definitions Flashcards
Anchoring bias
The tendency to rely too heavily, or “anchor”, on one trait or
piece of information when making decisions (usually the first
piece of information acquired on that subject).
Audit universe
An audit universe represents the potential range of all audit
activities and is comprised of a number of “auditable” entities.
Availability bias
Tendency to judge an event more probable the more easily it
can be recalled or pictured mentally.
Benford analysis
Data reasonableness test based upon the expected pattern
(Benford distribution) of digits in tabulated data.
Black Swans
Events characterized by their (a) rarity, (b) extreme impact,
and (c) retrospective (but not prospective) predictability.
Board
Governing body of an entity.
Cash larceny
The theft of an organization’s cash after it has been recorded in
the accounting system.
COBIT
Control Objectives for Information and Related Technology.
COBIT is the generally accepted internal control framework
for IT.
Confirmation bias
The tendency to search for, interpret, focus on and remember
information in a way that confirms one’s preconceptions.
Control activities
The actions established through policies and procedures that
help ensure that management’s directives to mitigate risks to
the achievement of objectives are carried out.
Control matrix
Tool to assist in evaluating the potential effectiveness of
controls in a business process by matching control goals with
relevant control plans.
Control self-assessments
Control self-assessments (CSA) are all activities where the
people responsible for a business area, task, or objective use
some demonstrable approach to analyze the status of control
and risk to provide additional assurance related to the
achievement of one or more business objectives.
Corporate governance
The system by which companies are directed and controlled.
Corruption
Fraud schemes in which an employee uses her/his influence
in a business transaction in a way that violates her/his duty to
her/his employer for the purpose of obtaining a benefit for
her/himself or someone else (e.g., bribery, extortion, conflicts
of interest).
Data
Data are facts (“raw observations”) that are collected,
recorded, stored, and processed by an information system.
Deficiency
A condition within enterprise risk management worthy of
attention that may represent a perceived, potential, or
real shortcoming, or an opportunity to strengthen enterprise
risk management to provide a greater likelihood that the
entity’s objectives will be achieved.
Enterprise risk management
The culture, capabilities, and practices, integrated with
strategy-setting and its execution, that organizations rely on to
manage risk in creating, preserving, and realizing value.
Enterprise-wide information systems
Enterprise-wide information systems (also known as
Enterprise Systems) are information systems (IS) that integrate
information across operations on a company-wide basis.
Event identification
The identification of potential events from internal or external
sources affecting the achievement of objectives. It includes
distinguishing between events that represent risks, those
representing opportunities, and those that may be both.
External corporate governance characteristics
The corporate governance structures and processes that are
outside the control of the firm’s shareholders and the board of
directors.
Framing effects
Drawing different conclusions from the same information,
depending on how that information is presented.
Fraud
An intentional act by one or more individuals among
management, those charged with governance, employees, or
third parties, involving the use of deception to obtain an
unjust or illegal advantage.
Fraudulent disbursement
A scheme in which an employee illegally or improperly causes
the distribution of funds in a way that appears to be
legitimate.
Fraud risk factors
Events or conditions that indicate an incentive/pressure to
commit fraud or provide an opportunity to commit fraud.
Fraud triangle
Model that describes fraud as more likely to occur in the
presence of incentives, opportunity, and rationalization.
Gambler’s fallacy
The tendency to think that future probabilities are altered by
past events, when in reality they are unchanged. The fallacy
arises from an erroneous conceptualization of the law of large
numbers. For example, I’ve flipped heads with this coin five
times consecutively, so the chance of tails coming out on the
sixth flip is much greater than heads.
Ghost employee
An individual on the payroll of an organization who does not
actually work for the organization.
Heavy-tailed distribution
Probability distribution whose tail is not exponentially
bounded.
Hindsight bias
The tendency to perceive events that have already occurred as
having been more predictable than they actually were before
the events took place (I-knew-it-all-along).
Illusion of control
The tendency to overestimate one’s degree of influence over
other external events.
Information
Information is data that have been organized and processed
into meaning to a user.
Information bias
The tendency to seek information even when it cannot affect
action.
Information overload
Information overload occurs when the amount of input to a
system exceeds its processing capacity. Decision makers have
fairly limited cognitive processing capacity. Consequently,
when information overload occurs, it is likely that a reduction
in decision quality will occur.
Information systems
Man-made systems that generally consist of an integrated set
of computer-based components and manual components
established to collect, store, and manage data and to provide
output information to users.
Inherent limitations
Limitations inherent to (enterprise) risk management. The
limitations relate to the limits of human judgment; resource
constraints, and the need to consider the cost of controls in
relation to expected benefits; the reality that breakdowns can
occur; and the possibility of management override and
collusion.
Inherent risk
The risk to an entity in the absence of any actions management
might take to alter either the risk’s likelihood or impact.
Insensitivity to sample size
The tendency to under-expect variation in small samples.
Internal control
A process, effected by an entity’s board of directors,
management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives
in the following categories:
(1) Effectiveness and efficiency of operations
(2) Reliability of financial reporting
(3) Compliance with applicable laws and regulations.
Internal corporate governance characteristics
The corporate governance structures and processes that are
within the control of the firm’s shareholders and the board of
directors (e.g., the structure of the board of directors and
committees, internal control systems, managerial incentives,
firm’s ownership structure).
Internal environment
The internal environment encompasses the tone of an entity,
and sets the basis for how risk is viewed and addressed by an
entity’s people, including risk management philosophy and
risk appetite, integrity and ethical values, and the
environment in which they operate.
IT application controls
IT application controls are programmed procedures in
application software and related manual procedures designed
to help ensure the completeness, accuracy, authorization, and
validity of data capture and processing (e.g., balancing control
activities, checking digits, predefined data listings, data
reasonableness test, logic tests). The objective of IT application
controls is to prevent errors from entering the system, and to
detect and correct errors once they are present.
IT general controls
IT general controls (ITGC) are controls that apply to all
systems components, processes, and data for a given
organization or information technology (IT) environment. The
objectives of ITGCs are to ensure the proper development and
implementation of applications, as well as the integrity of
programs, data files, and computer operations. ITGCs include
controls over (a) IT management, (b) IT infrastructure, (c)
security management, and (d) software acquisition,
development and maintenance.
Management intervention
Management’s actions to overrule prescribed policies
or procedures for legitimate purposes; management
intervention is usually necessary to deal with non-recurring
and non-standard transactions or events that otherwise
might be handled inappropriately by the system (contrast this
term with Management Override).
Management override
Management’s overruling of prescribed policies or procedures
for illegitimate purposes with the intent of personal gain or an
improperly enhanced presentation of an entity’s financial
condition or compliance status (contrast this term with
Management Intervention).
Mission
The mission of an organization defines the “purpose” of that
organization, that is, the reason why the organization exists.
Overconfidence effect
Excessive confidence in one’s own answers to questions. For
example, for certain types of questions, answers that people
rate as “99% certain” turn out to be wrong 40% of the time.
Reasonable assurance
The concept that enterprise risk management, no matter how
well designed and operated, cannot provide a guarantee
regarding achievement of an entity’s objectives. This is
because of inherent limitations in enterprise risk management.
Residual risk
The remaining risk after management has taken action to alter
the risk’s likelihood or impact.
Retrievability bias
Frequency of similar events in our past reinforces
preconceived notions of comparable situations occurring in
the future.
Risk
The possibility that an event will occur and adversely affect
the achievement of objectives.
Risk appetite
The broad-based amount of risk a company or other entity is
willing to accept in pursuit of its mission (or vision).
Risk assessment
The process of analyzing events that might adversely affect the
achievement of objectives.
Risk culture
Risk culture is the system of values and behaviors present in
an organization that shapes risk decisions of management and
employees.
Risk map
A graphic representation of likelihood and impact of one or
more risks.
Risk philosophy
An entity’s risk management philosophy is the set of shared
beliefs and attitudes characterizing how the entity considers
risk in everything it does, from strategy development and
implementation to its day-to-day activities. Its risk
management philosophy reflects the entity’s values,
influencing its culture and operating style, and affects how
enterprise risk management components are applied,
including how risks are identified, the kinds of risks accepted,
and how they are managed.
Risk response
The strategy of how to manage risks (accept, avoid, reduce,
share, or pursue).
Risk tolerance
The acceptable variation relative to the achievement of an
objective.
Risk universe
The full range of risks which could impact, either positively or
negatively, on the ability of the organization to achieve its long
term objectives.
Segregation of duties
The concept of dividing, or segregating, duties among
different people to reduce the risk of error or fraud. The basic
idea underlying segregation of duties is that no one employee
(or group of employees) should be in a position both to
perpetrate and conceal errors or irregularities in the normal
course of their duties. In general, the principal incompatible
duties to be segregated are: authorization, execution, recording,
and custody.
Skimming
The theft of an organization’s cash prior to its entry in the
accounting system.
SMART objectives
Objectives formulated in a way that is specific, measurable,
achievable, results oriented, and time bound.
Stakeholders
Parties that are affected by the entity, such as shareholders,
the communities in which the entity operates, employees,
customers, and suppliers.
Strategic objectives
High-level goals reflecting how an entity aims to achieve its
mission.
Survivorship bias
Cognitive bias that arises when we mistakenly treat the one
realized outcome (the people or things that “survived” a
certain event or process) among all possible random histories
as the most representative one (i.e., overlooking the people or
things that did not “survive” due to their invisibility).
Tone at the top
The ethical environment within the firm created through
management practices and espoused values.
Zero-risk bias
Preference for reducing a small risk to zero over a greater
reduction in a larger risk.