Acronyms and Glossary Flashcards

To provide a dictionary of technical terms used in the accounting profession for the CIA, CCSA and CCSA exams

2
Q

ACFE

A

Association of Certified Fraud Examiners

ACFE is important because AU section 316, the fraud standard, uses the Fraud Tree as described by ACFE. Established in 1988, the Association of Certified Fraud Examiners is the professional organization that governs professional fraud examiners. Its activities include producing fraud information, tools and training. It governs the professional designation of Certified Fraud Examiner. The ACFE is the world’s largest anti-fraud organization and a provider of anti-fraud training and education, with more than 75,000 members.

3
Q

AIS

A

Accounting Information Systems

4
Q

Application Controls

Give the two definitions - 1) not a CITP and 2) CITP specific.

A

IT controls are addressed in two broad categories: application controls and IT General Controls (ITGC).

Generally speaking, application controls are those embedded in software applications. For the CITP, application controls can be either automated or manual. Application controls are internal controls, whether automated or manual, that operate at the transaction level with the objective of ensuring that:

  • Proper authorization is obtained to initiate and enter transactions;
  • Applications are protected from unauthorized access;
  • Users are only allowed access to those data and functions in an application that they should have access to;
  • Errors in the operation of an application will be prevented or detected and corrected in a timely manner;
  • Application output is protected from unauthorized access or disclosure;
  • Reconciliation activities are implemented when appropriate to ensure that information is complete and accurate; and
  • High-risk transactions are appropriately controlled.
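The following is an added illustration, not code from the original deck or from any CITP/AICPA publication: a transaction-level control layer that enforces several of the objectives above (role-based access, input validation to prevent errors, approval of high-risk transactions, and preparer/approver segregation). The role model, the threshold, the ledger structure and the sample users are assumptions made for the example.

```python
# Added example: transaction-level application controls for a disbursement entry.
# Roles, threshold and ledger layout are assumptions, not from any real system.
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Optional

# Assumed role model: which application functions each role may exercise.
ROLE_PERMISSIONS = {
    "ap_clerk": {"enter_disbursement"},
    "ap_manager": {"enter_disbursement", "approve_disbursement"},
    "readonly_auditor": set(),
}
# Assumed policy: disbursements at or above this amount are high risk and need approval.
HIGH_RISK_THRESHOLD = Decimal("10000.00")


@dataclass
class Disbursement:
    check_no: int
    vendor: str
    amount: str                      # raw input as typed; validated before posting
    entered_by: str
    approved_by: Optional[str] = None


@dataclass
class Ledger:
    posted: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)   # evidence trail for reviewers


def _log(ledger: Ledger, outcome: str, txn: Disbursement, reason: str) -> str:
    ledger.audit_log.append((outcome, txn.check_no, txn.entered_by, reason))
    return outcome


def post_disbursement(ledger: Ledger, txn: Disbursement, user_roles: dict) -> str:
    """Apply the controls in order; return 'POSTED' or 'REJECTED:<control>'."""
    # 1. Access control: the user may only exercise functions granted to their role.
    role = user_roles.get(txn.entered_by, "")
    if "enter_disbursement" not in ROLE_PERMISSIONS.get(role, set()):
        return _log(ledger, "REJECTED:access", txn, "user may not enter disbursements")
    # 2. Input validation: prevent errors at entry rather than detect them later.
    try:
        amount = Decimal(txn.amount)
    except InvalidOperation:
        return _log(ledger, "REJECTED:validation", txn, "amount is not numeric")
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        return _log(ledger, "REJECTED:validation", txn, "amount must be positive with two decimals")
    if not txn.vendor.strip():
        return _log(ledger, "REJECTED:validation", txn, "vendor is required")
    # 3. High-risk transactions: require an independent, authorized approver.
    if amount >= HIGH_RISK_THRESHOLD:
        if txn.approved_by is None:
            return _log(ledger, "REJECTED:authorization", txn, "high-risk amount needs approval")
        approver_role = user_roles.get(txn.approved_by, "")
        if "approve_disbursement" not in ROLE_PERMISSIONS.get(approver_role, set()):
            return _log(ledger, "REJECTED:authorization", txn, "approver lacks approval rights")
        if txn.approved_by == txn.entered_by:
            return _log(ledger, "REJECTED:segregation", txn, "preparer may not approve own entry")
    ledger.posted.append((txn.check_no, txn.vendor, amount, txn.entered_by, txn.approved_by))
    return _log(ledger, "POSTED", txn, "all application controls satisfied")


def demo() -> list:
    """Constructed sample transactions exercising each control; returns the outcomes."""
    users = {"alice": "ap_clerk", "bob": "ap_manager", "carol": "readonly_auditor"}
    ledger = Ledger()
    cases = [
        Disbursement(1001, "Acme Supply", "250.00", "alice"),                       # routine, posts
        Disbursement(1002, "Acme Supply", "25000.00", "alice"),                     # high risk, no approver
        Disbursement(1003, "Acme Supply", "25000.00", "alice", approved_by="bob"),  # high risk, approved
        Disbursement(1004, "Acme Supply", "25000.00", "bob", approved_by="bob"),    # self-approval
        Disbursement(1005, "Acme Supply", "12.345", "alice"),                       # bad precision
        Disbursement(1006, "Acme Supply", "99.00", "carol"),                        # no entry rights
    ]
    return [post_disbursement(ledger, c, users) for c in cases]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of the checks matters: access is tested before any data is parsed so that an unauthorized user learns nothing about validation rules, and the audit log records every rejection as well as every posting, which is the evidence an auditor later uses to test that the control operated.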
5
Q

Artificial Intelligence (AI)

A

AI is an area of computer science that involves automated reasoning and problem solving, emulating human intelligence.

6
Q

Assertion Level Risks

A

Assertion level risks are risks that are limited to one or more specific assertions in an account or in several accounts, for example, the valuation of inventory or the occurrence of sales. Assertion level risks are addressed by the nature, timing, and extent of further audit procedures, which may include substantive procedures or a combination of tests of controls and substantive procedures. The risk of material misstatement at the assertion level has two components - Inherent Risk (IR) and Control Risk (CR).

7
Q

Assertions

A

Google it, add a definition here. List the assertions auditors normally test

8
Q

Asset Misappropriation Schemes

A

The use of one’s occupation for personal gain through the deliberate misuse or theft of the employing organization’s resources or assets.

9
Q

Attribute

A

A characteristic of something in a data file. For example, the part number of an inventory item is an attribute of the item. Also referred to as a field or column in relational databases.

10
Q

Audit Risk (AR)

A

Audit risk (also referred to as residual risk) is the risk that the auditor may issue an unqualified report because the auditor failed to detect a material misstatement, whether due to error or fraud. In the audit risk model, Audit Risk (AR) is a function of three primary risks: Inherent Risk (IR), Control Risk (CR), and Detection Risk (DR), and is calculated as:

AR = IR X CR X DR

Inherent Risk (IR) refers to the risk involved in the nature of the business or transaction. For example, transactions involving the exchange of cash may have higher IR than transactions involving settlement by checks.

Control Risk (CR) refers to the risk that a misstatement could occur but may not be prevented, or detected and corrected, by the entity’s internal control. For example, the control risk assessment may be higher in an entity where separation of duties is not well defined.

Detection Risk (DR) is the probability that the audit procedures may fail to detect the existence of a material error or fraud. While CR depends on the strength or weakness of the internal control procedures, DR is due to sampling error or human factors.

11
Q

Automated Control

A

Controls automation involves leveraging technology to build and enforce internal controls with the least manual intervention possible. It can take many forms, ranging from better use of available system configuration options of the kind common in enterprise resource planning (ERP) systems to using workflow and imaging technologies to automate and drive processes from start to completion.

The IT auditor has a dual focus on automated controls. One focus is the fact that automated controls are a key objective in an IT audit. The second focus is on leveraging effective controls - effective automated controls can be leveraged to reduce substantive testing in the FAP phase of a financial audit.

12
Q

Balanced Scorecard

A

A BSC is a holistic performance measuring and managing methodology combining financial, customer, internal process, and learning/growth objectives into a single report.

13
Q

BoD

A

Board of Directors

14
Q

BOK

A

Body of Knowledge

15
Q

BP or BPs

A

Business Process or Business Processes

Business Processes, for the CITP, focus on automated business processes. IT-related BPs are a key element of risk assessment and are a special case of controls. The best way to evaluate risk in a BP is to gain sufficient understanding of the flows and relationships of key data or transactions through all of the business processes, using some kind of flowchart.

16
Q

Business Activity Monitoring (BAM)

A

BAM is software that assists management in monitoring business activities, especially automated processes. It refers to aggregating, analyzing, and presenting business process performance. BAM can also address multiple business processes, including those that span multiple systems or applications. Typically, the results are displayed in dashboard style, where real time results are compared to key performance indicators (KPIs).

17
Q

Business Architecture

A

A business architecture is the organization and structure given to the information and IT of the business. The business information architecture should be properly documented, including the documents and diagrams that describe it. An effective design bridges the business model, business units, and business operations into a coherent architecture that facilitates the management and use of relevant information.

18
Q

Business Intelligence (BI)

A

BI is a structure and process that combines information architecture, databases, analytical tools, reporting tools, and other applications to gather and communicate business information for strategic and tactical purposes.

19
Q

Business Performance Management

(BPM)

A

A BPM is a comprehensive structure and process that measures and analyzes enterprise performance, operational and financial, to achieve strategic advantages.

20
Q

Business Process Improvement (BPI)

A

BPI has the goal of optimizing business processes to achieve efficiency and effectiveness, using a structured approach. The approach is generic and can apply equally to commercial, not-for-profit, or government entities. BPI attempts to reduce variation and/or waste in processes, resulting in more efficient use of resources. Successful BPI usually results in radical change rather than incremental change. The primary goal of BPI is to align business processes to realize organizational goals (to do things right). BPI usually involves automating former manual or semi-manual processes, collapsing multiple processes into a single process, or both.

21
Q

Business Process Management

(BPrM)

A

BPrM is a holistic management approach to managing business processes at the enterprise level to promote efficiency and effectiveness, while stressing improvement, innovation, and integration with technology. BPrM is a profession of its own. It focuses on more than efficiency and effectiveness gains in revising business processes; it takes a holistic approach that strives for innovation, more flexibility, and integration with technology. A continuous improvement approach is also key to successful BPrM. BPrM considers processes as potentially strategic tools that can be better managed and improved, and then deliver value-added products and services to the entity’s clients.

22
Q

Business and Industry

B & I

A

Business and Industry

Generally speaking, accountants can work for public accounting firms (called Public Accounting) or for clients in “business and industry” (called Industry accounting).

The same is true for CITPs. CITPs can work for public accounting firms, or they can work in B&I.

23
Q

CAATS

A

Computer-Assisted Audit Techniques

Computer-assisted audit techniques (CAATs), or computer-assisted audit tools and techniques (CAATTs), are a growing field within the audit profession. CAATs are the practice of using computers to automate audit processes, for example by scanning an entire population of transactions for exceptions rather than sampling it by hand.

24
Q

CDLC

A

Understanding the control development life cycle (CDLC) is beneficial in understanding, evaluating, and managing controls. The cyclical phases are: design, implementation, operational effectiveness, and monitoring.

NEED A BETTER DEFINITION

25
Q

CMM

A

Capability Maturity Model

The Capability Maturity Model for Software (CMM) is a framework that describes the key elements of an effective software process. The CMM describes an evolutionary improvement path from an ad hoc, immature process to a mature, disciplined process. The CMM covers practices for planning, engineering, and managing software development and maintenance. When followed, these key practices improve the ability of organizations to meet goals for cost, schedule, functionality, and product quality. The CMM establishes a yardstick against which it is possible to judge, in a repeatable way, the maturity of an organization’s software process and compare it to the state of the practice of the industry. The CMM can also be used by an organization to plan improvements to its software process.

26
Q

COBIT

A

Control Objectives for Information and related Technology

COBIT is one of the risk models the CITP can use, along with COSO’s ERM model and the P-D-C model. The COBIT framework was created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. The COBIT framework is IT process-focused, and is known for its practical application in performing evaluations of IT internal controls. Its system model looks at controls from a data processing, or information systems, view.

27
Q

Conceptual Schema

A

The schema or view of information requirements before it is converted into an actual database. It is a composite view of all user views / schemas. Also referred to as a logical view.

A composite of all external views or schemas is developed to represent the entity’s view or schema, or the composite users’ view, which is known as the conceptual schema. The conceptual schema exists only on paper or in a digital document but describes the formats of the databases, specifying the data to be captured, stored, and processed at the enterprise level. The conceptual schema is also referred to as the logical schema.

See also user schema and physical schema.

28
Q

Continuous monitoring (CM)

A

Continuous monitoring is the system of processes and technology that is used to ensure compliance and avoid risk issues associated with an entity’s financial and operating systems. CM involves people, processes, and technology that work together to detect weak or poorly designed controls, allowing management to correct or replace them.

29
Q

Control Deficiency (CD)

A

A control deficiency is a breakdown in an internal control where the design or operation of the control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct material misstatements in a timely basis.

30
Q

Control Gaps

A

One outcome of an effective IT risk assessment is the identification of IT risks where no control exists, that is, a control gap. If any IT risk has no mitigating control, this gap is by definition an exposure that the entity has, whether management is aware of it or not. Control gaps represent serious risk and significant flaws in the control environment. The CITP would want to identify any control gap and make a recommendation to mitigate that gap/exposure, or use that information in evaluating audit evidence.

31
Q

Control Risk (CR)

A

Control Risk

Control risk refers to the risk that the entity’s internal controls will fail to prevent, or detect and correct, a material misstatement in a timely manner. Control risk indicates the likelihood that a material misstatement exists in some area of the transactions, events, disclosures, or account balances that will not be prevented or detected by the entity’s system of internal controls in a timely manner. In order to assess CR, the CITP will need to consider the nature of controls (automated vs. manual, key vs. non-key) and use some framework to judge the adequacy and mitigating effect of controls (for example, the P-D-C model).

Control risk (CR) is the risk that a material misstatement could occur in an assertion and will not be prevented or detected by the entity’s internal control on a timely basis. Control risk is a function of the effectiveness of the design and operation of the entity’s internal controls. The auditor must consider the risk of misstatement individually and in aggregate with other misstatements.

Control risk is one of the two components of the risk of material misstatement at the assertion level (the other is inherent risk).

32
Q

Corrective (Mitigating) Controls

A

Corrective controls provide a means to correct issues or errors after an adverse event occurs. A corrective control corrects the event and re-establishes equilibrium by correcting data, correcting workflows, or correcting what went wrong in the process.

Corrective controls are the “C” in the P-D-C model.

33
Q

Corruption Schemes

A

A set of fraud schemes that involves someone inside the victim organization working for someone outside the entity to defraud the entity. Types of corruption schemes include bribery, kickbacks, conflict of interests, bid rigging, economic extortion, and illegal gratuities.

34
Q

COSO and the COSO framework

A

Committee of Sponsoring Organizations of the Treadway Commission

The COSO framework is a comprehensive view of internal control from management’s perspective. The Committee of Sponsoring Organizations of the Treadway Commission is a joint initiative of five private-sector organizations, established in the United States, dedicated to providing thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model against which companies and organizations may assess their control systems. Its five sponsoring organizations are the Institute of Management Accountants, the American Accounting Association, the American Institute of Certified Public Accountants, the Institute of Internal Auditors, and Financial Executives International.

35
Q

COTS

A

Commercial Off-the-Shelf Software

Commercial-off-the-shelf (COTS) software and services are usually built and delivered by a third-party vendor. COTS can be purchased, leased or licensed to the general public. COTS is software that is published and made commercially available to the general public.

COTS provides some of the following strengths:

  • Applications are provided at a reduced cost.
  • The application is often more reliable than custom-built software because its reliability has been proven through use by other organizations.
  • COTS is more maintainable because system documentation is provided with the application.
  • The application is of higher quality because competition improves product quality.
  • COTS can be more sophisticated because specialists within the industry developed the software.
  • The marketplace, not the individual entity, drives the development of the application.
  • The delivery schedule is shorter because the product is already built and in operation elsewhere.

The trade-off is dependency on the vendor: the entity inherits the vendor’s defects and patch cycle, so COTS components need to be inventoried and kept current like any other third-party input.
36
Q

Critical Success Factors (CSF)

A

A CSF is one of the limited number of areas or activities in which satisfactory results are essential for an entity to achieve its mission and strategic objectives. CSFs are typically identified first and then measured through the key performance indicators (KPIs) shown on a balanced scorecard or dashboard.

37
Q

Dashboard

A

A visual presentation of information that allows for quick assimilation of the facts and understanding of the significance or importance of the information.

38
Q

Data

A

For IT risk assessments, data is defined as the collection of numbers, characters, images and other outputs from devices or processes that collect data and information. Data is a collection of raw, unorganized, alphabetic, numeric, or symbolic representations of objects.

Data: raw facts such as numbers, letters, or special characters. Apart from outside manipulation, data is virtually meaningless.

39
Q

Data analysis

A

Data analysis is the process of inspecting data with some goal or benchmark in mind. For example, when auditing for fraud, the goal or benchmark is to determine whether or not there is evidence of fraudulent transactions.

40
Q

Data Mart

A

A cogent subset of data warehouse database that is useful to one or more users of the entity, or its customers or vendors for reporting or analyzing information.

41
Q

Data Mining

A

Data processing using large data sets and sophisticated data search capabilities and statistical tools to discover patterns or correlations, or to make predictions based on historical data. Data mining is examining data by extracting patterns, modeling and knowledge discovery, and/or matching transactions against specific criteria.

42
Q

Data Warehouse

A

A data repository of historical and possibly current data that has been cleansed, transformed, and loaded into the repository in a standardized format for business intelligence gathering, data mining, analytics, or other similar purposes.

43
Q

Database

A

A closely related collection of data files where the data is shared among users.

44
Q

DBA

A

Database Administrator

Database administrators (DBAs) use specialized software to store and organize data. The role may include capacity planning, installation, configuration, database design, migration, performance monitoring, security, troubleshooting, as well as backup and data recovery.

45
Q

DBMS

A

Database Management System

A DBMS is a system of software for creating, updating, and querying a database.

46
Q

Decision Support System (DSS)

A

A DSS is a system of applications, data, and usually a dashboard that supports managers, often modeling data or problems to facilitate effective decisions.

47
Q

Detection Risk (DR)

A

Detection Risk

Detection risk is the risk that the audit procedures will fail to detect a material misstatement. It reflects the level of substantive procedures and further audit procedures needed to reduce Audit Risk (AR) to an acceptable level given the assessed levels of the other two risks in the model, inherent risk and control risk.

Detection Risk (DR) is the risk that the auditor will not detect a material misstatement in the financial statements of the entity being audited.

48
Q

Detective Control

A

A detective control is an internal control designed to detect an adverse event should it occur. If an error in data did occur, a detective control is capable of identifying it. One example would be to use a CAAT to identify gaps or duplicates in check numbers for disbursements.

Detective Controls are the “D” in the P-D-C model.
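The check-number test mentioned above, worked through as an added example (this is illustrative code written for this glossary, not a CAAT from any vendor or from the original deck; it also serves as the concrete instance of a CAAT and of data analysis against a benchmark from the earlier cards). The check register below is constructed sample data, and its column layout is an assumption.

```python
# Added example: a detective-control CAAT that scans a check register for gaps
# and duplicates in the check-number sequence. Register layout is assumed.
import csv
import io

# Constructed sample register (not real data): check_no, date, payee, amount.
# 5003 and 5006..5008 are missing; 5005 appears twice.
SAMPLE_REGISTER = """check_no,date,payee,amount
5001,2024-03-01,Acme Supply,250.00
5002,2024-03-01,Delta Freight,1200.50
5004,2024-03-02,Acme Supply,310.00
5005,2024-03-02,Omega Services,99.99
5005,2024-03-03,Omega Services,99.99
5009,2024-03-04,Delta Freight,4400.00
"""


def parse_register(text: str) -> list:
    """Read the CSV register and coerce check numbers to integers."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["check_no"] = int(r["check_no"])
    return rows


def find_gaps(check_numbers) -> list:
    """Return (first_missing, last_missing) ranges in the sorted sequence."""
    nums = sorted(set(check_numbers))
    gaps = []
    for prev, cur in zip(nums, nums[1:]):
        if cur - prev > 1:
            gaps.append((prev + 1, cur - 1))
    return gaps


def find_duplicates(rows) -> dict:
    """Map each check number that appears more than once to its rows."""
    seen = {}
    for r in rows:
        seen.setdefault(r["check_no"], []).append(r)
    return {n: rs for n, rs in seen.items() if len(rs) > 1}


def exceptions_report(text: str = SAMPLE_REGISTER) -> dict:
    """Run both tests and summarize the exceptions for follow-up."""
    rows = parse_register(text)
    dups = find_duplicates(rows)
    # A duplicate number with identical payee and amount looks like a double
    # payment; differing payee or amount looks like an altered or reissued check.
    dup_detail = {
        n: "same_payee_and_amount"
        if len({(r["payee"], r["amount"]) for r in rs}) == 1
        else "payee_or_amount_differs"
        for n, rs in dups.items()
    }
    return {
        "total_checks": len(rows),
        "gaps": find_gaps(r["check_no"] for r in rows),
        "duplicates": dup_detail,
    }


if __name__ == "__main__":
    print(exceptions_report())
```

A gap is only an exception, not a finding: voided or spoiled checks legitimately leave gaps, so the next step is to match each missing number against the void log. Running this over the whole population, rather than a sample, is what makes it a detective control rather than a spot check.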

49
Q

Disaster Recovery (also DR)

A

Disaster Recovery

50
Q

e-Discovery

A

Discovery in civil litigation that deals with the exchange of information in electronic format, often referred to as electronically stored information (ESI).

51
Q

EDI

A

Electronic Data Interchange

52
Q

Electronic Commerce

A

Electronic business applications or processes that facilitate commercial transactions. E-Commerce can involve electronic funds transfer, supply chain management, e-marketing, online marketing, online transaction processing, electronic data interchange (EDI), automated inventory management systems, and automated data collection systems.

53
Q

Emerging Technologies

A

Changes or advances in technologies such as information technology, nanotechnology, biotechnology, cognitive science, robotics, and artificial intelligence.

54
Q

Enterprise Resource Planning (ERP)

A

ERP integrates internal and external systems across the entire organization, integrating financial, accounting, manufacturing, sales, service, customer relationship management, and supply chain management systems.

55
Q

Entity-Relationship (ER) Model

A

An ER model is a data model that focuses on the relationship between two data files and how the records of one file relate to the other. The result of documenting the relationship is called an ER diagram.

Data structures should be documented and accurately portrayed with one or more of the conceptual data modeling tools available. The ER model depicts the relationships between files and records in the various data files in a top-down fashion.

56
Q

ERM

A

Enterprise risk management (ERM) is the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization’s objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall. ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes–Oxley Act, and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed.

57
Q

ESI

A

Electronically Stored Information

58
Q

EUC

A

End User Computing

End-user computing (EUC) refers to systems in which non-programmers can create working applications. EUC is a group of approaches to computing that aim to better integrate end users into the computing environment. These approaches attempt to realize the potential for high-end computing to perform problem-solving in a trustworthy manner. End-user computing can range in complexity from users simply clicking a series of buttons, to writing scripts in a controlled scripting language, to being able to modify and execute code directly.

For CITPs, end-user computing (EUC) is a function developed using common desktop tools, like spreadsheets, that is used in financial processes for purposes of determining amounts used for accounting and financial reporting.

59
Q

Extract, Transform, and Load (ETL)

A

ETL is a database process, especially applied to data warehouses, that involves:

  • Extracting data from outside sources,
  • Transforming data to fit organizational needs, and
  • Loading the data into the target database or data warehouse.
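The three steps carried through end to end, as an added example that is not part of the original glossary: two constructed source extracts with inconsistent formats are extracted, transformed to one standard representation, and loaded into an in-memory SQLite table standing in for the warehouse. The source layouts, the column mapping and the target table are assumptions made for the example.

```python
# Added example: a minimal extract-transform-load run into an in-memory
# SQLite "warehouse". Source layouts and the target table are assumptions.
import csv
import io
import sqlite3
from datetime import datetime
from decimal import Decimal

# Constructed source 1: ERP export with ISO dates and plain numeric amounts.
ERP_EXTRACT = """txn_id,txn_date,vendor,amount
A-1,2024-03-01,ACME SUPPLY,250.00
A-2,2024-03-02,delta freight,1200.5
"""
# Constructed source 2: bank feed with US dates, currency symbols and thousands separators.
BANK_EXTRACT = """ref|posted|counterparty|amt
B-7|03/01/2024|Acme Supply Inc.|$250.00
B-8|03/04/2024|Delta Freight|"$4,400.00"
"""


def extract(text: str, delimiter: str = ",") -> list:
    """Extract: read a delimited extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter=delimiter))


def normalize_date(s: str) -> str:
    """Accept ISO or US date formats; emit ISO. Unknown formats are an error, not a guess."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(s, fmt).date().isoformat()
        except ValueError:
            continue
    raise ValueError(f"unrecognized date: {s!r}")


def normalize_amount(s: str) -> str:
    """Strip currency formatting and fix two decimal places using Decimal, not float."""
    return str(Decimal(s.replace("$", "").replace(",", "")).quantize(Decimal("0.01")))


def normalize_vendor(s: str) -> str:
    """Upper-case, drop periods, collapse whitespace."""
    return " ".join(s.upper().replace(".", "").split())


def transform(rows: list, mapping: dict, source: str) -> list:
    """Transform: map each source's column names onto the standard record shape."""
    return [
        {
            "source": source,
            "source_id": r[mapping["id"]],
            "txn_date": normalize_date(r[mapping["date"]]),
            "vendor": normalize_vendor(r[mapping["vendor"]]),
            "amount": normalize_amount(r[mapping["amount"]]),
        }
        for r in rows
    ]


def load(conn: sqlite3.Connection, records: list) -> None:
    """Load: upsert keyed on (source, source_id) so a rerun does not duplicate rows."""
    conn.execute(
        """CREATE TABLE IF NOT EXISTS fact_disbursement (
               source TEXT, source_id TEXT, txn_date TEXT, vendor TEXT, amount TEXT,
               PRIMARY KEY (source, source_id))"""
    )
    conn.executemany(
        "INSERT OR REPLACE INTO fact_disbursement VALUES (?, ?, ?, ?, ?)",
        [(r["source"], r["source_id"], r["txn_date"], r["vendor"], r["amount"]) for r in records],
    )
    conn.commit()


def run_etl() -> list:
    """Run the pipeline on the constructed extracts and return the loaded rows."""
    conn = sqlite3.connect(":memory:")
    erp = transform(extract(ERP_EXTRACT),
                    {"id": "txn_id", "date": "txn_date", "vendor": "vendor", "amount": "amount"}, "erp")
    bank = transform(extract(BANK_EXTRACT, "|"),
                     {"id": "ref", "date": "posted", "vendor": "counterparty", "amount": "amt"}, "bank")
    load(conn, erp + bank)
    load(conn, erp + bank)   # second load is a no-op thanks to the primary key
    return conn.execute(
        "SELECT vendor, txn_date, amount, source FROM fact_disbursement ORDER BY vendor, txn_date, source"
    ).fetchall()


if __name__ == "__main__":
    for row in run_etl():
        print(row)
```

Two design points worth noting: amounts go through Decimal rather than float so that "1200.5" and "$4,400.00" load as exact two-decimal values, and the load is idempotent, so a re-run after a failed batch cannot double-count. Vendor normalization deliberately stops short of fuzzy matching ("ACME SUPPLY" and "ACME SUPPLY INC" remain distinct); reconciling entity names is a transformation decision that should be documented, not silently guessed.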
60
Q

Field

A

See Attribute. Also referred to as a column in relational databases.

Attribute: A characteristic of something in a data file. For example, the part number of an inventory item is an attribute of the item. Also referred to as a field or column in relational databases

61
Q

File

A

A closely related set of records: the full set of all instances of the thing being tracked in the database. Also called a table in relational databases.

62
Q

Financial Statement Level Risks

A

Financial statement level risks are risks that may affect many different accounts and several assertions. Financial statement level risks typically require an overall response, such as providing more supervision to the engagement team or incorporating additional elements of unpredictability in the selection of audit procedures.

63
Q

Fraud

A

An intentional act that results in a material misstatement in financial statements that are the subject of an audit.

64
Q

Fraud Investigation

A

The process involved with conducting an investigation into possible fraud from the law enforcement and legal perspective. Fraud investigations include gathering accounting evidence, digital evidence, interviews, and other information that helps build a case to prove or disprove a fraud.

65
Q

Fraud Risk Factors (FRF)

A

Fraud risk factors are identifiers, indicators, situations, behaviors, and other evidence that a fraud has occurred, is occurring, or will occur. They are specifically related to a set of factors identified in AU section 316. See also red flags. Antifraud professionals often refer to FRF as “red flags” of fraud; that is, something that increases suspicion or skepticism that a fraud exists.

OK, can we list the set of factors identified in AU section 316?

66
Q

Fraud Tree

A

The ACFE categorized occupational abuse and fraud schemes into a taxonomy that contains more than 50 individual schemes. The taxonomy resembles a tree with branches. The trunk has three main branches: asset misappropriation, fraudulent financial reporting, and corruption.

67
Q

Fraud Triangle

A

Donald Cressey conducted research involving interviews with incarcerated embezzlers. From those interviews, Cressey identified three things that were present in all of the frauds: pressure, opportunity, and rationalization. These three factors have become known as the Cressey triangle or the fraud triangle.

68
Q

Fraudulent Financial Reporting

A

The deliberate misrepresentation of the financial condition of an enterprise accomplished through the intentional misstatement or omission of amounts or disclosures in the financial statements in order to deceive financial statement users.

69
Q

Further Audit Procedures (FAP)

A

Further Audit Procedures

In Generally Accepted Auditing Standards (GAAS), under the Standards of Field Work, FAP are mentioned as follows:

  • The auditor must adequately plan the work and must properly supervise any assistants.
  • The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.
  • The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit.

SAS 110 defines further audit procedures (FAP) as including tests of the operating effectiveness of controls, where relevant or necessary, and substantive procedures whose nature, timing, and extent are responsive to the assessed risks of material misstatement at the relevant assertion level.

70
Q

GLBA

A

Gramm-Leach-Bliley Act of 1999

This key federal law about PII applies to financial institutions such as commercial banks, investment banks, securities firms, and insurance companies.

71
Q

HIPAA

A

Health Insurance Portability and Accountability Act (HIPAA) of 1996

Requires covered health entities to provide reasonable privacy and security for PII in health data.

72
Q

Information

A

For IT risk assessments, information is defined as data organized into usefulness, especially for decision-making purposes. Information is data that has been validated as accurate and timely, is presented within a context that gives it meaning and purpose, is specific and organized for a purpose, and can lead to an increase in understanding and a decrease in uncertainty. The value of information is directly related to its ability to positively affect behaviors, decisions, or outcomes.

73
Q

Information Lifecycle Management (ILM)

A

The foundation of effective information management is a thorough understanding of information lifecycle management (ILM). The steps in ILM are identify, capture, organize/manage, access/share, utilize, archive, and destroy.

Information Lifecycle Management (ILM) is the structure and processes associated with managing information from creation or capture through disposition or destruction.

74
Q

Inherent Risk (IR)

A

Inherent Risk

Inherent risk refers to the risk, before controls are considered, that could lead to a material misstatement in the financial reports. Inherent risk means evaluating the risk inherent in something without regard to possible mitigating activities and controls. Assessing IR involves identifying risks that are in some way inherent to the client and/or the specific audit being conducted, even if the entity cannot affect them. The things that should be evaluated include the entity’s environment and the entity’s IT infrastructure (financial data, data processing, and financial reporting processes).

Inherent risk (IR) is the susceptibility of an assertion to a material misstatement, assuming that there are no related controls. Inherent risk is greater for some assertions and related account balances, classes of transactions, and disclosures than for others.

Inherent risk is one of the two components of the risk of material misstatement at the assertion level (the other is control risk).

75
Q

Internal Control, Five Components of COSO

A

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) outlines internal control in its Internal Control - Integrated Framework as consisting of five related components that must be present for an entity to achieve effective internal control. These five components are:

  • The control environment,
  • Risk assessment,
  • Control activities,
  • Information and communication,
  • Monitoring

76
Q

Internal Control

A

Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.

Internal Control is a process, affected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Key concepts of internal control:

  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is affected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

77
Q

ISACA

A

Information Systems Audit and Control Association

ISACA is an international professional association focused on IT Governance. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.

78
Q

IT

A

Information Technology or

Information and Technology

79
Q

IT Auditor

A

An IT auditor is a professional possessing the necessary knowledge and skills to understand and audit an entity’s IT environment, systems, or applications, in support of a financial statement audit, internal audit, or other form of attestation engagement. The IT auditor often has deep domain-specific knowledge or specialized skills (for example, in the use of computerized tools) that make him or her particularly competent to understand the IT environment (and its associated risks) or perform IT-specific audit procedures.

80
Q

IT Control Risk

A

IT Control Risk is a type of Control Risk where the source of risk is related to the use of IT in the processing of transactions or security of underlying data.

81
Q

IT General Controls (ITGC)

A

IT controls are addressed in two broad categories: application controls and IT general controls (ITGC). IT general controls (ITGC) are controls that apply to all system components, processes, and data for a given organization or information technology (IT) environment. The objectives of ITGCs are to ensure the proper development and implementation of applications, as well as the integrity of programs, data files, and computer operations. ITGC are associated with all aspects of the IT environment; that is, where the controls are created, implemented, managed, and changed at all levels of the organization. The effectiveness of application controls is directly dependent on the sufficiency and effectiveness of ITGCs.

IT general controls (ITGC) are internal controls, generally implemented and administered by an organization’s IT department. The objectives of ITGC are to:

  • Ensure the proper operation of the applications and availability of systems;
  • Protect both data and programs from unauthorized changes;
  • Protect both data and programs from unauthorized access and disclosure;
  • Provide assurance that applications are developed and subsequently maintained, such that they provide the functionality required to process transactions and provide automated controls; and
  • Ensure an organization’s ability to recover from system and operational failures related to IT.

82
Q

IT Governance

A

IT governance is a formal, structured process that serves as a control for the IT organization, especially for major IT projects. IT governance is a mirror of corporate governance, but instead of financial reporting, the object is IT. Thus the BoD should have an expert in IT, who is independent.

This is a subset discipline of corporate governance, focused on information and technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization’s strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders. It has evolved from The Principles of Scientific Management, Total Quality Management and ISO 9001 Quality management system.

Historically, board-level executives deferred key IT decisions to the company’s IT management and business leaders. Short-term goals of those responsible for managing IT can be in conflict with the best interests of other stakeholders unless proper oversight is established. IT governance systematically involves everyone: board members, executive management, staff, customers, communities, investors and regulators.

83
Q

ITSC

A

Information Technology Steering Committee

Part of the “Control” function of management’s functions of plan, organize, direct and control. The ITSC is a surrogate for Board of Directors involvement and should represent all major IT user groups, all major business units, and IT itself. The chair should be independent of the IT function.

84
Q

Key Control

A

A key control is one that prevents or detects a material misstatement. Key controls include aspects of both materiality and likelihood. Key controls have one or more of the following characteristics:

  • Is a control or a combination of controls that covers all of the risks, objectives, and assertions in a financial process related to the RMM.
  • Is at the pinnacle of a hierarchy of controls over the same process, risk or assertion.
  • Is designed to mitigate the RMM arising from a process, and if it failed, the entity would fail to prevent or detect the material misstatement.
  • Covers a risk that no other control also covers; such a control is by default a key control.

The definition of a key control is not given by the PCAOB or the AICPA; instead, the term has arisen through practical application of risk-based auditing.

85
Q

Key Field

A

A field that uniquely identifies records within the file. The key for a particular file is called a primary key. The presence of a primary key in another file is referred to as a foreign key.

86
Q

Key Performance Indicator

A

A KPI is a type of performance measurement where the object and target metric has been developed strategically. KPIs define and measure progress toward organizational goals.

87
Q

Logical Access Controls

A

Logical access controls are policies, procedures, and automated controls that exist for the purpose of restricting access to information assets to only authorized users.

88
Q

Material Weakness (MW)

A

A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.

A material weakness is a deficiency, or combination of significant deficiencies that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.

89
Q

Materiality

A

Materiality is “the magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgement of a reasonable person relying on the information would have been changed by the omission or misstatement.” Materiality is influenced by the needs of financial statement users who rely on the financial statements to make judgments about the client’s financial position and results of operations; the auditor must consider audit risk and must determine a materiality level for the financial statements.

90
Q

MDPA

A

Massachusetts Data Privacy Act

A key state law regarding PII which establishes minimum standards for safeguarding the PII of any resident of the state by organizations or individuals who own, license, store or maintain PII.

91
Q

Neural Network

A

Computer technology that mimics the human brain - processing information, solving problems, and making predictions.

92
Q

Non-Key Controls

A

A non-key control is a control that does not meet the definition of a key control. This is a “reverse” definition. After you evaluate a control and determine that it is not a key control, it is by default a non-key control. For example, a control designed to prevent or detect only immaterial errors would be a non-key control.

93
Q

Normal Form

A

too long to type right now . . . Glossary, page 8 . . . type this in later

94
Q

Normalized Data (statistically)

A

The statistical process of converting all of the values for an attribute to a number between 0 and 1; or to give a percentage or ratio of a particular value to the range of possible values for the attribute. Note: Statistically normalized data is different from the data structure process known as normalization.

OK . . . WHAT IS NORMALIZATION?

95
Q

O/S

A

Operating System

96
Q

Online Analytical Processing (OLAP)

A

OLAP is an approach to analyzing and querying multidimensional data, and is part of the business intelligence discipline.

97
Q

Online Transactional Processing (OLTP)

A

OLTP is a system that initiates, records, and processes transactions such as accounting and finance. OLTP records daily transactions for the organization to capture and report financial results.

98
Q

Operating Effectiveness

A

Operating effectiveness is concerned with determining if “controls operate with sufficient effectiveness to achieve the related control objectives during a specified period.” This is a function of how the control is applied, the consistency with which it is applied, and by whom it is applied.

99
Q

P-D-C

A

Prevent, Detect, Correct (called the P-D-C Model)

One framework for evaluating risks associated with controls is the P-D-C model: prevent, detect, correct. The P-D-C framework looks at controls from the perspective of an undesirable event, in chronological order. The P-D-C model is used in systems development, information security and security audits, the anti-fraud profession, and accounting controls. Usually, the ideal internal control system includes some of each. It is not possible to prevent all errors, so some provision needs to be made to detect them and correct them. Likewise, it is sometimes not cost-effective to implement adequate preventive controls, and thus detective and corrective controls become even more important.

100
Q

PCI

A

Payment Card Industry

101
Q

Physical Schema

A

The schema or view of information requirements that is an actual database. Also referred to as an internal view. See also conceptual schema and user schema.

The conceptual schema is implemented via a database management system (DBMS) onto a physical computer, and is known as the physical schema. That is, a database administrator (DBA) or a similar technician formats databases, files, and fields to properly define all of the data to be captured in that particular system. This level of schema is also known as the internal view or schema.

102
Q

PII

A

Personally Identifiable Information

PII is information that would potentially allow someone access to financial assets or personal medical information.

103
Q

PoD

A

Perception of Detection

PoD is the environment that leads potential fraudsters to perceive / believe that if they commit a fraud, they will get caught, and they will go to jail. The potential results theoretically cause some potential fraudsters to forgo frauds out of fear. Increasing PoD is the primary factor in prevention and deterrence of fraud.

104
Q

Policies and Procedures (P and P)

A

Policies and Procedures

Entities should have policies and procedures that use subject matter experts in integrating effective controls into the relevant business process. That expertise could be an independent internal auditor or accountant, a consultant, a change committee function, an IT governance function, or an IT steering committee.

105
Q

Preventive Controls

A

Preventive controls are designed to prevent the adverse event from occurring in the first place. For instance, preventive controls can be implemented to prevent certain data keypunch errors, fraud, or bugs in software development.

This is the “P” in the P-D-C model.

106
Q

Professional Skepticism

A

Having a questioning mind and critically assessing audit evidence, from SAS 99 - Consideration of Fraud in a Financial Statement Audit (AU sec. 316).

107
Q

Professional Skepticism

A

Professional skepticism involves an attitude that includes a questioning mind along with a critical assessment of audit evidence. Professional skepticism understands that a material misstatement due to fraud could occur in the current audit, despite past experience. The auditor should not be satisfied with audit evidence that is less than suitable or where the only corroborating evidence is an explanation from management; that is, the auditor should seek independent verification.

108
Q

Read Only (RO)

A

A type of access to data . . . google this, add more

109
Q

Real-Time Data Warehouse

A

A real-time data warehouse captures and provides data in more or less real time.

110
Q

Record

A

A closely related set of fields (attributes, columns) that constitute an instance of the thing being tracked by the data file. Also called a tuple, or a row of values in a relational database.

111
Q

Red Flags

A

Signs that a fraud has occurred, is occurring, or will occur. They are similar to fingerprints in a traditional police investigation. The term can apply to fraud risk factors.

112
Q

Relational Database

A

A database whose records are organized into tables with columns and rows making it easy for users to understand and work with this data framework. Tables are normalized and relate to each other through related attribute / column values.

113
Q

Relational Model

A

Relational Model

Data structures should be documented and accurately portrayed with one or more of the conceptual data modeling tools available. The Relational model illustrates the data files as tables with arrows from primary keys to foreign keys to illustrate the relationship between data files.

114
Q

Relevant Assertions

A

Relevant Assertions - SAS No. 106, Audit Evidence (AU sec. 326) defines relevant assertions as those assertions that have a meaningful bearing on whether the account is stated fairly.

See “Assertions” for a listing of assertions auditors normally test.

115
Q

Risk Assessment Procedures

A

Risk Assessment Procedures are audit procedures performed to obtain an understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement at the financial statement and relevant assertion levels. Risk Assessment Procedures include:

  • Inquiries of management and others within the entity
  • Analytical procedures
  • Observation and inspection

116
Q

Risk of Material Misstatement (RMM)

A

The risk of material misstatement (RMM) is defined as the risk that an account balance, class of transactions or disclosures, and relevant assertions are materially misstated. Misstatements can result from errors or fraud. The RMM consists of two components, which are Inherent Risk and Control Risk. Although auditors describe RMM as the combined assessment of inherent risk and control risk, auditors may make separate assessments of inherent risk and control risk.

Inherent Risk x Control Risk = RMM

The risk-based standards define the combination of Inherent Risk (IR) and Control Risk (CR) as the Risk of Material Misstatement (RMM). RMM is the result of performing a proper risk assessment related to IR and CR. Mathematically, it is the product of IR and CR. From a pragmatic standpoint, it is the risk that some event, process, or activity will lead to a material misstatement in the financial statements and not be prevented or detected timely. RMM assessments include not only account balances, classes of transactions, disclosures, and management assertions, but also risks that arise strictly from the IT side of the entity. There is some inherent risk associated with all processes, transactions, and events; however, controls may exist to mitigate that IR to some degree. Once that degree of mitigation is determined, the CITP reduces the original IR level assigned in the risk assessment by some amount to reach “residual” risk. The residual risk then becomes a primary factor in audit planning and developing FAPs.

117
Q

Risk-Based Approach (RBA)

A

RBA is the methodology which provides assurance that significant risks associated with audit objectives have been identified, and that audit procedures address them to adequately gain assurance about the objectives of the audit, and the mitigation of those risks or the nature of the residual risk that exists.

Risk-based auditing is a style of auditing which focuses upon the analysis and management of risk. In the UK, the 1999 Turnbull Report on corporate governance required directors to provide a statement to shareholders of the significant risks to the business. This then encouraged the audit activity of studying these risks rather than just checking compliance with existing controls. A traditional audit would focus upon the transactions which would make up financial statements such as the balance sheet. A risk-based approach will seek to identify risks with the greatest potential impact. Strategic risk analysis will then include political and social risks such as the potential effect of legislation and demographic change.

The RBA is top down, involves brainstorming/collaborating, and starts each audit with no predispositions about where fraud risks lie, but rather a conscientious risk assessment. The RBA gathers information, identifies inherent risks, assesses controls for control risk, and uses that information to evaluate the “residual risk” (that is, how much risk is left after taking the controls and compensating controls into account). Residual Risk is also known as RMM and AR in a financial audit.

118
Q

ROI

A

Return on Investment

119
Q

RTTN

A

Report to the Nation on Occupational Fraud and Abuse

This is a survey of reported frauds from which the ACFE drew statistics to assist those whose roles include some aspect of antifraud. One of the statistics is the average amount of loss per category of fraud. The average loss of corruption ($250,000 over about 18 months, or about $160,000 per fiscal year) and asset misappropriation ($135,000 over about 18 months, or about $90,000 per fiscal year) are likely to be immaterial for the majority of frauds in those categories. However, the $4 million average for fraudulent statements is much more likely to be material.

120
Q

RW

A

Read Write

A type of access to data

121
Q

SDLC

A

Systems Development Life Cycle

122
Q

Segregation of Duties (SoD)

A

Segregation of Duties . . . check your cards, you have a good card in Ch 1 that describes this

123
Q

Significant Deficiency (SD)

A

A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles, such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected.

124
Q

Snowflake Data Schema

A

So called because an ER diagram looks like a snowflake. Snowflake is the data structure for data warehouse databases that use normalized data, usually to 3NF. Bill Inmon is credited with creating the snowflake design.

125
Q

Star Data Schema

A

Star is the data structure for data warehouse databases that use dimensional data to amplify factual data (quantifiable values). Ralph Kimball is credited with creating the star design.

126
Q

Structured Query Language

A

add later

127
Q

Subject Matter Expert (SME)

A

A subject matter expert is a person who has the knowledge, skills and abilities to professionally address issues related to the topic.

128
Q

Substantive Procedures

A

add later

129
Q

Test of Controls (ToC)

A

add definition from glossary

130
Q

TPS

A

Transactional Processing Systems

131
Q

UML

A

Unified Modeling Language

Data structures should be documented and accurately portrayed with one or more of the conceptual data modeling tools available. The most recent data model is UML, which is particularly associated with object-oriented programming (OO); that is, newer programming languages such as C sharp and Java.

132
Q

User Schema

A

The schema or view of information requirements related to a specific user or group of users, before it is converted into a logical view or database. Also referred to as an external view. See also conceptual schema and physical schema.

133
Q

System Solution Management

A

The System Solution Management (SSM) function is similar in concept to the systems development life cycle (SDLC). The purpose of SSM is to ensure quality in systems development and deployment; that is, to make sure applications have the appropriate controls, and that errors and other risks have been minimized. The purpose of SSM is also to make sure the system aligns with the business model, strategic plans, and goals of the enterprise.