IA Knowledge II Flashcards
The acceptable levels of variation relative to the achievement of objectives.
Risk tolerance
Ranking risks, formally or informally, from the highest to the lowest, establishing the relative strength of each risk and the potential consequences of each.
Risk prioritization
The actions taken to manage risk.
Risk response
A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of an organization’s objectives.
Risk management
The evaluation of the magnitude of risk, based on the likelihood and impact of risk occurrence.
Risk measurement
The assignment of risk into categories, such as financial risk, operational risk, strategic risk, or reputation risk.
Risk classification
The method of recognizing possible threats and opportunities.
Risk identification
The amount of risk an organization is willing to accept in pursuit of value.
Risk appetite
The identification of risk, the measurement of risk, and the process of prioritizing risk (considering likelihood and impact) or selecting alternatives based on risk.
Risk assessment
The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.
Residual risk
The identification of risk, the measurement of risk, and the process of prioritizing risk or selecting alternatives based on risk.
Risk analysis
As related to risk, an uncertain event with a positive consequence.
Opportunity
The type of risk found throughout the environment.
Pervasive risk
Limitations of risk management, control, and governance related to human judgment, resource limitations, and the need to balance the costs of controls in relation to expected benefits.
Inherent limitations
The risk derived from the environment without the mitigating effects of internal controls.
Inherent risk
The policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept.
Control processes
A structured, consistent, and continuous process across the whole organization for identifying, assessing, deciding on responses to, and reporting on opportunities and threats that affect the achievement of its objectives.
Enterprise risk management (ERM)
A condition that warrants attention as a potential or real shortcoming that leaves the organization excessively at risk.
Control deficiency
The attitude and actions of the board and management regarding the importance of control within the organization; provides the discipline and structure for the achievement of the primary objectives of the system of internal control.
Control environment
The comparison of an organization or project to similar internal or external organizations or projects, for the purpose of determining areas for potential improvement and identifying best practices. May also be used to assess the likelihood and impact of potential events across an industry.
Benchmarking
The conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.
Compliance
A risk level derived from an organization’s legal and regulatory compliance responsibilities, its threat profile, and its business drivers and impacts.
Acceptable risk level
A level of control that is present if management has planned and organized in a manner that provides reasonable assurance that the organization’s risks have been managed effectively and that the organization’s goals and objectives will be achieved efficiently and economically.
Adequate control
The risk derived from the environment without the mitigating effects of internal controls.
Absolute risk
A type of risk that revolves around the business impact that would be experienced if certain risks were realized.
Acceptable risk