5S - The five words that remind us of the different ways a facility can become more organized: sort, straighten, shine, standardize, and sustain.
Abatement Costs - The costs associated with limitation, prevention or repair of impacts (mostly used for environmental impacts). Examples include asbestos abatement in construction or the social cost of carbon in greenhouse gas emissions.
Absolute Quality Conformance - A type of conformance that requires all products or services to meet a target value exactly, with no variation.
Absolute Risk - is the risk derived from the environment without the mitigating effects of internal controls.
Acceptable Risk - is the level of risk an organization is willing to tolerate, judged by the business impact that would be experienced if the risk were realized.
Acceptable Risk Level - is a risk level derived from an organization's legal and regulatory compliance responsibilities, its threat profile, and its business drivers and impacts.
Accepted Risk (Risk Acceptance) - The assumption of a risk, typically because its risk-reward profile is attractive or within your risk tolerance. Risk that is outside the university's risk appetite and that management seeks to accept will generally require approval from the board. It is one of the five risk treatments - accept, avoid, pursue, reduce or transfer/share.
Access to Personal Information - The ability of the data subject to view personal information held by the university. This ability may be complemented by an ability to update or correct the information. Access defines the intersection of identity and data, that is, who can do what to which data. Access is one of the fair information practice principles. Individuals need to be able to find out what personal information the university has on file about them and how the information is being used. Individuals need to be able to correct erroneous information in such records.
Account - A record of transactions that fit within a specific category.
Accountability - is the process of objectively assessing what actions led to not delivering service excellence (results). It is an improvement process performed by an authentic leader that identifies assigned responsibilities and holds people accountable for their actions and decisions in an empowering manner (think coaching and offers of assistance). It is not a process of placing blame, i.e. finding fault and penalizing for it.
Accrual Basis Accounting - An accounting system that records transactions as they occur, recognizing revenue when earned and expenses when incurred, regardless of when the cash is actually paid.
Accruals - Either accrued revenues, which are earned revenues yet to be received as cash or recorded, or accrued expenses, which are incurred but unpaid expenses yet to be recorded.
Active Control - is a type of control that prevents or detects a deviation from the approved procedure.
Activity - Any type of action, work, or movement performed within an entity.
Activity Center - A logical grouping of activities, actions, movements, or sequences of work.
Activity Chart - A project scheduling technique that divides a project into sequential activities with estimated start and completion times.
Activity Cost Driver - A measurement of the amount of an activity used by a cost object.
Actual Conflict of Interest - Any action or any decision or recommendation by a person acting in a capacity as a public official, the effect of which would be to the private pecuniary benefit or detriment of the person or the person’s relative or any business with which the person or a relative of the person is associated unless the pecuniary benefit or detriment arises out of circumstances described in subsection (13) of this section.
Add Value - The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.
Added-Value Negotiating - A cooperative negotiation approach based on shared interests and objectives; focus is on presenting exchanges of value for each party.
Adequate Control - is present if management has planned and organized (designed) processes in a manner that provides reasonable assurance that the university’s risks have been managed effectively and that the university’s goals and business objectives will be achieved efficiently and economically.
Adjunct Account - An account that increases an asset, liability, or equity account, for example, premium on bonds payable.
Adjustments to Estimates - Estimates are common throughout the accounting process and can be manipulated to impact revenues, expenses, asset valuations, and/or liabilities. Management is often in a position where it can influence or bias estimates.
Agile - A project management discipline created by software developers in which requirements evolve and are addressed through the continuous collaboration of small cross-functional teams.
Agreed Upon Procedures (Consulting Engagement) - are specific procedures performed on subject matter by the Internal Auditor. Most often the Internal Auditor issues a report of findings related to the specific procedures applied to assist in evaluating subject matter or make an assertion. The Internal Auditor does not express an opinion or conclusion.
Allocation - Assigning costs to a cost object.
Allocation Base - Any factor that has a cause-and-effect relationship with costs, such as a rise in sales volume that affects a rise in sales commissions.
Analytical Auditing - A type of review that examines relationships among information.
Annual Risk Assessment and Planning Process - is performed by internal audit as part of developing the annual internal audit plan. Internal Audit reviews the various risk assessments that have been performed, considers prior audits, interviews management, etc. to identify auditable areas that would most benefit from internal audit's various services. The process seeks to apply available resources to the highest risks identified, but also serves to provide periodic resources to all areas. It is not to identify, prioritize and manage risks directly for the university's management.
Application Controls - are programmed procedures in application software designed to help ensure the completeness and accuracy of information processing.
Application Gateway/Proxy Server - A type of firewall that serves as an intermediary for communications between the external world and private internal servers; intercepts external packets and, after inspection, relays a version of the information, called a proxy, to the private server, and vice versa.
Application Proxy Filtering - See Application Gateway/Proxy Server.
Arbitrage - A method of theoretically making a risk-free profit from the price differences between markets through the simultaneous purchase of an investment in one market and sale in another.
Arbitration - A process in which the parties in a dispute agree in advance that they will abide by the decision of an arbitrator who is chosen to hear both sides and make a judgment.
Architecture - The design of the structure of a system, including logical components, and the logical interrelationships of a computer, its operating system, a network, or other elements.
Artificial Intelligence - is the development of computer systems able to perform tasks that normally require human intelligence, such as visual perception, speech recognition, and decision-making. As an analytics tool, artificial intelligence gives companies the ability to see specific new patterns in data, almost in real time. Through artificial intelligence, analysts can define a modeling structure whose parameters are refit automatically, in near real time, from recent historical data (for example, from earlier in the day).
Assets - Resources obtained or controlled by an organization as a result of past transactions or events that will probably result in future economic benefits to the organization.
Assignable Cause - is a nonrandom cause of variability.
Assurance - a positive declaration intended to give confidence while No Assurance would mean the opposite. See also Reasonable Assurance and Limited Assurance.
Assurance Services - are objective examinations of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes of the university to the Board of Trustees. This includes assessing and reporting on the adequacy and effectiveness of internal controls, the degree of compliance with laws, policies, processes, etc. and evaluating risk exposures relating to the university’s governance, operations, and information systems.
Attack Surface - The university's exposure to malicious activity through attack vectors.
Attack Vectors - The paths or means by which a vulnerability can be found and exploited.
Attestation Engagements - examinations, reviews, or agreed-upon procedures engagements performed by External Auditors (not Internal Auditors) under the attestation standards related to subject matter or an assertion that is the responsibility of another party.
Attributes - In a database, fields relating to entities.
Attribution - The way we interpret verbal or nonverbal messages by our own references.
Authentication - The process of verifying the identity or other attributes claimed by or assumed of an entity (user, process, or device) or the process of verifying the source and integrity of data.
Authorization - The process of granting access privileges to a user, program, or process by a person that has the authority to grant such access.
Automated Clearing House (ACH) - is the electronic clearing and settlement system used for financial transactions by US commercial banks and other institutions. Payments are aggregated into batches and sent electronically.
Automated Clearing House Pre-note - is a zero dollar financial transaction sent via the Automated Clearing House network. Its purpose is to validate the banking information before committing the funds to the transfer.
Automated Controls - Control activities mostly or wholly performed through technology.
Availability Bias - People tend to think events are more likely to occur if they have recently heard of them happening. Thus, people overestimate the risk of death from tornadoes, cancer or accidents and underestimate the risk from asthma or diabetes. This is because tornadoes, cancer and accidents get a lot of press and movie coverage.
Avoid Risk - Action is taken to remove the risk. Choosing avoidance suggests that the university was not able to identify a response that would reduce the risk to an acceptable level of severity.
Baiting - A form of social engineering where a malware-infected physical device is placed somewhere it is sure to be noticed - such as a USB flash drive. When it is loaded onto another computer, the malware is installed.
Balanced Scorecard (Kaplan & Norton's) - A Strategic measurement and management system that links long term strategic planning objectives with day to day activities; measuring financial performance, customer knowledge, internal business process, and learning and growth.
Balance Sheet - A financial statement that shows what an organization owns and owes and where the money for the ownership originated.
Bankers Acceptance - A negotiable security used for import or export, created when a bank accepts payment responsibility for a letter of credit.
Bank Reconciliation - A schedule to explain any differences between a bank statement and cash on the books.
Batch Processing - A type of processing that accumulates data changes until a set time and then releases them into the database.
Behavioral Anchored Rating Scale (BARS) Appraisal Method - An appraisal method that associates desirable and undesirable behavior and then associates the examples with different performance levels.
Behavioral Red Flags - A trait or characteristic that might be consistent with or indicative of fraudulent behavior, such as living beyond means, financial difficulties, unusually close relationship with a vendor or customer, control issues/unwillingness to share duties, wheeler-dealer attitude, divorce or family problems.
Behavioral Risks - are risks connected to the workplace behaviors of employees and organizations that have a negative impact on the productivity of an organization. Some examples of behavioral risks would be stress, personality types, cultural background, unethical decision making, accepted negative behavior, etc. that result in organizational misalignment, preventable losses, decreased productivity, high employee turnover, etc.
Bell Curve - is a graph of a normal distribution of random variables in a population; perfectly symmetrical, with the mean, median, and mode lying at the same central point, most values clustered near that midpoint, and a decreasing number occurring at greater distances from the midpoint.
Benchmarking - is the comparison of an organization or project to similar internal or external organizations or projects, for the purpose of determining areas for potential improvement and to identify best practices. May also be used to assess likelihood and impact of potential events across an industry.
Best Evidence - is a type of evidence that is generally documentary; original writing is required when available.
Bit - A binary digit; the item that is lowest in the binary hierarchy.
Black Swan - is a low probability, high impact event that is not anticipated.
Blended Data - is formed by combining different data sources into a consolidated data set, enabling analysts to uncover patterns and exceptions that would not be visible in individual data sets.
Block Diagram - is a pictorial representation of a process or activity, typically including a series of boxes and connecting lines to indicate association and direction/order.
Board of Trustees - The highest level governing body of the university and its committees charged with the responsibility to direct and/or oversee the university’s activities and hold senior management accountable.
Bond Indenture - The legal contract between a bond issuer and its bondholders containing the promise to pay a sum of cash at a set maturity date plus a specified rate of periodic interest on the face value.
Bonds Payable - Debt that can be raised by multiple lenders; the most common type of long-term liability on a balance sheet.
Bottleneck - A limiting factor, barrier or constraint that slows down a product's total cycle time.
Bounded Awareness - The notion that we experience gaps between who we believe ourselves to be and who we actually are due to the common tendency to exclude important and relevant information from our decisions by placing arbitrary and dysfunctional bounds around the definition of a problem. It is the result of systematic failure to see information that is relevant to our personal lives and professional obligations (Bazerman and Tenbrunsel).
Brainstorming - is an activity in which a group generates new ideas; ideas are accepted without criticism and are then evaluated together.
Break-Even Point - The output at which total revenue and total costs are equal.
Break-Even Pricing - A pricing method that determines the number of units that must be sold at a set price to cover all fixed and variable costs.
Bridge - Networking hardware that connects two or more LANs with similar architectures.
Business Context - The trends, events, relationships and other factors that may influence, clarify, or change the university's current and future strategy and business objectives.
Business Combination - A type of merger in which operations of two or more organizations are brought under common control.
Business Continuity Plan - A set of processes developed for the entire enterprise, outlining the actions to be taken by the information technology (IT) organization, executive staff, and various business units in order to quickly resume operations in the event of a business disruption or a serious outage.
Business Cycle - A regular period of expansion (recovery) and contraction (recession) in the level of economic activity.
Business Objectives - Those measurable steps the university takes to achieve its strategy.
Business Process Reengineering (BPR) - A fundamental rethinking of business process in order to achieve improvements in cost, quality, service, and speed.
Business to Business (B2B) E-Commerce - Any direct link between businesses and the use of online business marketplaces, such as Electronic Data Interchange (EDI) or online catalogs.
Business to Customer (B2C) E-Commerce - Marketing and selling products to customers online.
Business to Employee (B2E) E-Commerce - An online tool set for employees.
Bus Network - A network topology that has a main line (bus); all devices are connected to the line.
Callable Bonds - Bonds that the issuer can call and retire before maturity, typically when interest rates have fallen and the debt can be refinanced more cheaply.
Cap - Sets a maximum value for an adjustable interest rate.
Capacity - The maximum rate of output generated by a process.
Capital - The accumulated resources of an organization raised through debt and equity financing and through the organization's productive efforts.
Capital Gains Tax - Tax levied on the profit realized upon the sale of a capital asset.
Capital Stock - The par value of issued shares of stock.
Cash Basis Accounting - An accounting system in which an organization recognizes revenue only when cash is received and expenses only when cash is paid out.
Cash Flow Hedge - A hedge of the exposure to variable cash flows of a forecast transaction.
Category - One of three groupings of objectives of internal control under COSO's Integrated Framework - relating to operations, reporting, and compliance.
Category Rating - A performance appraisal method that requires the appraiser to mark an employee's level of performance on a specific form.
Causal Forecasting Methods - Forecasting methods based on the assumption that the variable being forecast exhibits a cause-and-effect relationship with one or more other variables.
Cause - The reason for the difference between criteria and actual conditions.
Cause-and-Effect Diagram - is a quality tool that uses a visual to map out a list of factors that are thought to affect a problem or desired outcome.
C-Chart - is a control chart that tracks the number of defects (counted attributes, such as errors) found in successive samples.
Centralized Structure - An organizational structure in which there are several levels of authority, a long chain of command, and a narrower span of control.
Certificates of Deposit (CDs) - Bank-issued time deposits for large sums with a fixed maturity; can be negotiable or non-negotiable.
Certification - A system of measurement of characteristics such as education or experience that results in the recognition of an individual as one who meets the suggested knowledge and other minimum requirements for a position or a profession.
Chain of Command - The line of authority in an organization.
Change Management - is the continuous process of planning and directing changes that occur within an organization to achieve an intended result.
Change Velocity - is the rate of change. It directly affects the speed of risk, which is how rapidly a significant disruption can emerge and impact an organization.
Channel Stuffing - The practice of inflating sales figures by forcing more products through a distribution channel than the channel can actually sell.
Character - An alphanumeric key; the item that is second lowest on the database hierarchy.
Charter - The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibilities. The internal audit charter establishes the internal audit activity’s position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities.
Check Digits - A type of control in which an extra digit is added that has an algorithmic relationship to the remaining digits, so that a number entered incorrectly (for example, by transposing two digits) can be detected.
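As an added example (not part of the original glossary), the following code implements one widely used check-digit scheme, the Luhn mod-10 algorithm used for payment-card and many account numbers, and then tests how well the control actually works: it enumerates every single-digit substitution and every adjacent transposition of a valid number and reports which ones slip past the check digit. The sample numbers are constructed for illustration and are not real account numbers.

```python
"""Check-digit demonstration using the Luhn (mod 10) algorithm.

Added example, not code from the original glossary. Luhn is one widely
used check-digit scheme; the sample numbers used below are constructed
for illustration and are not real account numbers.
"""


def luhn_check_digit(payload: str) -> str:
    """Return the single check digit that makes payload + digit Luhn-valid."""
    if not payload.isdigit():
        raise ValueError("payload must contain only digits")
    total = 0
    # Walk right to left: the digit nearest the check digit is doubled,
    # the next is taken as-is, and so on alternately.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # equivalent to summing the two digits of the product
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    number = number.replace(" ", "")
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def undetected_errors(number: str) -> dict:
    """Mutate a valid number every possible way a keying error could and
    report the mutations that still validate.

    Returns {"substitutions": [(pos, mutated), ...],
             "transpositions": [(pos, mutated), ...]}.
    """
    if not luhn_valid(number):
        raise ValueError("number must be Luhn-valid to start with")
    subs, trans = [], []
    # Every single-digit substitution at every position.
    for i, ch in enumerate(number):
        for rep in "0123456789":
            if rep != ch:
                mutated = number[:i] + rep + number[i + 1:]
                if luhn_valid(mutated):
                    subs.append((i, mutated))
    # Every adjacent-digit transposition.
    for i in range(len(number) - 1):
        if number[i] == number[i + 1]:
            continue  # swapping equal digits changes nothing
        mutated = number[:i] + number[i + 1] + number[i] + number[i + 2:]
        if luhn_valid(mutated):
            trans.append((i, mutated))
    return {"substitutions": subs, "transpositions": trans}


if __name__ == "__main__":
    print(luhn_check_digit("7992739871"))   # constructed payload -> "3"
    print(luhn_valid("79927398713"))        # True
    print(luhn_valid("97927398713"))        # leading digits transposed -> False
    print(undetected_errors("10900"))       # exposes the 09 <-> 90 blind spot
```

The practitioner's caveat this makes visible: Luhn catches every single-digit substitution and every adjacent transposition except one pair. Swapping an adjacent 0 and 9 leaves the checksum unchanged, so both "10900" and "19000" validate. A check digit is a detective control against keying mistakes, not a guarantee of correctness, and not a defense against deliberate manipulation, since anyone who knows the algorithm can produce a valid number.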
Check Sheet - A simple visual tool used to collect and analyze data.
Chief Audit Executive - is responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the mandatory elements of the International Professional Practices Framework. The Chief Audit Executive or others reporting to the Chief Audit Executive will have appropriate professional certifications and qualifications. The specific job title and/or responsibilities of the Chief Audit Executive may vary across organizations. https://inside.sou.edu/ia/contact-the-internal-auditor.html
Chief Information Security Officer - is responsible for the University's information security program and for ensuring that policies, procedures and standards are developed, implemented and maintained.
Circumstantial Evidence - is a type of evidence that proves an intermediate fact from which a primary fact can be logically inferred.
Client/Server Architecture - A network architecture that uses servers for specialized functions; clients (the recipients of these functions) are personal computers that send requests to the servers.
Close(d) - is the disposition of a report in one of three ways: (1) dismissing an allegation as unfounded and not pursuing investigation until further information is available; (2) turning the report over to management because it was not truly an allegation of misconduct; or (3) management notifying Internal Audit that it is accepting the reported risk, where Internal Audit believes this to be appropriate in the Auditor's sole professional judgment.
Closing - The process of reducing all temporary or nominal accounts to zero so they are ready to be used in the next period.
Clustering - A tendency for a subpopulation, such as student-athletes or under-represented communities, to participate in a certain academic area or take classes from a certain professor.
Cluster Organization - An organizational structure with many groups or teams to accomplish organizational objectives.
Cluster Sampling - is used in statistics when the population is scattered among many locations, assuming that the cluster in each location is representative.
Coaching - In the organizational setting, refers to specific advising for new learning and improved work performance.
Code of Ethics - The Institute of Internal Auditors (IIA) Code of Ethics states principles relevant to the profession and practice of internal auditing, and rules of conduct that describe behavior expected of internal auditors. The purpose of the code of ethics is to promote an ethical culture in the global profession of internal auditing.
Coefficient of Variation (also called Coefficient of Variability) - in statistics is a measure of variability relative to the mean; calculated by dividing the standard deviation by the mean.
Collar - Sets both a maximum and a minimum value for an adjustable interest rate, with one end protecting the buyer and the other end the seller.
Collusion - A secret agreement between two or more parties for fraud or deceit.
Commercial Paper (CP) - Unsecured promissory notes issued by nonfinancial corporations and bank holding companies.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) - is a joint initiative of five private-sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.
Common Cause - is a random cause of variability in a process.
Common-Size Financial Statements - Financial statements that express all account balances as percentages of one relevant aggregate balance.
Common Stock - The default classification for an organization's public shares granting a portion of ownership.
Communication - A two-way transfer of information between a sender and a receiver; can be verbal, written, or nonverbal.
Communication Style - The way a person prefers to express himself or herself.
Communities of Practice - Groups of individuals that form around topics of interest for the purpose of learning and innovation in an organization.
Comparability - The use of similar standards and techniques across organizations so that users can differentiate real similarities and differences from those caused by divergent accounting rules.
Comparative Advantage - Situation in which a party's opportunity cost for producing a good or service, in comparison to that of other goods and services it can apply its resources toward, is lower than the opportunity cost for other parties.
Comparative Methods - Performance appraisal methods in which the appraiser directly compares the performance of each employee with that of others.
Compatibility - is the least desired level of interoperability. Compatibility is passing information between systems by exporting and re-importing it (extract, transform and load steps, often via files such as Excel spreadsheets) rather than through a shared data model. Separate logins and scheduled (rather than event-driven, automated) data transfers are signs of mere compatibility. See also interoperability.
Compensating Balances - Minimum balance requirements set by banks as partial compensation for their services.
Compensating Controls - Controls that compensate for the lack of an expected control; for example, close supervisory review may compensate for a lack of segregation of duties where a small staff size makes proper segregation impractical.
Compensation Systems - Compensation systems and other human resources policies, procedures and practices influence behavior and are considered an integral part of the university's control structure.
Competition-Based Pricing - A pricing approach that takes competitors' prices into account.
Competitive Advantage - The advantage that one organization has over competitors in realizing above-average financial performance.
Competitive Convergence - The tendency of companies to become indistinguishable from one another as their productivity frontiers shift outward, lowering costs and improving value.
Competitive Intelligence - The data gathered about current and potential competitors.
Compliance - is adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.
Compliance Manager/Officer - is the second line of defense - between management and internal audit in a governance, risk and control framework.
Component - One of five elements of internal control under COSO's Integrated Framework - relating to Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.
Comprehensive Annual Financial Report - The government entity's official annual report that includes financial statements designed to report the financial position and results of operations of the primary government (including its blended component units) and provide an overview of the discretely presented component units.
Computer-Integrated Manufacturing (CIM) - A manufacturing system that completely integrates all factory and office functions within an organization throughout the life cycle of a product or service.
Computer Network - The sum of all infrastructure and applications required to connect two or more network nodes (computers and devices).
Compromise - Refers to a loss of confidentiality, integrity, or availability of information, including any resulting impairment of (1) processing integrity or availability of systems or (2) the integrity or availability of system inputs or outputs.
Concentrated Industry - An industry in which a small number of large firms hold most of the market share and set its direction.
Conclusion - represents the auditor's professional judgment concerning the activities reviewed in the engagement. See also "Findings".
Condition - The factual evidence an auditor identifies, i.e. the current state. The auditor's professional judgment determines the materiality of conditions in the context of a given engagement.
Confidence Interval - in statistics is the mean plus or minus the Z value times standard error. Decreasing the confidence level decreases the Z value which results in a smaller confidence interval.
Confidence Level - in statistics it is the probability that the results of tests run on a sample will represent the conditions in the population.
Confirmation Bias - People tend to emphasize data that confirms their established beliefs or ideas and to discount information that conflicts with their beliefs. People also fall for the “false-consensus effect,” assuming that others share their world view. For example, if they believe in global warming, they expect that most people agree. Yet those who question its existence also believe they hold the mainstream opinion.
Confiscation - Situation in which a country takes over the assets of an organization.
Conflict - is when parties disagree over substantive issues or when emotional antagonisms prevail and result in friction between parties.
Conflict of Commitment - relates to an individual's distribution of time and effort between his/her full-time duties as a University Employee, and his/her responsibilities resulting from Outside Employment and Outside Professional Commitments.
Conflict of Interest - is broadly the existence of a competing professional or personal interest. A conflict of interest can exist without impropriety so long as the individual abstains or recuses from the decision and does not exert undue influence on another's decision in a way adverse to his or her role or responsibilities to the university. In other words, having a conflict of interest is not in and of itself improper, but acting on it is. An unmanaged conflict of interest could prejudice an individual's ability to perform his or her duties and responsibilities objectively.
Conflict Resolution - is a situation in which the underlying reasons for a conflict are eliminated.
Conformance - Reducing and eliminating variations (defects) from a desired outcome (the target value).
Consensus Building - When divergent views are brought into the conversation with the outcome of shared goals that meet the relevant interests of the stakeholders. Not everyone gets what they want, and the process is not without disagreement. The ways this process goes wrong are when position power unduly influences the process and/or the result, participants do not take initiative, there is indecisiveness, or participants do not introduce new ideas because of a perception of a "correct consensus".
Conservatism - Prudence and adequate consideration of the risks and uncertainty in business situations when presented with situations that require judgment.
Consortium Network - A computer network formed by a group of organizations to assist in intercommunications.
Constructive Conflict - is a type of conflict that leads to beneficial results; can transform the ways in which individuals interact and improve the quality of conflict outcomes.
Consulting Services - Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve the university’s governance, risk management, and control processes without the Internal Auditor assuming management responsibility. Examples include counsel, advice, facilitation, training and aggregating information on best practices.
Consumer Price Index (CPI) - A measure of the collective changes in the cost of living for the average consumer household.
Contingencies - Existing situations or circumstances with an uncertain potential for gain or loss; tied to certain future events that may or may not occur.
Contingency Planning - A system of internal controls for managing the availability of computer and other resources and data after a processing disruption.
Contingent Liabilities - Liabilities that satisfy two criteria: the amount of the loss can be estimated reasonably, and all available information implies that it is probable a liability will exist on or before the financial statement date.
Contingent Valuation - is a survey-based approach to value non-market resources such as consumer willingness to pay more for food safety.
Continuing Professional Development - The means by which members of a profession maintain, improve, and broaden the knowledge, skills, and competence required in their professional lives.
Continuous Auditing - is the collection of audit evidence related to business processes and controls on a continuous basis based on which the auditor can provide a continuous or on-demand opinion on the state of those business processes or controls.
Continuous Budgeting - A 12-month budget system that rolls forward one month (or quarter) as the current month (or quarter) is completed.
Continuous Monitoring - is automated monitoring of relevant internal and external events and their outcomes to ensure that business processes, systems and controls are operating as prescribed. Continuous monitoring feedback can be used for continuous auditing or trigger an on-demand audit. In information technology, continuous monitoring assesses and analyzes the effectiveness of security controls. It provides ongoing reporting on the university's security posture. It supports risk management decisions to help maintain the university's risk tolerance at acceptable levels.
Contra Account - A type of account that reduces an asset, liability, or equity account, such as discount on bonds payable.
Contrarian - Someone who asks difficult questions that encourage others to re-examine their assumptions and plans - a hedge against groupthink.
Contract - An agreement between parties, with terms and conditions that describe the agreement and constitute a legal obligation.
Contract Manufacturing - A licensing agreement whereby an organization manufactures for a foreign market.
Contribution Margin - The amount remaining from sales revenue after variable expenses are deducted.
Control - Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
Control Activity - Any action taken by the Board of Trustees, management or compliance to manage risk and increase the likelihood that established business objectives and goals will be achieved. Management plans, organizes and directs the performance of sufficient actions to provide reasonable assurance that business objectives and goals will be achieved.
Control Chart - is a statistical process that illustrates variations from normal in a situation over time.
Control Deficiency - is a condition that warrants attention as a potential or real shortcoming that leaves the organization excessively at risk.
Control Environment - The attitude and actions of the board of trustees and management regarding the importance of control within the university. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:
1. Integrity and ethical values.
2. Management’s philosophy and operating style.
3. Organizational structure.
4. Assignment of authority and responsibility.
5. Human resource policies and practices.
6. Competence of personnel.
Control Framework - is a recognized system of concepts encompassing all elements of internal control.
Control Processes - The policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that the university is willing to accept.
Control Self-Assessment - is a process through which internal control effectiveness is examined and assessed through workshops, surveys, and management analysis facilitated and/or assisted by a subject matter specialist/expert. Participants, who are typically management or work teams directly involved in a business function, identify the risk factors, assess the controls processes, develop action plans to reduce risks to acceptable levels, and determine the likelihood of the entity achieving the intended business objectives. Internal Auditors usually are involved in this process as facilitators.
Conversion - is taking into possession the university's money or property and converting or using them fraudulently for one's own use and benefit or for the use and benefit of a third party to whom the money or property does not belong.
Cookies - Small pieces of data that a web server asks the browser to store and send back with later requests to the same site. Besides preferences, a cookie often carries the session identifier that keeps a user logged in, so a stolen cookie can give the thief the user's access without the password; sites should mark such cookies so that page scripts cannot read them (HttpOnly) and so that they travel only over HTTPS (Secure).
Copyright - Government protection granted to authors and artists of all types.
Core Principles for the Professional Practice of Internal Auditing - are the foundation for the International Professional Practices Framework and support internal audit effectiveness.
Core Values - are the university's beliefs and ideals about what is good or bad, acceptable or unacceptable, which influence the behavior of the organization.
Corporate Values - An organization's standards of behavior.
Corroborative Evidence - A type of evidence that supplements evidence already given and tends to support it.
Corrective Controls - are those controls designed to correct undesirable outcomes that have been realized.
Corruption - Acts in which individuals wrongfully use their influence in a business transaction in order to procure some benefit for themselves or another person, contrary to their duty to their employer or the rights of another (for example, kickbacks, self-dealing, or conflicts of interest). Corruption and fraud can be interlinked, but they are not interchangeable; where corruption refers to the misuse of power for potential profit, fraud refers to a party’s application of dishonesty and/or dishonest practices to acquire profit.
COSO - The Committee of Sponsoring Organizations of the Treadway Commission. COSO is a joint initiative of five private-sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.
Cost - Any resource that must be given up to obtain some objective.
Cost-Based Pricing - A pricing approach that uses the average product or service cost as the base and then adds a percentage to cover additional costs and provide a profit.
Cost Driver - Any factor that has a cause-and-effect relationship with costs, such as a rise in sales volume that affects a rise in sales commissions.
Cost Leadership - A competitive strategy in which an organization will minimize development, advertising, and other costs in order to offer products and services at a lower cost than competitors.
Cost Object - Any object that can have a cost applied to it and can be used to determine how much a particular thing or activity costs.
Cost of Goods Sold Budget - A budget that includes the total and per unit production cost for a period.
Cost-Plus Pricing - A pricing method that uses an accurate analysis of cost per unit as a basis for calculating the selling price for a product or service; a margin representing a minimally accepted return on investment is added to the cost to set the price.
Cost-Push Inflation - An increase in production costs that reduces supply and increases prices.
Cost Recovery Method - A revenue deferral method that defers all profit recognition until cash collections exceed cost of goods sold.
Cost Reimbursement Contract - A type of contract that allows for payment of all incurred costs within a predetermined ceiling that can be allocated to the contract, are allowable within cost standards, and are reasonable.
Cost-Volume-Profit (CVP) Analysis - Type of analysis that helps managers understand the interrelationships among cost, volume, and profit by focusing on the interactions among prices of products, volume or level of activity, per unit variable costs, total fixed costs, and mix of products sold.
Counterparty Risk - The risk that the other party to a transaction will not fulfill their obligations; includes settlement risk and credit risk.
Countertrade - An in-kind trade made between parties, typically through a trading organization.
Credential Sharing/Theft - Login and password information ending up in someone else's hands, either willingly (sharing) or not (theft, for example through phishing or malware). A system treats whoever presents valid credentials as the account owner, so shared or stolen credentials carry all of that owner's access; multi-factor authentication reduces but does not remove the exposure.
Crisis Management - is how an organization plans to survive a crisis.
Criteria - are the standards, measures or expectations used in making an evaluation or verification, i.e. the correct state.
Critical Success Factors - are the few factors that will determine or hinder success.
Critical Path Method (CPM) - A project management tool used to schedule, organize, and coordinate tasks within a project.
Cultural Intelligence - The ability to understand and communicate effectively across cultures.
Cultural Numbness - when others play along and gradually begin to accept and embody deviant norms.
Culture - The attitudes, behaviors, and understanding about risk, both positive and negative, which influence the decisions of management and personnel and reflect the mission, vision, and core values of the organization.
Cumulative Average Time Learning Model - A learning curve analysis model that calculates cumulative total time by multiplying the incremental unit by the cumulative average time per unit.
Current Assets - Cash and cash equivalents and assets held for sale or expected to be realized in the current operating cycle or within one year of the balance sheet date.
Current Liabilities - Liabilities that are expected to be settled within the normal operating cycle or one year of the balance sheet date.
Current Ratio - A measure of an organization's potential for paying down current liabilities; a larger number indicates more assets in relation to debt and therefore greater ability to pay holders of short-term debt.
Customer Centric Strategy - is getting and staying close to customers' needs and interests. It is embodied in Peter F. Drucker's "Five Questions":
- What is your mission? Why does your organization exist in the first place? What are you trying to accomplish for your customers?
- Who are your customers? Describe the person you wish to satisfy with your actions.
- What does your customer value? What is it that you do especially well that you are uniquely suited to provide to your customers? How can you exceed the standards set by your competition?
- What results are you trying to accomplish? How do you measure success?
- What is your plan? How do you go about satisfying your customers and getting the results that are most important?
Customer Intangibles - Data regarding customers, such as customer lists and contracts with customers.
Cyberattack Simulation - A management-performed process that simulates a cyberattack in order to:
- Evaluate the impact of exploiting (attack vector) vulnerabilities.
- Assess the university's capability to prevent, detect and respond to cyberattacks.
- Identify weak security controls and practices.
- Facilitate risk-based control improvement and attack surface reduction.
- Leverage threat and vulnerability information from vulnerability assessment/scanning, penetration testing and continuous monitoring.
Cyberresiliency - is the ability to withstand and recover from the cyberattacks, breaches, data loss, etc. that will inevitably occur, as well as to comply with increasingly stringent data-privacy laws and regulations.
Cybersecurity - is the protection of systems, networks and data against cyberattacks. Prevention alone is never complete, so it must be paired with detection and recovery. See cyberresiliency.
Cyclical Unemployment - A type of unemployment caused by ups and downs in the business cycle, specifically by a lack of demand for labor.
Data - Raw facts that can be collected together to be analyzed, used, or referenced.
Database - Any repository of data in a computer system.
Database Management System (DBMS) - An application that links users and programs to a database and allows the database to be manipulated by multiple applications.
Data Breach - A data breach occurs any time sensitive or personal data has been accessed by a person who has not been authorized to do so, including internal employees accessing data inappropriately. Note that this is much broader than simply saying a hacker broke in and accessed data. Breaches often include obtaining private information such as Social Security numbers, financial information, health records, credit card numbers, trade secrets, intellectual property or other protected data.
Data Cleansing - The removal of redundancies and errors in a database.
Data Definition Language - Describes the data and the relationships between data in a database, including logical access paths and records.
Data Dictionary - A master recording concerning data in the database.
Data Items - In a database, the specific data in fields.
Data Manipulation Language - A language that has commands for viewing or changing the data in a database.
Data Mining - The capability of sifting through and analyzing large volumes of data to find certain patterns or associations.
Data Query Language - A user-friendly method of querying a database for information.
Data Terminal - An input/output node for a mainframe system, consisting of either just a display and entry devices or a PC running terminal emulation software.
Data Warehouse - Database designed to collect the information from one or more transactional databases for purposes of multiyear storage of records and reporting.
Day's Sales Outstanding - A measure of a company's effectiveness in collecting accounts receivable; a smaller number indicates greater effectiveness in managing and collecting money from customers.
Debenture Bonds - Bonds that have no collateral (that is, unsecured bonds).
Debt Ratio - The ratio of an organization's debts to all of its assets; provides a general measure of the ability to repay creditors.
Debt to Equity Ratio - The ratio of all an organization's debts to its shareholders' equity (net assets); shows how much of the organization is financed by creditors relative to owners and is a general measure of leverage.
Decentralized Structure - An organizational structure in which there are fewer levels of authority, a shorter chain of command, and a wider span of control.
Decision Support System - A broad category of software systems designed not to make decisions but to enhance information available to management in making decisions.
Decision Usefulness - The selection of aggregation levels and accounting and presentation methods that will provide information that will be most useful for decision-makers.
Declining Industry - An industry where the demand for products or services are diminishing.
Decoding - The process of interpreting a message.
Deepfake - A blend of "deep learning" and "fake": synthetic media in which a person in an existing image, video or recording is replaced with someone else's likeness or voice. Audio deepfakes have been used in social engineering scams, fooling people into thinking they are receiving instructions from a trusted individual; confirming unusual requests out of band (for example, calling back on a known number) is the practical control.
Default Risk - The risk that a lender will not recoup the interest and/or principal when payments on debt become due.
Defined Benefit Plan - A type of pension plan in which the employer promises a specific level of benefits at retirement.
Defined Contribution Plan - A type of pension plan that defines the required annual contribution to the plan but makes no guarantee of the ultimate benefit level paid.
Delphi Method - A forecasting model that attempts to develop forecasts through group consensus.
Demand-Pull Inflation - An increase in aggregate demand that pulls up the price level.
Demand-Side Policies - Attempt to eliminate or reduce the severity of recessions, or maintain growth at a noninflationary pace, through active fiscal and monetary policy.
Demonstrative Evidence - Evidence in the form of a representation of an object, such as photos, x-rays, movies, maps, etc., that clarifies a witness's testimony and that is substantially similar to the "real" object at issue in the case.
Departmentalization - An organizational structure for grouping work into specialized units and jobs.
Department Production Report - A report that tracks the number of units moving through a department, provides a computation of unit costs, and shows how costs were charged to that department.
Depreciable Base - An asset's original cost less its salvage value.
Depreciation - A method of allocating the cost of tangible assets over the periods of expected use.
Derivative Instruments - Contracts requiring one party to pay another party some amount based on an underlying price or value.
Design - As used in the COSO definition of internal control, the internal control system design is intended to provide reasonable assurance of the achievement of an entity’s (the university's) business objectives, if those controls operated as designed.
Design Thinking - is a methodology that draws upon logic, imagination, and intuition to explore possibilities of “what could be” as well as the associated benefits to the university, unit, and student.
Descriptive Analytics - is the least sophisticated and most frequently used analytics technique as it requires little synthesis or analysis. Analysts use this method to report and characterize past events by condensing large chunks of data into smaller, more meaningful bits of information.
Descriptive Statistics - is the branch of statistics concerned with collecting, analyzing, describing, and presenting data, for example, mean, median, mode, range, variance, and standard deviation.
Destructive (Dysfunctional) Conflict - is the type of conflict that erodes relationships and derails progress toward goals.
Detective Controls - are those controls established to spot errors, omissions, circumvention of preventative controls and fraud after the initial processing has occurred, but before the ultimate objective has concluded. Risks that have high materiality, but relatively low probability, are controlled with detection and monitoring (such as data mining, fraud screening, etc.).
Deter - The creation of an environment in which a potential perpetrator decides not to commit a fraudulent act.
Determination Letter - Letter written by the federal awarding agency in response to the single audit findings. This letter provides their conclusions about the findings and the actions the state entity plans to take to resolve the findings.
Development - (1) The use of research to develop new processes and products or significantly improve existing ones; (2) the process of employees gaining new capabilities that are useful for both present and future jobs.
Diagnostic Analytics - provides insight into why certain trends or specific incidents occurred. Analysts using diagnostic analytics can evaluate data in different and deeper ways - for example, by segmenting by product, region, or customer - and therefore gain a better understanding of business performance, market dynamics, and the impact of different inputs on outcome.
Differential Costs - The increase or decrease in costs as a result of one more or one less unit of output.
Differentiation - A competitive strategy in which an organization strives to make its products or services different and unique in the industry.
Digital Evidence - Evidence in the form of e-mail messages, digital photographs, word-processing documents, spreadsheets, and databases.
Digital Signature - A value computed over a message with the signer's private key (typically by hashing the message and signing the hash) that anyone holding the matching public key can verify. It establishes that the message came from the holder of the private key and has not been altered since it was signed; it does not conceal the message, and its assurance depends on the private key staying private.
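The following is an added illustration of the hash-then-sign scheme described in this entry; it is not code from the original glossary. It uses Go's standard-library Ed25519 and SHA-256 (no third-party packages), generates throwaway keys at run time, and signs a constructed sample message. The message text and the scenario names are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage carries the bytes that were signed, the signature over
// them, and the public key a recipient should verify against.
type SignedMessage struct {
	Message   []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// Sign hashes the message with SHA-256 and signs the digest with the
// private key, making the "hash, then sign the hash" step explicit.
// (Ed25519 can also sign the raw message directly; the verifier must
// simply apply the same convention as the signer.)
func Sign(priv ed25519.PrivateKey, msg []byte) SignedMessage {
	digest := sha256.Sum256(msg)
	return SignedMessage{
		Message:   msg,
		Signature: ed25519.Sign(priv, digest[:]),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// Verify recomputes the digest over the received bytes and checks the
// signature with the public key. Any change to the message, the
// signature or the key makes it return false.
func Verify(sm SignedMessage) bool {
	digest := sha256.Sum256(sm.Message)
	return ed25519.Verify(sm.PublicKey, digest[:], sm.Signature)
}

// SignatureDemo records what Verify returns for a genuine message and
// for three kinds of tampering.
type SignatureDemo struct {
	Genuine          bool // untouched message and signature
	AlteredMessage   bool // message text changed after signing
	AlteredSignature bool // one bit of the signature flipped
	WrongKey         bool // checked against someone else's public key
}

// RunSignatureDemo generates a fresh key pair, signs a constructed
// sample message, and tries each tampering scenario.
func RunSignatureDemo() (SignatureDemo, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SignatureDemo{}, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SignatureDemo{}, err
	}

	// Constructed sample payload; not taken from the original page.
	msg := []byte("Transfer 100.00 from account 1234 to account 5678")
	sm := Sign(priv, msg)

	var d SignatureDemo
	d.Genuine = Verify(sm)

	altered := sm
	altered.Message = []byte("Transfer 900.00 from account 1234 to account 5678")
	d.AlteredMessage = Verify(altered)

	flipped := sm
	flipped.Signature = append([]byte(nil), sm.Signature...) // copy before editing
	flipped.Signature[0] ^= 0x01
	d.AlteredSignature = Verify(flipped)

	wrong := sm
	wrong.PublicKey = otherPub
	d.WrongKey = Verify(wrong)

	return d, nil
}

func main() {
	d, err := RunSignatureDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v alteredMessage=%v alteredSignature=%v wrongKey=%v\n",
		d.Genuine, d.AlteredMessage, d.AlteredSignature, d.WrongKey)
}
```

Only the genuine case verifies; the three tampered cases are rejected, which is exactly the integrity and origin assurance a signature provides. Note that the message itself travels in the clear: a signature proves who wrote it and that it is unchanged, not that it is secret.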
Digitization - is the process of converting documents and other assets into a digital format that can be stored and analyzed by computers.
Direct Costing - A method of inventory costing in which all variable manufacturing costs are included as inventoriable costs except for fixed manufacturing costs, which are treated as costs of the period in which they are incurred.
Direct Costs - Any costs that can be easily and accurately traced to a cost object (usually direct labor and direct materials).
Direct Evidence - is a type of evidence that proves a fact without requiring presumptions or inference, for example, testimony of an eyewitness to a fraud.
Direct Financing Lease - A type of lease, viewed from the lessor's side, in which the lessor acquires the asset and leases it out purely as a financing arrangement, earning interest income over the lease term rather than a profit on sale.
Directive Control - A type of control that is proactive and that causes or encourages a desirable event to occur; examples include guidelines, training programs, incentive plans.
Directive Controls - are those controls designed to ensure that a particular outcome is achieved. An example of this type of control is that staff be required to put the fraud response plan into action immediately after a fraud is suspected or discovered.
Direct Labor Budget - A type of budget that can help an organization plan production processes to smooth out production and keep a consistent workforce size throughout the year.
Direct Materials Budget - A type of budget that determines the quantity of materials required to meet planned production and the cost of acquiring them.
Direct Materials Purchase Budget - A type of budget that is concerned with direct purchases of material components and finished goods.
Direct Materials Usage Budget - A type of budget that specifies the material components and the cost of the materials in the direct materials budget.
Discount Rate - The interest rate on loans that the Federal Reserve makes to commercial banks.
Discovery Sampling - is used in statistics to measure the probability of at least one exception occurring in a sample if there are a minimum number of errors in the population. In auditing, it is to provide a specific level of assurance that a sample will show at least one example of an attribute if the rate of occurrence of that attribute within the population is at or above a specified limit. The attribute is expected to be rare. The audit decision is made once the first error is observed.
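The sample-size arithmetic behind discovery sampling, as an added worked example that is not part of the original glossary. It is written in Go with only the standard library. The binomial formula (sampling as if with replacement) is the usual large-population approximation; the hypergeometric functions give the exact answer for a known population size. The population figures (N = 1000, K = 10) and the 95% / 1% and 90% / 5% parameters are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// DiscoverySampleSize returns the smallest sample size n for which, if the
// population's true occurrence rate is at least criticalRate, the chance of
// seeing at least one occurrence in the sample is at least confidence.
// It uses the binomial model (as if sampling with replacement), which is
// the usual approximation for large populations and errs on the high side:
//   P(no occurrence in n) = (1 - p)^n, so n >= ln(1 - C) / ln(1 - p).
func DiscoverySampleSize(confidence, criticalRate float64) (int, error) {
	if confidence <= 0 || confidence >= 1 {
		return 0, errors.New("confidence must be strictly between 0 and 1")
	}
	if criticalRate <= 0 || criticalRate >= 1 {
		return 0, errors.New("criticalRate must be strictly between 0 and 1")
	}
	n := math.Log(1-confidence) / math.Log(1-criticalRate)
	return int(math.Ceil(n)), nil
}

// DetectionProbability is the binomial chance that a sample of n items
// contains at least one occurrence when the population rate is p.
func DetectionProbability(n int, p float64) float64 {
	return 1 - math.Pow(1-p, float64(n))
}

// NoOccurrenceProbabilityFinite is the exact (hypergeometric) probability
// that n items drawn without replacement from a population of N items, K of
// which are occurrences, contain none of them.
func NoOccurrenceProbabilityFinite(N, K, n int) float64 {
	if n > N-K {
		return 0
	}
	p := 1.0
	for i := 0; i < n; i++ {
		p *= float64(N-K-i) / float64(N-i)
	}
	return p
}

// DiscoverySampleSizeFinite is the exact counterpart of DiscoverySampleSize
// for a known population of N items containing at least K occurrences.
// Drawing without replacement needs somewhat fewer items than the binomial
// model predicts.
func DiscoverySampleSizeFinite(N, K int, confidence float64) (int, error) {
	if N <= 0 || K <= 0 || K > N {
		return 0, errors.New("need 0 < K <= N")
	}
	if confidence <= 0 || confidence >= 1 {
		return 0, errors.New("confidence must be strictly between 0 and 1")
	}
	p := 1.0 // running P(no occurrence) for the current n
	for n := 1; n <= N-K+1; n++ {
		p *= float64(N-K-(n-1)) / float64(N-(n-1))
		if 1-p >= confidence {
			return n, nil
		}
	}
	return N - K + 1, nil // not reached: p becomes 0 at n = N-K+1
}

func main() {
	// 95% confidence of catching at least one exception if 1% or more of the
	// population is wrong; figures are constructed for illustration.
	n, err := DiscoverySampleSize(0.95, 0.01)
	if err != nil {
		panic(err)
	}
	fmt.Printf("binomial: sample %d items (detection probability %.4f)\n",
		n, DetectionProbability(n, 0.01))

	nf, err := DiscoverySampleSizeFinite(1000, 10, 0.95)
	if err != nil {
		panic(err)
	}
	fmt.Printf("exact for N=1000, K=10: sample %d items\n", nf)
}
```

With 95% confidence and a 1% critical rate the binomial model calls for 299 items, which matches the roughly 300 that standard discovery-sampling tables give; at 90% and 5% it calls for 45. The finite-population version shows why the tables are conservative: for 1,000 items containing 10 exceptions, noticeably fewer than 299 draws already reach 95%. In either model, the plan stops at the first exception found, which is then investigated rather than extrapolated.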
Distribution - The area concerned with how a product or service reaches a customer.
Distribution Channel - The medium used to reach a customer.
Diversity - Accepting and respecting individual differences and being inclusive of such things as different backgrounds, values, beliefs, experiences, and skills.
Divest - To sell off business units early in the decline stage by finding interested buyers.
Dividend Growth Model - A method of estimating the stock value of constantly growing dividends that assumes that the dividend will grow at a constant rate g, based either on historical growth rates or on an analyst's forecasts.
Divisional Structure - Organizational structure in which divisions are fairly autonomous units.
Documentary Evidence - is a type of evidence that includes all kinds of writings, including those that are handwritten, typed, printed, photocopied, or photographed, as well as any media by which information can be preserved.
Dollar Unit Discovery Sampling - Discovery sampling in which each dollar in the population, rather than each item, is the sampling unit. Dollars are selected at random and the item containing each selected dollar is tested, so larger items are more likely to be selected.
Domain Name - A human-readable name that the Domain Name System maps to one or more numeric IP addresses.
Domain Name System - A hierarchical, distributed directory of servers that maps domain names to IP addresses (and back). Because a client generally trusts whatever answer it receives, a forged or poisoned DNS reply can silently redirect users to an attacker's server; DNSSEC lets resolvers verify that answers are authentic.
Domestication - The situation in which a host country acquires more ownership than the foreign business.
Dual-Entry Accounting - An accounting system in which each transaction is recorded in at least two places: a debit to one account and a credit to another account.
Due Care - The level of caution that an individual exercises when performing a due diligence audit and reporting the results.
Due Diligence - The process of investigating a person, business, or financial transaction.
Dumb Terminal - An input/output node for a mainframe system, consisting of either just a display and entry devices or a PC running terminal emulation software.
Dumping - Situation in which an exporter sells a product for less in a foreign country than the product sells for in the domestic market; designed to drive competitors out of an industry and allow the exporter to raise prices to make a profit.
Duplicate Process Check - A hardware control in which a process is performed twice and the results compared.
Dysfunctional Conflict - Type of conflict that erodes relationships and derails progress toward goals.
Earnings Per Share - The ratio of total earnings to number of shares outstanding; a commonly used measure of a company's value to investors.
Echo Check - A hardware control in which received data is returned to the sender for comparison.
E-Commerce - Conducting commercial activities over the internet.
Economic Entity - Any entity that has a separately identifiable accounting and accountability; could be an individual, type of corporation, or business unit.
Economic Exposure - The risk that fluctuations in exchange rates will affect the future cash flows or value of an organization.
Economic Growth - An increase in real gross domestic product over a period of time.
Economic Indicator - Any economic statistic, such as the unemployment rate, GDP, or the inflation rate, that indicates how well the economy is doing and how well it will do in the future.
Economic Order Quantity (EOQ) Inventory Model - A model useful for evaluating the efficiency of organizations that have substantial inventory.
Economic Value Added - Determined by deducting a capital charge (the weighted average cost of capital multiplied by the capital employed) from after-tax operating profit, that is, net income plus after-tax interest expense.
Edit Check - A type of control that involves automated tests on data fields.
Effect - is the risk or exposure the organization encounters because the condition is not consistent with the criteria.
Effectiveness - Relates outputs and the degree to which an organization's goals and objectives are achieved. Doing the right things.
Efficiency - Minimizing the use of resources in a product or service process as compared to standard expectations; the ratio of the resources actually used to the resources that were planned to be used. Doing things right.
Efficiency Opportunity - means that the current process does not result in achievement of optimal productivity or use of resources.
Electronic Data Interchange (EDI) - An intercompany communication directly between applications in standard format.
Electronic Evidence - Evidence in the form of e-mail messages, digital photographs, word-processing documents, spreadsheets, and databases.
Electronic Funds Transfer (EFT) - The transfer of monetary value and financial data from one bank to another.
Emerging Industry - An industry in the early stages of development.
Emotional Intelligence - is the capacity to be aware of, control, and express one's emotions, and to handle interpersonal relationships judiciously and empathetically.
Empathy or an Empathetic Work Environment - is showing compassion through active listening, asking questions that get to the root of others' needs, being open-minded, avoiding making assumptions, showing understanding, prioritizing urgent matters, knowing your coworkers as people, valuing people over profits, and accepting that an empathetic work environment doesn't happen overnight.
Employee Work Passion - is a persistent, emotionally positive, meaning-based state of well-being stemming from recurring cognitive and emotional appraisals of various work-related situations that result in consistent, constructive, work intentions and behaviors. It is characterized by five positive intentions:
- Performs above standards expectations (service excellence)
- Uses discretionary effort on behalf of the organization
- Endorses the organization and its leadership to others outside the organization
- Uses altruistic citizenship behaviors toward all stakeholders
- Stays with the organization
Encoding - Creating a message in the best sensory mode (such as seeing or hearing) and the best tone, format, length, etc.
Encryption - The use of a mathematical algorithm and a secret key to scramble data so that it cannot be read without the corresponding key. Symmetric schemes use the same key to encrypt and decrypt; public-key schemes encrypt with a public key and decrypt with the matching private key. Modern authenticated modes also detect tampering with the ciphertext. The protection is only as good as the handling of the keys.
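An added example of symmetric, authenticated encryption, not code from the original glossary. It uses Go's standard-library AES-256-GCM, generates a throwaway key at run time (a real system would obtain it from a key-management service), and encrypts a constructed sample record. It shows the three properties the entry above claims: the right key recovers the data, the wrong key does not, and any change to the stored ciphertext is detected rather than silently decrypted to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a random 32-byte key for AES-256. In practice the key
// comes from a key-management system, never from source code or a config file.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// The nonce is random and must never be reused with the same key.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error if the key is wrong or if
// any byte of the nonce, ciphertext or authentication tag was changed.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptionDemo reports whether a round trip succeeds and whether decryption
// with the wrong key, or of a tampered ciphertext, is rejected.
func EncryptionDemo() (roundTrip, wrongKeyRejected, tamperRejected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return false, false, false, err
	}
	otherKey, err := NewKey()
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample record; not real data.
	plaintext := []byte("SSN 000-00-0000 (constructed sample)")

	sealed, err := Encrypt(key, plaintext)
	if err != nil {
		return false, false, false, err
	}
	got, err := Decrypt(key, sealed)
	roundTrip = err == nil && bytes.Equal(got, plaintext)

	_, err = Decrypt(otherKey, sealed)
	wrongKeyRejected = err != nil

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Decrypt(key, tampered)
	tamperRejected = err != nil

	return roundTrip, wrongKeyRejected, tamperRejected, nil
}

func main() {
	rt, wk, tp, err := EncryptionDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("roundTrip=%v wrongKeyRejected=%v tamperRejected=%v\n", rt, wk, tp)
}
```

Because the nonce is fresh each time, encrypting the same record twice produces two different outputs; an auditor comparing stored ciphertexts therefore cannot tell whether two records hold the same value, which is intended. The failure cases return an error rather than plausible-looking bytes, so callers must check that error and never use the output of a failed decryption.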
Engagement - is a specific internal audit assignment, task, or review activity, such as an audit, consulting agreement, control self-assessment review, or investigative service. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives. Engagement also means a positive state of mind with positive behavior that results in positive work-related outcomes. Engagement is not the same as motivation. See also Employee Work Passion.
Engagement Conclusion - is the professional judgment, opinion and/or description of results of an audit engagement by the Internal Auditor, relating to those aspects within the objectives and scope of the engagement.
Engagement Objectives - are broad statements developed by internal auditors that define intended engagement accomplishments.
Engagement Work Program - is a document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.
Enterprise Application Integration (EAI) - A portfolio of technologies that help disparate applications communicate.
Enterprise Resource Planning (ERP) - Modular suites of business applications that share data between modules seamlessly and store all data in a single repository.
Enterprise Risk Management - The culture, capabilities, and practices, integrated with strategy setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value (2017). It is a process, effected by the university's board of trustees and management, designed to identify risks and opportunities related to the university's business objectives, assessing them, determining a response and monitoring progress so that risk is managed to be within the university's risk appetite and to provide reasonable assurance regarding the achievement of business objectives (2013).
Entity - In a database, the person, place, or thing that a record describes.
Entity-Level - In COSO, higher levels of the entity, separate and distinct from other parts of the entity, such as subsidiaries, divisions, operating units, and functions.
Entity-Wide - Activities that apply across the entity - in COSO, most commonly in relation to entity-wide controls.
Environmental Analysis - A process for analyzing external and internal factors that are important to setting and carrying out strategy.
Environmental Scanning - A process for analyzing external and internal factors that are important to setting and carrying out strategy.
Environmental, Social and Governance (ESG) - Commonly referred to as sustainability, non-financial or extra-financial risks, the environmental, social and governance risks and/or opportunities that may impact an entity.
Equipment Check - Circuitry controls that detect hardware errors.
Equity (Shareholders' Equity or Net Assets) - The residual ownership interest in an organization's assets after deducting all of its liabilities.
Equivalent Unit - A measure of work done on partially completed units expressed in terms of how many completed units could have been created with the same amount of work in the period under consideration.
Error - A mistake that was not intentional.
Ethics - is the study of right or wrong conduct in situations where there is a choice of behavior involving human values.
Ethical Competence - is the difference between simply having technical skills and having a true sense of professionalism.
Ethical Culture - is an intangible structure of organizing and characterizing a group of people to constitute a framework influencing the behavior of each individual in the group.
Ethical Omnipotence - when someone feels so aggrandized and entitled that they believe the rules of decent behavior don’t apply to them.
Ethical Values - Moral values that enable a decision-maker to determine an appropriate course of behavior; these values should be based on what is right, which may go beyond what is legal.
EthicsPoint - is a third-party provider of anonymous communication services to the university. The EthicsPoint toll-free hotline (855-375-6776) and website (sou.ethicspoint.com) are available to you to alert internal audit to misconduct. If internal audit is able to objectively substantiate your allegation, the Internal Auditor assists management in a process to address the situation.
Ethnocentric Orientation - In terms of international operations, an orientation in which the home country headquarters largely controls home country and host country operations.
European Central Bank (ECB) - The bank that is responsible for monetary policy covering the 13 member countries of the European Union that have adopted the euro as their currency.
European Commission (EC) - The executive body of the European Union.
European Investment Bank (EIB) - The European Union's financing institution; provides financing for capital investment furthering European Union policy objectives.
European System of Central Banks (ESCB) - The banking system that is made up of the European Central Bank and the local central banks of the 27 member states of the European Union.
European Union (EU) - A customs and economic union of 27 (as of January 2012) independent, democratic European countries (called member states) supporting free trade and fixed exchange rates.
Event - An occurrence or set of occurrences (negative connotation).
Evidence - The information presented to a judge or jury that is designed to convince them of the truth or falsity of statements.
Exchange Rate Risk - The volatility of exchange rates between an organization's primary currency and any currencies used by its subsidiaries and trading partners.
Exchange-Traded Securities - Securities traded on an organized exchange with standardized contracts.
Excise Tax - A specific cash amount levied on a particular commodity, such as liquor.
Expenses - Depletion or outflows of assets and/or incurrence of liabilities resulting from an organization's production or delivery of goods or services as part of its primary ongoing operations.
Expense/Expenditure - Designates the cost of goods delivered or services delivered, whether paid or unpaid.
Experimental Evidence - A type of evidence that is the result of an experiment conducted outside or inside the court under circumstances similar to those giving rise to the issue in the case.
Expert Judgement - A forecasting method used when conditions in the past are not likely to hold in the future; involves a group of experts, each considering information and then weighing in with an opinion or conclusion regarding a specific forecast.
Expert Systems - Software systems that capture the knowledge of a professional using a series of decision points; used to automate complex situations requiring judgment, such as the probability of loan default.
Exponential Smoothing - A smoothing method that uses a weighted average of past time series as the forecast; selects only one weight, that of the most recent observation.
Exporting - When an organization sells its products or services to foreign customers, either directly or indirectly through an intermediary.
Export Subsidies - Payments a government makes to a business that exports goods; the firm will export the good up to the point at which the domestic price exceeds the foreign price by the amount of the subsidy.
Expropriation - The situation in which a country takes over an organization's assets without adequate compensation.
Extensible Markup Language - A language used for Internet applications; it is accessible by any type of computer platform, allows new tags to be defined, has interactive elements, and eases inter-application communication.
External Environment Analysis - A research process that gathers information on the external environment that might affect the industry and organization, such as factors related to the economy, government, laws and regulations, societal and cultural concerns, and technology, as well as specific industry or competitor trends.
Extranet - A network that is similar to an intranet but is designed for customers, external partners, or suppliers.
External Environment - Anything outside of the university that influences the ability to achieve strategy and business objectives.
External Service Provider - is a person or firm outside of the university that has special knowledge, skill, and experience in a particular discipline.
External Stakeholders - Any parties not directly engaged in the university's operations but who are affected by the university, directly influence the university's business environment, or influence the university's reputation, brand, and trust.
Failure Mode and Effects Analysis - a technique that helps identify and counter weak points in the early conception phase of process change by identifying and prioritizing every possible failure mode (frequency), its resulting effect (impact), how it can be prevented and who is responsible for preventing it (internal controls).
Face Value - The amount of a bond owed at maturity.
Factory Budget - A type of budget that includes all production costs other than direct materials and direct labor.
Fail Fast Model - is when new ideas are developed quickly and change course as they succeed or fail. Leaders are not afraid to fail. If an effort fails, fail fast and recover quickly.
Fair Market Value - The amount an asset could be acquired for (or sold) or a liability incurred (or settled), assuming willing parties that are not involved in a liquidation.
Fair Value - The amount an asset could be acquired for (or sold) or a liability incurred (or settled), assuming willing parties that are not involved in a liquidation.
Fair Value Hedge - A hedge of the exposure to changes in the fair value of a recognized asset or liability or an unrecognized firm commitment.
Fault Tolerant Components - Components that have redundancies in hardware or software to allow continued operations if a system fails.
Federal Reserve System (The Fed) - The central banking system of the US; uses monetary policy to help the economy achieve full-employment GDP.
Fedwire - A secure and expensive type of electronic funds transfer; operated by the Federal Reserve System.
Field - In a database, a business object such as a name or asset.
Field Check - A type of control that involves a check to see if information in an entry field is complete.
File - In a database, a collection of related records.
File Transfer Protocol (FTP) - Allows transfer of large files between computers on a network or the Internet.
Financial Accounting Standards Board (FASB) - An independent, nonprofit group under authority of the US Securities and Exchange Commission that sets accounting standards.
Financial Audits - independent assessments of whether an entity’s reported financial information (e.g., financial condition, results, and use of resources) are presented fairly in accordance with recognized criteria. This is subtly, but importantly, different than financial attestation audits performed by External Auditors for the use of third parties.
Financial Electronic Data Interchange (FEDI) - Type of electronic data interchange that transfers payment information between companies, banks, or others; settlement occurs through electronic funds transfer (EFT).
Financial Flexibility - The ability of an organization to respond to unexpected opportunities by changing amounts and timing of cash flows.
Financial Instruments - Cash, ownership interests, and rights or obligations set by contract to receive or remit cash or other financial instruments.
Financial Leverage - The use of fixed interest in the form of debt or preferred equity stock with the expectation of earning a greater return than the cost of the fixed interest.
Financial Lease - Any lease that transfers substantially all of the risks and rewards of owning an asset, whether title is or is not eventually transferred.
Finished Goods - Products that are ready-to-wear, ready-to-eat, ready-to-drive, or ready-to-use and are waiting to be purchased.
Firewall - A hardware/software combination that routes all communications to or from the outside world through it, blocking unauthorized traffic.
First-In-First-Out (FIFO) Inventory Valuation Method - An accounting assumption that the oldest goods are used or sold first; calculates the unit cost using only the costs incurred and work performed during the current accounting period.
First Line of Defense - is operational management, comprising frontline functions such as sales and customer service or procurement. These frontline process owners also own and manage risk, which entails designing and implementing operating control procedures on a day-to-day basis. They also are responsible for identifying and correcting control deficiencies.
First Mortgage Bonds - Bonds secured by real estate.
Findings - organize facts discovered during auditing; facts that the auditor believes the client should know about and, most likely, act upon. A finding is generally considered to have the "Five C's" - criteria, condition, cause, concern, and corrective action. Notice that "conclusion" is not included. A conclusion represents the auditor's professional judgment concerning the activities reviewed in the engagement.
Finite Population Correction Factor - is used in statistics to adjust an initial computed sample size to arrive at the final sample size.
Fiscal Policy - A government's use of taxes and spending to achieve its macroeconomic goals.
Fishbone Diagram - A quality tool that uses a visual to map out a list of factors that are thought to affect a problem or a desired outcome.
Fixed Asset Turnover Ratio - A measure of how efficiently a company uses its fixed assets to generate sales; the higher the ratio, the better.
Fixed Costs - Portions of the total cost that remain constant regardless of changes in the level of activity over the relevant range.
Fixed Exchange Rate - A rate of exchange for currency that does not rise or fall.
Fixed Payment Coverage Ratio - A measure of an organization's ability to pay fixed obligations within a set period of time.
Fixed Price Contract - A type of contract that requires a contractor to successfully perform the contract and deliver supplies or services for a price agreed to up front.
Flexible Exchange Rate - A system in which the exchange rates for currencies are determined by market supply and demand, as are the prices of other financial assets such as stocks and bonds.
Floating Exchange Rate - A system in which the exchange rates for currencies are determined by market supply and demand, as are the prices of other financial assets such as stocks and bonds.
Floor - Sets a minimum value for an adjustable interest rate.
Flowchart - is a graphical representation of the actual or ideal path followed by any service or product; provides a visual sequence of the steps in a process, illustrates the relationship between parts, and identifies what the process does or should do.
Focus - A competitive strategy in which an organization appeals to a narrower segment of the industry.
Follow-Up - A process by which internal auditors determine the adequacy, effectiveness, and timeliness of actions taken by management on reported engagement observations and recommendations, including those made by external auditors and others.
Force Field Analysis - A planning tool to identify forces for and against change to help make better decisions.
Forecasting - Analyzing past and present data in order to project the future.
Foreign Currency Exposure Hedge - A hedge of the foreign currency exposure of a net investment in a foreign operation, an unrecognized firm commitment, an available-for-sale security, or a foreign-currency-denominated forecasted transaction.
Foreign Direct Investment (FDI) - A situation in which an international organization owns part or all of an operation in another country.
Forensic Auditing - The application of auditing skills to gather evidence that may be used in a court of law for a criminal or civil matter.
Format Check - A type of control that checks to see that data is entered in an acceptable format.
Forward - An over-the-counter contract between a buyer and a seller who agree today on a price and delivery date for the future.
Forward Exchange Contract - An agreement to buy foreign currency in the future at a price determined by the forward market, often as a fair value hedge against the cash flow variability from changes in exchange rates.
Forward-Type Contracts - Binding contracts that fix the price of an asset in advance and give the buyer the risks of asset ownership at a fraction of the asset's cost; usually settled in cash prior to the settlement date.
Fragmented Industry - An industry made up of a number of smaller competitors with no strong market leader.
Framework - Under COSO, the five components consisting of:
- Governance and Culture
- Strategy and Objective-Setting
- Strategy and Objective Performance
- Review and Revision; and
- Information, Communication and Reporting.
Franchising - A type of license whereby use of an entire business is licensed.
Fraud - Any illegal act characterized by deceit, concealment or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated to inappropriately obtain money, property, or services, to avoid payment or loss of services or to secure personal or business advantage. http://sos.oregon.gov/audits/Pages/frauddefined.aspx
Fraud Risk - The chance of a perpetrator committing a fraud - including the method of fraud, the degree of dishonesty and skill of the perpetrator, and the effectiveness of controls. You have the responsibility to report fraud (see EthicsPoint). Management has the responsibility to deter, detect and prevent fraud. https://inside.sou.edu/assets/ia/Fraud_Presentation.pptx
Fraud Triangle - A model of the relationships between the opportunity to commit fraud, the pressure to perpetrate fraud, and the rationalization to justify a fraudulent action.
Fraudulent Financial Reporting - Falsified reporting designed to mislead financial statement users, usually by understating or overstating assets/liabilities or revenues/expenses.
Free Trade - The absence of artificial barriers to trade among different nations.
Frictional Unemployment - The amount of unemployment due to the normal workings of the labor market.
Full Costing - A method of inventory costing in which all variable and fixed manufacturing costs are included as inventoriable costs; thus, inventory "absorbs" all manufacturing costs.
Full Cost Model - A transfer pricing model that starts with the seller's variable cost for an item and then allocates fixed costs to the prices.
Full Disclosure Principle - A principle that recognizes that statement preparers must make compromises between a level of detail sufficient to help users with their decisions while condensing that information enough to keep it understandable.
Functional Currency - The currency of a subsidiary's primary economic environment.
Functional Group - A group that is established to accomplish a specific ongoing purpose and remains in existence.
Functional Structure - An organizational structure in which authority and decision-making are arranged by functional groups such as finance, marketing, manufacturing, and research.
Fund Balance - In governmental accounting, “funds” are used to separately account for specific activities within the government and present them in the financial statements. For example, the Educational Support Fund shows the activities of the Higher Education Coordinating Commission (HECC) and the Department of Education. Fund balance is the arithmetic difference between total fund assets and total fund liabilities.
Futures - Forwards traded on an established exchange or its clearinghouse.
Future Value - The value of an investment at a particular date in the future assuming that compound interest is applied.
FX Rates - Quotations of the number of units of one currency needed to exchange for a unit of a different currency.
Gains - Increases in net assets (equity) due to incidental or peripheral transactions except those resulting from investments by or distributions to owners.
Gantt Chart - A project scheduling technique that divides a project into sequential activities with estimated start and completion times.
Gap Analysis - A type of analysis that looks at the gap between the organization and benchmark competitor that has the best quality in the industry.
Gateway - Networking hardware that connects networks with dissimilar architectures.
Gateway Firewall - A type of firewall that stops traffic flowing to a specific application such as File Transfer Protocol.
General Agreements on Tariffs and Trade (GATT) - An agreement that sets forth binding tariffs between member countries; generally means that the countries cannot raise their tariffs from the agreed-upon levels.
General Ledger - The primary ledger for an organization, containing all asset, liability, equity, revenue, and expense accounts.
Generally Accepted Accounting Principles (GAAP) - A combination of authoritative standards (set by policy boards) and the commonly accepted ways of recording and reporting accounting information.
General Control - is an entity-level IT control that applies generally to the IT environment or overall mix of systems, networks, data, people, and processes.
Geocentric Orientation - In terms of international operations, an orientation in which there is strong interdependence between the home and host countries; the approach is to develop worldwide standards and objectives that serve both universal and local purposes.
Global Industry - An industry in which products or services are similarly created and distributed for markets in more than one country.
Global Strategy - A strategy in which an organization can produce products or services anywhere from a global location.
Goalpost Conformance - Conformance to a quality specification expressed as a specified range around a target.
Goals - are "what" we are trying to achieve - in general. Goals are high-level, aligned with and supporting mission and vision, reflecting management's choice as to how the university will seek to create value for its stakeholders. Management and/or the Board of Trustees are responsible for establishing the criteria used by Internal Audit in determining whether goals and objectives have been accomplished. See also objectives, tactics and strategy.
Goodwill - The excess of the price paid for a subsidiary over the fair value of the subsidiary's net assets.
Governance - is the combination of processes and structures implemented by the Board of Trustees to inform, direct, manage, and monitor the activities of the organization toward the achievement of its business objectives.
Governance Controls - are entity-level controls (rather than process or transaction-level controls) that establish the control culture, clarify organizational expectations and include organization-wide policies and procedures. They rest with the Board of Trustees and their committees, such as the Executive and Audit Committee, in consultation with executive management.
Governance Model - provides the supporting organizational structure and management needed to address conflicts, evolve capabilities, and continually improve.
Governance Risk Control (GRC) - is an acronym invented as a shorthand reference to the critical capabilities that must work together to achieve principled performance — the capabilities that integrate the governance, management and assurance of performance, risk, and compliance activities. This includes departments like internal audit, compliance, risk management, legal, business services, information technology, human resources and other administrative roles, as well as management of the university's services, executive management and the board of trustees. http://www.oceg.org/about/what-is-grc/
Government Auditing Standards - The professional standards and guidance issued by the Comptroller General of the United States that provide the framework for conducting high quality audits.
Government Bonds - Bonds issued by government entities; repaid through general tax revenues (general obligation bonds) or revenues of the item financed (revenue bonds).
Gross Domestic Product (GDP) - The total market value of all goods and services produced in the economy in one year.
Gross Profit - The money remaining from sales revenues after deductions for the cost of goods sold.
Gross Profit Margin - The ratio of gross profits to sales.
Group Dynamics - The way groups and individuals act and react.
Groupthink - is the practice of thinking or making decisions as a group in a way that discourages creativity or individual responsibility. Groups can make faulty decisions because group pressures sometimes lead to a deterioration of mental efficiency, reality testing and moral judgment. A group is especially vulnerable to groupthink when its members are similar in background, insulated from outside opinions and there are no clear rules for decision-making.
Hard (Internal) Controls - Tangible internal controls such as organizational structure, delegation of responsibility, and human resources policies.
Harvest - To maximize cash flow while minimizing or ceasing investments.
Heat Map - A presentation tool to show the results of a risk assessment process. Risks are mapped on a residual risk basis that considers the extent to which risks are mitigated or reduced by internal controls.
Hedger - The party in a derivative transaction who is attempting to reduce an underlying business risk (usually loss of profitability).
High-Context Language - When individuals say things indirectly and implicitly, reading between the lines is important because the words could have different meanings and some things may be left unsaid.
Histogram - A measurement of the frequency of particular elements contributing to an overall set of data.
Historical Cost - The principle that using the values actually paid or received is more reliable than estimates of current value.
Holding Gains/Losses - The net change in the fair value of a security from one period to the next.
Home Country - The country where an organization's headquarters are.
Horizontal Analysis - A type of analysis used to review historical sequences of data; more appropriately used in reviewing data from income statements or expense statements rather than balance sheets, which present financial information for a particular point in time.
Horizontal Bar Chart - A project scheduling technique that divides a project into sequential activities with estimated start and completion times.
Horizontal Common-Size Financial Statements - Statements that express the results for the same organization over several periods as a percentage of a base year, with other years shown as the percentage increase or decrease from the base year.
Horizontal Integration - A lateral approach to owning and gaining control of activities at a same level of the value chain.
Host Country - A foreign country within which an organization conducts business.
Host IPS (HIPS) - Software that functions at the operating system kernel level to detect and block abnormal application behavior before it executes.
Hub - In terms of networking hardware, a port switching communications device.
Hybrid Instruments - A combination of traditional debt or equity financing with an embedded derivative, such as a convertible bond or convertible preferred stock.
Hypertext Transfer Protocol/Secure (HTTP/HTTPS) - Regular and encrypted versions of the communications standard for Internet message formatting and transmission.
Identity Theft - The illegal use of sensitive information to impersonate an individual over computer networks in order to defraud the person or commit a crime without the perpetrator's true identity being known.
If-Converted Method - A method of determining the impact of convertible bonds that assumes that all convertibles are converted at the beginning of the period or at their date of issuance (prorated).
Illusion of Control - People find comfort believing they can control the world around them, even when they cannot. For example, an organization may believe it is mitigating climate-related risk by accounting for and reducing greenhouse gas emissions and energy use.
Impact - is the positive and/or negative result or effect a risk event may have on university operations. Under COSO there may be a range of possible impacts associated with a risk.
Impairment - is an impediment to organizational independence and individual objectivity. It may include personal conflict of interest, scope limitations, restrictions on access to records, personnel and properties, and resource limitations (funding).
Imperfect Data - Internal Auditors may need to work with imperfect data. As long as the Internal Auditor assesses the effects of incomplete data and disclaims the reliability of the data clearly in the report, the analysis of the data may prove useful without being misleading.
Importing - When an organization buys products, supplies, or services from a foreign country.
Import Quotas - The maximum amount of a good that may be imported to a country in a given time period.
Imprest Accounts - Accounts that are restricted as to what cash in the account can be used for, such as for clearing large amounts of checks or for specific disbursements such as payroll, dividends, or travel expenses.
Imprest System - is a form of financial accounting system. The base characteristic of an imprest system is that a fixed amount is reserved and, after a certain period or when circumstances require because money has been spent, it is replenished. The most common imprest system is the petty cash system.
Inconclusive - the Internal Auditor did not have access to enough information to determine whether the allegation could be substantiated or unsubstantiated, for example, essential witnesses have left the university's employment, relevant individuals refuse to be interviewed, or documents have been lost or destroyed.
Income Bonds - Bonds that pay interest only when the organization has profits.
Income Statement - A summary of the profitability or success of an organization over a period of time, such as a year.
Incremental Budgeting - A type of budget in which a manager starts with last year's figures and adds to them (or subtracts from them) according to anticipated needs.
Incremental costs - The increase or decrease in costs as a result of one more or one less unit of output.
Incremental Unit-Time Learning Model - A learning curve analysis model that measures increased efficiency by adding the incremental time for each unit to the previous total time; average time per unit is then calculated by dividing total time by the number of units.
Independence - is the freedom from conditions that threaten the ability of the internal audit activity to carry out its responsibilities in an unbiased manner. This applies to both independence in fact (real independence) and independence in appearance (perceived independence). Internal Audit reports administratively to the President to ensure direct and unrestricted access to senior management. Internal Audit is supervised by the Executive and Audit Committee of the Board of Trustees to ensure that Internal Audit does not subordinate its judgment to management.
Industrial revenue bonds - Bonds issued by tax-exempt state or local governments to finance public projects.
Inflation - The decrease in the purchasing power of money and the increase in the general price level for goods and services.
Informal groups - Groups that develop on their own, without a formal decision by management; may form spontaneously in response to a function or task or from a sense of shared experiences or interests.
Information - Processed, organized, and structured data concerning a particular fact or circumstance.
Information risk - The risk that inaccurate information is used to make a business decision.
Information Technology Controls - are controls that support business management and governance as well as provide general and technical controls over information technology infrastructure such as applications, information, hardware, networks and people.
Information Technology Governance - consists of the leadership, organizational structures and processes that ensure that the university’s information technology supports the university’s strategies and business objectives.
Inherent Limitations - are limitations of risk management and preconditions of internal control and governance related to limits of human judgment, resource limitations, external events beyond the entity's control, the reality that breakdowns can occur, the possibility of management override, collusion, and the need to balance the costs of controls in relation to expected benefits.
Inherent Risk - is the risk to the university in the absence of any actions management might take to alter the risk's likelihood or impact.
Input Controls - are a type of control intended to prevent computer errors by controlling data as it manually or electronically enters the system.
Insignificant Deficiency - A deficiency in internal controls that would not adversely affect the university's financial reporting process and the critical processes that provide data and information.
Installment sales method - A revenue deferral method that recognizes revenue as cash is collected from prior sales; used for sales on installment where title for the goods is held until the final payment is collected.
Integration - A growth strategy used by many organizations to control aspects of product or service development or customer buying processes.
Integrity (of Auditors) - Auditors conducting their work with an attitude that is objective, fact-based, nonpartisan, and non-ideological with regard to audited entities and users of the auditors’ reports. Within the constraints of applicable confidentiality laws, rules, or policies, communications with the audited entity, those charged with governance, and the individuals contracting for or requesting the audit are expected to be honest, candid, and constructive.
Interest - The agreed-upon payment for use of resources.
Internal Analysis - A research process that collects information on an organization's resources, capabilities, structure, limitations, etc.
Internal Audit Activity - is a department or practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its business objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes.
Internal Controls - are control activities designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance, including policies that establish what should and should not be done and procedures that are the actions to implement the policies. Control activities either deter undesirable acts or prevent errors from occurring (preventative) or find undesirable acts or errors after they've occurred and provide evidence as to whether the preventative controls are effective (detective). Internal controls can be automated by software or manually performed.
Internal Control Assessment - is taking the Risk Assessment and mapping internal controls to the risks to determine if there are gaps between risks and controls.
Internal Control Deficiency - when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. See also: insignificant deficiency, significant deficiency and material weakness.
Internal Control Questionnaire - is a pre-constructed array of questions used to elicit key information about internal control.
Internal Environment - Anything inside of the entity that influences the ability to achieve strategy and business objectives.
International Accounting Standards Committee (IASC) - An independent private-sector body formed from the accountancy bodies of numerous countries.
International Monetary Fund (IMF) - An international agency charged with promoting economic stability and preventing global depression by providing loans to usually stable countries during times of crisis.
International Professional Practices Framework (Standards) - are the conceptual framework that organizes the authoritative guidance promulgated by The Institute of Internal Auditors. Authoritative guidance is composed of two categories – (1) mandatory (“must”) and (2) recommended (“should”). The Standards consist of three classifications:
- Attribute Standards - are the critical characteristics that individuals, teams, and organizations must have in order to provide effective internal audit services; such as purpose, authority, responsibility, a charter, independence, objectivity, proficiency, due professional care, quality assurance and improvement.
- Performance Standards - describe the nature of internal audit services and the quality criteria against which the performance of these services can be evaluated. In other words, they describe what internal auditors do and how they should do it.
- Implementation Standards - provide more specific guidance as to how the Attribute and Performance Standards apply to each major type of internal audit activity.
Interoperability - is full operational integration of a system, such as using an application programming interface (API). See also compatibility.
Interval Sampling - is selecting a sample of information from a list with the same distance or time between each measurement taken or data point recorded. In research terms this is also referred to as 'nth selection'. The sampling interval produces a random selection from throughout the total population.
Ishikawa Diagram - is a quality tool that uses a visual to map out a list of factors that are thought to affect a problem or a desired outcome.
Job Analysis - A process that identifies the activities and responsibilities of a job, its relative importance and relationship to other jobs, the personnel qualifications necessary to perform the job, and the conditions under which the work is performed.
Job costing - A costing system that assigns costs to a specific job (a distinct unit, batch, or lot of a product or service).
Job Design - The way a job and its tasks are organized; includes what the tasks are, in what order they are done, and how they are done.
Job Enlargement - Broadening the scope of a job with an expansion of similar or different tasks.
Job Enrichment - Adding more depth to a job by adding responsibilities.
Job-Order Costing - A costing system that assigns costs to a specific job (a distinct unit, batch, or lot of a product or service).
Job Specifications - A document that lists the knowledge, skills, and abilities (KSAs) necessary to perform a job satisfactorily.
Joint Ventures - Agreements between two separate organizations to accomplish a single project together.
Juice Jacking - is a type of cyber attack involving a charging port that doubles as a data connection, typically over USB (such as at an airport). This often involves either installing malware or surreptitiously copying sensitive data from a smartphone, tablet, or other computer device.
Justified Neglect - when people don’t speak up about ethical breaches because they are thinking of more immediate rewards such as staying on a good footing with the powerful.
Just-in-time (JIT) manufacturing - A comprehensive manufacturing production and inventory control methodology in which materials arrive exactly as they are needed for each stage of the production process.
Kaizen - are activities that continuously improve all functions and involve all employees.
Kalkines Warning - is an advisement of rights that compels subjects to make statements or face disciplinary action up to and including dismissal, but provides suspects with criminal immunity for their statements. For example:
"You are being questioned as part of an internal and/or administrative investigation. You will be asked a number of specific questions concerning your official duties, and you must answer these questions to the best of your ability. Failure to answer completely and truthfully may result in disciplinary action, including dismissal. Your answers and any information derived from them may be used against you in administrative proceedings. However, neither your answers nor any information derived from them may be used against you in criminal proceedings, except if you knowingly and willfully make false statements."
Kanban - is a lean method to manage work by balancing demands with available capacity and by improving the handling of bottlenecks.
Kanban Board - a workflow optimization and visualization tool. Kanban means "visual signal" or "card" in Japanese. An example would be a process mapped from left to right under headings such as plan, produce, deliver, verify. The distance between the process steps could represent relative time, to express constraints. There could be points in the process where data is collected and used as a key performance indicator, such as tracking flow, quality, throughput, lead times, etc. Specific project statuses could be layered over the information to track and communicate progress, such as backlogged, to do, planning, in progress, in test, in quality review, done, etc.
Kano Model - is a theory for product development and customer satisfaction developed in the 1980s by Professor Noriaki Kano, which classifies customer preferences into five categories (paraphrased): customer required, customer desired (and dissatisfied when not met), customer wanted (but not dissatisfied when not met), customer indifference (do not cause dissatisfaction when not met), and not all customers are alike.
Key Performance Indicators - are relevant (important - not just quantifiable), measurable, available, aligned with objectives and articulated to those involved so that they understand the importance of achieving performance levels.
Kickbacks - A form of corruption where an employee receives something of value from a vendor as inducement to do business.
Law - is the collection of rules of conduct imposed by an authority.
Lean - is the process of eliminating waste by relentlessly eliminating any process that does not add value from your customer's perspective.
Liability - Legal debts or obligations that arise during the course of business operations.
Likelihood - is how likely it is for a risk event to occur.
Limited Assurance - means "nothing has come to my attention" that would cause an Internal Auditor to believe that things are not as they should be. Limited Assurance is the first hurdle in providing Reasonable Assurance. It is possible to provide Limited Assurance and be unable to "prove" Reasonable Assurance.
Lower Control Limit - is the value that is farthest from the mean in the negative direction but still within the range that represents statistical control.
Lower of Cost or Market (LCM) - An inventory valuation method in which cost is the original cost and market refers to the market-determined cost to reproduce or replace the item, the lower of which becomes the new value.
Lump Sum Contract - A type of contract that requires a contractor to successfully perform the contract and deliver supplies or services for a price agreed to up front.
Machine Learning - is a type of artificial intelligence that provides systems with the ability to automatically learn and improve from experience without being explicitly programmed. Machine learning focuses on the development of computer programs that can access data and then use the data to learn for themselves.
Macroeconomics - The science of economic concerns on a national level.
Mainframe computer - A large computer capable of supporting massive inputs and outputs and many concurrent users.
Maintenance/Repair/Operations (MRO) - Those supplies required for repairs and maintenance of machinery, computers, etc.
Malware - Short for “malicious software,” this is a blanket term used to describe any type of software designed to inflict damage on an IT system or facilitate a data breach. Malware includes computer viruses, ransomware and spyware.
Managed Floating Exchange Rate System - A system in which the currency rate normally fluctuates according to supply and demand but is also supported by currency interventions by central banks in order to stabilize or alter rates.
Managed Risk - The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.
Management by Objectives (MBO) appraisal method - An appraisal method that encourages employees to help set objectives for themselves by defining what they hope to achieve within a specific period.
Management Controls - IT controls that determine and mitigate risks to critical assets, sensitive data, or operations, including standards, organizational structure, and physical and environmental controls.
Management Identified - is a designation that may be applied to an observation so long as:
- Internal Audit was notified prior to detailed testing;
- Management has identified, assessed, and communicated the issue to the appropriate level of executive management; and
- Management has established clear action plans with targeted completion dates for remediation.
Management Intervention - Management's overruling of prescribed policies or procedures for legitimate purposes when dealing with non-recurring or non-standard transactions or events that otherwise might be handled inappropriately.
Management Override - is when a member of management overrides established internal controls for illegitimate purposes. Fraud risk assessment should consider the potential override of internal controls by management as well as areas where controls are weak or there is a lack of segregation of duties. The AICPA refers to management override as "the Achilles heel of fraud prevention."
Management Processes - The series of actions taken by management to run an entity. An internal control system is a part of an integrated management process.
Manual Controls - Controls performed manually, rather than automated through the use of technology.
Materiality - (1) Any condition that has caused, or is likely to cause, errors, omissions, fraud, or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization. (2) A threshold level above which items would make a difference to a decision-maker (material) and below which the items are insignificant (immaterial).
Material Weakness - A significant deficiency or aggregation of significant deficiencies in internal controls that could have a material effect on the financial statements. It indicates a reasonable possibility that a material misstatement of the entity's financial statements would not be prevented or detected and corrected on a timely basis.
Matrix Structure - An organizational structure that is a team and project-based approach between functions and divisions.
Mature Industry - An industry that is fairly well established.
Maturity Matching - A method of mitigating risks by matching the maturities of liabilities to the maturities of
Mean - is the simple average computed by adding all the numbers in a series of n samples and dividing by n.
Mean Absolute Deviation - is the average distance of each value in a distribution from the mean value of the distribution (sum of the differences divided by the number of items in the distribution).
Median - is the exact midpoint of a distribution, with an equal number of items below it and above it.
Mediation - A process in which a neutral third party intervenes to help parties in a dispute negotiate their differences.
Memo Posting - Type of processing that is halfway between batch and real-time processing. Creates real-time entries that are posted to a temporary memo file (which allows the updated information to be viewed); at a designated time the memo file is batch-processed to update the master file.
Mentoring - A process whereby a mentor who has developed certain expertise shares that expertise with a protégé.
Merchandise Purchases Budget - A type of budget that shows the amount of merchandise an organization needs to purchase during a period.
Metropolitan-area network (MAN) - A computer network of local-area networks for a city, campus, or other medium-sized area.
Milestone chart - A project scheduling technique that divides a project into sequential activities with estimated start and completion times.
Minimum Viable Product - is the most basic solution and target operating model that can provide the defined capability and allow the organization to begin to capture value. Enhancements and functionality can be added over time.
Mission - The university's core purpose, which establishes what it wants to accomplish and why it exists.
Mitigating Controls - are controls that compensate for the lack of an expected control; they reduce the potential impact should an event occur. Insurance is a prime example of this.
Mode - is the number that occurs most frequently in a series.
Monte Carlo Simulation - is a broad class of computational algorithms that rely on repeated random sampling to obtain numerical results. The underlying concept is to use randomness to solve problems that might be deterministic in principle. In regards to risk, it is a technique used to understand the impact of risk and uncertainty in financial, project management, cost, and other forecasting models. The more sources of uncertainty there are, the more advantageous Monte Carlo simulation is over other forms of statistical analysis. A Monte Carlo simulator helps visualize most or all of the potential outcomes to have a better idea regarding the risk of a decision.
Moral Capture - Just because the university's culture makes a decision seem right, doesn't mean that it is ethical.
Moral Hazard - is a lack of incentive to guard against risk where one is protected from its consequences, for example by having insurance coverage. In the case of grants in the public sector, this risk almost always is associated with the grantee, who may provide misleading information regarding its assets to receive the grant, or have an incentive to mislead the grantor on how the funds will be used.
Motivation - is the energy to act. Some motivation is high quality and optimal and some is the opposite. Optimal motivation fuels Engagement and Employee Work Passion. Suboptimal motivation fuels disengagement and active disengagement. Motivation is the means to an end.
Moving Averages Method - A smoothing method that uses the average of the most recent data value set of a given
Multi-Business Organization - An organization with more than one business operation under its umbrella.
Multi-Domestic Industry - An industry in which the products and services are segmented by country and are not competitive from country to country.
Multi-Domestic Strategy - A strategy in which the organizations in host countries are subsidiaries with their own control of operations.
Multi-Local Strategy - A strategy in which the organizations in host countries are subsidiaries with their own control of operations.
Multinational Organization - An organization that serves customers in various countries.
Multinational Strategy - A strategy in which an organization's home and host countries are closely connected to operate on a worldwide basis.
Multiple Regression Analysis - is a statistical technique used to trace the effects of more than one independent variable on one dependent variable.
Multiplexer - Networking hardware that combines multiple channels into a single channel, such as multiple phone lines sharing a single physical phone line.
Multisource Rating - An appraisal method that solicits evaluation feedback from everyone an employee interacts with, including subordinates, superiors, and internal and external customers, as well as the employee.
Municipal Notes - Notes issued by local or state governments; can be exempt from some taxes and are liquid but not risk-free.
Mura - (Lean reference.) Unevenness or variation that leads to interruptions in flow. It creates waste through inefficiency. Lean creates a smooth flow.
Muri - (Lean reference.) Overburden that leads to breakdown.
Muda - (Lean reference.) Waste - things that cost resources but do not add value: transportation, inventory, motion, waiting, overproduction, over-processing, and defects.
Must - The Standards use the word “must” to specify an unconditional requirement.
Narrative Appraisal Methods - Appraisal methods that require appraisers to submit written narrative performance appraisals.
Narratives - are a mapping process that provides a step-by-step picture of a process in a single document without the use of detailed symbols or keys.
Natural Cause - is a random cause of variability in a process.
Negotiated Price Model - A transfer-pricing model that sets the transfer price through negotiation between the buyer and the seller (managers of different business units).
Negotiation - A process of bargaining between two or more parties to try to reach a mutually acceptable outcome.
Nemawashi - An informal process of quietly laying the foundation for a proposed change/project by gathering support and feedback from stakeholders. It's a Japanese word translated as "going around the roots". It refers to the process of introducing dirt from a new location to a tree, so it can get accustomed to the new environment before it is transplanted.
Nepotism - The practice among those with power or influence of favoring relatives or friends; especially by giving them jobs.
Net Present Value (NPV) Method - Capital investment decision model in which the present value of a project's cash inflows is compared to the present value of the project's cash outflows; the difference between these values determines whether or not the project is an acceptable investment.
Net realizable value (NRV) - The sales price of an asset, usually inventory, less the costs of completion and transportation or disposal that can be predicted within reason.
Network Address Translation (NAT) - Used by firewalls with packet filtering and stateful inspection to hide the internal host computer IP addresses from sniffer utilities.
Network Analysis - A type of analysis that involves evaluating the network of tasks and functions that contribute to a project in order to determine the most efficient path for reaching the project goals.
Net Working Capital Ratio - A ratio that measures the relationship of short-term debt to short-term assets by subtracting liabilities from assets; a larger number indicates a greater ability to pay current debts.
Network IPS (NIPS) - Hardware and software systems on a network that analyze incoming packet content, dropping malicious packets.
Network Structure - A structure that involves relationships between multiple organizations or separate entities within an organization that perform different aspects of work.
Neutrality - Making choices that are free from bias toward a predetermined result and that place the relevance and reliability of information above other concerns.
No Assurance - a negative declaration intended to communicate a strong lack of confidence (in compliance, management process, internal control or similar).
Noncurrent assets - Any assets that do not qualify as current assets.
Nonmanufacturing costs - All the items that cannot be included in product costs and must be expensed in the period in which they occur.
Non-statistical Sampling - is the selection of a test group that is based on the auditor's judgment, rather than a formal statistical method.
Nontariff Trade Barriers (NTBs) - Trade barriers such as licensing requirements, unrealistic quality standards, or undue amounts of red tape in customs.
Normal Costing System - A cost measurement system that applies actual costs for direct materials and direct labor to a job, process, or other cost center and then uses a predetermined rate to assign overhead to cost centers.
North American Free Trade Agreement (NAFTA) - A trade agreement that lowered trade barriers among the US, Mexico, and Canada.
Off Balance Sheet Accounting (OBSA) Methods - Legal loopholes that allow organizations to acquire funds without having to report a related liability on the balance sheet.
Objectives - are "what" we're trying to achieve - specifically. Objectives are different from goals, in that objectives are specific, quantified, and performance is measurable. Management and/or the Board of Trustees are responsible for establishing the criteria used by Internal Audit in determining whether goals and objectives have been accomplished. See also goals, tactics and strategy.
Objectivity - is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.
Official Reserves - Quantities of foreign currencies held by the central bank of every nation.
Online Analytical Processing (OLAP) - Software that allows multiple perspectives for a set of data to be analyzed.
Open Market Operations - When the US Federal Reserve System buys or sells government securities (bonds, notes, and bills) in the open market from the public.
Open-Mindedness - Improve judgment and challenge the status quo by eliminating the influence of stereotypes, idiosyncratic associations and irrelevant factors.
Open Systems Interconnection (OSI) Reference Model - A method of defining how messages should be sent through a network so that unrelated products can work together.
Operating Budgets - Plans that identify needed resources and the way these resources will be acquired for all day-to-day activities of an organization, including sales and services, production, purchasing, marketing, and research and development.
Operating Expenses - All the items that cannot be included in product costs and must be expensed in the period in which they occur.
Operating Leases - Short-term, pure rental agreements where the asset and the related liability remain off the lessee's books (they simply debit lease expense and credit cash).
Operating Leverage - The proportion of fixed costs used in the production of goods or services.
Operating Profit Margin - A measure of operational efficiency as well as effective pricing and cost controls.
Operating System (O/S) - The software interface between the hardware and the applications and end user.
Operating Together - In COSO, the determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective.
Operational Effectiveness - is creating, producing, selling and delivering a product or service faster or with fewer inputs or defects than rivals.
Operation Costing - A hybrid costing system that incorporates elements of job costing and process costing; assigns direct materials to each job or batch but assigns direct labor and overhead in a manner similar to process costing.
Opinion Shopping - is the unethical process of hiring an auditor because they will give you the assurance opinion that you want.
Opportunity - is the possibility (positive risk) that an event will occur and positively affect the achievement of business objectives. Under COSO, an action or potential action that creates or alters goals or approaches for creating, preserving, and realizing value.
Opportunity Costs - The potential benefits given up when one alternative is selected over another.
Option-Type Contract - Type of derivative in which the buyer pays a premium or a percentage of the underlying asset's value to get the right, but not the obligation, to purchase or sell the asset over a particular period.
Ordinary Annuity - An annuity that requires payment at the end of each period.
Organization - The term used to collectively describe the Board of Trustees, management, and other personnel of an entity.
Organizational Dynamics - The ways individuals and groups interact and cooperate in an organization.
Organizational Strategy - A strategy that focuses on the entire organization and its plans for moving into the future and achieving its goals and objectives.
Organizational Structure - An organization's formal decision-making framework and its way of organizing authority, responsibilities, and performance activities.
Organization Sustainability - The ability of an entity to withstand the impact of large-scale events.
Other Comprehensive Income - The subset of comprehensive income that includes all items that are not included on the income statement in the calculation of net income but that still affect stockholders' equity.
Output Controls - are process or transaction-level controls that find errors and verify the accuracy, completeness and validity of output data after processing is complete.
Overconfidence Effect - People, especially specialists and experts, overestimate how much they know. Compounding the overconfidence effect is the tendency to underestimate the time and costs of projects.
Overhead Budget - A type of budget that includes all production costs other than direct materials and direct
Over-the-Counter Trading - Privately arranged trades (no exchange intermediary); allow customization to meet
Packet - A general term describing a logical grouping of data passing through network layers.
Packet Filtering - A type of firewall that compares source and destination addresses to an allowed list, examining headers and other fields in packets of data.
Pareto Diagram - A histogram that breaks down quality problems into their various causes and lists them from most to least prevalent.
Partnership (business type) - An association between two or more persons or corporations to be co-owners in a business for profit, such as a law firm.
Par value - (1) The amount of a bond owed at maturity; (2) a nominal price per share, set at issuance, usually at a low price to make it unlikely that a stock price will go below this value.
Passive Control - is a type of control that operates without human intervention; may be built into a computer system or a relationship or process that possesses control implications.
Patch Management - The installation of released bug fixes to applications that are already in production.
Patent - The exclusive right to sell, use, or manufacture something for a period of 20 years.
Payback Method - A capital investment decision model that focuses on the payback period.
Payback Period - The time required for an organization to recover its original investment in a project.
Payment Card Industry Data Security Standards (PCI DSS) - A set of industry IT security standards surrounding the handling, storage and transmission of credit card data. The PCI DSS were created by the major credit card brands and are not law, but are enforced via a process established by the card brands and the PCI Security Standards Council.
Payroll Tax - Tax that is levied directly on wages and salaries.
P Chart - is a control chart that tracks the variability in a percentage measure of errors (or other attributes) in successive samples.
Peak - The point at which economic activity reaches a temporary maximum.
Peer-to-Peer Network - A type of computer network that is a direct connection between two computers.
Penetration Test - A set of activities performed on an IT system, network or website to defeat security controls by identifying and attempting to exploit vulnerabilities on the target environment. A penetration test is not necessarily designed to identify ALL potential weaknesses in the environment, but rather to provide an indication of the ease with which a target can be compromised and the likelihood that a malicious attacker could accomplish a similar compromise. A penetration test differs from a vulnerability assessment in that the objective of a penetration test is typically to obtain unauthorized access to the target environment or to obtain sensitive data from the environment. Penetration tests can be very invasive and can cause system instability, and therefore should be performed only by individuals experienced in penetration testing tools and techniques. While automated tools are available that can assist a penetration tester in identifying potential exploit vectors, most penetration tests involve both automated and manual techniques.
Pension - Deferred employee compensation to be paid during retirement.
Performance Appraisal - A process that measures the degree to which an employee accomplishes the work requirements stated in the performance standards and then communicates that information to the employee.
Performance Audits (also known as “operational audits” and “value-for-money audits”) – independent, objective and reliable examinations of whether government undertakings, systems, operations, programs, activities, or organizations are operating in accordance with the principles of economy, efficiency and/or effectiveness and whether there is room for improvement.
Performance Management - The measurement of efforts to achieve or exceed the strategy and business objectives.
Performance Measures - identify a program's true measures of success.
Period Costs - All the items that cannot be included in product costs and must be expensed in the period in which they occur.
Periodic Inventory System - An inventory accounting method that determines only the inventory on hand at the end of a period by physical count.
Perpetual Inventory Accounting - An inventory accounting method that keeps a continuous record of inventory changes as they occur.
Personal-Area Network (PAN) - A computer network that supports wireless connections within a room or small area.
Personally Identifiable Information (PII) - As defined by OR SB 583, means a consumer's first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption, redactions or other methods, or when the data elements are encrypted and the encryption key has also been acquired:
- Social Security number;
- Driver license number or state identification card number issued by the Department of Transportation;
- Passport number or other United States issued identification number; or
- Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account.
It also means any of the data elements or any combination of the data elements described [above] when not combined with the consumer's first name or first initial and last name and when the data elements are not rendered unusable through encryption, redaction or other methods, if the information obtained would be sufficient to permit a person to commit identity theft against the consumer whose information was compromised.
Pervasive Risk - is risk found throughout the environment.
- Minorly pervasive risk is isolated and/or limited to local process.
- Moderately pervasive risk is noticeable and may extend beyond the local process.
- Extensively pervasive risk is significant and occurs in multiple places.
Phishing - A form of computer fraud in which the attacker tries to trick users into disclosing sensitive information such as login credentials or account information by masquerading as a reputable entity or person via email or via other communication channels.
Physical Access Controls - The means of preventing access to an asset such as locks and/or key cards preventing access to a building, to data centers, and to key operational areas.
Physical Evidence - Type of evidence that includes physical objects such as clothing, weapons, tools, machines, photographs, maps, models, computer animation, motion pictures, diagrams, x-rays, and physical examinations.
Pilot Sample - is used in statistics to estimate the standard deviation in a population. This enables an auditor to estimate the confidence interval that would be achieved by the sample and therefore help decide how large a sample to select.
Pioneering - An effort to be the first, or at least an early, entrant in a market and become the market leader.
Place - In terms of the "4 P's" of marketing, the area concerned with how a product or service reaches the customer.
Pledging Receivables/Factoring - Type of asset-backed security in which finance companies (acting as factors) purchase receivables and collect payments from customers directly, also charging a fee to the seller to compensate for bad debts.
Poka-Yoke - is any mechanism in a process that helps an operator avoid (yokeru) mistakes (poka). Its purpose is to eliminate product/service defects by preventing, correcting or drawing attention to human errors as they occur.
Policy - Management or Board statement of what should be done to effect control. Such statements may be documented, explicitly stated in communications, or implied through actions and decisions. A policy serves as the basis for procedures.
Political Risk - Any government or political action that would harm a country's business environment.
Polycentric Orientation - In terms of international operations, an orientation that gives much latitude to the host country to make decisions locally and direct operations.
Port - In terms of networking hardware, a physical connection point to a device.
Portfolio Leverage Risk - The use of debt contracts that use money that the organization doesn't have; occurs because derivatives require little or no money up front.
Portfolio Theory - A theory that states that as most financial assets are held in portfolios, measuring portfolio risk and finding the value of the portfolio are more important than individual asset risks and returns.
Portfolio View - A composite view of risk the entity faces, which positions management and the Board of Trustees to consider the types, severity, and interdependencies of risks and how they may affect the entity's performance relative to its strategy and business objectives.
Positioning - The way products are differentiated from the competition.
Positive Conflict - is a type of conflict that leads to beneficial results; can transform the ways in which individuals interact and improve the quality of conflict outcomes.
Positive pay - A control that involves preparing a log of all checks to be disbursed and sending it to the bank; the bank then pays only items that reconcile. It is important that the vendor name is included.
Post-close trial balance - A balance that is prepared after closing to show that debits and credits of the real accounts (assets, liabilities, and shareholders' equity) are equal.
Posting - To record an item from the journal into the general ledger, including summarizing and classifying the items.
Potential Conflict of Interest - Any action or any decision or recommendation by a person acting in a capacity as a public official, the effect of which could be to the private pecuniary benefit or detriment of the person or the person's relative, or a business with which the person or the person's relative is associated, unless the pecuniary benefit or detriment arises out of the following:
- An interest or membership in a particular business, industry, occupation or other class required by law as a prerequisite to the holding by the person of the office or position.
- Any action in the person’s official capacity which would affect to the same degree a class consisting of all inhabitants of the state, or a smaller class consisting of an industry, occupation or other group including one of which or in which the person, or the person’s relative or business with which the person or the person’s relative is associated, is a member or is engaged.
- Membership in or membership on the board of directors of a nonprofit corporation that is tax-exempt under section 501(c) of the Internal Revenue Code.
Practices - The methods and approaches deployed within an entity relating to managing risk.
Predictive Analytics - allows users to identify trends and forecast outcomes by extracting information from large volumes of existing data, applying certain assumptions, and drawing correlations.
Preferred Stock - Stock that has both debt and equity qualities; gives preference in liquidation and has a fixed but optional dividend.
Premium - The price paid for an option.
Prepayments - Either prepaid expenses, which are cash paid for goods or services prior to their consumption and treated as assets, or unearned revenues, which are cash received from customers as prepayment for goods or services and treated as liabilities.
Preponderance of Evidence - "More likely than not."
Prescriptive Analytics - requires a significant volume of data to link predictions to actions that will produce the best result. If predictive analytics seeks to determine demand, prescriptive analytics answers the question, "How do I align my business to maximize profit if demand is X?"
Present and/or Functioning - In COSO, applied to the components and principles. "Present" refers to the determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives. "Functioning" refers to the determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives.
Pretexting - is a form of social engineering in which an individual lies to obtain privileged data. A pretext is a false motive. Pretexting often involves a scam where the liar pretends to need information in order to confirm the identity of the person they are talking to.
Preventive Controls - are those controls designed to limit the possibility of an undesirable outcome (e.g. a fraud) being realized. Under COSO, it is more specifically a control designed to avoid an unintended event or result at the time of initial occurrence. Preventive controls can be more successful if they remain relatively unknown to others. It is important for preventive controls to be augmented by detective controls because collusion may negate the effectiveness of segregation of duties.
Price - The cost of a product or service to the customer.
Price Ceiling - A legal maximum on the price of a good or service.
Price Floor - A legal minimum on the price of a good or service.
Price Standard - In standard costing, the amount that should be paid for the quantity of input to be used.
Primary Evidence - is a type of evidence that is generally documentary; original writing is required when available.
Primary Key - In a database, a unique key field number (i.e., a proper noun) used to identify a specific entity.
Principled Negotiation - A method to decide issues based on their merits rather than on competitive or cooperative negotiating tactics.
Private Key Encryption - An encryption method in which a sender creates an encryption key and sends it to a trusted receiver, who can use it to decrypt all messages in that session.
Privatization - The sale of a government-owned operation to a private investor.
Procedures - are actions that implement policy.
Process Analysis - A collection of analytical techniques that examine and measure the basic elements of processes in order to understand their activities, relationships, and contributions to organizational goals.
Process Costing System - A costing system that accumulates product or service costs by process or department and then assigns them to a large number of nearly identical products by dividing the total costs by the total number of units produced.
Process-Flow Analysis - is a two-dimensional graphic representation of an operation in terms of the flow of activity through the process. It examines the combination of inputs, tasks, and responsibilities that comprise a process.
Processing Controls - are automated error checks built into computer processing as well as segregation of duties such as controlling programmers' access to files and records. They check that data processing tasks are accurate, complete, and valid.
Process Maps - are graphical representations of a program's key processes including internal control activities.
Product - In terms of the "4 P's" of marketing, the physical product, service, or other offering that provides value to the customer.
Product Costing - The process of accumulating, classifying, and assigning direct materials, direct labor, and factory overhead costs to products and services.
Product Costs - Those costs associated with the manufacture of goods or the provision of services.
Production Budget - The plan for acquiring resources and combining them to meet sales goals and maintain a specific level of inventory.
Productivity - Refers to the quantity of an organization's outputs (products and services) in relationship to the inputs (human and physical resources).
Productivity Frontier - is the maximum value a company can deliver at a given cost, given the best available technology, skills, and management techniques.
Professional Judgment - includes exercising reasonable care and professional skepticism when evaluating the significance of matters within the context of relevant objectives. Comparing conditions against criteria to reach justifiable and defensible conclusions by using professional judgment means that different individuals evaluating similar facts may reach different conclusions.
Professional Skepticism - is an attitude that includes a questioning mind and a critical assessment of evidence.
Program Evaluation Review Technique (PERT) - A project management tool used to schedule, organize, and coordinate tasks within a project.
Project Budget - A type of budget that is used when a project is completely separate from other elements of an organization or is the only element of a company.
Project Management - The process of planning, organizing, directing, and controlling an organization's resources (people, equipment, time, and money) so that objectives can be met within defined scope, time, and cost constraints.
Promotion - The marketing of a product or service through advertising, development of brand, incentive programs, and sales initiatives.
Proof of Value - is quickly integrating a representative set of historical data, building the analytical models, and producing results that can be judged against what actually happened.
Protected Health Information (PHI) - Any information that relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual that can be used to identify the individual. Such information is protected under the Health Insurance Portability and Accountability Act (HIPAA).
Protectionism - The existence of barriers to free trade.
Proxemics - Study of perceptions of space and personal contact.
Public Data Network (PDN) - A computer network that allows public access, such as the World Wide Web.
Public Integrity - The consistent alignment of, and adherence to, shared ethical values, principles and norms for upholding and prioritizing the public interest over private interests in the public sector.
Public Interest - The collective well-being of the community of people and entities that the auditors serve.
Public Key Encryption - An encryption method in which two keys are created, private and public. The sender places the public key in a directory or an application automatically applies it to lock sent data; to decrypt the data, the private key must be used.
Public Official - is defined in ORS 244.020(14) as any person who, when an alleged violation of ORS Chapter 244 occurs, is serving the State of Oregon or any of its political subdivisions or any other public body as defined in ORS 174.109 as an elected official, appointed official, employee or agent, irrespective of whether the person is compensated for the services. In short, all university employees and many volunteers are public officials as it relates to Oregon ethics laws.
Public Sector - The legislative, executive, administrative, and judicial bodies, and their public officials whether appointed or elected, paid or unpaid, in a permanent or temporary position at the central and subnational levels of government. It can include public corporations, state-owned enterprises and public-private partnerships and their officials, as well as officials and entities that deliver public services (e.g. health, education and public transport), which can be contracted out or privately funded in some countries.
Pursue Risk - Action is taken that accepts increased risk to achieve improved performance. Management understands the nature and extent of any changes required to achieve desired performance while not exceeding the boundaries of acceptable risk tolerance.
Qualified Opinion - The type of audit opinion given when audit procedures identify that a department's or program's internal controls are inadequate to prevent or detect significant noncompliance or financial material misstatements.
Quality Improvement Survey - is an essential component of internal audit's quality assessment plan. Please complete Southern Oregon University's internal audit quality improvement survey.
Quantitative Forecasting Methods - Forecasting methods that make use of statistical or mathematical models designed to simulate reality and help in decision-making.
Quantity Standard - In standard costing, the amount of input that should be used per unit of output.
Quasi-Integration - Refers to not having complete ownership and financial responsibility for value chain
Questioned Cost - A cost that is questioned by the auditor for violation of federal award provisions, or lack of supporting documentation, or because the cost appears unreasonable.
Quid Pro Quo - A form of social engineering where the fraudster pretends to provide something in exchange for the target's information - such as claiming to be a return call from tech support and asking for your password.
Ransomware - A type of malware that denies access to an IT system until the system operators pay a sum of money or agree to other demands.
R Chart - is a control chart that tracks the variability of the range of values in successive samples.
Reasonable Assurance - affirmatively, but not absolutely, proves that things are as they should be (normally at a 90% confidence interval or higher). Reasonable Assurance provides Limited Assurance. Finding something material to compliance, management process or internal control that is not as it should be most often results in No Assurance, as "something has come to my attention" as well as "proven that things are not as they should be". Under COSO, it is the concept that internal control, no matter how well designed and operated, cannot guarantee that an entity's objectives will be met. This is because of Inherent Limitations in all internal control systems.
Reasonable Care - includes acting diligently in accordance with professional standards and ethical principles.
Reasonable Expectation - The amount of risk of achieving strategy and business objectives that is appropriate for an entity, recognizing that no one can always predict risk with precision.
Reduce Risk - Action is taken to reduce the severity of the risk to better align with risk tolerance.
Regression Analysis - is a statistical technique used to measure the amount of change in one value in relation to a change in another value.
Regulation - A primary way in which government can achieve its policy objectives to protect and benefit people, businesses, and the environment and to support economic growth. Distinct from direct government provision of services, regulation relies on using incentives to drive behavior change in individuals and organizations outside government's direct oversight. Regulation is primarily used to address market failures when market characteristics mean that, left to their own devices, the markets risk failing to produce behavior or results in accordance with public interest or policy objectives.
Related-Party - Entities that are controlled by or influenced by the university. It is a source of risk as well as a potential area for fraud.
Relevant Principles - represent fundamental concepts associated with components. There may be a rare industry, operating, or regulatory situation in which management has determined that a principle is not relevant to a component.
Representational Faithfulness - The assurance that descriptions of events and financial transactions correspond closely to what occurred in reality.
Repurchase Agreement - (1) The sale of product or inventory with an agreement to buy back the goods in the future; (2) a type of money market instrument in which a securities dealer issues a government security, agreeing to repurchase it on a specific date.
Reputational Risk - The potential that negative publicity regarding an institution's business practices, whether true or not, will cause a decline in the customer base, costly litigation or revenue reductions.
Residual Risk - is the risk to achievement of objectives that remains after management's response to alter a risk's likelihood or impact has been designed and implemented.
Resolved - Internal Audit assisted in gathering supporting documentation but did not conduct an investigation.
Revenue(s) - (1) Income received or earned during a specific period. (2) Enhancements or inflows of assets and/or settlements of liabilities generated when an organization makes or delivers goods or services as part of its primary ongoing operations.
Risk - is the possibility of an event occurring that will have an impact, positively, negatively or both, on the achievement of business objectives. Risk is measured in terms of impact and likelihood. Risk can be described in terms of agility (organization's adaptability and response), complexity (interdependency of risks), velocity (speed of impact), persistence (length of impact), and recovery (organization's capacity to return to tolerance).
Risk Agility - The ability to alter and adapt risk management infrastructure to respond quickly to changing markets, customer preferences or market dynamics.
Risk Analysis - is the identification of risk, the measurement of risk, and the process of prioritizing risk or selecting alternatives based on risk.
Risk Appetite - The amount of risk, on a broad level, that an organization is willing to accept in pursuit of value; it reflects the enterprise's risk management philosophy and in turn influences the university's culture and operating style. The first expression of risk appetite is the university's mission and vision.
Risk Appetite Statement - The written statement or documentation of the university's risk appetite.
Risk Assessment - is management's process of identifying risks and rating the likelihood and impact of a Risk Event. An internal control assessment is often performed at the same time (Objective - Risks - Controls); see https://inside.sou.edu/ia/risk-assessment.html. This is different from Internal Audit's annual risk assessment used to develop the annual internal audit plan.
Risk Attitude - is the university's approach to assess and eventually pursue, retain, take or turn away from risk.
Risk Capacity - The maximum amount of risk that an entity is able to absorb in the pursuit of strategy and business objectives.
Risk Classification - is the assignment of risk into categories, such as financial risk, operational risk, strategic risk, or reputation risk.
Risk Control Matrix - shows how internal controls address each of your program's risks.
Risk Culture - is the norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss and act on the risks the organization confronts and takes.
Risk Event - is a potential incident, occurrence or missed opportunity that affects the achievement of business objectives. Events can have a negative impact, positive impact, or both.
Risk Identification - is the process of finding, recognizing, and describing threats and opportunities (risk).
Risk Inventory - All risks that could impact an entity.
Risk Management - is the process performed by management to identify, assess, manage, and control potential events or situations to provide reasonable assurance to the Board of Trustees regarding the achievement of the university’s business objectives. The Board of Trustees is responsible for determining that appropriate risk management processes are in place and that these processes are adequate and effective. As part of fulfilling this responsibility, the Board of Trustees may direct Internal Audit to assist them by examining, evaluating, reporting, and/or recommending improvements to the adequacy and effectiveness of management's risk processes.
Risk Management Philosophy - is the set of shared beliefs and attitudes characterizing how the university considers risk in everything it does, from strategy development and implementation, to its day-to-day activities.
Risk Measurement - is the evaluation of the magnitude of risk, based on the likelihood and impact of risk occurrence.
Risk Prioritization - is the ranking of risks, formally or informally, from the highest to the lowest, establishing the relative strength of each risk and the potential consequences of each.
Risk Profile - A composite view of the risk assumed at a particular level of the entity, or aspect of the business that positions management to consider the types, severity, and interdependencies of risks, and how they may affect performance relative to the strategy and business objectives.
Risk Resiliency - is the ability of the university to withstand business disruption by relying on solid processes, controls and risk management tools and techniques, including a well-defined corporate culture and a powerful brand.
Risk Response - is management's set of actions to align risk with the university's risk tolerances and risk appetite by avoiding, accepting, reducing or sharing risk. In the United Kingdom, the "orange book" states there are five ways of addressing risk: tolerate, treat, transfer, terminate, or take the opportunity.
Risk-Reward Profile - is an understanding of the relationship between risk and performance determined by assessing risk to the strategy and business objectives. This profile helps management determine what amount of risk is acceptable and manageable in the pursuit of strategy and business objectives.
Risk Score - is a weighting of likelihood, impact and sometimes other risk measurement factors. It is sometimes calculated in a manner to create a stack ranking or heat map of risks.
Risk Taxonomy - is a common set of risk categories or a risk structure of possible risk sources to help identify, manage, and communicate interrelationships among risks to strengthen and better integrate the university's risk management approach in all aspects of its operations.
Risk Tolerance - is the acceptable level of variation relative to the achievement of a specific business objective, and often is best measured in the same units as those used to measure the related business objective.
Risk Transfer/Share - Action is taken to reduce the severity of the risk by transferring or otherwise sharing a portion of the risk to better align with risk tolerance.
Risk Velocity - is how quickly a risk impact could potentially follow the onset of the risk.
Root Cause Analysis - is a systematic process for identifying root causes of problems or events and an approach to responding to them that is preventative. It helps avoid treating symptoms rather than the underlying problem.
Sadphishing - Seeking financial assistance by sharing sympathetic personal information.
Scareware - Form of social engineering where a victim is tricked into thinking their computer is infected and a solution is offered to the problem, which actually installs the malware.
Secondary Evidence - is a type of evidence that is inferior to primary evidence in reliability; may be a copy of a document or oral evidence of a document's contents.
Second Line of Defense - is risk management and compliance functions that educate, train, and otherwise assist the first line. They monitor what the first line does, ensuring that controls are operating as designed. Such functions may include the risk management department, the compliance department, and the controller’s department that monitors financial reporting risk.
Segregation of Duties - The separation of the ability to approve the spending of money (authorization) from accounting and reconciliation duties (record keeping) and the handling of money or goods (custody of assets).
Self-Dealing - is conduct of a Public Official that takes advantage of their position in a transaction and acts in their own interests rather than in the interests of the university.
Sensitivity Analysis - is a type of analysis that describes how changes in probabilities and/or changes in payoffs affect a recommended decision alternative.
Severity - A measurement of considerations such as the likelihood and impact of events or the time it takes to recover from events.
Should - The Standards use the word “should” where conformance is expected unless, when applying professional judgment, circumstances justify deviation.
Significance - is the relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors, such as magnitude, nature, effect, relevance, and impact.
Significant Deficiency - A deficiency in internal controls that could adversely affect the university's financial reporting process and the critical processes that provide data and information. It is less severe than a material weakness, but requires corrective action.
SIM Card Swapping - When a fraudster takes over your cell phone number to get access to your data connected to your cell phone. If this happens to you, immediately contact your cell phone provider, regain access to your phone number and change your account passwords. Then check your credit card and bank accounts for unauthorized charges or changes that indicate that your account has been hacked. Please see identitytheft.gov for more steps you can take.
Six Sigma - is a quality process improvement approach that focuses on the customer experience by reducing the number of defects in a process until they approach statistical insignificance.
Social Engineering - The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Soft (Internal) Controls - Intangible internal controls such as morale, integrity, ethical climate, empowerment, competencies, openness, and shared values.
Special Purpose Entity (SPE) - A subsidiary created by a parent company to perform a specific task, often part of an off balance sheet accounting arrangement.
Spear Phishing - Form of social engineering that is tailored to a specific individual or organization.
Speed of Risk - is how rapidly a significant disruption can emerge and impact an organization.
Sponsorship - is championing an analytics initiative, providing direction and strategy, and ensuring the sufficient allocation of resources.
Stakeholders - are parties that are affected by the entity, such as shareholders, taxpayers, the State, the communities in which an entity operates, employees, students, customers, and suppliers.
Standard - A professional pronouncement promulgated by the International Internal Audit Standards Board that delineates the requirements for performing a broad range of internal audit activities and for evaluating internal audit performance.
Standard Error - in statistics is a function of the standard deviation (a measurement of the average variation from the mean of the sample): it is the standard deviation divided by the square root of the sample size. The standard error is used to compute precision and the confidence interval. The larger the standard error, the wider the interval.
Statement of Activities - Required basic financial statement that shows the financial results of the year’s activities. The statement of activities presents revenues less expenditures to show net position.
Statement of Net Position - Required basic financial statement that shows the balance of the assets, liabilities, deferrals, and net position at June 30.
Status Quo Bias - In choosing among alternatives, individuals display a bias toward the status quo. Risks can be new and emerging, or unexpected; therefore, individuals are less likely to identify them.
Stop-and-Go Sampling - applies to situations in which the auditor suspects the population to be relatively error-free. It minimizes the sample size for a specified level of sampling risk. The auditor begins with a small sample, and if the sample demonstrates the anticipated low error rate, the auditor may choose to stop sampling and formulate his or her conclusion. If the error rate turns out to be higher than expected, the auditor will go ahead with further sampling and analysis before a conclusion is reached.
Strategic Positioning - attempts to achieve sustainable competitive advantage by preserving what is distinctive about a company. It means performing different activities from rivals, or performing similar activities in different ways.
Strategy - refers to the university's plan to achieve its mission and vision, and apply its core values. A well-defined strategy drives the efficient allocation of resources and effective decision-making. It also provides a road map for establishing business objectives throughout the organization. It is the "how" we'll get there - generally. See also Tactics.
Stratified Sampling - is used in statistics to divide the population into different groups (strata) to ensure representation in the sample from each stratum.
Structured Data - is data that exists in an understandable, organized format that allows the data to be fed into a relational database management system for analysis.
Sub-recipient - An entity that receives federal funds from the state to carry out a federal program.
Substantiated - There is sufficient supporting documentation to show that the misconduct more likely than not occurred (51% or a preponderance of evidence).
Sustainability - A business approach that creates long-term shareholder value by embracing opportunities and managing risks deriving from economic, environmental and social developments.
Tactics - are "how" we're going to get there - specifically. See also strategy.
Tailgating - Also called piggybacking. Form of social engineering where someone follows you into a secure building (assuming that you will hold the door open for them).
Target Residual Risk - The amount of risk that an entity prefers to assume in the pursuit of its strategy and business objectives, knowing that management will implement, or has implemented, direct or focused actions to alter the severity of the risk.
Technical Controls - are process- or transaction-level controls that must be in place for management and governance controls to be effective. They are usually specific to a given application but may also control larger technical processes such as system access rights.
Technology-Based Audit Techniques - are any automated audit tool, such as generalized audit software, test data generators, computerized audit programs, specialized audit utilities, and computer-assisted audit techniques (CAATs).
Technology General Controls - Control activities that help ensure the continued, proper operation of technology. They include controls over the technology infrastructure, security management, and technology acquisition, development, and maintenance. Other terms sometimes used to describe technology general controls are "generic computer controls" and "information technology controls".
Text Analytics - uses tools such as text mining, natural language processing, and analytics to identify patterns in unstructured data.
Theory of Constraints - In business process reengineering it is focusing on improving the most constrained part of the process to improve the overall process.
Third Line of Defense - is the internal audit department, which provides the Executive & Audit Committee and executive management with independent assurance of findings, processes, and controls.
Third Party (Risk) - An individual or organization other than the university and its employees and the risks/opportunities they bring to the university. Third parties may be customers, vendors, business partners, or others.
Threat - Any circumstance, adversarial force or phenomenon that could affect the confidentiality, integrity or availability of an information system and/or its networks, including the facility that houses the hardware and software.
Three Lines of Defense Model - management, compliance and internal audit (see graphic elsewhere on this website).
TIMWOODS - is an acronym that provides a framework for finding wasteful steps in a process:
- Transport - Unnecessarily moving things, forms, furniture, resources and materials from one location to another.
- Inventory - Making more than customer demand, building up unnecessary stocks e.g. of printed materials, reports.
- Motion - Unnecessary movement; people walking to get things, which should be located closer to the point of use.
- Waiting - Delays between operations because parts are missing. Stopped work: waiting for information, approval, other processes, or people.
- Over-production - Making too much or too many. Completing a task before it is needed. Developing outputs that the customer hasn’t requested.
- Over-processing - Duplicate or redundant operations, performing wasteful steps that are not required. Often because “we always do it this way”.
- Defects - Failing to produce a quality output the first time generating rework or scrap. Not delivering the service “right the first time”.
- Skills - Failing to use skills and capabilities of staff. Not listening to people, using their knowledge or learning from past mistakes/issues.
Tolerance - The boundaries of acceptable variation in performance related to achieving business objectives.
Total Asset Turnover - A measure of how well assets are being used to produce revenue.
Transaction Controls - Control activities that directly support the actions to mitigate transaction processing risks in an entity's business processes. Transaction controls can be manual or automated and will likely cover the information processing objectives of completeness, accuracy, and validity.
Transfer Pricing - A system for pricing products or services that are transferred from one organizational subunit to another within the same organization.
Trend Analysis - is a type of analysis used to review historical sequences of data; more appropriately used in reviewing data from income statements or expense statements rather than balance sheets, which present financial information for a particular period.
Turnbull Guidance - recommends a focus on significant risks rather than all risk, the development of risk reporting systems within existing information systems, and insists that employees be involved but have the necessary knowledge, skills, information, and authority to establish, operate, and monitor the system of internal control within their sphere of responsibility.
Unauthorized Access - Access to information or system components that (a) has not been approved by a person designated to do so by management and (b) compromises segregation of duties, confidentiality commitments, or otherwise increases risks to the information or system components beyond the levels approved by management (that is, access is inappropriate).
Uncertainty - The state of not knowing how or if potential events may manifest.
Unfounded - there is insufficient information in the allegation to warrant an investigation, or the allegation is not misconduct and the search for supporting documentation did not take place.
Unmodified Opinion - This is good. The financial statements, as corrected, are fairly presented in conformance with Generally Accepted Accounting Principles.
Unsubstantiated - there is insufficient supporting documentation to show that the misconduct more likely than not occurred.
Unstructured Data - is data that has no predefined organizing format; traditionally a free form, text-heavy format.
Upper Control Limit - is the value that is farthest from the mean in the positive direction but still within the range that represents statistical control.
Value Benefit Transfer - is an estimation method transferring information from another location or context to that in question, for example the potential benefits from protecting and restoring wetlands in one location similar to the location in question.
Value Stream Mapping - is a Lean technique used to analyze the current state, design the future state, and visually map where value is added with a measurement of time from the beginning of a process until it reaches the customer.
Variance - is a number that measures the degree of dispersion from the mean of all values in a sample.
Variance Analysis - is an analytical procedure that begins with the recognition that one set of data differs from another set in an unexpected way; for example, expenses for the current period may be unexpectedly greater than expenses for the past period by a significant amount.
Virtuous Cycle - A complex chain of events that reinforce themselves through a feedback loop with favorable results. The opposite of a vicious cycle - detrimental results. For example, giving credit to ideas makes people willing to offer more ideas. Showing respect for those ideas makes participants realize that so-called "mistakes" are actually innovations created to streamline processes while still delivering on time.
Vishing - Form of social engineering over the phone - voice phishing.
Vision - The university's aspirations for its future state or what the organization aims to achieve over time.
Voice of the Customer Workout - In Six Sigma, this process captures internal and/or external customer stated and/or unstated (measurable) critical to quality requirements.
Vulnerability - An inherent weakness in an information system that a threat or threat agent can exploit, resulting in an undesirable impact on the protection of the confidentiality, integrity or availability of the computer system.
Vulnerability Assessment - A set of activities performed on an IT system, network or website to identify the security vulnerabilities that are present in the target environment. A vulnerability assessment is intended to identify and assign a priority rating to potential security weaknesses in the environment, but not to exploit the weaknesses. Therefore, a vulnerability assessment provides the organization with a perspective on the technical security posture of the organization’s IT systems, but does not provide any validation of the likelihood that the organization could be successfully compromised via one of the identified vulnerabilities.
Vulnerability Scanning - An automated process that attempts to discover security weaknesses in networks, hosts and/or applications. Vulnerability scanning is typically conducted using an automated scanning tool, and can be performed with or without authentication credentials. Vulnerability scans that are performed with authentication credentials typically provide much more accurate information about the environment under evaluation.
Washed Check - A check that has been altered by forgery.
Water-holing - Form of social engineering where the fraudster targets a specific person or people by infecting websites they're known to frequent.
Whistleblower - Anyone who has and reports insider knowledge of illegal activities occurring at the university. Whistleblowers can be employees, suppliers, contractors, students or any individual who somehow becomes aware of illegal activities through witnessing it or being told about it. Whistleblowers are protected from retaliation.
Working Papers - are paper or electronic documents arranged in columnar format for accumulating and recording entries.
X Bar Chart - is a control chart that tracks variability in the means of successive samples.
Zero Tolerance for Fraud - A formal policy that fraud will not be tolerated under any circumstances.