P3 – Mock Exam 2 – Free Mode

The Production Manager has four possible suppliers for a key component.  The organisation operates a Just-in-Time manufacturing process and requires parts to be delivered within 4 hours of placing the order.  The organisation has a monthly demand of 2.5m for this specific component.  The cost of production coming to a halt will cost the organisation £100,000 per 15 minutes and £1.75m in start up costs once production can be resumed.

Consider each proposal, using a 3×3 risk matrix (low medium and high) with impact on the Y axis and likelihood on the X axis, with the criteria: Capacity Issues, Delivery disruption and Infrastructure.

Based on your analysis of the risk matrix which of the following suppliers minimises the potential of the organisation incurring any downside risk?

An organisation operates as part of a oligopoly within the fleet industry, which naturally comes with high barriers to entry, with fierce competitive behaviour between the companies.  Customers tend to be locked into long term contracts and it is known within the oligopoly when customer contracts are due for renewal, with competitors quick to promote their offer to customers.  The market size is in excess of 100,000 customers.

Which one of the following would be the weakest competitive strategy to adopt?

Under the COSO framework, match the element to the principle:

Which of the following is the first line of defence against a malware attack?

Which one of the following represents the greatest operational risk for a national telecoms company?

An established organisation who has become a byword for quality and service in their industry and has been rewarded with a very high market share is looking to grow over the next few years.

Which Product-Market strategy would be the most appropriate?

An organisation has analysed the amount it is spending on raw materials and does not understand how it has increased so much more than revenue despite the price per unit being fixed.

Which type of management control system could be introduced to analyse this issue further?

Some hackers are called Grey Hat, what makes Grey Hat hackers different to Black and White Hat hackers?

An American company needs to reduce costs, they are considering approaching Asian companies to manufacture their products.

Which of the following generates the most downside risk?

Scenario planning is used in risk mitigation, as it removes which two of the following from the decision making process?

Under COSO, an organisation’s effective internal communication of issues is dependent on which of the following?

Select all that apply

Which of the following are characteristics of good cybersecurity policy?

Select all that apply

An organisation has a risk which has a 40% probability of occurring and would require extensive renovations to the projects lasting 26 weeks.

On further analysis, it is confirmed that of the 40% probability, this is made up of a 20% probability of requiring a 26-week renovation and a 20% probability of only needing minor remedial work, there is a 50% chance the remedial work could be delivered within 5 weeks and a 50% chance of it taking 10 weeks.

If this risk was to occur what is the exposure?

Enter your answer to one decimal places in the field below.

A business-to-consumer organisation is concerned over a possible recession and has asked the accounting department to conduct stress testing on its liquidity.

Which one of the following should not be considered?

An organisation has a policy where management can sign purchases off up to a value of £500.  To do this they need to ensure that the invoice arrives with a purchase order number, they need to sign the invoice and hand it to the accounting department two weeks before the payment is due. The accounting department will issue purchase orders verbally via the telephone, which sometimes leads to issues as the purchase orders on the invoice don’t always match the number the accounting department is expecting.

What, if any, is a control weakness in this system?

Which one of the following is not a security method for managing third party vendor security risks:

An organisation has a policy of reporting only risks with a score of 9 or above to the Non-Executive Directors.

Which of the following would need to be reported?

Select all that apply

Which one of the following would not result in reputational risk?

A temporary recruitment company has developed an automated system to record the workers time sheets. Workers are employed within the haulage sector where 10 hour days, 5 days a week are the norm and most contracts allow the agency to pay an overtime rate for any hours in excess of 10 hours per day. The system has the following criteria:

1. No more than 10 normal hours per day
2. No more than 5 overtime hours per day
3. Total Normal hours between 0 and 48
4. Total Overtime hours not in excess of 36

Which of the following statements are true?

Many online services require the employee to select the security question ‘Mother’s maiden name’, where is the weak link in this security question?

An organisation responsible for the design and installation of a new software system, which must be complete within the next eight weeks for the company is facing a overrun resulting in a penalty of £15,000 for each week the project is late, current projections are the project is between 8 and 12 weeks delayed.  On further analysis, there is a probability of achieving the project by week 8 of 40% and by week 12 of 60%.

The organisation could bring in a number of freelance programmers to help catch up, the cost of this would be £25,000 per week and the project manager believes they would need the freelance programmers for 4 to six weeks.  On further analysis there is a 60% probability of being caught up in four weeks and a 40% chance of it taking six weeks.

Which of the following statements is true?

Which one of the following would have the greatest reputational impact for an auditing firm?

Which one of the following does not require the legal business name of a company to be displayed?

To implement an ISO 27001 compliant system, which of the following steps must be taken?

Select all that apply

Which non-executive committee is often tasked with providing risk oversight?

A high street retailer known for low prices and quality that was reflective of the price was found to be mistreating its staff in its warehouses.

What impact will this have on the organisation’s strategy?

An organisation is constantly calculating an adverse variance on raw material.  Production volumes and efficiency have remained consistent and the price has actually fallen over the past six months.

There is a growing belief that a number of staff are stealing the raw material from the company. Which of the following detective controls would allow the company to identify if this is the case?

Which one of the following is not part of a Cyber Security Incident Response Plan?

Under IFRS 7 – Financial Instruments: Disclosure, which of the following must management disclosure to shareholders?

Select all that apply.

What is the role of the CEO when it comes to risk?

What type of audit being being described below:

This procedure is more detailed than a normal audit, since some issues involving smaller amounts of money and other assets that they might fall below the standard materiality thresholds

Which one of the following would identify if an employee has accessed a database which has recently been involved in a security breach?

An charitable organisation is putting together a bid for a project.  The amount the charity is asking for will exactly cover the costs of the project.  As part of the project the charity is at risk of incurring a significant additional expense, which the charity would find difficult to cover.  The charity is relatively small and as such is quite risk averse.

Which of the following should the charity do?

For a listed company the UK Corporate Governance Code suggests what fraction of the board should be independent non-executive directors?

A Social and Environmental Audit would consider which of the following:

Select all that apply

If an organisation is affected by a malware attack, sort the following steps of response from once the attack is known:

If an organisation was to compile a COSO ERM report, which of the following must the organisation cover?

Select all that apply

Which of the following senior managers have powers of day-to-day management of the company that are exercisable without reference to the board?

Select all that apply

The three primary purposes of analytical review are:

Select three

If an organisation wanted to develop an app which followed industry guidelines on software security, which body could they turn to for guidance?

Consider the Assurance Map below

Which department has the lowest level of assurance?

Which one of the following statements is true regarding the Nomination Committee?

What type of risk is being defined below:

is the probability that an auditor will fail to find material misstatements that exist in an organisation’s financial statements

A Trust Gap exists between the Board and C-Suite on matters of cyber security, which one of the following should be adopted to overcome this issue?

Consider the Risk Register below:

Click to Open Risk Register in New Window

Which Risk is yet to be agreed?

The shareholders of an organisation want the share price to increase over the next five years, which of the following compensation packages for the CEO offers the lowest risk to this strategy?

Which of the following are elements of effective internal audits according to the COSO framework?

Select all that apply

When writing a cyber risk report, rearrange the following into a suitable structure:

Rearrange the following to reflect the correct format of a Risk Report

A national manufacturer is looking to strength its non-executive directors.  The CEO has asked the nominations committee to consider a recently retired partner from the accounting firm the organisations currently uses for consultancy.

If this partner was to be appointed, where might a conflict exist?

Rank the following three internal audit findings from highest to lowest risk.

An organisation has three subsidiaries, the internal auditors of each subsidiary also complete auditors at the other subsidiaries.  Two of the internal auditors have a romantic relationship.

What is the ethical threat in the above scenario?

Which one of the following is an indicator that there is an issue with ineffective risk oversight?

A small independent online retailer has taken the action to make the website unavailable, why might the retailer do this?

Select all that apply

Which of the following will influence the mitigation technique an organisation will adopt?

Which one of the following is not the responsibility of the Risk Manager?

Which one of the following is not a characteristic of a digital organisation?

A UK organisation has just completed an update to its five year strategy, when a USA based supplier announced it plans to open operations in the UK.

Which underlying Strategic assumptions changed significantly?

Which model provides a framework covering operations, reporting and compliance?

According to the UK Government’s guidance ‘Reducing the Cyber Risk in 10 Critical Areas’, which one of the following is not one of the ten?