Acronyms and Glossary Flashcards
To provide a dictionary of technical terms used in the accounting profession for the CIA, CCSA and CCSA exams
Is this a blank card?
I don’t know, let’s try again. Something’s wrong with Card 1 in this app
ACFE
Association of Certified Fraud Examiners
ACFE is important because AU section 316, the fraud standard, uses the Fraud Tree as described by ACFE. Established in 1988, the Association of Certified Fraud Examiners is the professional organization that governs professional fraud examiners. Its activities include producing fraud information, tools and training. It governs the professional designation of Certified Fraud Examiner. The ACFE is the world’s largest anti-fraud organization and a provider of anti-fraud training and education, with more than 75,000 members.
AIS
Accounting Information Systems
Application Controls
Give the two definitions - 1) not a CITP and 2) CITP specific.
IT controls are addressed in two broad categories: application controls and IT General Controls (ITGC).
Generally speaking, application controls are those embedded in software applications. For the CITP, application controls can be either automated or manual. Application controls are internal controls, whether automated or manual, that operate at the transaction level with the objective of ensuring that:
- Proper authorization is obtained to initiate and enter transactions;
- Applications are protected from unauthorized access;
- Users are only allowed access to those data and functions in an application that they should have access to;
- Errors in the operation of an application will be prevented or detected and corrected in a timely manner;
- Application output is protected from unauthorized access or disclosure;
- Reconciliation activities are implemented when appropriate to ensure that information is complete and accurate; and
- High-risk transactions are appropriately controlled.
Artificial Intelligence (AI)
AI is an area of computer science study that involves automated reasoning and problem solving, emulating human intelligence.
Assertion Level Risks
Assertion level risks are risks that are limited to one or more specific assertions in an account or in several accounts, for example, the valuation of inventory or the occurrence of sales. Assertion level risks are addressed by the nature, timing, and extent of further audit procedures, which may include substantive procedures or a combination of tests of controls and substantive procedures. The risk of material misstatement at the assertion level has two components - Inherent Risk (IR) and Control Risk (CR).
Assertions
Google it, add a definition here. List the assertions auditors normally test
Asset Misappropriation Schemes
The use of one’s occupation for personal gain through the deliberate misuse or theft of the employing organization’s resources or assets.
Attribute
A characteristic of something in a data file. For example, the part number of an inventory item is an attribute of the item. Also referred to as a field or column in relational databases.
Audit Risk (AR)
Audit risk (also referred to as residual risk) refers to the risk that an auditor may issue an unqualified report due to the auditor’s failure to detect a material misstatement, whether due to error or fraud. In the audit risk model, Audit Risk (AR) is a function of three primary risks: Inherent Risk (IR), Control Risk (CR), and Detection Risk (DR), and is calculated as:
AR = IR × CR × DR
Inherent Risk (IR) refers to the risk involved in the nature of business or transaction. For example, transactions involving exchange of cash may have higher IR than transactions involving settlement by checks.
Control Risk (CR) refers to the risk that a misstatement could occur but may not be detected and corrected or prevented by the entity’s internal control mechanism. For example, the control risk assessment may be higher in an entity where separation of duties is not well defined.
Detection Risk (DR) is the probability that the audit procedures may fail to detect existence of a material error or fraud. While CR depends on the strength or weakness of the internal control procedures, DR is either due to sampling error or human factors.
Automated Control
Controls automation involves leveraging technology to build and enforce internal controls with the least manual intervention possible. It can take many forms, ranging from better use of available system configuration options of the kind common in enterprise resource planning (ERP) systems, to using workflow and imaging technologies to automate and drive processes from start to completion.
The IT auditor has a dual focus on automated controls. One focus is the fact that automated controls are a key objective in an IT audit. The second focus is on leveraging effective controls - effective automated controls can be leveraged to reduce substantive testing in the FAP phase of a financial audit.
Balanced Scorecard
A BSC is a holistic performance measuring and managing methodology combining financial, customer, internal processes, and learning/growth objectives into a single report.
BoD
Board of Directors
BOK
Book of Knowledge
BP or BPs
Business Process or Business Processes
Business Processes, for the CITP, focus on automated business processes. IT-related BPs are a key element of risk assessment and are a special case of controls. The best way to evaluate risk in a BP is to gain sufficient understanding of the flows and relationships of key data or transactions through all of the business processes, using some kind of flowchart.
Business Activity Monitoring (BAM)
BAM is software that assists management in monitoring business activities, especially automated processes. It refers to aggregating, analyzing, and presenting business process performance. BAM can also address multiple business processes, including those that span multiple systems or applications. Typically, the results are displayed in dashboard style, where real time results are compared to key performance indicators (KPIs).
Business Architecture
A business architecture is the organization and structure given to the information and IT of the business. The business information architecture should be properly documented, including the documents and diagrams that describe it. An effective design bridges the business model, business units, and business operations into a coherent architecture that facilitates the management and use of relevant information.
Business Intelligence (BI)
BI is a structure and process that combines information architecture, databases, analytical tools, reporting tools, and other applications to gather and communicate business information for strategic and tactical purposes.
Business Performance Management
(BPM)
A BPM is a comprehensive structure and process that measures and analyzes enterprise performance, operational and financial, to achieve strategic advantages.
Business Process Improvement (BPI)
BPI has the goal of optimizing business processes to achieve efficiency and effectiveness, using a structured approach. The approach is generic and can apply equally to commercial, not-for-profit, or government entities. BPI attempts to reduce variation and/or waste in processes, resulting in more efficient use of resources. Successful BPI usually results in radical changes rather than incremental change. The primary goal of BPI is to align business processes to realize organizational goals (to do things right). BPI usually involves automating former manual or semi-manual processes, collapsing multiple processes into a single process, or both.
Business Process Management
(BPrM)
BPrM is a holistic management approach to managing business processes at the enterprise level to promote efficiency and effectiveness, while stressing improvements, innovation, and integration with technology. BPrM is a profession of its own. It focuses on more than efficiency and effectiveness gains in revising business processes; rather, it takes a holistic approach that strives for innovation, more flexibility, and integration with technology. A continuous improvement approach is also key to successful BPrM. BPrM considers processes as potentially strategic tools that can be better managed, improved, and then deliver value-added products and services to the entity’s clients.
B & I
Business and Industry
Generally speaking, accountants can work for public accounting firms (called Public Accounting) or for clients in “business and industry” (called Industry accounting).
The same is true for CITPs. CITPs can work for public accounting firms, or they can work in B&I.
CAATS
Computer-Assisted Audit Tools
Computer-assisted audit techniques (CAATs), or computer-assisted audit tools and techniques (CAATTs), are a growing field within the audit profession. CAATs are the practice of using computers to automate audit processes.
CDLC
Understanding the control development life cycle (CDLC) is beneficial in understanding, evaluating, and managing controls. The cyclical phases are: design, implementation, operational effectiveness, and monitoring.
NEED A BETTER DEFINITION
CMM
Capability Maturity Model
The Capability Maturity Model for Software (CMM) is a framework that describes the key elements of an effective software process. The CMM describes an evolutionary improvement path from an ad hoc, immature process to a mature, disciplined process. The CMM covers practices for planning, engineering, and managing software development and maintenance. When followed, these key practices improve the ability of organizations to meet goals for cost, schedule, functionality, and product quality. The CMM establishes a yardstick against which it is possible to judge, in a repeatable way, the maturity of an organization’s software process and compare it to the state of the practice of the industry. The CMM can also be used by an organization to plan improvements to its software process.
COBIT
Control Objectives for Information and related Technology
COBIT is one of the relevant models for risk the CITP can use, along with COSO’s ERM model and the P-D-C model. The COBIT framework was created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. The COBIT framework is IT process-focused, and is known for its practical application in performing evaluations of IT internal controls. The system model looks at controls from a data processing, or information systems, view.
Conceptual Schema
The schema or view of information requirements before it is converted into an actual database. It is a composite view of all user views / schemas. Also referred to as a logical view.
A composite of all external views or schemas is developed to represent the entity’s view or schema, or the composite users’ view, which is known as the conceptual schema. The conceptual schema exists only on paper or in a digital document, but describes the formats of the databases with specificity of the data to be captured, stored, and processed at the enterprise level. The conceptual schema is also referred to as the logical schema.
See also user schema and physical schema.
Continuous monitoring (CM)
Continuous monitoring is the system of processes and technology that is used to ensure compliance and avoid risk issues associated with an entity’s financial and operating systems. CM involves people, processes, and technology that work together to detect weak or poorly designed controls, allowing management to correct or replace them.
Control Deficiency (CD)
A control deficiency is a breakdown in an internal control where the design or operation of the control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, material misstatements on a timely basis.
Control Gaps
One outcome of an effective IT risk assessment is the identification of IT risks where no control exists - that is, a control gap. If any IT risk has no mitigating control, this gap is, by definition, an exposure that the entity has, whether management is aware of it or not. Control gaps represent serious risk and significant flaws in the control environment. The CITP would want to identify any control gap and make a recommendation to mitigate that gap/exposure, or use that information in evaluating audit evidence.
Control Risk (CR)
Control Risk
Control risk refers to the ability of internal controls to prevent or detect a material misstatement in a timely manner. Control risk indicates the likelihood that a material misstatement exists in some area of the transactions, events, disclosures, or account balances that will not be prevented or detected by the entity’s system of internal controls in a timely manner. In order to assess CR, the CITP will need to consider the nature of controls (automated vs. manual, key vs. non-key) and use some framework to assess the adequacy and mitigation of controls (for example, the P-D-C model).
Control risk (CR) is the risk that a material misstatement could occur in an assertion and will not be prevented or detected by the entity’s internal control on a timely basis. Control risk is a function of the effectiveness of the design and operation of the entity’s internal controls. The auditor must consider the risk of misstatement individually and in aggregate with other misstatements.
Control risk is one of the two components of the risk of material misstatement at the assertion level (the other is inherent risk).
Corrective (Mitigating) Controls
Corrective controls provide a means to correct issues/errors after an adverse event occurs. A corrective control corrects the event and reestablishes equilibrium by correcting data, correcting workflows, or correcting what went wrong with the process.
Corrective controls are the “C” in the P-D-C model.
Corruption Schemes
A set of fraud schemes that involves someone inside the victim organization working for someone outside the entity to defraud the entity. Types of corruption schemes include bribery, kickbacks, conflict of interests, bid rigging, economic extortion, and illegal gratuities.
COSO and the COSO framework
Committee of Sponsoring Organizations of the Treadway Commission
The COSO framework is a comprehensive view of management’s perspective of controls. The Committee of Sponsoring Organizations of the Treadway Commission is a joint initiative of five private sector organizations, established in the United States, dedicated to providing thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model against which companies and organizations may assess their control systems. COSO is supported by five supporting organizations: the Institute of Management Accountants, the American Accounting Association, the American Institute of Certified Public Accountants, the Institute of Internal Auditors, and Financial Executives International.
COTS
Commercial Off-the-Shelf Software
Commercial-off-the-shelf (COTS) software and services are usually built and delivered by a third party vendor. COTS can be purchased, leased or even licensed to the general public. COTS is software that is published and made commercially available to the general public.
COTS provides some of the following strengths:
- Applications are provided at a reduced cost.
- The application is more reliable when compared to custom built software because its reliability is proven through the use by other organizations.
- COTS is more maintainable because the systems documentation is provided with the application.
- The application is higher quality because competition improves the product quality.
- COTS is of higher complexity because specialists within the industry have developed the software.
- The marketplace, not industry, drives the development of the application.
- The delivery schedule is reduced because the basic schedule is operations.
Critical Success Factors (CSF)
A CSF is a comprehensive structure and process that measures and analyzes enterprise performance, operational and financial, to achieve strategic advantages.
Dashboard
A visual presentation of information that allows for quick assimilation of the facts and understanding of the significance or importance of the information.
Data
For IT risk assessments, data is defined as the collection of numbers, characters, images and other outputs from devices or processes that collect data and information. Data is a collection of raw, unorganized, alphabetic, numeric, or symbolic representations of objects.
Data - raw facts such as numbers, letters, or special characters. Apart from outside manipulation, data is virtually meaningless.
Data analysis
Data analysis is the process of inspecting data with some goal or benchmark in mind. For example, when auditing for fraud, the goal or benchmark is to determine whether or not there is evidence of fraudulent transactions.
Data Mart
A cogent subset of data warehouse database that is useful to one or more users of the entity, or its customers or vendors for reporting or analyzing information.
Data Mining
Data processing using large data sets and sophisticated data search capabilities and statistical tools to discover patterns or correlations, or to make predictions based on historical data. Data mining is examining data by extracting patterns, modeling and knowledge discovery, and/or matching transactions against specific criteria.
Data Warehouse
A data repository of historical and possibly current data that has been cleansed, transformed, and loaded into the repository in a standardized format for business intelligence gathering, data mining, analytics, or other similar purposes.
Database
A closely related collection of data files where the data is shared among users.
DBA
Database Administrator
Database administrators (DBAs) use specialized software to store and organize data. The role may include capacity planning, installation, configuration, database design, migration, performance monitoring, security, troubleshooting, as well as backup and data recovery.
DBMS
Database Management System
A DBMS is a system of software for creating, updating, and querying a database.
Decision Support System (DSS)
A DSS is a system of applications, data, and usually a dashboard that supports managers, often modeling data or problems to facilitate effective decisions.
Detection Risk (DR)
Detection Risk
Detection Risk is the risk that the audit procedures will fail to detect a material misstatement, and basically reflects the level of substantive procedures and further audit procedures necessary to sufficiently minimize Audit Risk (AR) to an acceptable level based on the other three risks.
Detection Risk (DR) is the risk that the auditor will not detect a material misstatement in the financial statements of the entity being audited.
Hey . . . . wait a minute . . . what other three risks???
Detective Control
A detective control is an internal control designed to detect an adverse event should it occur. If an error in data did occur, a detective control is capable of identifying it. One example would be to use a CAAT to identify gaps or duplicates in check numbers for disbursements.
Detective Controls are the “D” in the P-D-C model.
Disaster Recovery (also DR)
Disaster Recovery
e-Discovery
Discovery in civil litigation which deals with the exchange of information in electronic format, often referred to as electronically stored information (ESI).
EDI
Electronic Data Interchange
Electronic Commerce
Electronic business applications or processes that facilitate commercial transactions. E-Commerce can involve electronic funds transfer, supply chain management, e-marketing, online marketing, online transaction processing, electronic data interchange (EDI), automated inventory management systems, and automated data collection systems.
Emerging Technologies
Changes or advances in technologies such as information technology, nanotechnology, biotechnology, cognitive science, robotics, and artificial intelligence.