Acronyms and Glossary Flashcards

Question

CMM

Answer 1

Capability Maturity Model ## Footnote The Capability Maturity Model for Software (CMM) is a framework that describes the key elements of an effective software process. The CMM describes an evolutionary improvement path from an ad hoc, immature process to a mature, disciplined process. The CMM covers practices for planning, engineering, and managing software development and maintenance. When followed, these key practices improve the ability of organizations to meet goals for cost, schedule, functionality, and product quality. The CMM establishes a yardstick against which it is possible to judge, in a repeatable way, the maturity of an organization's software process and compare it to the state of the practice of the industry. The CMM can also be used by an organization to plan improvements to its software process..

Answer 2

Control Objectives for Information and related Technology ## Footnote COBIT is one of the relevant models for risk the CITP can use, along with COSO's ERM model and the P-D-C model. The COBIT framework was created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. The COBIT framework is IT process-focused, and is known for its practical application in performing evaluations of IT internal controls. The system model looks at controls from a data processing, or information systems, view.

Answer 3

The schema or view of informaiton requirements before it is converted into an actual database. It is a composite view of all user views / schemas. Also referred to as a logical view. A composit of all external views or schemas is developed to represent the entity's view or schema, or the composite users' view, whch is known as the conceptual schema. The conceptual schema exists only on paper or in digital document but describes the formats of the databases with specificity of the data to be captured, stored, and processed at the enterprise level. The conceptual schema is also referred to as the logical schema. See also ***user schema*** and ***physical schema***.

Answer 4

Continuous monitoring is the system of processes and technology that is used to ensure compliance and avoid risk issues associated with an entity's financial and operating systems. CM involves people, processes, and technology that work together to detect weak or poorly designed controls, allowing managmeent to correct or replace them.

Answer 5

A control deficiency is a breakdown in an internal control where the design or operation of the control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct material misstatements in a timely basis.

Answer 6

One outcome of an effectual IT risk assessment is the identification of IT risks where no controls exists - that is, a control gap. If any IT risk has no mitigating control, this gap is an exposure, by defintiion, that the entity has, whether management is aware of it or not. Control gaps represent serious risk and significant flaws in the control environment. The CITP would want to identify any control gap, and make a recommendation to mitigate that gap/exposure, or use that information in evaluatng audit evidence.

Answer 7

Control Risk ## Footnote ***Control risk*** refers to the ability of internal controls to prevent or detect a material misstatement in a timely manner. Control risk indicates the likelihood that a material misstatement exists insome area of the transactions, events, disclosures, or account balances that will not be prevented or detected by the entity's system of internal controls in a timely manner. In order to assess CR, the CITP will need to consider the nature of controls (automated vs. manual, key vs. non-key) and use some framework as the adequacy and mitigation of cotrols (for example, the P-D-C model). ***Control risk (CR)*** is the risk that a material misstatement could occur in an assertion and will not be prevented or detected by the entity's internal control on a timely basis. Control risk is a function of the effectiveness of the design and operation of the entity's internal controls. The auditor must consider the risk of misstatement individually and in aggregate with other misstatements. **Control risk** is one of the two components of the risk of material misstatement at the assertion level (the other is inherent risk).

Answer 8

Corrective controls provide a means to correct issues/errors after an adverse event occurs. The corrective controls corrects the event and reestablishes equilibrium by correcting data, correcting workflows, or correcting what went wrong with the process. Corrective controls are the "C" in the P-D-C model.

Answer 9

A set of fraud schemes that involves someone inside the victim organization working for someone outside the entity to defraud the entity. Types of corruption schemes include bribery, kickbacks, conflict of interests, bid rigging, economic extortion, and illegal gratuities.

Answer 10

Committee of Sponsoring Organizations of the Treadway Commission The COSO framework is a compreheinsive view of management's perspective of controls. The Committee of Sponsoring Organizations of the Treadway Commission is a joint initiative of five private sector organizations, established in the United States, dedicated to providing thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model against which companies and organizations may assess their control systems. COSO is supported by five supporting organizations, including the Institute of Management Accountants, the American Accounting Association, the American Institute of Certified Public Accountants, the Institute of Internal Auditors, and Financial Executives International.

Answer 11

Commercial Off-the-Shelf Software Commercial-off-the-shelf (COTS) software and services are built and delivered usually from a third party vendor. COTS can be purchased, leased or even licensed to the general public. COTS is software that is published and made commercially available to the general public. COTS provides some of the following strengths: * Applications are provided at a reduced cost. * The application is more reliable when compared to custom built software because its reliability is proven through the use by other organizations. * COTS is more maintainable because the systems documentation is provided with the application. * The application is higher quality because competition improves the product quality. * COTS is of higher complexity because specialists within the industry have developed the software. * The marketplace, not industry, drives the development of the application. * The delivery schedule is reduced because the basic schedule is operations.

Answer 12

A CSF is a comprehensive structure and process that measures and analyzes enterprise performance, operational and financial, to achieve strategic advantages.

Answer 13

A visual presentation of information that allows for quick assimiliation of the facts and understanding of the significance or importance of the information.

Answer 14

For IT risk assessments, **data** is defined as the collection of numbers, characters, images and other outputs from devices or processes that collect data and information. Data is a collection of raw, unorganized, alphabetic, numberic, or symbolic representatins of objects. **Data** - raw facts such as numbres, letters, or special characters. Apart from outside manipulation, data is virtually meaningless.

Answer 15

Data analysis is the process of inspecting data with some goal or benchmark in mind. For example, when auditing for fraud, the goal or benchmark is to determine whether or not there is evidence of fraudulent transactions.

Answer 16

A cogent subset of data warehouse database that is useful to one or more users of the entity, or its customers or vendors for reporting or analyzing information.

Answer 17

Data processing using large data sets and sophisitcated data search capabilities and statistical tools to discover patterns or correlations, or to make predictions based on historical data. Data mining is examining data by extracting patterns, modeling and knowledge discovery, and/or matching transactions against specific criteria.

Answer 18

A data repository of historical and possibly current data that has been cleansesd, transformed, and loaded into the repository in a standardized format for business intelligence gathering, data mining, analytics, or sother similar purposes.

Answer 19

A closely related collection of data files where the data is shared among users.

Answer 20

Database Administrator ## Footnote Database administrators (DBAs) use specialized software to store and organize data. The role may include capacity planning, installation, configuration, database design, migration, performance monitoring, security, troubleshooting, as well as backup and data recovery.

Answer 21

Database Management System ## Footnote A DBMS is a system of software for creating, updating, and quering a database.

Answer 22

A DSS is a system of applications, data, and usually dashboard that supports managers, often modeling data or problems to facilitate effective decisions.

Answer 23

Detection Risk ***Detection Risk*** is the risk that the audit procedures will fail to detect a material misstatement and basically reflects the level of substantive procedures and further audit procedures necessary to sufficiently minimize Audit Risk (AR) to an accepbable level based on the other three risks. ***Detection Risk*** (DR) is the risk that the auditor will not detect a material misstatement in the financial statements of the entity being audited. Hey . . . . wait a minute . . . what other three risks???

Answer 24

A **detective contro**l is an internal control designed to detect an adverse event should it occur. If an error in data did occur, a detective control is capable of identifying it. One example would be to use a CAAT to identify gaps or duplicates in check numbers for disbursements. Detective Controls are the "D" in the P-D-C model.

Answer 25

Disaster Recovery

Answer 26

Discovery in civil litigation which deals with the exchange of informration in electronic format, often referred to as electronically stored information (ESI)

Answer 27

Electronic Data Interchange

Answer 28

Electronic business applications or processes that facilitate commercial transactions. E-Commerce can involve electronic funds transfer, supply chain management, e-marketing, online marketing, online transaction processing, electronic data interchange (EDI), automated inventory management systems, and automated data collection systems.

Answer 29

Changes or advances in technologies such as information technology, nanoechnology, biotechnology, cognitive science, robotics,and artificial inteiligence.

Answer 30

ERP integrates internal and external systems across the entire organizatin, integrating financial, accounting, manufacturing, sales, service, sustomer relationship management and supply chain management systems.

Answer 31

An ER is a data model that focuses on the relationship between two data files and how the records of one file relate to the other. The result of documenting the relationship is called an ER diagram. Data structures should be documented and accurately potrayed with one or more of the conceptual data modeling tools available. The ER model depicts the relationship between files and records in the various data files n a top-down fashion.

Answer 32

**Enterprise risk management (ERM)** is the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall. ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes–Oxley Act, and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed.

Answer 33

Electronically Stored Information

Answer 34

End User Computing ## Footnote End-user computing (EUC) refers to systems in which non-programmers can create working applications. EUC is a group of approaches to computing that aim to better integrate end users into the computing environment. These approaches attempt to realize the potential for high-end computing to perform problem-solving in a trustworthy manner. End-user computing can range in complexity from users simply clicking a series of buttons, to writing scripts in a controlled scripting language, to being able to modify and execute code directly. For CITPs, end-user computing (EUC) is a function developed using commn desktop tools,like spreadsheets, that are used in financial processes for purposes of determining amounts used for accounting and financial reporting purposes.

Answer 35

ETL is a database processespecially applied to data warehouses that involves: * Extracting data from outside sources * Transforming data to fit organizatonal needs, and * Loading the data into the target database or data warehouse.

Answer 36

See Attribute. Also referred to as a column in relatinal databases. Attribute: A characteristic of something in a data file. For example, the part number of an inventory item is an attribute of the item. Also referred to as a field or column in relational databases

Answer 37

A closely set of records, a full set of all instances of the thing being tracked in the database. Also called a table in relational databases.

Answer 38

Financial statement level risks are risks that may affect many different accounts and several assertions. Financial statement level risks typically require an overall response, such as providing more supervision to the engagement team or incorporating additonal elements of unpredictability in the selection of audit procedures.

Answer 39

An intentional act that results in a material misstatement in financial statements that are the subject of an audit.

Answer 40

The process involved with conducting an investigation into possible fraud from the law enforcement and legal perspective. Fraud investigations include gathering accounting evidence, digital evidence, interviews, and other information that helps build a case to prove or disprove a fraud.

Answer 41

**Fraud risk factors** are identifiers, indicators, situations, behaviors, and other evidence that a fraud has occurred, is occurring, or will occur. They are specifically related to a set of factors identified in AU section 316. See also red flags. Antifraud professionals often refer to FRF as "red flags" of fraud; that is, something that increases suspicion or skepticism that a fraud exists. OK, can we list the set of factors identified in AU section 316?

Answer 42

The ACFE categorized occumpational abuse and fraud schemes into a taxonomy that contains more than 50 individual schemes. The nature of the taxonomy resembles a tree with branches. The trunk has three main branches: asset missappropriation; frauduent financial reporting, and corruption.

Answer 43

Donald Cressey conducted research involving interviewing embezzlers who were incarcerated. From those interviews, Cressey identified three things that were present in all of the frauds: pressure, opportunity, and rationalizaton. These three factors have become known as the Cressey triangle or the fraud triangle.

Answer 44

The deliberate misrepresentation of the financial condition of an enterprise accomplished through the intentional misstatement or omission of amounts or disclosures in the financial statements in order to deceive financial statement users.

Answer 45

Further Audit Procedures In Generally Accepted Auditng Standards (GAAS), under Standards of Field Work, FAP are mentioned as follows: * The auditor must adequately plan the work and must properly supervise any assistants. * The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent **of further audit procedures**. * The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit. SAS 110 defines further audit procedures (FAP) that include tests of the operating effectiveness of controls; whether relevant or necessary; and substantive procedures whos nature, timing, and extent are responsive to the assessed risks of material misstatement at the relevant assertion level.

Answer 46

Gramm-Leach-Bliley Act of 1999 ## Footnote This key federal law about PII applies to financial institutions such as commercial banks, investment balns, securities firms, and insurance companies.

Answer 47

Health Information Portability and Acountability Act (HIPAA) of 1996 ## Footnote Requires health entities tro provide reasonabile privacy and security for PII for health data.

Answer 48

For IT risk assessments, inforation is defined as data organized into usefulness, especially for decision making purposes. Information is data that has been validated as accurate and timely, is presented within a context that gives it meaning and purpose, is specific and organized for a purpose, and can lead to an increase in understanding and a decrease in uncertaintainty. The value of information is directly related to its ability to affect positively behaviors, decisions, or outcomes.

Answer 49

The foundation of effective information management is a thorough understanding of the **information lifecycle managment** (ILM). The steps in ILM are identify, capture, organize/manage, access/share utilize, archive, and destroy. **Information Lifecycle Management** (ILM) is the structure and processes associated with managing informationfrom creation or capture through disposition or destructrion.

Answer 50

Inherent Risk ## Footnote ***Inherent risk*** refers to the risk before controls are considered that could lead to a material misstatement in the financial reports. Inherent risk means evaluating the risk inherent in something without regard of possible mitigating activities and controls. Assessing IR involves identifying risks that are in some way inherent to the client and/or specific audit being conducted, even if the entity cannot affect it. The things that should be evaluated include the entity's environment and the entity's IT infrastructure (financial data, data processing, and financial reporting processes). ***Inherent risk (IR)*** is the susceptibiltiy of an assertion to a material misstatement, assuming that there are no related controls. Inherent risk is greater for some assertions and related account balances, classes of transactions, and disclosures than for others. Inherent risk is one of the two components of the risk of material misstatement at the assertion level (the other is control risk).

Answer 51

The Committee of Sponsoring Organizatoins of the Treadway Commission (COSO) outlines internal control in their Internal Control - Integrated Framework, as consisting of five related components that must be present for an entity to achieve effective internal controls. These five components are: * The control environment, * Risk assessment, * Control activities, * Informationa and Communication, * Monitoring

Answer 52

**Internal control**, as defined in accounting and auditing, is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization. **Internal Control** is a process, affected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding achievement of objectives in the following categories: * Effectiveness and efficiency of oeprations * Reliability of financial reproting * Compliance with applicable laws and regulations Key concepts of internal control: * Internal control is a process. It is a means to an end, not an end in itself. * Internal control is affected by people. It's not merely policy manuals and forms, but people at every level of an organization. * Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board. * Internal control is geared to the achievement of objectives in oneror ore separate but overlapping categories.

Answer 53

Information Systems Audit and Control Association ## Footnote ISACA is an international professional association focused on IT Governance. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.

Answer 54

Information Technology or Informatoin ***and*** Technology

Answer 55

An IT auditor is a professional possessing the necessary knowledge and skills to understand and audit an entity's IT environment, systems, or applications, in support of a financial statement audit, internal audit, or other form of attesttion engagement. The IT auditor often has deep domain-specific knowledge or specialized skills (for example, in use of computerized tools) that make him or her particularly competetent to understand the IT environment (and its associated risks) or perform IT-specific audit procedures.

Answer 56

IT Control Risk is a type of Control Risk where the source of risk is related to the use of IT in the processing of transactions or security of underlying data.

Answer 57

IT controls are addressed in two broad categories: application controls and IT general controls (ITGC). ***IT general controls (ITGC)*** are controls that apply to all systems components, processes, and data for a given organization or information technology (IT) environment. The objectives of ITGCs are to ensure the proper development and implementation of applications, as well as the integrity of programs, data files, and computer operations. ITGC are associated with all aspects of the IT environment; that is, where the controls are created, implemented, managed, and changed at all levels of the organization. The effectiveness of application controls is directly dependent on the sufficently and effectivenness of ITGCs. IT general controls (ITGC) are internal controls, generally implemented and administred by an organization's IT department. The objectives of ITGC are to: * Ensure the proper operation of the applications and availability of systems; * Protect both data and programs from unauthorized changes; * Protect both data and programs from unauthorized access and disclosure; * Provide assurance that applications are developed and subsequently maintained, such that they provide the functionality required to process transactions and provide automated controls; and * Ensure an organization's ability to recover from system and operational failures related to IT.

Answer 58

IT governance is a formal, structured process that serves as a control for the IT organization, especially for major IT projects. IT governance is a mirror of corporate governance but instead of financial reporting, the object is IT. This the BoD should have an expert in IT, who is independent. This is a subset discipline of corporate governance, focused on information and technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders. It has evolved from The Principles of Scientific Management, Total Quality Management and ISO 9001 Quality management system. Historically, board-level executives deferred key IT decisions to the company's IT management and business leaders. Short-term goals of those responsible for managing IT can be in conflict with the best interests of other stakeholders unless proper oversight is established. IT governance systematically involves everyone: board members, executive management, staff, customers, communities, investors and regulators.

Answer 59

Information Technology Steering Committee ## Footnote Part of the "Control" function of management's functions of plan, organize, direct and control. The ITSC is a surrogate for Board of Directors involvement and should reresent all major IT user groups; all major business units; and IT itself. The chair should be independent of the IT function.

Answer 60

A key control is one that prevents or detects a material misstatement. Key controls include aspects of both materiality and likelihood. Key controls have one or more of the following characteristics: * Is a control or a combination of controls that covers all of the risks, objectives, and assertions in a financial process related to the RMM. * Is at the pinnacle of a hierarchy of controls over the same process, risk or assertion. * Is designed to mitigate the RMM arising from a process, and if it failed, the entity would fail to prevent or detect the material misstatement. * Covers a risk that no other control also covers is by default a key control. The difinition of a key control is not given by the PCAOB or the AICPA, instead, the term has arisen through practical applications of risk based auditing.

Answer 61

A field that uniquely identifies records within the file. The key for a particular file is called a ***primary key***. The presences of a primary key in another file is referred to as a ***foreign key***.

Answer 62

A KPI is a type of performance measurement where the object and target metric has been developed strategically. KPIs define and measure progress toward organizational goals.

Answer 63

Logical access controls are policies, procedures, and automated controls that exist for the purpose of restricting access to informatoin assets to only authorized users.

Answer 64

A **material weakness** is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detectd and corrected in a timely basis. A **material weakness** is a deficiency, or combination of significant deficiencies that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.

Answer 65

Materiality is "the magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probably that the judgement of a reasonable person relying on the information would have been changed by the omission or misstatement." Materiality is influenced by the needs of financial statement users who rely on the financial statements to make judgments about the client's financial positon and results of operations and the auditor must consider audit risk and must determine a materiality level for the financial statements.

Answer 66

Massachusetts Data Privacy Act ## Footnote A key state law regarding PII which establishes minimim standards for safegurding PII of any resident of the state by organizations or individuals who own, license, store or maintain PII.

Answer 67

Computer technology that mimics the human brain - processing information, solving problems, and making predictions.

Answer 68

A non-key control is a control that does not meet the defiinition of a key control. This is a "reverse" definition. After you evaulte a control and determine that it is not a key control, it is by default a non-key control. For example, a control designed to prevent or detect only immaterial errors would be a non-key control.

Answer 69

too long to type right now . . . Glossary, page 8 . . . type this in later

Answer 70

The statistical process of converting all of the values for an attribute to a number between 0 and 1; or to give a percentage or ratio of a particular value to the range of possible values for the attribute. Note: Statistically normalized data is different from the data structure process known as normalization. OK . .. . WHAT IS NORMALIZATION?

Answer 71

Operating System

Answer 72

OLAP is an approach to analyzing and querying multidimensional data, and is part of the business intelligence discipline.

Answer 73

OLTP is a system that initiates, records, and processes transactions such as accounting and finance. OLTP records daily transactions for the organization to capture and report financial results.

Answer 74

Operating effectiveness is concerned with determining if "controls operate with sufficient effectiveness to achieve the related control objectives during a specificied period. This is a function of how control is applied, the consistency with whichit is applied, and by whom it is applied.

Answer 75

Prevent, Detect, Control Called the P-D-C- Model ## Footnote One framework for evaluting risks associated with controls is the P-D-C mondel; prevent, detect, correct. The P-D-C framework looks at controls from the perspective of an undesirable event, in chronological order. The P-D-C model is used in systems development, information security and security audits, anti-fraud profession, and accounting controls. Usually, the ideal internal control system includes some of each. It is not possible to detect all errors, so some provision needs to be made to detect them and correct them. Likewise, it is sometimes not cost-effective to implement adequate prevent controls, and thus detective and corrective controls become even more important.

Answer 76

Payment Card Industry

Answer 77

The schema or view of information requirements that is an actual database. Also referred to as an internal view. See also *conceptual schema* and *user schema*. The conceptual schema is implemented via a database management system (DBMS) onto a physical computer, and is knowna s the physical schema. That is, a database adminsitrator (DBA) or a smilar technicialn formats databases, files, and fields to define all of the data to be captured in that particulr system properly. This level of schema is also known as the internal view or schema.

Answer 78

Personally Identifiable Information ## Footnote PII is information that would potentially allow someone access to financial assets or personal medical information.

Answer 79

Perception of Detection ## Footnote PoD is the environment that leads potential fraudsters to percieve / believe that if they commit a fraud, they will get caught, and they will go to jail. The potential results theoretically cause some potential fraudsters to forego frauds out of fear. Increasing PoD is the primary factor in prevention and deterrence of fraud.

Answer 80

Policies and Procedures ## Footnote Entities should have policies and procedures that use subject matter experts in integrating effective controls into the relevant business process. That expertise could be an independent internal auditor or accountant, a consultant, a change committee function, an IT governance funcation, or an IT steering committee.

Answer 81

Preventive controls are designed to prevent the adverse event from occurring in the first place. For instance, preventive controls can be implemented to prevent certain data keypunch errors, fraud, or bugs in software development. This is the "P" in the P-D-C model.

Answer 82

Having a questioning mind and critically assessing audit evidence, from SAS 99 - Consideration of Fraud in a Financial Statement Audit (AU sec. 316).

Answer 83

Professional skepticsm involves an attitude that includes a questioning mind along with a critical assessmentof audit evidence. Professional skepticism understands that a material misstatement due to fraud could occur in the current audit, despite past experience. That auditor should not be satisfied with audit eveidence that is less than suitable and the corroborating evidence is only an explanation from mangement; that is, the auditor should seek independent verification.

Answer 84

Ape of acces to data. . . google this, add more

Answer 85

A real-time data warehouse caputres and provides data in more or less real time.

Answer 86

A closely related set of fields (attributes, columns) that constitute an instance of the thing being tracked by the data file. Also caled a tuple, or a row of values in a relational database.

Answer 87

Signs that a fraud has occurred, is occurring, or will occur. They are similar to fingerprints in a traditional police investigation. The term can apply to fraud risk factors.

Answer 88

A database whose records are organized into tables with columns and rows making it easy for users to understand and work with this data framework. Tables are normalized and relate to each other through related attribute / column values.

Answer 89

Relational Model ## Footnote Data structures should be documented and accurately potrayed with one or more of the conceptual data modeling tools available. The Relational model illustrates the data files as tables with arrows from primary keys to foreign keys to illustrate the relationship between data fles.

Answer 90

Relevant Assertins - SAS No. 106, Audit Evidence (AU sec. 326) defines relevant assertions as those assertions have a meaningful bearing on whether the account is stated fairly. See "Assertions" for a listing of assertions auditors normally test.

Answer 91

Risk Assessment Procedures are audit procedures performed to obtain an understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement at the financial statement and relevant assertion levels. Risk Assessment Procedures include: * Inquiries of management and others within the entity * Analytical procedures * Observation and inspection

Answer 92

The risk of material misstatement (RMM) is defined as the risk tht an account balance, class of transactions or disclosures, and relevant assertions are materially misstated. Misstatements can result from errors or fraud. The RMM consists of two components which are Inherent Risk and Cntrol Risk. Although auditors describe RMM as the combined assessment of inherent risk and control risk, auditors may make separate assessments of inherent risk and control risk. Inherent Risk x Control Risk = RMM The risk-based standards define the combination of Inherent Risk (IR) and Control Risk (CR) as the ***Risk of Material Misstatment*** (RMM). RMM is the result of performing a proper risk assessment related to IR and CR. Mathematically, it is the product of IR and CR. From a pragmatic standpoint, it is the risk that some event, process, or activity will lead to a material misstatement in the financial statements and not be prevented or detected timely. RMM assessments include not only account balances, classs of transactions, disclosures, and management assertions, but also risks that arise strictly from the IT side of the entity. There is some inherent risk associated with all processes, transactions, and events; however, controls may exist to mitigate that IR to some degree. Once that degree of mitigation is determined, the CITP reduces the original IR level assigned in the risk assesment by some amount to reach "residual" risk. The residual risk then becomes a primary factor in audit planning and developing FAPs.

Answer 93

RBA is the methodology which provides assurance that significant risks associated with audit objectives have been identified, and that audit procedures address them to adequately gain assurance about th objectives of the audit, and the mitigation of those risks or nature of residual risk that exists. Risk-based auditing is a style of auditing which focuses upon the analysis and management of risk. In the UK, the 1999 Turnbull Report on corporate governance required directors to provide a statement to shareholders of the significant risks to the business. This then encouraged the audit activity of studying these risks rather than just checking compliance with existing controls. A traditional audit would focus upon the transactions which would make up financial statements such as the balance sheet. A risk-based approach will seek to identify risks with the greatest potential impact. Strategic risk analysis will then include political and social risks such as the potential effect of legislation and demographic change. The RBA is top down, involves brainstorming/collaborating, and starts each audit with no predispositions about where fraud risks lie, but rather a consientious risk assessment. The RBA gathers information, identifies inherent risks; assess controls for control risk; and uses that information to evaluate the "residual risk" (that is, how much risk is left after taking the controls and compensating contris into account). Residual Risk is also known as RMM and AR in a fnancial audit.

Answer 94

Return on Investment

Answer 95

Report to the Nation on Occupational Fraud and Abuse ## Footnote This is a survey of reported frauds from which the ACFE drew statistics to assist those whose role include some aspect of antifraud. One of the statistics is the averae amount of loss er category of farud. The average loss of corruption ($250,000 over about 18 months, or about $160,000 per fiscal year) and asset misappropriation ($135,000 over about 18 months, or about $90,000 per fiscal year) are likely to be immatreial, for the majority of frauds in those categories. However, the $4 million average for fraudulent statements is much more likely to be material.

Answer 96

Read Write ## Footnote A type of access to data

Answer 97

Systems Development Life Cycle

Answer 98

Segregation of Duties . . . check your cards, you have a good card in Ch 1 that describes this

Answer 99

A **significant deficiency** is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A **significant deficiency** is a control deficinecy, or combination of control deficiencies, that adversely affects the entity's ability to initiate, autohrize, record, process, or report financial data reliability in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected.

Answer 100

So called because an ER diagram looks like a snowflake. Snowflake is the data structure for data warehouse databases that use normalized data, usually to 3NF. Bill Immon is credited with creating the snowflake design.

Answer 101

Star is the data structure for data warehouse databases that use dimensional data to amplify factual data (quantifiable values). Ralph Kimball is credited with creating the star design.

Answer 102

A **subject matter expert** is a person who has the knowledge, skills and abilities to prefessionally address issues related to the topic.

Answer 103

add definition from glossary

Answer 104

Transactional Processing Systems

Answer 105

Unified Modeling Language ## Footnote Data structures should be documented and accurtely portrayed with one or more of the conceptual data modeling tools available. The most recent data model is UML, which is particularly associated with object-oriented programming (OO); that is, newer programming languages such as C sharp and Java.

Answer 106

The schema or review of informatin requirements related to a specific user or group of users, before it is converted into a logical view or database. Also referred to as an external view. See also *conceptual schema* and *physical schema*.

Answer 107

The System Solution Management (SSM) function is similar in concept to the systems development life cycle (SDLC). The purpose of SSM is to ensure quality in systems development and deployement. That is, to make sure applications have the appropriate controls, and that errors and other risks have been minimized. The purpose of SSM is to make sure the system aligns with the business model, strategic plans, and goals of the enterprise.

Acronyms and Glossary Flashcards

To provide a dictionary of technical terms used in the accounting profession for the CIA, CCSA and CCSA exams