses cluster, the rule understates the longer-period risk.
The VaR increases with the holding period. Thus, the longer the holding period, the greater the VaR.
Example 3:
Calculate the:
a) 1-day 95% VaR
b) 1-day 99% VaR.
Solution 3:
The standard normal value (Z) associated with the one-tail 95%
confidence level is 1.645 (see Normal Distribution tables).
Hence, the 1-day 95% VaR is 1.645 × £40,000 = £65,800. This means
that we are 95% confident that the maximum daily loss will not
exceed £65,800.
The standard normal value (Z) associated with the one-tail 99%
confidence level is 2.33 (see Normal Distribution tables). Hence, the
1-day 99% VaR is 2.33 × £40,000 = £93,200. Thus, there is a 1% (1 out
of 100) chance that the loss would exceed £93,200.
If we wanted to calculate the VaR for a longer period, say 5 days, at the 95% level the calculation would be: 1-day 95% VaR × √5 = £65,800 × 2.236 ≈ £147,129.
Similarly, the 30-day 99% VaR would be: 1-day 99% VaR × √30 = £93,200 × 5.4772 ≈ £510,477.
This illustrates that the longer the holding period, the greater the VaR.
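The Python below is an added worked example, not part of the booklet, that recomputes the quantification figures above: the expected-value credit loss ($10 million × 2.5% × 80%), the one-tail Z values the normal tables give for 95% and 99%, the two-tail 95% band, the 1-day VaR of Example 3 and its scaling to 5 and 30 days with the square-root-of-time rule. It uses the standard library's NormalDist.inv_cdf in place of the printed tables, so results differ from the table-rounded figures by a fraction of a percent. The sterling exposure in the two-tail case is an assumption: the page does not state it, and £8 million is used only because it reproduces the booklet's ±£39,200.

```python
"""Risk quantification: expected loss and parametric (variance-covariance)
Value at Risk, recomputing the booklet's worked figures.

Added example, not part of the booklet. Standard library only:
NormalDist.inv_cdf stands in for the printed normal distribution tables.
"""
from math import sqrt
from statistics import NormalDist
from typing import Dict, Tuple

_STD_NORMAL = NormalDist()  # mean 0, standard deviation 1


def expected_loss(exposure: float, prob_default: float, loss_given_default: float) -> float:
    """Expected value of a credit loss: exposure x probability of default x the
    fraction of a defaulted debt that is not recovered."""
    return exposure * prob_default * loss_given_default


def exposure_at_point_in_time(annual_credit_sales: float, credit_period_months: float) -> float:
    """Debt outstanding at any moment, assuming sales arrive evenly over the year."""
    return annual_credit_sales * credit_period_months / 12.0


def z_one_tail(confidence: float) -> float:
    """Z with P(Z <= z) = confidence, i.e. the table entry for a one-tail test
    (about 1.645 for 95%, 2.326 for 99%)."""
    return _STD_NORMAL.inv_cdf(confidence)


def z_two_tail(confidence: float) -> float:
    """Z with P(-z <= Z <= z) = confidence, for a symmetric range (1.960 for 95%)."""
    return _STD_NORMAL.inv_cdf(0.5 + confidence / 2.0)


def parametric_var(std_dev: float, confidence: float, horizon_days: int = 1) -> float:
    """Loss that will not be exceeded with the given confidence over the horizon.
    Longer horizons use the square-root-of-time rule, which assumes daily changes
    are independent and identically distributed."""
    return z_one_tail(confidence) * std_dev * sqrt(horizon_days)


def two_tail_range(mean: float, std_dev: float, confidence: float) -> Tuple[float, float]:
    """Interval around the mean that contains `confidence` of the outcomes."""
    half_width = z_two_tail(confidence) * std_dev
    return mean - half_width, mean + half_width


def booklet_figures() -> Dict[str, object]:
    """Recompute the figures in the text; they match the table values to rounding."""
    one_day_sd = 40_000.0  # Example 3: daily standard deviation of GBP 40,000
    # Example 2 gives a mean rate of $1.25/GBP and 0.25% daily volatility but not
    # the exposure; GBP 8 million is ASSUMED because it reproduces +/- GBP 39,200.
    sterling_exposure = 8_000_000.0
    return {
        # Expected value: $10m credit sales, 2.5% default rate, 80% not recovered
        "expected_loss": expected_loss(10_000_000.0, 0.025, 0.80),
        "exposure_one_month": exposure_at_point_in_time(10_000_000.0, 1),
        "var_1d_95": parametric_var(one_day_sd, 0.95),
        "var_1d_99": parametric_var(one_day_sd, 0.99),
        "var_5d_95": parametric_var(one_day_sd, 0.95, horizon_days=5),
        "var_30d_99": parametric_var(one_day_sd, 0.99, horizon_days=30),
        "fx_95_band": two_tail_range(sterling_exposure, sterling_exposure * 0.0025, 0.95),
    }


if __name__ == "__main__":
    for name, value in booklet_figures().items():
        print(f"{name:>20}: {value}")
```

Run it directly to print the figures. The functions take any exposure, probability, standard deviation and horizon, so the same code serves the one-day, one-week and one-month limits a bank sets under value at risk.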
Regression analysis=
Used to measure a company's exposure to several risk factors at the same time. The regression coefficients indicate the sensitivity of the company's cash flow to each risk factor.
The drawback of this technique is that the analysis is based on historical data, which may no longer predict the company's exposure in the future.
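As an added example (not from the booklet), the Python below fits the regression the text describes: a company's monthly cash flow regressed on two risk factors at once, so that each coefficient is the cash-flow sensitivity to that factor. The data are constructed with known sensitivities (+3.0 to the percentage change in the exchange rate, −1.5 to the change in interest rates) so the reader can see the regression recover them; the factor names and the 36-month history are assumptions, not figures from the page. It also raises an error when the factors are collinear, which is exactly when this technique cannot separate the sensitivities.

```python
"""Regression-based risk exposure: estimate how sensitive a company's monthly
cash flow is to several risk factors at once.

Added example, not from the booklet. The data are CONSTRUCTED: 36 months of
cash flow driven by two factors (percentage change in the USD/GBP rate and
the change in the base rate in percentage points) plus noise, with true
sensitivities of +3.0 and -1.5. Pure standard library: the normal equations
are solved by Gaussian elimination.
"""
import random
from typing import List, Tuple

Matrix = List[List[float]]


def solve_linear(a: Matrix, b: List[float]) -> List[float]:
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("factors are collinear; sensitivities are not identifiable")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def ols(factors: List[List[float]], y: List[float]) -> Tuple[List[float], float]:
    """Ordinary least squares: returns (coefficients, R^2).
    coefficients[0] is the intercept; coefficients[k] is the sensitivity of y
    to factor k (change in y per unit change in that factor, others held fixed)."""
    x = [[1.0] + row for row in factors]
    p = len(x[0])
    xtx = [[sum(r[i] * r[j] for r in x) for j in range(p)] for i in range(p)]
    xty = [sum(r[i] * yi for r, yi in zip(x, y)) for i in range(p)]
    beta = solve_linear(xtx, xty)
    fitted = [sum(b * xi for b, xi in zip(beta, r)) for r in x]
    mean_y = sum(y) / len(y)
    ss_res = sum((yi - fi) ** 2 for yi, fi in zip(y, fitted))
    ss_tot = sum((yi - mean_y) ** 2 for yi in y)
    return beta, 1.0 - ss_res / ss_tot


def constructed_history(months: int = 36, seed: int = 7) -> Tuple[List[List[float]], List[float]]:
    """Synthetic history with known sensitivities (constructed, not real data)."""
    rng = random.Random(seed)
    factors, cash_flows = [], []
    for _ in range(months):
        fx_change = rng.gauss(0.0, 2.0)    # % change in USD/GBP over the month
        rate_change = rng.gauss(0.0, 0.5)  # change in base rate, percentage points
        noise = rng.gauss(0.0, 0.2)        # everything the two factors do not explain
        factors.append([fx_change, rate_change])
        cash_flows.append(100.0 + 3.0 * fx_change - 1.5 * rate_change + noise)
    return factors, cash_flows


def estimated_sensitivities() -> Tuple[List[float], float]:
    """Fit the regression on the constructed history."""
    factors, cash_flows = constructed_history()
    return ols(factors, cash_flows)


if __name__ == "__main__":
    (intercept, beta_fx, beta_rate), r2 = estimated_sensitivities()
    print(f"cash flow = {intercept:.2f} + {beta_fx:.2f} x fx_change "
          f"+ {beta_rate:.2f} x rate_change   (R^2 = {r2:.3f})")
```

The recovered coefficients are only as good as the history they are fitted on, which is the drawback the text notes: re-fit on a period in which the relationship has changed and the same code will confidently report the wrong sensitivities.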
Simulation analysis=
A risk map is sometimes called an assurance map.
It plots the impact/consequences of each risk against its probability/likelihood.
For each high-probability, high-impact risk, further analysis should be carried out, with a view to:
Spreading the risk. Diversification works best when the returns from different businesses are negatively correlated; it still reduces risk whenever the correlation is less than +1.
Portfolio theory=
Risk Reporting:
The Risk Cube:
For example, imagine a company sells car parts on credit to
industrial customers.
The threat might be that the customer doesn't pay for their car parts.
The vulnerability might be that the selling company has a low cash
balance and therefore needs the funds to pay its own suppliers.
Net risk=
Gross risk=
Assessment of risk before any control, transfer or management
responses:
If the residual risk is considered to be too great then the company
will need to:
Evaluating risk management strategy:
Once the company has established its risk strategy and decided in
what areas it will reduce its risks and the methods it will use to
achieve the desired reductions, the strategy should be evaluated.
EXAMPLE:
Roles of the risk committee:
Learnings From P3 Chapter 2:
Whenever they give you a scenario which revolves around:
• Alignment of risk with the whole business
• Embedding of risk into the organisation's culture
• Making sure risk is part of every strategic decision taken
• Risk management culture in the organisation
you must quote the ERM framework and what ERM is used for.
To explain ERM you can suggest the COSO ERM model, explaining it in your own words.
Quantifying and giving risk a number can be done by various techniques. Your suggestions can include:
• Expected value method
• Standard deviation method
• Volatility understanding method
• VaR method (you will not be required to do any calculations, but you must know “what VaR is, how it is calculated, where it is used” in your own words; explanations are important)
• Regression analysis
• Simulation analysis
Students must be able to distinguish clearly which method is used for what reason.
Diversification is an important aspect of any strategic case study exam pre-seen material, so knowing the terminology becomes important. Try to visualise the diagram relating to backward and forward integration, horizontal integration, related diversification and unrelated diversification. Explaining in your own words what each means is very important.
Learnings From P3 Chapter 2 Continued…..
For a risk management framework, or when talking about any kind of risk management, the TARA framework (transfer, avoid, reduce, accept) must be referred to.
One very important part of this chapter is the responsibilities table on page 27 in our notes. It is important to know whose role is what. In the exam a scenario might refer to the role of the board of directors (BOD) or a conflict between the audit committee's and the risk committee's roles. It is then your job to clearly define the roles of each person in the hierarchy, so this simple diagram is important.
Specifically, knowing what the risk committee's job is and what the risk manager's job is are also important aspects of this chapter.
Strategy Risk
Chapter 3
Strategy=
A course of action, including specifications of resources required to
achieve a specific objective.
Strategy generally involves a comprehensive understanding of:
1. Resources (assets, employees, cash etc.)
2. Environment (Political, economic, customers, competitors)
3. Stakeholders (anyone who has an interest in your organisation)
Levels of strategy=
Strategic Planning process:
The rational model:
This is a logical step-by-step approach.
It has the following steps:
1. Mission and objectives
2. SWOT
3. Strategic options
4. Evaluation and choice
5. Implementation
6. Review and control
Johnson, Scholes and Whittington (JSW) compile these 6 steps into 3 main headings (the JSW approach to the rational model)=
Strategic analysis:
SWOT, identifying stakeholder objectives and Gap analysis.
Strategic Choice:
Making the decision, competitive strategy, growth directions.
Strategic implementation:
Target setting, monitoring and review.
Advantages of this model:
1. Forces managers to look ahead
2. Improves control
3. Identify key risks
4. Encourages creativity
2. Short term pressures
3. Difficulties in forecasting accurately
4. Bounded rationality
5. Rigidity
6. Cost
Dis-advantages:
1. No overall long-term plan
2. May cause strategic drift and may not be able to meet the
needs of customers.
Freewheeling opportunism=
Organisations should avoid planning and instead simply take
advantage of opportunities as they arise.
Advantages=
1. Formal planning takes too long and this can save time.
Dis-advantages=
1. Failure to identify risks
3. Strategic drift.
The risks of formal, long-term planning include:
Problems with a lack of formal planning:
Problems with not-for-profit and other non-profit-seeking organisations=
It is difficult to measure objectives; there may be a more equal balance of power between stakeholders; and the people receiving the service are not necessarily those paying for it.
KPIs and certain targets are set by central government to exert control and ensure that government funding is used appropriately.
The risks associated with the 3Es:
Approaches to strategic planning=
1. Traditional approach (Stakeholders)=
The emphasis here is on what the firm is good at, i.e. its core competencies. Critical success factors are important here and should be difficult for competitors to copy.
As part of strategic choice there are 3 key levels of strategy to
consider=
1. Where to compete? (which market)
Limitations=
1. They are too simplistic.
2. Undue emphasis is placed upon them, and there is a tendency at times to think that the models will provide a solution.
3. They are outdated and were produced when environments were very different.
4. They serve as a good basis for analysis but cannot be applied to every situation.
Porters generic strategies=
discounts, seek government aid or cost advantages, and use learning and experience curve benefits.
2. Differentiation strategy=
3. Focus strategy=
B) Requires= segment identification; research becomes more crucial since customer needs have to be identified; the segment must be sufficiently large to enable a return in the future; competition analysis; focus on consumer needs.
Limitations of Porter's generic strategies=
1. Porter argues that any business that attempts to adopt more than one of the generic strategies will be “stuck in the middle”; this suggests that a business will be unable to implement more than one strategy successfully at the same time, leading to strategic drift.
Ansoff matrix=
As part of a larger strategic planning initiative, an Ansoff matrix is a
communication tool which helps you see the possible growth
strategies for your organization.
1. Market penetration=
2. Market development=
3. Product development=
A new product for an existing market. The key notes here are that the company needs to be innovative and strong in R&D; constant innovation allows competitive advantage to be maintained.
4. Diversification=
Limitations of the Ansoff matrix=
1. The matrix is seen as being too simplistic. For a complete picture the organisation must also undertake SWOT, PEST and five forces analyses.
Advantages of acquisition over internal growth=
1. High-speed access to resources (brand name)
2. Avoids barriers to entry (may be the only way to enter a
market)
3. Less reaction from competitors (less likelihood of retaliation
because acquisition does not alter capacity of competitive
arena)
4. Can block a competitor
5. Help restructure the operating environment
6. Relative price/earnings ratio= Can increase P/E ratio if right
decisions made.
7. Asset valuation
The key control for an acquisition:
Due diligence:
There is always risk involved in any acquisition, but the work done
here is designed to help reduce the uncertainty and control the risks
that the acquirer will face as they go through the acquisition and
afterwards as the company looks to make a success of the combined
entity.
Financial statements:
a) Financial metrics
b) reasonableness of the financial forecasts
c) verification of the assets owned and their value
d) analytical review of annual, quarterly, monthly financial
statements, potentially going back several years.
Strategic Fit:
Employee/Management Issues:
Property:
Competition commission:
Intellectual Property:
a) website operations
b) mobile apps
c) data analytics processes.
The due diligence team may want to look at whether the target has
taken appropriate steps to protect its intellectual property (including
confidentiality agreements with current and former employees
regarding any data analytics processes).
Contract review:
Pending litigation:
The acquirer needs to know whether there are any ongoing claims,
closed claims or pending litigation. Acquiring a huge legal case would
not be ideal as part of any deal.
Tax:
In any acquisition the buyer would need to consider the tax situation
of the target company, reviewing any tax returns and getting an
understanding of any tax balances or correspondence with the tax
authorities of the relevant countries. As with the litigation, the buyer
does not want to end up acquiring a large tax liability.
Insurance:
Joint methods of expansion=
In any joint arrangement, there are some key considerations=
1. Sharing of costs
2. Sharing of benefits
3. Sharing of risks
4. Ownership of resources
5. Control/decision making.
Types=
1. Joint venture=
2. Strategic alliance=
a) Strategic synergy
b) Positioning opportunity
d) Less risk
e) Cooperative spirit
f) Clarity of purpose
g) Win-win.
4. Licensing=
5. Outsourcing
Key risks of joint development methods:
Strategic fit:
The partner chosen needs to have a similar strategy because by
association the two (or more) collaborating firms will affect each
other’s reputation.
Cost sharing:
The two companies will have to come to an agreement over how costs are split or who bears particular costs. This can be difficult and can lead to disagreements.
Knowledge sharing:
By partnering with a firm, there is a risk that an organisation may
have to reveal some of its trade secrets, depending on how close the
collaboration is. Careful consideration must be given to who a
company collaborates with and what skills and knowledge they share
in the collaboration.
Profit sharing:
The ultimate aim for most collaborations is to increase the
collaborating organisations’ ability to make money, therefore a key
discussion point must be how the profits are split and it must be
deemed proportionate to the risks each party is taking on in the
collaboration.
Loss of control:
Partnering with other organisations requires trust that the partner
will perform its work to the same standard as normal. Any issues
with quality of product or service will have a knock-on effect to the
reputation of the other organisation.
Loss of development opportunities:
Collaboration is often used to enter into a new geographic market or
offer a service/product the company did not previously provide. If an
alternative approach had been used then an organisation could have
developed these skills themselves rather than effectively outsourcing
them.
International Growth:
When deciding between which approaches to take if expanding
abroad, consideration should be given to the risks of international
growth:
Disruption:
Considerations for successful disruption:
The platform must be one that enables the disruptor to maximise the
returns from their disruption.
Some of the factors that influence the success of the disruptors are:
Scenario Planning:
Scenario planning involves the following steps:
For example, two key factors may have been identified as:
a) the threat of new entrants
b) new legislation that may reduce the potential for profit.
5. For each scenario, identify and assess possible courses of
action for the firm.
Construction of scenarios:
The upside of scenario planning:
Game theory:
Game theory has two key principles:
If just one firm decides to increase its spend, then it will see its returns increase.
However, if both increase their spend then both end up with lower returns than at present.
a) If B does not increase spending, then the best plan of action for A would have been to invest heavily.
b) If B does increase spending, then the best plan of action for A would have been to invest heavily.
Increasing spend is therefore A's best response whatever B does (a dominant strategy), and the same logic applies to B.
However, the end result ("equilibrium") is likely to be that both firms increase spending and thus end up worse off than if they had both kept their marketing spend at its current low level.
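Added example, not part of the booklet: the Python below carries out the best-response analysis in the text for the two-firm marketing-spend game. The payoff numbers are constructed to match the ordering the text gives (one firm raising spend alone gains, both raising spend leaves both below the status quo); they are assumptions, not figures from the page. The functions identify each firm's dominant strategy, the pure-strategy Nash equilibrium and whether the game is a prisoner's dilemma.

```python
"""Game theory: dominant strategies and pure-strategy Nash equilibria of a
two-firm marketing-spend game, found by best-response analysis.

Added example, not from the booklet. The payoff figures are CONSTRUCTED to
match the ordering the text describes: raising spend alone wins, but if both
raise spend both end up below the status quo (a prisoner's dilemma).
"""
from itertools import product
from typing import Dict, List, Optional, Set, Tuple

Action = str
Profile = Tuple[Action, Action]              # (A's action, B's action)
Payoffs = Dict[Profile, Tuple[float, float]]  # profile -> (payoff to A, payoff to B)

ACTIONS: List[Action] = ["hold", "increase"]

# Constructed figures, in GBP millions of profit per year.
MARKETING_GAME: Payoffs = {
    ("hold", "hold"): (10.0, 10.0),        # status quo: both keep spend low
    ("increase", "hold"): (14.0, 4.0),     # A alone raises spend and wins share
    ("hold", "increase"): (4.0, 14.0),     # B alone raises spend and wins share
    ("increase", "increase"): (7.0, 7.0),  # both spend more for the same share
}


def best_responses(payoffs: Payoffs, player: int, other_action: Action) -> Set[Action]:
    """Actions that maximise `player`'s payoff given the rival's action
    (player 0 is A, player 1 is B)."""
    def profile(a: Action) -> Profile:
        return (a, other_action) if player == 0 else (other_action, a)
    best = max(payoffs[profile(a)][player] for a in ACTIONS)
    return {a for a in ACTIONS if payoffs[profile(a)][player] == best}


def dominant_strategy(payoffs: Payoffs, player: int) -> Optional[Action]:
    """An action that is a best response to everything the rival might do,
    or None if no such action exists."""
    for a in ACTIONS:
        if all(a in best_responses(payoffs, player, o) for o in ACTIONS):
            return a
    return None


def nash_equilibria(payoffs: Payoffs) -> Set[Profile]:
    """Profiles where each firm's action is a best response to the other's."""
    return {
        (a, b) for a, b in product(ACTIONS, ACTIONS)
        if a in best_responses(payoffs, 0, b) and b in best_responses(payoffs, 1, a)
    }


def is_prisoners_dilemma(payoffs: Payoffs) -> bool:
    """True when the unique equilibrium leaves both firms worse off than some
    other profile would have, which is the outcome the text describes."""
    eq = nash_equilibria(payoffs)
    if len(eq) != 1:
        return False
    eq_a, eq_b = payoffs[next(iter(eq))]
    return any(pa > eq_a and pb > eq_b for (pa, pb) in payoffs.values())


if __name__ == "__main__":
    print("A's dominant strategy:", dominant_strategy(MARKETING_GAME, 0))
    print("B's dominant strategy:", dominant_strategy(MARKETING_GAME, 1))
    print("Equilibria:", nash_equilibria(MARKETING_GAME))
    print("Prisoner's dilemma:", is_prisoners_dilemma(MARKETING_GAME))
```

Replace MARKETING_GAME with any other 2×2 payoff table (for example a game in which one firm's best response depends on the other's move) and the same functions report that no dominant strategy exists or that there are several equilibria.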
Stress testing:
1. Prioritisation:
2. Measurement:
There are various well-known sayings around this: “If it matters, measure it” and “What gets measured gets done.”
The key is not to have too many measures on any scorecard but
to identify the key factors that drive performance and focus on
those. Where to focus is often viewed as the safer option, while
where not to focus allows more creativity.
3. Productivity:
4. Flexibility:
The need for stress testing:
Stress testing can play a strategic role. The results of a stress test can
indicate why strategy may not be successfully realised or
implemented, it can identify areas of inefficiency and it can make a
business more ‘agile’ and adaptable to changes in its business
environment.
Sources of business stress:
The scenarios that are planned for and tested for should be
plausible.
Learnings From P3 Chapter 3:
For any kind of strategy, you must understand the:
• Resources
• Environment
• Stakeholders
There are different levels of strategy. For your strategic case study exam
you are given the role of senior finance officer which means you are
making decisions on the “Corporate-Strategic Level”. Only know what
other levels exist in your own words.
In the exam they may end up asking you about the different strategic planning processes. You need to suggest one by looking at the situation:
• Rational model for slow-moving environments and a step-by-step approach
• Emergent approach for taking the best available opportunity
• Logical incrementalism for small increments and adjustments to the current strategy
• Freewheeling opportunism for avoiding planning altogether
When you are using or looking at strategic options as a broad term, there are various models that can be used if referenced:
• Porter's Generic Strategies:
o Cost leadership
o Differentiation
o Focus
You can look at the product that your company provides, choose a strategy and follow it to achieve competitive advantage and market superiority.
Learnings From P3 Chapter 3 Continued….
• Ansoff Matrix:
o If you are specifically asked about “Possible Growth options”
or “growth strategies” be sure to quote the Ansoff’s matrix.
Try to remember the diagram and form your own simple
explanation around the same.
o Market Penetration
o Product Development
o Market Development
o Diversification
Whenever your organization is looking for an acquisition the question of
strategic fit must come to your mind. Issues such as:
• Time and cost of integration
• Cost savings
• Employee management issues
• Property
• Competition commission
• Intellectual property
• Pending litigation
• Tax
• Insurance.
Learnings From P3 Chapter 3 Continued….
You need to keep these points in mind, ready to discuss if you are faced
with a proposition of an acquisition for your company.
An important aspect of this chapter is joint methods of expansion. The clear differences between joint ventures, strategic alliances, subsidiaries, franchising, licensing and outsourcing must be known. This is important from the case study aspect, so make sure you know it well.
The concept of digital disruption is important to know from a case study perspective, along with how your business can cope with it. Is your business changing the traditional way of doing business? How you can survive this disruption must also be kept in mind.
A frequent exam question is around scenario planning. So, what is scenario planning? How is scenario planning used? What are the steps in scenario planning? How useful is it? These are things you must be able to answer in your own words before you move on to the next item on this list.
A brief understanding of the concept of stress testing is important.
Reputational Risk
Chapter 4
What is reputational risk?
From that framework, two key areas to consider are social and
environmental.
Environmental considerations and reputational risks:
For example:
a) level of fines
b) number of environmental prosecutions
c) number of environmental enforcement actions
d) number of ‘notifiable’ incidents (local legislation will define
what is ‘notifiable’ and what is not)
Business ethics:
a) experiment on animals?
b) drill for oil?
c) build roads through the countryside?
d) allow smoking in public areas?
Corporate social responsibility:
By aligning the company's core values with the values of society, the
company can improve its reputation and ensure it has a long-term
future.
CSR and metrics:
Code of ethics:
Integrity:
Objectivity:
Confidentiality:
Professional behaviour:
Ethical Threats:
Advocacy threat:
Familiarity threat:
Intimidation threat:
Safeguards:
CPD requirements.
b) Safeguards in the work environment:
Firm-wide safeguards
Safeguards to be applied:
CIMA recommends the following process for addressing situations
of ethical conflict:
Conflicts within employing organization:
Pressures that may be faced:
Impact of strategy on brand and reputation:
They are often used as if they are the same thing and they are not.
Brand:
Reputation:
Strategic Alignment:
Transfer pricing:
Transfer Pricing: general rules:
The general rule for decision-making is that all goods and services
should be transferred at opportunity cost.
A perfect market means that there is only one price in the market,
there are no buying or selling costs and the market is able to absorb
the entire output of the primary division and meet all of the
requirements of the secondary division.
Transfer Pricing: the selling division has surplus capacity
There is a limit to the amount that it can sell externally, and it has spare capacity.
The transfer price is marginal cost, but in addition a fixed sum is paid
per annum or per period to the supplying division to go at least part
of the way towards covering its fixed costs, and possibly even to
generate a profit.
The transfer price is the marginal cost or full cost plus a mark-
up.
C) Dual Pricing:
International transfer pricing:
Taxation:
Government action on transfer prices:
This tactic is not possible, however, when the country’s tax laws
require that transfer prices should be set on an arm’s length basis.
International transfer pricing and currency management:
Exchange rates, even for strong currencies, can be very volatile and
subsidiaries could make unexpected profits or losses from
movements in an exchange rate.
Example:
When the exchange rate is $1.60, the sterling equivalent value of the
$12.80 transfer price is £8, and the UK subsidiary makes a profit of
£2 per unit transferred.
The implications for an international group of currency risk in
transfer prices are as follows:
c) When it is fairly certain which way an exchange rate will move in the future, a multinational company might be tempted to set transfer prices in a currency such that any currency losses arise in the subsidiary in the high-tax country and currency profits arise in the country with the lower tax rate.
Fraud:
3 pre-requisites of fraud=
a) Dishonesty (some people are able to rationalise fraudulent activity as necessary, harmless or justified),
b) opportunity (a belief that the system is weak),
c) motive.
More on managing reputational risk:
Governance:
Employee relations:
In line with the ERM framework, every single person within the
organisation has a responsibility to manage risk, including reputation
risk.
External relations:
Environmental awareness:
This relates to being aware of not only the impact that the company
and its supply chain is having on the environment, but also changes
in beliefs about how society should interact with the environment.
Monitoring:
Risk professionals:
Policy framework:
As the rise of social media is part of the reason for an increased focus
on reputational risk, organisations are investing significantly in tools
to analyse text and linguistics used in social media posts and reviews
to understand what is being said about their firm. They are aiming to
do this in real time, so they effectively have a live feed of public
opinion, giving them time to act quickly and avoid surprises.
Reputation crisis response:
Scenario planning:
Learnings From P3 Chapter 4:
Reputational Risk is an important consideration for any company that is
growing and willing to establish itself in different markets around the
world.
Corporate social responsibility is very important for any business in today's modern environment. The benefits of CSR must be known well.
A very important topic in this chapter is the Code of Ethics. You are sure to encounter a question on this in the exam, so clearly know what the code is and be able to identify the principles effectively.
• The corporate code of ethics revolves around the application of ethical values to business behaviour: mainly how you deal in the business environment.
• The CIMA Code of Ethics, on the other hand, is a set of fundamental principles which must be followed. This is the more important set that we must follow and know well, and it is what the exam will refer to most times.
In the exam they may also ask you “how can an ethical conflict be resolved?”. This is an important aspect to be aware of.
Transfer pricing is a real-world decision-making consideration which has to be taken into account by a senior manager when making suggestions on company opportunities. To explain this, you must know the underlying meaning of transfer pricing and its objectives. Along with this, if you can give a brief account of the 3 transfer pricing situations in your own words it would really add value to your answer.
The other side of transfer pricing, which is government sanctions, arm's-length prices and ethical implications, also needs to be kept in mind.
The concept of fraud, along with how you would manage fraud, is an important point to keep in mind.
Corporate Governance
Chapter 5
What is corporate governance:
Development of corporate governance:
Some examples of corporate governance failures: (read more in the text)
Maxwell Communication Corporation= an example of power concentrated at the top.
Enron= substance over form in the representation of assets.
Barings Bank= all power with one person; in Singapore the back office and front office were run by the same person.
WorldCom= creative accounting techniques used to show higher profits.
Parmalat= Italian dairy company that falsified accounts for over 15 years.
b) Division of Responsibilities
e) Remuneration
Board leadership and company purpose:
This board should be responsible for setting the purpose, values and
strategy of the company and making sure the culture is aligned with
them. The members of the board should lead by example with
regard to the culture of their organisation and behave with integrity.
The board should consider the strategy upon which the company
intends to generate wealth over the long term and report on both
opportunities and risks to the continued success of the business.
The chairs of the audit, remuneration and nomination committees
should also engage with the shareholders with regard to their areas
of responsibility.
The board should seek to identify any conflicts of interest and ensure these do not compromise the company's ability to achieve its objectives.
Directors should record any concerns they have about the operation of the board in the board minutes, and if an NED resigns, they should provide a written statement of any concerns to the chair, which should be circulated to the board.
Leadership=
a) There should be a clear division of responsibilities between
running the board (the role of the chairman) and the executive
responsibility for the running of the company’s business (the
role of the CEO).
b) The roles of chairman of the board and CEO should not be held
by the same individual.
Main roles can be divided into=
Effectiveness:
Independence:
There are also concerns over the recruitment of NEDs and the challenge that this may pose to independence.
Reasons for NED independence:
The board and its committees should have the appropriate balance
of skills, experience, independence and knowledge.
All directors should be subject to an annual evaluation regarding
whether they are contributing appropriately.
f) Give full consideration to succession planning for directors.
b) How any board evaluation has been carried out, the results of
this evaluation and action taken.
Audit, risk and internal control:
The board should create policies and procedures to make sure that
internal and external audit are independent and effective, and that
financial statements are produced with integrity.
The audit committee's role is:
g) The terms of reference of the audit committee, including its
role and the authority delegated to it by the board, should be
made available. A separate section of the annual report should
describe the work of the committee in discharging those
responsibilities.
k) The annual report should explain to shareholders how, if the
auditor provides non-audit services, auditor objectivity and
independence are safeguarded.
Remuneration:
The committee should also recommend and monitor the level and
structure of remuneration for senior management.
Remuneration should align with creating long-term shareholder
value, and so should promote long-term shareholdings by directors.
Basic salary should be the only basis for pension contributions, and
the pension consequences should be considered in any decision
about increasing basic salary.
The aim should be to avoid rewarding poor performance. They
should take a robust line on reducing compensation to reflect
departing directors’ obligations to mitigate loss.
f) Alignment to culture: Consideration of the company purpose,
values and principles should be incorporated to encourage
appropriate behaviours.
d) whether the policy was applied as intended, and if not why not,
and how it will have been changed.
Components of directors’ salary:
a) Basic salary:
Covering the job itself, the skills required, the directors'
performance, their contribution to company strategy and
market rates;
b) Performance-related pay:
Remuneration dependent on the achievement of some
performance measure. This could be short-term e.g. a bonus
paid to the director at the end of the accounting year for
achieving a certain level of profit or earnings per share, or long-
term e.g. executive stock options. Stock/share options are
contracts that allow the director to buy shares at a fixed price.
c) Pension contributions:
The remuneration committee should consider the pension
consequences of increases in basic salary;
d) Benefits in kind:
Are various non-wage compensations e.g. a company car, or
health insurance
Share (stock) options:
A danger of rewarding short-term profit is that not investing in new
products, and not developing existing ones, will adversely affect future
profits and may threaten the long-term existence of the business (one
argument for long-term incentives such as share options).
Historically there was no charge in the company's profit and loss
account for share options, so shareholders were not aware of the value
of the options granted to the directors (accounting standards now
require an expense to be recognised). Share options can be very
valuable to directors.
The grant date is the date when the employee and employer enter
into an agreement that will entitle the employee to receive an option
on a future date, provided certain conditions are met.
The vesting date is the date when the employee, having satisfied all
the conditions, becomes unconditionally entitled to the option.
Example:
Suppose a director holds an option over 1,000,000 shares at an
exercise price of 250p. If, at the exercise date of, say, 30 June 2010,
the value of the shares is 290p, the director will buy the shares from
the company for £2,500,000 and immediately sell them in the market
for £2,900,000, making a gain of £400,000.
If the value of the shares is less than 250p on 30 June 2010, the
director will not exercise the option (as he/she would make a loss),
so the director's gain on the option will be zero.
Only a small minority of directors buy the shares at the option price
and continue to hold them.
It has been seen that the increase in the share price of a company
may be more related to market conditions than its long-term
profitability. Thus, awarding options on shares may not be a very
effective way of paying directors, as the change in the share price
may have little to do with profitability of the company and the
directors' contribution to increasing those profits.
Corporate governance and internal controls:
Turnbull report=
Internal control should be established using a risk-based approach:
establish business objectives, identify the key risks, decide upon
controls for those risks, and set up a system to implement the controls.
Internal control is usually analysed under five headings (the COSO
components)= control environment, risk assessment, control
activities, information and communication, monitoring.
More on reviewing the effectiveness of internal controls:
When reviewing reports on internal control, the board should:
a) consider the significant risks and how they have been
identified, evaluated and managed
b) assess the effectiveness of the internal controls for managing
each significant risk
c) consider whether any controls are weak and action is necessary
to strengthen them
The annual assessment of the system of internal control should
consider:
a) the changes since the assessment carried out in the previous
year
b) the scope and quality of management’s ongoing monitoring of
risks and of the system of internal control
c) the extent and frequency of the communication of the results
of this monitoring to the board
d) the extent and frequency of internal control weaknesses and
failings that have been identified during the year
e) the effectiveness of the company’s public reporting processes.
Corporate governance and audit committees=
Particular criticisms of the relationship were about:
Responsibilities of an audit committee:
b) The audit committee should meet at least three times per year,
and also at least once a year have a meeting with the auditors
without the presence of any executive directors.
The audit committee should review the significant financial reporting
issues and judgements in connection with the preparation of the
company’s financial statements.
It should consider:
Audit committee and internal control:
Audit committee and internal audit:
The audit committee should monitor and review the effectiveness of
the company’s internal audit function. If the company does not have
an internal audit function:
d) ensure that the internal auditor has direct access to the board
chairman and is accountable to the audit committee
e) review the scope of the audit with the auditor, and satisfy itself
that this is sufficient
f) make sure that appropriate plans are in place for the audit at
the start of each annual audit
SOX (the US Sarbanes-Oxley Act 2002)= the 2 main differences from
the UK Corporate Governance Code are enforcement (SOX is law, backed
by criminal penalties, rather than "comply or explain") and
documentation (detailed evidence of controls must be kept).
Key points of SOX=
a) Auditor independence: specific non-audit work has been identified
which the external auditor is prohibited from providing.
b) Audit committee: a US stock exchange is prohibited from listing a
company if the audit committee requirements are not met.
c) Audit partner: the lead audit partner must be rotated.
d) Restrictions on directors dealing in the company's shares.
e) Increased financial disclosures.
f) Internal control report and certification of the accuracy of the
financial statements: it is the responsibility of the CEO and the CFO
(finance director) to provide a signed certificate to the SEC vouching
for their accuracy, and knowingly certifying false statements is a
criminal offence.
The CSR Report:
Other Considerations:
a) CEO Responsibility and Board Oversight.
b) Focus on Impact.
c) Stock Exchange Reporting Initiatives.
d) Identify Corporate Team
e) Other Components of Stakeholder Engagement.
How does corporate governance impact organisational strategy?
Learnings From P3 Chapter 5:
The concept of corporate governance is an important consideration to
keep in mind. You will be given a company structure in the pre-seen, and
to check whether good corporate governance is being followed you will
have to keep these important points in mind.
So a topic like why the governance code was developed can be used in
your answers, with real-world examples of companies like Maxwell, Enron
and Barings Bank (companies that failed because of poor governance).
The principles of corporate governance are important. You need to know
the principles well, and you can base your explanations, in your own
words, on the principle identified as being violated by the pre-seen
company. E.g. if they tell you that Mr. X is both the chairman and the
CEO of your company, you will say that this goes against the “board
leadership and company purpose” section of the corporate governance
code, and so the roles of CEO and chairman must be held by different
people.
Understanding the code and being able to explain each part in your own
words is important.
The clear demarcation between the role of the audit committee and the
role of the risk committee must be known.
Internal controls are a very important part of the case study exam.
The relationship of the audit committee with the internal audit function
and the risk management committee is an important relationship to know.
Internal Control
Chapter 6
Internal control=
Turnbull report=
d) the purpose of internal control is to help manage and
control risk appropriately rather than to eliminate it.
B) Responsibilities:
➢ help ensure compliance with applicable laws and regulations,
and also with internal policies with respect to the conduct of
business.
A sound system of internal control therefore provides reasonable,
but not absolute, assurance that a company will not be hindered in
achieving its business objectives, or in the orderly and legitimate
conduct of its business, by circumstances which may reasonably be
foreseen.
4 categories of objective setting are strategic, operational,
reporting and compliance.
There are considered to be 3 features of a sound internal control
system=
a) embedded within the operations and not considered as a
separate exercise,
b) Able to respond to changing risks within and outside the
company
c) Includes procedures for reporting control failings and
weaknesses.
The details of controls:
Segregation of duties (every transaction can be broken into parts, so
that no one person controls the whole transaction).
This reduces the risk of fraud and the risk of error.
For example, in the purchases system, the same individual should
not have responsibility for:
a) Making a purchase;
b) Making the payment;
c) Recording the purchase and payment in the accounts.
Authorisation and approval:
For spending transactions, an organisation might establish
authorisation limits, whereby an individual manager is authorised to
approve certain types of transaction up to a certain maximum value.
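The two controls just described can be expressed as a policy check that an internal auditor or access-management engineer could run over role assignments and transaction records. The following Python is an added illustration, not from the booklet or any product; the role names, users, approval limits and transactions are invented for the example.

```python
"""Added example (not from the booklet): a policy check for segregation of
duties and authorisation limits in a purchases system. Role names, users,
limits and transactions are invented."""

MAKE_PURCHASE = "make_purchase"
MAKE_PAYMENT = "make_payment"
RECORD_IN_LEDGER = "record_in_ledger"

# No one person should hold any two of the three purchases-system roles.
CONFLICTING_ROLE_SETS = [
    {MAKE_PURCHASE, MAKE_PAYMENT},
    {MAKE_PURCHASE, RECORD_IN_LEDGER},
    {MAKE_PAYMENT, RECORD_IN_LEDGER},
]

# Constructed role assignments (user -> roles held).
ROLE_ASSIGNMENTS = {
    "alice": {MAKE_PURCHASE},
    "bob": {MAKE_PAYMENT},
    "carol": {RECORD_IN_LEDGER},
    "dave": {MAKE_PURCHASE, MAKE_PAYMENT},  # toxic combination
}

# Constructed authorisation limits: the largest amount each manager may approve.
APPROVAL_LIMITS = {"alice": 5_000, "erin": 50_000}

# Constructed purchase transactions: who did each step and who approved it.
TRANSACTIONS = [
    {"id": "PO-1", "amount": 4_000, "approved_by": "erin",
     "purchased_by": "alice", "paid_by": "bob", "recorded_by": "carol"},
    {"id": "PO-2", "amount": 12_000, "approved_by": "alice",   # over alice's limit
     "purchased_by": "alice", "paid_by": "bob", "recorded_by": "carol"},
    {"id": "PO-3", "amount": 9_000, "approved_by": "erin",     # dave buys and pays
     "purchased_by": "dave", "paid_by": "dave", "recorded_by": "carol"},
    {"id": "PO-4", "amount": 700, "approved_by": "frank",      # no authority at all
     "purchased_by": "alice", "paid_by": "bob", "recorded_by": "carol"},
]


def sod_violations(assignments, conflicts=CONFLICTING_ROLE_SETS):
    """Users whose assigned roles include a conflicting combination."""
    found = []
    for user, roles in sorted(assignments.items()):
        for conflict in conflicts:
            if conflict <= roles:
                found.append((user, tuple(sorted(conflict))))
    return found


def check_approval(approver, amount, limits=APPROVAL_LIMITS):
    """Allow a spending transaction only within the approver's authorised limit."""
    limit = limits.get(approver)
    if limit is None:
        return False, f"{approver} has no approval authority"
    if amount > limit:
        return False, f"{amount} exceeds {approver}'s limit of {limit}"
    return True, "within limit"


def review_transactions(transactions, limits=APPROVAL_LIMITS):
    """Findings per transaction: authorisation failures, and one person
    performing more than one of purchase / payment / recording."""
    findings = []
    for tx in transactions:
        ok, reason = check_approval(tx["approved_by"], tx["amount"], limits)
        if not ok:
            findings.append((tx["id"], "authorisation: " + reason))
        steps = {"purchase": tx["purchased_by"],
                 "payment": tx["paid_by"],
                 "recording": tx["recorded_by"]}
        for person in set(steps.values()):
            done = [step for step, who in steps.items() if who == person]
            if len(done) > 1:
                findings.append((tx["id"], f"segregation: {person} did {' and '.join(done)}"))
    return findings


if __name__ == "__main__":
    for user, roles in sod_violations(ROLE_ASSIGNMENTS):
        print("role conflict:", user, roles)
    for tx_id, finding in review_transactions(TRANSACTIONS):
        print(tx_id, finding)
```

The role-level check catches toxic combinations at the point roles are granted; the transaction-level check catches cases where one person actually carried out several steps anyway (for instance through a shared login), which is why both are needed.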
Management control:
Top-level reviews= senior management might call for a performance
report on how the organisation is progressing towards its goals.
Activity controls= also called functional reviews, and should be done
more frequently.
Supervision:
Supervision is oversight of the work of other individuals, by someone
in a position of responsibility. Supervisory controls help to ensure
that individuals do the tasks they are required to and perform them
properly.
Organisation (controls provided by the organisation’s structure):
Organisation controls refer to the controls provided by the
organisation’s structure, such as:
Arithmetic and accounting:
ACRONYM TO LEARN
SOAPSPAM:
a) Supervision,
b) Organisation,
c) Arithmetic and accounting,
d) Personnel,
e) Segregation of duties,
f) Physical,
g) Authorisation and approval,
h) Management.
Examples of controls:
Bank and cash:
The objectives of controls over bank and cash are to ensure that:
c) Continuous training;
e) Contract of employment.
f) Controls over the distribution department might include
Classification of controls=
Evaluation of an internal control system=
Developing an adequate internal control system, cost vs benefits:
a) The first step in designing an adequate control system is to
ascertain the objectives of the system in question.
Limitations of internal control systems:
Warnings should be given regarding over-reliance on any system,
noting in particular that:
COSO model applied to fraud prevention:
Fraud is a crime, but does not have a precise legal definition. The
term ‘fraud’ refers to an intentional act by one or more individuals
among management, those charged with governance, employees or
third parties, involving the use of deception to obtain an unjust or
illegal advantage.
Fraud indicators mainly fall into 2 categories: organisational warning
signs and warning signs about individual members of staff.
Warning signs (organisational indicators):
3 pre-requisites of fraud=
a) Dishonesty (some people may be able to rationalise fraudulent
activity as necessary, harmless or justified),
b) opportunity (believing the system is weak),
c) motive.
Fraud prevention= aim of preventive controls is to reduce
opportunity and remove temptation, introduction of policies,
procedures and controls, training and fraud awareness activities.
Specific examples are anti-fraud culture, risk awareness, whistle
blowing, sound internal control systems, fraud policy statement.
Fraud detection= it is commonly believed that external auditors will
find fraud, but the engagement letter makes clear that responsibility
for preventing and detecting fraud rests with management and the
directors, not with the auditors.
Most frauds are discovered accidentally or as a result of information
received (whistleblowing).
Methods of discovering frauds= performing regular checks, warning
signals such as failure in internal control systems, lack of information
provided, unusual behaviour of staff, accounting difficulties and
whistle-blowers.
Failures in internal control procedures:
The risk of fraud is high when internal controls are ignored or by-
passed. For example, expenditures might be made without proper
authorisation or without proper documentation.
Unusual behaviour by individual staff members. Warning signs
might be members of staff who arrive first in the morning and leave
last in the evening, and do not take holidays, or members of staff
who keep an area of the office for their exclusive use and do not
share files with others.
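The individual warning signs above can be turned into a simple detection run over access-badge records. The Python below is an added example, not part of the booklet; the badge-log format, the employees, their working hours and the 80% threshold are all invented.

```python
"""Added illustration of turning the 'warning signs' about individual staff
into a check over an access-badge log. The log format, the employees and
the thresholds are invented for the example; it is not part of the booklet."""
from collections import defaultdict
from datetime import date, timedelta


def build_sample_log():
    """Construct 20 working days of badge events: (day, employee, event, 'HH:MM').

    'mallory' is first in and last out every day and never takes a day off;
    the others keep normal hours and take some leave. Invented data."""
    days, d = [], date(2024, 1, 1)          # 1 Jan 2024 is a Monday
    while len(days) < 20:
        if d.weekday() < 5:
            days.append(d)
        d += timedelta(days=1)
    pattern = {            # employee: (badge in, badge out, indices of days off)
        "mallory": ("07:30", "19:30", set()),
        "alice": ("08:45", "17:30", {3, 4, 12}),
        "bob": ("09:00", "17:45", {7, 8, 9, 10, 11}),
        "carol": ("08:30", "18:00", {15, 16}),
    }
    events = []
    for idx, day in enumerate(days):
        for who, (t_in, t_out, off) in pattern.items():
            if idx in off:
                continue
            events.append((day, who, "in", t_in))
            events.append((day, who, "out", t_out))
    return events


def summarise(events):
    """Per employee: days present, days they were first in, days they were last out."""
    first_in, last_out = {}, {}           # day -> ('HH:MM', employee)
    present = defaultdict(set)
    for day, who, event, hhmm in events:
        present[who].add(day)
        if event == "in" and (day not in first_in or hhmm < first_in[day][0]):
            first_in[day] = (hhmm, who)
        if event == "out" and (day not in last_out or hhmm > last_out[day][0]):
            last_out[day] = (hhmm, who)
    return {
        who: {
            "days_present": len(days),
            "first_in": sum(1 for day in days if first_in[day][1] == who),
            "last_out": sum(1 for day in days if last_out[day][1] == who),
        }
        for who, days in present.items()
    }


def flag_indicators(events, working_days, min_share=0.8):
    """Flag anyone who took no leave in the window AND was first in or last out
    on at least `min_share` of their days. Both thresholds are assumptions."""
    flagged = {}
    for who, s in summarise(events).items():
        no_leave = s["days_present"] >= working_days
        always_first = s["first_in"] / s["days_present"] >= min_share
        always_last = s["last_out"] / s["days_present"] >= min_share
        reasons = []
        if no_leave:
            reasons.append("no leave taken in window")
        if always_first:
            reasons.append("first in on most days")
        if always_last:
            reasons.append("last out on most days")
        if no_leave and (always_first or always_last):
            flagged[who] = reasons
    return flagged


if __name__ == "__main__":
    for who, reasons in flag_indicators(build_sample_log(), working_days=20).items():
        print(who, "->", ", ".join(reasons))
```

The output is an indicator to investigate, not evidence of fraud: a conscientious manager will trip the same rule, and any monitoring of staff must stay within employment and data-protection law.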
Legal position of whistle-blower=
Responsibilities:
e) Internal auditors, who will most likely have the task of
investigating the fraud.
Investigations of fraud:
d) The investigator should look at all relevant documents and
files, listen to recorded telephone conversations and read the
fraudster’s e-mails. Individuals working with the fraudster, such as
colleagues, supervisor and manager, should be interviewed.
Learnings From P3 Chapter 6:
As mentioned earlier, internal controls are a very important part of the
SCS exam.
You must clearly know what the internal audit function is and what
internal controls it puts in place. To further explain internal controls,
you can mention the objectives of internal control and then expand on
them.
Whenever you are speaking about internal controls and have to specify
in detail what a “sound system of internal control” is, the COSO model
on internal controls is a good place to start. The model can be
used/quoted in any situation surrounding internal controls, depending
on its suitability to the question. Explaining each part of the COSO
model, with clear demarcation but in your own words, is important.
If they ask you to specify the particular controls you can put in place,
you can then state:
• Segregation of duties
• Physical controls
• Authorisation and approval
• Management control
• Supervision
• Arithmetic and accounting controls
• Personnel controls
To make it easier for you, we have given examples of specific controls
you can have in place. Read through them. Whenever you are writing a
mock question and you feel an example is relevant, you are welcome to
put it in. It will add value to your answer.
Learnings From P3 Chapter 6 Continued…
Similarly, they can ask you to evaluate a situation where you are
designing an entirely new system of internal controls. So, you must know
the costs vs benefits of an internal control system. Along with this, the
limitations of an internal control system must also be known.
We have already given you hints on how you need to learn about fraud,
but remember to quote the “fraud risk management strategy” whenever
you are asked how to manage fraud.
Internal Audit
Chapter 7
Internal audit:
It is an independent and objective assurance activity designed to add
value and improve an organisation’s operations.
It helps an organisation accomplish its objectives by bringing a
systematic, disciplined approach to evaluating and improving the
effectiveness of risk management, control and governance processes.
The scope of internal auditing within an organisation is broad and
may involve topics such as the efficacy of operations, the reliability of
financial reporting, deterring and investigating fraud, safeguarding
assets and compliance with laws and regulations.
Risk management:
1. Risk management team would be considered to own the entire
risk management process.
Internal Audit:
1. Monitoring and reviewing the effectiveness of the controls.
Scope of internal audit work: (ACRONYM TO LEARN: R3A2SE)
Review accounting and internal control systems:
This is the traditional view of internal audit. The internal auditor
checks the financial controls in the company, possibly assisting or
sharing work with the external auditor. The internal auditor would
comment on whether appropriate controls exist as well as whether
they are working correctly. In this work, the internal auditor does not
manage risk, but simply reports on controls.
Review the 3Es of operations:
This is also called a value for money (VFM) audit (see more later in
this chapter). The auditor checks whether a particular activity obtains
its inputs at the lowest cost (economy), gets the most output from a
given input (efficiency) and meets its stated objectives (effectiveness).
Review compliance with Laws and regulations or internal policies:
This objective is particularly relevant under corporate governance
codes where the internal auditor will be carrying out detailed work
to ensure that internal control systems and financial reports meet
stock exchange requirements.
Assist in carrying out external audit procedures:
Assisting with identification of significant risks:
Special investigations:
Investigations into other areas of the company’s business, e.g.
checking the cost estimates for a new factory, or investigating
suspected fraud.
Examining financial and operating information:
Standards of internal audit work:
It would be expected that:
Attribute standards:
a) Independence:
b) Objectivity:
c) Professional care:
The head of internal audit should submit the plan of work to
senior management and the board for approval
b) Risk management:
c) Control:
d) Governance:
e) Internal audit work:
f) Communicating results:
Structure and independence of internal audit:
There should be measures in place to protect the independence of
the internal audit department:
a) Should be independent of executive management (free from
operational responsibility)
i) Technically competent and must exercise professional
competence and due-care.
d) The decision may be based on cost with the effectiveness of the
function being reduced.
The internal audit process must provide benefits in excess of its cost.
clause i.e. some might read it as 'we performed the audit work
to the best of our ability, but we can't test everything, so if we
missed something, we are sorry but it wasn't our fault'! The
auditor will finally sign the report.
Factors that external auditors must consider:
a) the status of internal audit within the organisation
Internal auditors may be asked to:
a) Assess the likelihood of fraud
b) Assess its consequences
c) To make recommendations for prevention in the future.
Fraud investigation:
It is the company’s directors who are responsible for preventing and
identifying fraud.
Types of audit work:
Compliance audit:
Compliance audits check the implementation of written rules,
regulations and procedures.
Transaction audit:
In this way, less time and effort are spent on elements of the system
that are relatively ‘safe’.
Quality audit:
It should cover the project throughout its lifecycle from the planning
and implementation stages through to performance after
commissioning.
The review should take place at some time after the project or
process has been completed or is being used. Review should not
be too soon, where the project or process hasn't been given a
chance to 'bed in'. But it should also not be too late where important
feedback and learning have not been applied on later projects.
Projects are often assessed on three criteria: time, cost and quality.
Was the project implemented on time? Did the project come in on
budget? Was the project delivered at the expected quality level, or
more commonly, did it solve the original issue that prompted the
project?
Post-completion audits are often performed by internal audit, as
long as they are not involved in the original design of the project
itself.
Problems with VFM:
a) Difficult to measure outputs
Environmental audit:
A management tool comprising a systematic, documented, periodic
and objective evaluation of how well organisations, management,
and equipment are performing, with the aim of contributing to
safeguarding the environment by facilitating management control of
environmental practices, and assessing compliance with company
policies, which would include meeting regulatory requirements and
standards applicable.
Social audit:
The social audit would look at the company's contribution to society
and the community.
a) Donations.
b) Sponsorship.
c) Employment practices.
d) Education.
e) Health and safety.
f) Ethical investments
Management audit:
A management (or operational) audit may cover, for example, the
effectiveness of mergers. Its aim is to identify existing and potential
management weaknesses and recommend ways to rectify them. This type
of audit requires the use of very experienced staff who understand the
nature of the business.
Signs of management weakness that a management audit might look for
include:
a) an unwillingness to delegate
b) regular failure to achieve standards or targets
c) inadequate management information systems
d) poor communications within or between departments
e) poor management/staff relationships
f) an absence of clear leadership
g) a failure by management to make good decisions
Systems-based audit:
An audit of a particular system within the organisation, e.g. the ledger
system or the accounting system. The aim of such an audit is to identify
weaknesses in the system; a systems-based audit is therefore an audit
of internal controls within an organisation.
A systems-based audit would take the following steps:
1. Ascertaining the system (recording how it operates)
2. Testing
3. Reporting
Audit planning:
The auditors should assess how much time and effort will be
required to carry out the audit, and schedule the work accordingly.
Risk-based approach:
Most audits are now carried out using a risk-based approach,
whereby the auditor assesses whereabouts the key risks are in a
system, and then concentrates the audit effort at those key risks.
Types of benchmarking:
Process benchmarking:
The company focuses its observation and investigation on business
processes with a goal of identifying and observing the best practices
from one or more benchmarked firms.
Process analysis is required where the objective is usually to
benchmark cost and efficiency
Product benchmarking:
The process of designing new products or upgrades to current ones.
This process can sometimes involve reverse engineering which is
taking apart competitors’ products to find strengths and weaknesses
Functional benchmarking:
A company will focus its benchmarking on a single function e.g.
Production, to improve the operation of that particular function.
Complex functions such as Human Resources, Finance and
Information Technology are unlikely to be directly comparable in
cost and efficiency terms and may need to be disaggregated into
processes to make valid comparison.
Competitor benchmarking:
Involves studying the leading competitor or the company that best
carries out a specific function
Environmental benchmarking:
This is the process of collecting, analysing and relating environmental
performance data of comparable activities with the purpose of
evaluating and comparing performance between or within the
entities.
One way of assessing risk is to consider:
1. Inherent risk: the risk of an activity or operation, ignoring the
controls in the system. Inherent risk relates to both the severity
of the risk and the incidence of the risk.
2. Quality of control:
g) the length of time since the last audit of the activity was carried
out.
h) Confidence in the quality of controls will diminish over time
without fresh reassurance from another audit that the controls
are still effective.
Audit risk:
This is the risk that the auditors might give an inappropriate opinion
on something which they tested i.e. they say that a process is well
controlled when in fact it is out of control.
a) Inherent risk:
b) Control risk:
This is the risk that the existing controls are not sufficient to
prevent or detect a material mis-statement of a value in the
financial statements.
c) Detection risk:
This is the risk that the auditors’ substantive tests will not
reveal a materially incorrect amount in the financial
statements, if such an error exists
Ascertaining systems:
Systems can be investigated and documented using:
1. Flowcharts
2. Interviews/questionnaires
3. Systems documentation
4. Observation
Audit Testing:
Types of testing:
1. Compliance testing: (test of controls). Results should indicate
whether: controls are effective or controls are ineffective in
practice.
Substantive test:
Monitor the number of quality control failures as a proportion of
good output.
Compliance test:
Observe the functioning of the quality control staff to ensure they
are checking output.
Try to avoid options with the word 'check' since that can be
construed as vague, unless it explains fully what they would be
checking for and why.
Audit sampling:
Running tests on a selection of the data in order to form a conclusion
about the whole population.
Risks of sampling:
1. Sampling risk: the risk that the auditor’s conclusion based on the
sample differs from the conclusion that would have been reached had
the whole population been tested.
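Sampling risk can be quantified exactly for an attribute (compliance) test, because the number of control failures in a random sample drawn without replacement follows the hypergeometric distribution. The Python below is an added example, not from the booklet; the population of 2,000 purchase orders, the 5% unacceptable deviation rate and the 5% risk target are invented for the illustration.

```python
"""Added example (not part of the booklet): the sampling risk of an
attribute (compliance) test, computed exactly from the hypergeometric
distribution. Population size, deviation counts and tolerances are
invented for the illustration."""
from math import comb


def prob_at_most(k, population, deviations, sample_size):
    """P(a random sample of `sample_size` items, drawn without replacement
    from `population` items of which `deviations` fail the control,
    contains at most `k` failures)."""
    if not 0 <= deviations <= population or not 0 <= sample_size <= population:
        raise ValueError("inconsistent population parameters")
    total = comb(population, sample_size)
    favourable = sum(
        comb(deviations, j) * comb(population - deviations, sample_size - j)
        for j in range(0, min(k, deviations, sample_size) + 1)
    )
    return favourable / total


def risk_of_incorrect_acceptance(population, true_deviations, sample_size, tolerable):
    """Probability the auditor sees <= `tolerable` failures (and so concludes
    the control is effective) although the population really contains
    `true_deviations` failures. This is the sampling risk that matters most,
    because it leads to reliance on a control that does not work."""
    return prob_at_most(tolerable, population, true_deviations, sample_size)


def risk_of_incorrect_rejection(population, true_deviations, sample_size, tolerable):
    """Probability the auditor sees > `tolerable` failures in a population
    whose deviation level is in fact acceptable, and so does extra work."""
    return 1.0 - prob_at_most(tolerable, population, true_deviations, sample_size)


def minimum_sample_size(population, unacceptable_deviations, tolerable, max_risk):
    """Smallest sample size that keeps the risk of incorrect acceptance at or
    below `max_risk` when the population contains `unacceptable_deviations`."""
    for n in range(1, population + 1):
        if risk_of_incorrect_acceptance(population, unacceptable_deviations, n, tolerable) <= max_risk:
            return n
    return population


if __name__ == "__main__":
    N = 2_000            # constructed: purchase orders in the year
    unacceptable = 100   # a 5% deviation rate the auditor would not tolerate
    for n in (30, 60, 100):
        print(n, round(risk_of_incorrect_acceptance(N, unacceptable, n, 0), 3))
    print("n for 5% risk:", minimum_sample_size(N, unacceptable, 0, 0.05))
    print("incorrect rejection at 1% true rate, n=60:",
          round(risk_of_incorrect_rejection(N, 20, 60, 0), 3))
```

Accepting the control only when the sample shows zero failures, a sample of 30 still has roughly a one-in-five chance of missing a 5% deviation rate, while about 60 items brings that below 5%; the flip side is that a perfectly acceptable 1% rate would be rejected nearly half the time with the same rule, which is why the tolerable deviation count and the sample size are set together.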
Analytical review:
Audit reporting
The auditor will need to consider whether the residual risk will be
reduced by the recommendation. If it will not, the recommendation
is not worthwhile.
The head of the internal audit team will usually meet with the head
of the department being audited and will discuss the points that are
being reported.
senior management without at least having some advance warning
and the opportunity to make their own arguments.
Once this has been done, they would submit the report for review
within internal audit and then provide the audit committee with a
copy.
The auditor may encounter several problems with computer
systems that do not occur with ‘manual’ systems. These include:
5. Overwriting of data: When data are stored on a magnetic file,
the file will eventually be overwritten with new data. If the
auditor needs some of this data to carry out audit tests, it will
be necessary to take steps to make the data available. The
auditor might therefore need to take copies of data files during
the course of the year, and retain them for audit purposes.
Audit approach:
1. Through the computer: the auditor interrogates the computer files
and the computer’s controls, relying much more on the processes that
the computer uses. The auditor follows the audit trail and attempts
to find the problems.
b) Test data:
Divided into:
• Live data
• Dead data
Live data = test data are processed during a normal production run
(the test transactions must then be identified and reversed so that
they do not corrupt the real records).
Dead data = test data are processed outside the normal cycle.
Benefits of CAATs, with examples:
Benefit: CAATs force the auditor to rely on programmed controls during
the audit. Sometimes this may be the only way to test controls within a
computer system, so CAATs enable the auditor to test program controls.
Example: Credit limits within a system can only be changed by the
accountant. A computer-assisted check will test that this is the case.
209
h) Identifying exception reporting facilities.
Problem: If the company you are auditing cannot confirm that all system
documentation is available, the auditors will be unable to perform the
tests effectively due to lack of understanding.
Action: Do not use audit software until the documentation has been
identified.
Learnings From P3 Chapter 7:
The need for and the functions of an internal audit function are
important to know. The thin line of difference between the risk
management function and the internal audit function is important to
know.
Topics revolving around the scope of internal audit work are important.
Whenever they ask what specific work you would expect from an internal
audit department, you can quote the points on page 3 of this chapter. To
go into further detail (which you don’t need to learn, but having a brief
idea of can help) the standards of internal audit work can be used to
explain the question better (in your own words, of course).
The relationship of internal and external auditors is an important
diagram on page 12 of this chapter. They often come up with scenarios
where they say that there is a conflict between these departments: can
you help define the limits? This is where your knowledge will be useful.
The different types of audit work need to be known. They might ask you
to recommend an audit that helps check compliance with rules and
regulations, so your knowledge must be ready to say that we must use
the compliance audit. This is just an example. Think about the scenarios
for other types of audits and try to know the basics for each.
The concepts of audit testing and audit sampling are also important to
know from a case study perspective.
Cyber Security Threats
Chapter 8
Types of sensitive information:
a) Names
b) Addresses
c) Date of birth
d) Credit card numbers
e) Bank account numbers
Business information could include, but is not limited to:
All of these factors provide an opportunity for an issue to arise if
they are not properly understood and controlled.
Connection type:
Data sent over the internet (for example a web page or an email) is
split into packets, and each packet is forwarded from one router to
the next until it reaches its destination: the computer that requested
it (a web page) or the address it was told to go to (an email).
Virtual servers take advantage of improvements in technology. A
modern server is now so powerful that dedicating one physical server to
a single function is very inefficient. One physical server can host
several virtual servers performing different functions; these can be
located offsite and are often controlled by a third party. The resources
of the physical server are shared by multiple users, each of whom can
administer their virtual server as though they had complete control over
the hardware.
c) Restructure – if an organisation were to undertake an internal
restructure that would impact cyber security. Reporting lines
would change, and IT users would require their access to be
updated to match their new roles.
Changeover methods:
Direct changeover – This is where the old system is switched off and
then the new system is switched on. This is appropriate when the
two systems are very different, or it is too expensive to run two
systems. Although this method is cheap, it is also risky since if the
new system doesn't work properly the company might be unable to
revert to their old system quickly. (Also, staff trust in the new system
would be lost.)
Parallel running – The old and new systems are run together for a
period of time, until it is considered safe to switch the old system off.
This method will be costly (inputting data twice and possibly
employing more staff to do this), however, it will be less risky than
direct changeover.
Cyber security objectives:
As well as understanding their cyber security objectives,
consideration must be given to how these objectives are established,
approved and maintained.
Malware:
The code may direct the victim to a malicious site where the
malware can be installed or it may directly infect the victim’s
computer when they visit the page that contains the advert,
even if the user does not click on anything to do with the online
advert.
Malvertising is a serious threat that requires little or no user
interaction.
Application attacks:
Below are some of the more common types of application attacks:
d) Buffer overflow attack – A buffer overflow occurs when a program
writes more data into a fixed-size area of memory (a buffer) than it
can hold, so the excess overwrites adjacent memory. In a buffer
overflow attack the attacker deliberately sends input that is larger
than the buffer, overwriting existing data (and potentially the
program’s control data) so that the program crashes or runs code of
the attacker’s choosing.
Hackers:
Once hackers have gained access to the system, there are several
damaging options available to them.
a) gain access to the file that holds all the user ID codes,
passwords and authorisations
Hackers could be thieves operating from outside the organisation
such as business competitors or nation-states. They can also be
insiders, such as disgruntled, or otherwise malicious, employees.
Social engineering:
Phishing refers to the use of fraudulent messages to try to steal
sensitive information such as passwords or credit card numbers, or
to install malware onto a user’s computer.
Cryptocurrency:
Social media is a catch-all term for a range of sites that may provide
radically different social interactions.
e) Real-time information gathering – in the past it would take
days or weeks for businesses to conduct a survey to gather
enough responses to generate conclusive data. Now on social
media, businesses can gather instant feedback with quick polls.
Risks of social media to organisations:
g) Costs – in theory using social media costs nothing, but to use it
well, and control the accompanying risks, could cost a
significant amount. Also, any fines from non-compliance with
regulations could also be significant.
Poor use of social media can create risks for individuals too:
The reasons for this fame can be both good (taking a strong
stance for a good cause) and bad, for example an ill thought
out joke can lead to thousands of abusive responses. People
have been known to disable their accounts after receiving such
abuse.
e) Physical theft – posting from a holiday resort overseas, or just
posting from a significant distance from home, can signal to
thieves that a property is unoccupied and is likely to remain so
for several hours or days.
Risk of security vulnerabilities:
The following are some examples of the implications for an
organisation that is compromised in some way:
Legislation surrounding information systems (UK and EU)
The UK Government has published its new Data Protection Bill that
repeals the DPA and enshrines the GDPR into UK law post-Brexit. It is
overseen and enforced in the UK by the Information Commissioner’s
Office (ICO). The aim is to keep personal data secure at all times.
This means:
Learnings From P3 Chapter 8:
Any business in this modern environment has sensitive information
which is at risk of leaking and damaging the business. This is an
important consideration from the case study perspective again. For
this reason there are different mitigation techniques companies can
look at, such as ERP, VPN usage, secured software etc.
A company could be at a high risk of cyber security issues when in the
stage of: expansion, acquisition, restructuring, hardware updates and
software updates. These are situations in which you must suggest that
your company put in place extensive data security measures.
They may ask you to suggest which changeover method could be applied
to your business. Keeping the pre-seen company in mind you must come
up with a decent suggestion with knowledge on direct, parallel, pilot and
phased changeover methods.
There are certain digital threats to a business, which we have been
speaking about:
• Malware
• Application Attacks
• Hackers
• Social engineering
• Phishing
You are not expected to know the details of each, but if they were to
mention malware or a phishing attack you must not be blank. General
knowledge about each type of threat could also be used in different
suggestions on cyber security or in any other digital strategy concept.
Organizations in today’s modern world must take advantage of offerings
from social media. You must look at the pre-seen company given to you
and see if they are optimising their social media usage. Benefits and poor
usage of social media must be known.
For reference, or to justify that data protection is very important and
gaining attention around the world, you can quote the rules and
regulations in the GDPR. No need to learn anything here.
Cyber Security Processes
Chapter 9
Cyber security organisational characteristics:
(Diagram: Protection, Detection, Response)
• corporate governance,
• tone from the top,
• communication of appropriate information for decision
making.
Cyber security risk governance:
Cyber security information and communication:
a) Availability
b) Confidentiality
c) Integrity of data
d) Integrity of processing
Cyber security information and communication:
Internal:
External:
Protection:
Areas to be protected:
f) Data storage: the recording and storing of data and information
to be accessed by devices on a network. Often this incorporates
the use of cloud-based storage, where the data is held on
servers in a remote location. Often cloud storage is operated by
a third party.
Methods of protection:
Forms of protection:
c) Authorisation: as well as recording what an individual looks at
or enters into the system, it is also possible to limit what any
particular user can access within the system. This means that
they will only be able to view and enter information
appropriate to their skill/employment level.
d) Physical security: is also a key way of protecting hardware,
from desktops to smartphones to servers – all should only be
accessible by authorised personnel.
Additionally, procedural controls to protect files and output
include:
Location of IT facilities:
e) Personnel controls:
Certification:
There are different types of certificate:
Man-in-the-middle attacks (MitM):
The aim is to make the two parties think they are communicating
directly with each other whilst in reality the attacker is controlling
the conversation. This kind of attack is often used to collect
information to help a further attack, for example discovering
specialist knowledge about a target in order to carry out a spear
phishing attack.
Detection:
As with most things, the sooner any issues are detected the easier it
(usually) is to fix them. The detection strategies are effectively a
computer equivalent to having a security camera set up.
d) Threat monitoring – studying the way hackers attempt to
compromise organisations, including the techniques and the
software tools. This can then be used to develop and share
intelligence on the types of threats which in turn can help to
develop new controls.
e) User reports – this links into the first point, event monitoring,
and the user reports can identify unusual activity.
Response:
When an organisation comes under attack, the key role of the CIRT
or CSIRT is to keep the business functioning, or some people refer to
it as “keeping the patient alive”.
Defending against the cyber security risks
Being aware of the risks is part of the solution, and they can be
defended against.
1. Desktops:
2. Laptops:
3. Mobile devices:
While in the short term this may save some time, it may also
mean that the version of the manual the engineer is using does
not get updated and so procedures are not carried out to exact
company specification.
Another issue can arise if a device is left logged on for too long.
4. Bring your own device (BYOD):
5. Network configuration management (NCM):
6. Firewalls:
Certain mainstream sites are less risky to visit than say a site
dedicated to illegal software, and sites that offer something for
free, for example music, are more likely to be risky than a site
that requires payment for the music. Where content is free,
then there has to be some other way for the site to make
money, whether through advertising, or installing malicious
software onto a computer to mine for data.
Application firewalls are additional security to network
firewalls and can be used by an organisation to monitor the
inputs, outputs and operations of a particular application. They
effectively filter damaging content passing through to the
application – like viruses or any attempt to exploit a known
flaw in the software.
Business continuity and disaster recovery:
c) Warm back up site – this is a building that has all the critical
hardware for the servers and systems in place but they will
need to be configured and the most recent back up of the
data/information installed before the site can take over the
organisation’s activities.
System back-ups:
There may still be some loss of data if inputs to the system occurred
after the most recent back-up copy of the file was made.
ISO27001:
The key principle behind the standard is: to ensure a proactive rather
than reactive approach to cyber security risk management.
Learnings From P3 Chapter 9:
The problem of cyber security is very real for all organizations in this
modern digital world. So, topics around the cyber security risk
governance are important. You must have clear information and
communication systems for cyber security measures.
There are certain areas that need to be protected from cyber security
attacks. The vulnerable areas and how to protect them must be known in
brief. This is an important aspect of this chapter so make sure you can
summarize well.
For any business, business continuity and disaster recovery is an
important backup plan to have in mind. Think about it from the
perspective of the business (pre-seen company) given to you and know
the brief.
Cyber security tools and techniques:
Chapter 10
Throughout the CIMA syllabus there are examples of companies using
techniques to learn from the results of their actions. Whether it is variance
analysis or a post completion audit, the common theme of the models is that
they look back and learn from events that have occurred.
Forensic Analysis:
As with any crime scene, virtual or physical, something is always left behind.
Forensic analysis is the process of examining the things that have been left
behind by the attack/attacker to increase understanding about the attack and
how the systems were breached to be able to improve defences in the future.
There are three main areas to consider in forensic analysis of cyber-attacks
and cyber security. They are:
Once it is known that a system has been compromised, the first stage is to
identify what part of the system is affected. This is often referred to as
looking for ‘footprints in the sand’ to identify what, if any, changes have
been made to the system.
Configuration changes: settings of the system and how programmes run can
be affected by malware.
Example: Social media
Facebook and other social media companies are trying to remove as many
fake accounts as possible.
Storage Analysis:
Computers and devices have a huge amount of storage on them which can
make locating particular files difficult and conversely make it much easier to
hide a file that is not meant to be seen.
The introduction of cloud storage has made this aspect of forensic analysis
harder. Since a third party owns the servers that store the data, obtaining
access to review any changes can be harder.
Another difficulty with regard to storage analysis is that although files can be
deleted, in most cases the deleted files still exist but in an unreferenced way.
They continue to take up storage and can even still be accessed (although the
recovery process is very time consuming and complex).
In the run up to the 2016 US General Election, the FBI were investigating Hillary
Clinton’s use of her private computer server for classified information. Reports
stated that despite over 30,000 emails having been deleted, the FBI were able to
recover some of the emails, both personal and work related.
Network Analysis:
The monitoring process doesn’t allow the company to see what is in the car
(i.e. what data is being transferred), but it does tell you whose car it is that is
on the road (i.e. which users are on the network).
As with the traffic flow of cars – usually busy in the morning around 9am and
the late afternoon around 5pm – there are patterns in the volume and
identity of users on a network at a particular time.
If there are unexpected users on the network, or if the level of traffic is
unexpectedly high, these could be cause for concern leading to further
investigation.
Analysing network traffic using third party cloud storage services can cause
privacy issues that would not arise on company-owned hard drives.
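The traffic-pattern idea described above, as an added example that is not part of the booklet: a small Python baseline of which users are normally seen in each hour and how much traffic flows, then a check of a later day against it, flagging unexpected users and unexpectedly high volume. The log records, user names and the k = 3 threshold are constructed for the illustration.

```python
"""Network-analysis baseline and anomaly check (constructed illustration).

The records below are flow summaries: who was on the network, when, and how
much data moved. Like the road analogy in the text, they show whose "car" is
on the road, not what is inside it.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline: "<ISO timestamp> <user> <bytes transferred>", three
# normal working days with the usual 9am and 5pm peaks.
BASELINE_LOG = """\
2024-03-04T09:05:00 alice 120000
2024-03-04T09:12:00 bob 95000
2024-03-04T09:40:00 carol 110000
2024-03-04T17:02:00 alice 130000
2024-03-04T17:15:00 bob 90000
2024-03-05T09:03:00 alice 125000
2024-03-05T09:20:00 bob 99000
2024-03-05T09:45:00 carol 105000
2024-03-05T17:05:00 alice 128000
2024-03-05T17:30:00 carol 100000
2024-03-06T09:08:00 alice 118000
2024-03-06T09:25:00 bob 97000
2024-03-06T17:10:00 bob 92000
2024-03-06T17:20:00 carol 108000
"""

# Constructed later day: one account never seen before, transferring a large
# amount at 02:00 when the baseline has no traffic at all.
OBSERVED_LOG = """\
2024-03-11T09:04:00 alice 121000
2024-03-11T09:18:00 bob 96000
2024-03-11T02:10:00 mallory 5000000
2024-03-11T17:07:00 alice 132000
2024-03-11T17:25:00 carol 104000
"""


@dataclass(frozen=True)
class Flow:
    when: datetime
    user: str
    nbytes: int


def parse_log(text: str) -> list[Flow]:
    """Parse the constructed three-field records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), user, int(nbytes)))
    return flows


def build_baseline(flows: list[Flow]):
    """Per-hour profile: users normally seen, and total bytes per hour per day."""
    users_by_hour = defaultdict(set)
    daily_totals = defaultdict(int)  # (date, hour) -> bytes that hour
    for f in flows:
        users_by_hour[f.when.hour].add(f.user)
        daily_totals[(f.when.date(), f.when.hour)] += f.nbytes
    volumes_by_hour = defaultdict(list)
    for (_, hour), total in daily_totals.items():
        volumes_by_hour[hour].append(total)
    return users_by_hour, volumes_by_hour


def find_anomalies(observed: list[Flow], users_by_hour, volumes_by_hour, k=3.0):
    """Flag users never seen in the baseline, and hours whose volume is high.

    An hour is high if its total exceeds mean + k*stdev of the baseline days,
    or if the baseline has no traffic for that hour at all.
    """
    known_users = set().union(*users_by_hour.values())
    findings = []
    hourly = defaultdict(int)
    for f in observed:
        if f.user not in known_users:
            findings.append(f"unexpected user {f.user!r} at {f.when.isoformat()}")
        hourly[f.when.hour] += f.nbytes
    for hour, total in sorted(hourly.items()):
        history = volumes_by_hour.get(hour)
        if not history:
            findings.append(f"traffic in hour {hour:02d} with no baseline ({total} bytes)")
            continue
        threshold = mean(history) + k * (pstdev(history) or 1)
        if total > threshold:
            findings.append(f"hour {hour:02d} volume {total} exceeds threshold {threshold:.0f}")
    return findings


def analyse(baseline_text: str = BASELINE_LOG, observed_text: str = OBSERVED_LOG):
    """Build the baseline and return the list of findings for the observed day."""
    users_by_hour, volumes_by_hour = build_baseline(parse_log(baseline_text))
    return find_anomalies(parse_log(observed_text), users_by_hour, volumes_by_hour)


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

Each finding is a lead for the "further investigation" the text mentions, not proof of compromise; a new starter or a scheduled overnight job would trip the same checks.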
Forensic analysis:
After the attack on DigiNotar, the Dutch government commissioned Fox-IT to carry
out forensic analysis on the DigiNotar Network. As always with these incidents, the
public never find out the whole story, but some reports say that they were able to
find digital “fingerprints” on one of the servers and from this they were able to
work out that it was the same attacker who had also compromised another
certificate authority called Comodo based in New Jersey in America.
This story suggests that the security preventing unauthorised access to a firm’s
network appears easier to get around than the security that certificates
provide.
A similar situation happened with car security systems. Cars were becoming so
hard to break into that criminals were breaking into houses to steal keys to
cars, rather than breaking into the cars themselves.
The weakest link in any control is often a mistake made by a person, for
example leaving the front door unlocked and the car keys near the front door.
Malware Analysis:
Ideally no malware would get on to an entity’s systems, but the reality is it will.
Once malware has been identified, analysis of the software should be carried
out to understand as much as possible about the malware. The aim of malware
analysis is to understand how the malware got on to the computer and its
purpose, including whether it was intended specifically for the organisation.
Reverse Engineering:
In terms of cyber security and malware, the design and functionality are of
interest, but discovering how the malware infiltrated the system provides a key
piece of information to help patch flaws and prevent further infiltration.
Developers of malware are aware of the risk that their malware will be
discovered and reverse engineered to learn more about it, so they aim to
make it as difficult as possible to reverse engineer.
Several layers of code are written to protect the malware code and each layer
must be uncovered, usually in different ways, before the malware code is
revealed.
During reverse engineering, a key aim is to discover whether the attack was
targeted or not. Clearly, a targeted attack is more of a concern – it means you
have something that someone wants and they have taken the time to write
code and hide that code to get at it.
Targeted attacks are likely to have better layering as they do not want the
target to know where the attack comes from, what they are trying to access
and why. Of course, untargeted attacks are still a concern as it means the
organisation’s security processes have been breached.
Decompilation and disassembly:
Once the layers of code have been removed and the organisation has access to
the malware, it is vital that analysis is carried out to understand how it works
and why it was put into their system, particularly if it was a targeted attack.
Penetration Testing:
This can often involve the use of white hat hackers who are hired to try and
penetrate the network or system.
Network Discovery:
There are obvious devices like desktops, laptops, tablets and smart phones, but
as connectivity improves and the “internet of things” develops more and more,
other devices are joining the network, such as printers, televisions, alarm
systems, thermostats, lights and many more.
Some of the issues that can be discovered through this type of penetration
test are:
IoT for business
Hackers might try social engineering to gain access to the network by ringing
staff and asking for passwords, or make practical attempts such as trying
doors that should be locked, checking desks for passwords that have been
written down and left visible etc.
A business must decide whether the convenience that the IoT provides is
worth the additional vulnerabilities and therefore security measures that
would be required.
Vulnerability Probing:
Once the scope of the network is determined, the next step is to identify the
devices on the network that are most vulnerable to intrusion.
Software can be used to probe the system and identify, quantify and rank the
vulnerabilities in terms of their potential impact.
Exploiting Vulnerabilities:
And
b) What can be exploited using the access that has been gained.
Internal network penetration testing:
This aspect of penetration testing is to identify any security issues from poor
design, coding and publishing. In the modern business world, applications are
critical to many organisations and are often used to process personal data
including payments details; they can even process or store proprietary data.
This type of penetration testing is looking for any access points or devices that
should not be in an organisation’s secured environment.
Simulated Phishing Testing:
Example: Kaplan
The members of staff who clicked on the link were identified as being more
susceptible and so received additional training on how to spot suspicious
communications and how to react to them.
Software Security:
Level 1 – This primary level seeks to prevent the attacker from gaining access
to the software at all.
Level 3 – While the alert will mean that the appropriate parties can
investigate the security breach, time is critical in any attack and in a very
short space of time data can be compromised, so the third level takes
automatic urgent action, for example locking down accounts and sensitive
information.
Design Review:
The extent to which our phones, watches and, since the development of the
IoT, other devices, have become integral to the way we live and work, was
not envisaged when the software for these devices was originally created.
This has led to a need to improve the security features designed into the
software.
Code Review:
A code review looks at how code is written, with a focus on how someone
proves they should be allowed access to a system that contains sensitive
information. Often companies have an internal manual detailing best practice
and this stage of the review can check that software code is complying with
the best practice manual.
Two-step verification compared to two-factor authentication:
Two step verification requires users to input two forms of the same type of
information, each from a different source, so for example a password that you
remember as a first step, then a password that you are sent via email or SMS
as a second step.
Two factor authentication requires the user to prove they should access the
system in two different ways, so the first step could be the password that you
must remember, but the second step requires something different – like a
finger print or proof that you have the trusted device for the account.
Security Testing:
Cyber security and compliance experts say that two of the key software
controls in existence in most organisations today are version control and patch
management.
Again, using NCM organisations will push software updates through to devices.
Depending on company policy and the severity of the flaw, this can happen at
different times. Some companies run updates on a daily basis, others do so less
frequently but push through any critical updates ahead of planned updates.
Digital Resilience:
The concept is about doing more than the minimum to protect the company
and comply with regulations, but to integrate cyber security into the business
operations.
They identify six actions an organisation must consider to achieve their digital
resilience, each of the six actions is considered below.
The key is then to integrate this knowledge as the defences will be much
stronger if they operate together than if they are considered in isolation.
The logic here, as with all good targets, is to set a cyber security plan
that is challenging but attainable - to help motivate people towards
achieving it. It is also important to translate it into language that people
can understand, so that non-IT leaders within the organisation can
explain it and make sure that the workforce support the plan.
The well-defined target should include prioritisation of the cyber
security risks to the business. Once these have been assessed they can
use three types of control to improve the security.
The tendency is often to focus on the final one of these, which can
lead to unnecessary expense.
c) Work out how best to deliver the new cyber security system:
This area links into change management, and looks at how a company
takes these challenging targets and turns them into a reality. As with all
controls the workforce can often resist what are perceived to be
additional controls believing they will inhibit creativity, cause problems
with current procedures or increase the time to get things done.
Roles and reporting are important here, and part of the advice is to have
a high-level manager responsible for all aspects of cyber security,
perhaps reporting into the board or potentially dual reporting into the
leading risk manager within the company too.
Considering the risk resource trade-offs takes account of the fact that
there is no one solution to managing cyber risk and that different
companies have different attitudes towards risk and different risk
appetites.
Example: A company could set up three packages:
Basic – this would be the lowest cost package and lead to the
lowest level of security, only covering absolutely essential (legal)
requirements.
Premium – this package would include the top level security, and
could potentially differentiate a firm from its rivals. It would also
cost a significant amount more than the other packages.
Example: GDPR and Kaplan
GDPR came into force in May 2018 and to reduce the risk of non-compliance all
staff need to be trained.
At Kaplan all staff, even those who are not regularly involved with handling
private information on computers, have been trained.
This includes for example the warehouse staff who prepare the orders for
shipment – they are handling personal data and if the wrong delivery note was
put into the wrong delivery package this could potentially reveal confidential
information to another Kaplan customer.
Frameworks:
As cyber security risks and cyber security risk management increase in focus,
so too does the need to report on them to stakeholders.
Organisations would like their stakeholders to know that they have robust
cyber security procedures in place, but don’t know how to convey this to the
stakeholder. Equally stakeholders are concerned about whether cyber security
is receiving the attention it requires within the organisation but don’t know if
what they are told has any real meaning.
As a result, frameworks have been created that, although they are not
mandatory, give an organisation something credible to show stakeholders to
confirm that they do have robust processes and controls in place.
The board and regulatory authorities are not the only stakeholders concerned
with minimising the risk of cyber-attacks and associated losses.
The framework the AICPA have set up requires management to prepare certain
information and then for a qualified accountant at the organisation to review
it.
a) Management’s description
b) Management’s assertion
c) The practitioner’s opinion
Management’s description:
This first section provides a description of the firm’s cyber security activities,
including how the organisation identifies its most sensitive information, how it
manages the cyber risks associated with this information, what key policies
and processes it has in place to protect against the risks etc.
This part of the report provides the context for the next two sections.
Management’s assertion:
The final section is where a qualified CPA accountant gives their opinion on the
description of the risks and whether the controls in place are effective.
Criteria:
To assist with the writing and evaluation of the management description and
to improve the comparability of the reports produced the AICPA uses two
sets of criteria:
a) Description criteria:
This is a detailed (33 page) document giving guidance on the areas that
should be considered when identifying the cyber security risks the entity
faces and the controls it puts in place.
There are nine categories of description criteria that the management should
consider, including the considerations in developing control processes.
g) Cyber security communications and quality of cyber security
information:
Disclosure about how objectives, expectation and responsibilities are
communicated to appropriate stakeholders, both internally and
externally including thresholds for when an event/response requires
communication.
Illustration of application of description criteria
What it manufactures, where this takes place, how it makes its sales (online, in
store), the main regions it makes sales. Any collaborative ventures used to make
sales and distribute goods.
Availability – consideration of the need to provide 24 hours a day, 365 days a year
sales opportunity online, the need to supply manufacturing information during
shift hours
Integrity of processing – making sure there are controls to prevent improper use,
alteration or destruction of systems to support deliveries, processing transactions,
manufacturing goods to the correct specifications and protecting employees in
hazardous situations in the manufacturing facilities.
Process for establishing, maintaining and approving the objectives – the board
establishes and approves overall objectives, this feeds into business objectives
and the most senior IT manager aligns cyber security objectives which are then
approved at board level.
May also include references to relevant standards, for example GDPR, ISO 27001
and PCI DSS.
Changes in the period that could affect cyber security risks, be it environmental,
technological, organisational or other aspects:
For example, an additional manufacturing operation set up, how this was carried
out and what IT infrastructure was in place.
Also, any security incidents that occurred during the period should be included
here:
• Any attempted hack, e.g. a DDoS on the website; the implications of the attack,
e.g. any compromised data like PII of consumers or commercial customer info;
the work done to fix the issue, potentially including outside contractors helping to
review the issue; any changes to security procedures as a result.
Integrity and ethical values are at the heart of cyber security risk management;
the description may include:
• Tone from the top
• Code of ethics
• Policy and reward structures promoting control and governance
• Board activities, for example review meetings
• Employee policies – code of conduct, employee handbook, IT policy
Board oversight:
• Details of the board’s IT experience, including NEDs
• Details of any specific committees for example a risk committee
Accountability:
• the work of any risk committees
• reporting lines for people like the CISO, CTO
The process used to identify cyber security risks and other changes that could affect
the risk management program and to assess risks related to the achievement of
cyber security objectives.
• Annual risk assessments
• Internal audit cyber security reviews
• Vulnerability assessments and penetration tests
• Risk based assessments (internal and external)
• Information about action taken when threats or control weaknesses are
discovered.
• The work of any risk committees
• Vulnerability tracking including any mitigation required
• Use of KPIs to assess responses to threats or weaknesses
The key security processes and policies to mitigate the cyber security risks
identified:
b) Control criteria:
This is an even more detailed (over 300 page) document giving guidance on the
types of risks and controls that may have been identified in the description
criteria and examples of other controls that could be used, that managers
and qualified accountants can use in their assertions and reports.
Example risk: DRPs are not designed appropriately and backups are not
enough to allow recovery of the system to meet the organisation’s
commitments and system requirements.
Consideration: Confidential information is protected during system design,
development, testing and implementation to meet organisational
confidentiality and system requirements.
Example risk: Data used in test systems is not appropriately protected from
unauthorised access and loss.
Example risk: Internal and external users are not aware of the privacy
commitments and how PII is collected and used.
NIST cybersecurity framework:
Implementation Tiers:
Core:
The core provides a set of desired cybersecurity activities and outcomes using
simple easy to understand language. The core is based on five principles:
Profiles:
Profiles help the organisation map its own requirements and objectives, risk
appetite, and resources against the desired outcomes included in the core.
AIC Triad:
It is known as the AIC (or CIA) Triad because of the three elements that
underpin it, seen by many as the most important aspects of cyber security.
➢ Availability:
Put simply systems must be online and available, otherwise
organisations cannot do business.
➢ Integrity:
Making sure that people who modify data are authorised to do so means
the data is more likely to be accurate and trustworthy.
➢ Confidentiality:
When data is being stored and when it is in use or in transit there need
to be rules in place to limit access to those who are authorised to use it.
AIC Triad in more detail:
Availability:
Integrity:
Confidentiality:
Confidentiality and privacy are often used interchangeably in the way the AIC
triad works. It is focused on putting controls in place to ensure that private
information is only viewed by those authorised to see it. Often companies will
categorise data relating to different levels of risk should it fall into the wrong
hands, with more stringent controls in place around the most sensitive data.
Technological advances mean that all frameworks including the AIC triad
must evolve.
Big data – extra challenges arise because of the huge volume of information
that needs to be protected, the variety of sources and types of information and
the speed with which it is updated. Making use of it can be challenging, but
also making sure that it is accessible, trustworthy and private can become very
costly.
Internet of things – as with any network, the more you increase the size, the
more access points are created and so the bigger the threat becomes. The
issue for the AIC triad is both privacy and security.
Privacy – it may only be fragments of data that are accessible from each of the
various endpoints, but when they are collated, they can constitute personally
identifiable information.
Security – while computers get regular software patches and invariably have
good security configurations, many of the devices in the IoT that connect to
them don’t have the ability to receive software updates or do not require
passwords.
Learnings From P3 Chapter 10:
If they come up with a scenario which says that your organization has
“already” been subject to a cyber-attack, how do you learn from this
situation to make sure it is not repeated? This is where you can suggest
“forensic analysis”. Explain it in your own words, but remember to
explain it.
In similar situations, i.e. after the cyber security attack occurring you
have other options like:
• Malware analysis
• Reverse engineering
• Decompilation and disassembly
• Penetration Testing
• Network discovery
• Vulnerability probing
• Internal network penetration testing
• Wireless network penetration testing
• Simulated phishing testing
• Software testing
• Design review
These options you can state and suggest when dealing with questions
such as “how can we learn from past mistakes?”, “what new initiatives can
we take to make our organization more secure?” and questions along the
same line.
You don’t need to learn the details from here BUT like I have always
mentioned 3-4 lines of explanation in your own words so, if they were to
ask you to explain you have enough basic knowledge.