definitions Flashcards

1
Q

Anchoring bias

A

The tendency to rely too heavily, or “anchor”, on one trait or
piece of information when making decisions (usually the first
piece of information acquired on that subject).

2
Q

Audit universe

A

An audit universe represents the potential range of all audit
activities and is comprised of a number of “auditable” entities.

3
Q

Availability bias

A

Tendency to judge an event more probable the more easily it
can be recalled or pictured mentally.

4
Q

Benford analysis

A

Data reasonableness test based upon the expected pattern
(Benford distribution) of digits in tabulated data.

5
Q

Black Swans

A

Events characterized by their (a) rarity, (b) extreme impact,
and (c) retrospective (but not prospective) predictability.

6
Q

Board

A

Governing body of an entity.

7
Q

Cash larceny

A

The theft of an organization’s cash after it has been recorded in
the accounting system.

8
Q

COBIT

A

Control Objectives for Information and Related Technology.
COBIT is the generally accepted internal control framework
for IT.

9
Q

Confirmation bias

A

The tendency to search for, interpret, focus on and remember
information in a way that confirms one’s preconceptions.

10
Q

Control activities

A

The actions established through policies and procedures that
help ensure that management’s directives to mitigate risks to
the achievement of objectives are carried out.

11
Q

Control matrix

A

Tool to assist in evaluating the potential effectiveness of
controls in a business process by matching control goals with
relevant control plans.

12
Q

Control self-assessments

A

Control self-assessments (CSA) are all activities where the
people responsible for a business area, task, or objective use
some demonstrable approach to analyze the status of control
and risk to provide additional assurance related to the
achievement of one or more business objectives.

13
Q

Corporate governance

A

The system by which companies are directed and controlled.

14
Q

Corruption

A

Fraud schemes in which an employee uses her/his influence
in a business transaction in a way that violates her/his duty to
her/his employer for the purpose of obtaining a benefit for
her/himself or someone else (e.g., bribery, extortion, conflicts
of interest).

15
Q

Data

A

Data are facts (“raw observations”) that are collected,
recorded, stored, and processed by an information system.

16
Q

Deficiency

A

A condition within enterprise risk management worthy of
attention that may represent a perceived, potential, or
real shortcoming, or an opportunity to strengthen enterprise
risk management to provide a greater likelihood that the
entity’s objectives will be achieved.

17
Q

Enterprise risk management

A

The culture, capabilities, and practices, integrated with
strategy-setting and its execution, that organizations rely on to
manage risk in creating, preserving, and realizing value.

18
Q

Enterprise-wide information systems

A

Enterprise-wide information systems (also known as
Enterprise Systems) are information systems (IS) that integrate
information across operations on a company-wide basis.

19
Q

Event identification

A

The identification of potential events from internal or external
sources affecting the achievement of objectives. It includes
distinguishing between events that represent risks, those
representing opportunities, and those that may be both.

20
Q

External corporate
governance
characteristics

A

The corporate governance structures and processes that are
outside the control of the firm’s shareholders and the board of
directors.

21
Q

Framing effects

A

Drawing different conclusions from the same information,
depending on how that information is presented.

22
Q

Fraud

A

An intentional act by one or more individuals among
management, those charged with governance, employees, or
third parties, involving the use of deception to obtain an
unjust or illegal advantage.

23
Q

Fraudulent disbursement

A

A scheme in which an employee illegally or improperly causes
the distribution of funds in a way that appears to be
legitimate.

24
Q

Fraud risk factors

A

Events or conditions that indicate an incentive/pressure to
commit fraud or provide an opportunity to commit fraud.

25
Q

Fraud triangle

A

Model that describes fraud as more likely to occur in the
presence of incentives, opportunity, and rationalization.

26
Q

Gambler’s fallacy

A

The tendency to think that future probabilities are altered by
past events, when in reality they are unchanged. The fallacy
arises from an erroneous conceptualization of the law of large
numbers. For example, I’ve flipped heads with this coin five
times consecutively, so the chance of tails coming out on the
sixth flip is much greater than heads.

27
Q

Ghost employee

A

An individual on the payroll of an organization who does not
actually work for the organization.

28
Q

Heavy-tailed distribution

A

Probability distribution whose tail is not exponentially
bounded.

29
Q

Hindsight bias

A

The tendency to perceive events that have already occurred as
having been more predictable than they actually were before
the events took place (I-knew-it-all-along).

30
Q

Illusion of control

A

The tendency to overestimate one’s degree of influence over
other external events.

31
Q

Information

A

Information is data that have been organized and processed
so that they have meaning to a user.

32
Q

Information bias

A

The tendency to seek information even when it cannot affect
action.

33
Q

Information overload

A

Information overload occurs when the amount of input to a
system exceeds its processing capacity. Decision makers have
fairly limited cognitive processing capacity. Consequently,
when information overload occurs, it is likely that a reduction
in decision quality will occur.

34
Q

Information systems

A

Man-made systems that generally consist of an integrated set
of computer-based components and manual components
established to collect, store, and manage data and to provide
output information to users.

35
Q

Inherent limitations

A

Limitations inherent to (enterprise) risk management. The
limitations relate to the limits of human judgment; resource
constraints, and the need to consider the cost of controls in
relation to expected benefits; the reality that breakdowns can
occur; and the possibility of management override and
collusion.

36
Q

Inherent risk

A

The risk to an entity in the absence of any actions management
might take to alter either the risk’s likelihood or impact.

37
Q

Insensitivity to sample size

A

The tendency to under-expect variation in small samples.

38
Q

Internal control

A

A process, effected by an entity’s board of directors,
management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives
in the following categories:
(1) Effectiveness and efficiency of operations
(2) Reliability of financial reporting
(3) Compliance with applicable laws and regulations.

39
Q

Internal corporate
governance
characteristics

A

The corporate governance structures and processes that are
within the control of the firm’s shareholders and the board of
directors (e.g., the structure of the board of directors and
committees, internal control systems, managerial incentives,
firm’s ownership structure).

40
Q

Internal environment

A

The internal environment encompasses the tone of an entity,
and sets the basis for how risk is viewed and addressed by an
entity’s people, including risk management philosophy and
risk appetite, integrity and ethical values, and the
environment in which they operate.

41
Q

IT application controls

A

IT application controls are programmed procedures in
application software and related manual procedures designed
to help ensure the completeness, accuracy, authorization, and
validity of data capture and processing (e.g., balancing control
activities, checking digits, predefined data listings, data
reasonableness test, logic tests). The objective of IT application
controls is to prevent errors from entering the system, and to
detect and correct errors once they are present.

42
Q

IT general controls

A

IT general controls (ITGC) are controls that apply to all
systems components, processes, and data for a given
organization or information technology (IT) environment. The
objectives of ITGCs are to ensure the proper development and
implementation of applications, as well as the integrity of
programs, data files, and computer operations. ITGCs include
controls over (a) IT management, (b) IT infrastructure, (c)
security management, and (d) software acquisition,
development and maintenance.

43
Q

Management intervention

A

Management’s actions to overrule prescribed policies
or procedures for legitimate purposes; management
intervention is usually necessary to deal with non-recurring
and non-standard transactions or events that otherwise
might be handled inappropriately by the system (contrast this
term with Management Override).

44
Q

Management override

A

Management’s overruling of prescribed policies or procedures
for illegitimate purposes with the intent of personal gain or an
improperly enhanced presentation of an entity’s financial
condition or compliance status (contrast this term with
Management Intervention).

45
Q

Mission

A

The mission of an organization defines the “purpose” of that
organization, that is, the reason why the organization exists.

46
Q

Overconfidence effect

A

Excessive confidence in one’s own answers to questions. For
example, for certain types of questions, answers that people
rate as “99% certain” turn out to be wrong 40% of the time.

47
Q

Reasonable assurance

A

The concept that enterprise risk management, no matter how
well designed and operated, cannot provide a guarantee
regarding achievement of an entity’s objectives. This is
because of inherent limitations in enterprise risk management.

48
Q

Residual risk

A

The remaining risk after management has taken action to alter
the risk’s likelihood or impact.

49
Q

Retrievability bias

A

Frequency of similar events in our past reinforces
preconceived notions of comparable situations occurring in
the future.

50
Q

Risk

A

The possibility that an event will occur and adversely affect
the achievement of objectives.

51
Q

Risk appetite

A

The broad-based amount of risk a company or other entity is
willing to accept in pursuit of its mission (or vision).

52
Q

Risk assessment

A

The process of analyzing events that might adversely affect the
achievement of objectives.

53
Q

Risk culture

A

Risk culture is the system of values and behaviors present in
an organization that shapes risk decisions of management and
employees.

54
Q

Risk map

A

A graphic representation of likelihood and impact of one or
more risks.

55
Q

Risk philosophy

A

An entity’s risk management philosophy is the set of shared
beliefs and attitudes characterizing how the entity considers
risk in everything it does, from strategy development and
implementation to its day-to-day activities. Its risk
management philosophy reflects the entity’s values,
influencing its culture and operating style, and affects how
enterprise risk management components are applied,
including how risks are identified, the kinds of risks accepted,
and how they are managed.

56
Q

Risk response

A

The strategy of how to manage risks (accept, avoid, reduce,
share, or pursue).

57
Q

Risk tolerance

A

The acceptable variation relative to the achievement of an
objective.

58
Q

Risk universe

A

The full range of risks which could impact, either positively or
negatively, on the ability of the organization to achieve its long
term objectives.

59
Q

Segregation of duties

A

The concept of dividing, or segregating, duties among
different people to reduce the risk of error or fraud. The basic
idea underlying segregation of duties is that no one employee
(or group of employees) should be in a position both to
perpetrate and conceal errors or irregularities in the normal
course of their duties. In general, the principal incompatible
duties to be segregated are: authorization, execution, recording,
and custody.

60
Q

Skimming

A

The theft of an organization’s cash prior to its entry in the
accounting system.

61
Q

SMART objectives

A

Objectives formulated in a way that is specific, measurable,
achievable, results oriented, and time bound.

62
Q

Stakeholders

A

Parties that are affected by the entity, such as shareholders,
the communities in which the entity operates, employees,
customers, and suppliers.

63
Q

Strategic objectives

A

High-level goals reflecting how an entity aims to achieve its
mission.

64
Q

Survivorship bias

A

Cognitive bias that arises when we mistakenly treat the one
realized outcome (the people or things that “survived” a
certain event or process) among all possible random histories
as the most representative one (i.e., overlooking the people or
things that did not “survive” due to their invisibility).

65
Q

Tone at the top

A

The ethical environment within the firm created through
management practices and espoused values.

66
Q

Zero-risk bias

A

Preference for reducing a small risk to zero over a greater
reduction in a larger risk.