A comprehensive summary report of a firm’s performance which must be submitted annually to the Securities and Exchange Commission.
Absorption Costing (Absorption Accounting)
Cost of a finished unit in inventory will include direct materials, direct labor, and both variable and fixed manufacturing overhead (or all manufacturing costs).
ACC (Australian Criteria of Control)
Emphasizes the competency of management and employees to develop and operate the internal control framework. Developed by the Institute of Internal Auditors – Australia.
Refers to safeguards against the use of company assets and records by unauthorized individuals.
The risk that admittance to data or programs may be either granted inappropriately or mistakenly denied. This type of risk is associated with access to information for any purpose, including read-only access. Access risk typically encompasses improper segregation of duties, risk associated with the inappropriate access to data and databases, and risk associated with information confidentiality.
A legally enforceable claim for payment from a business to its customer or client for goods supplied and/or services rendered in execution of the customer's order.
Accounts Receivable (AR) Aging
A report that shows all outstanding receivable balances at a specific point in time, broken down into categories by length of time outstanding.
Accounts Receivable (AR) Roll-Forward
Shows all accounts receivable balance activity reported by a company for a particular period. The AR roll-forward typically includes gross sales, total cash collections, rebates/discount credits, credit memos, charge offs and other miscellaneous adjustments.
Automated clearing house (ACH) is a form of electronic payment.
A budget that starts with a level of output and then determines the resources needed to obtain that level of output.
A corporate action in which a company buys most, if not all, of the target company’s ownership stakes in order to assume control of the target firm.
The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management and control processes.
Present if management has planned and organized (designed) business processes and activities in a manner which provides reasonable assurance that the organization's objectives and goals will be achieved efficiently and economically.
The control is operating as intended by management in accordance with the wording of the control. The test results return expected results and indicate that the control actions are being performed appropriately.
Aged Trial Balance
A report that reflects the original invoice amount while aging the net balance that remains outstanding. Aging refers to breaking down the balances by the amount of time passed between the date
of sale and the date of the balance sheet.
Agreed-Upon Procedures Engagement
Specified procedures that are agreed upon by the client and internal audit to be performed for a particular review. The report is presented in the form of negative assurance.
Allowance for Bad Debts
An estimate of how much of a period's reported accounts receivables will eventually be not collectible.
The deduction of capital expenses over a specific period of time (usually over the asset's life). More specifically, this method measures the consumption of the value of intangible assets, such as a patent or a copyright.
Evaluation of financial information made by a study of plausible relationships among both financial and non-financial data.
Analytical procedures include comparison of financial information (data in financial statement) with:
- Prior periods
- Similar industries, etc.
They also include consideration of predictable relationships, such as gross profit to sales and payroll costs to employees.
IT application or program controls are fully-automated (i.e., performed automatically by the systems), designed to ensure the complete and accurate processing of data, from input through output. They include:
- Completeness checks - controls that ensure all records were processed from initiation to completion
- Validity checks - controls that ensure only valid data is input or processed
- Identification - controls that ensure all users are uniquely and irrefutably identified
- Authentication/authorization - controls that ensure only approved business users have access to the application system
- Problem management - controls that ensure all application problems are recorded and managed in a timely manner
- Change management - controls that ensure all changes on production environment are implemented with preserved data integrity
- Input controls - controls that ensure data integrity fed from upstream sources into the application system
The fixed overhead application rate times the standard input allowed for the production achieved.
Costs that are associated with the formal evaluation and audit of quality in the firm.
Something declared or stated positively. There are different types of assertions; for example, a financial statement assertion includes assertions around completeness, accuracy, validity, presentation and disclosure, and valuation of the data within the financial statement.
Asset-Backed Commercial Paper (ABCP)
A commercial paper that is secured and backed by physical assets, such as trade receivables.
Asset-Backed Commercial Paper Conduit
A facility created by financial institutions to buy assets from the bankruptcy remote SPE and issue commercial paper to investors in exchange for their money.
A structured finance process in which assets are acquired, classified into pools, and offered as collateral for third-party investment.
Asset-Based Lending (ABL)
The securing of a line of credit or loan by pledging an asset or collateral. Pledging an asset as collateral means that if for any reason the company that borrowed money was unable to pay it back, the collateral that was pledged would be collected by the lender and the borrower’s debt would be forgiven.
To inspire confidence, certainty or a comfort around a topic, subject, review, etc.
An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management and control processes for the organization. Examples may include financial, performance, compliance, system security and due diligence engagements.
A document or statement which bears witness, confirms, or authenticates the truth of a statement(s).
The characteristic being tested for in the item being reviewed.
Standards that address the characteristics of organizations and parties performing internal audit activities. They focus on the people and the internal audit organization.
Evaluating controls over routine transaction items and assessing compliance with policies and procedures, standards, or operational requirements.
Appointed by the board of directors, the audit committee assists an organization in fulfilling their oversight responsibilities, which include financial reporting, corporate governance and corporate control. The Sarbanes-Oxley Act requires all public companies to have an audit committee.
Audit Committee Charter
A written document that is tailored to a company’s current environment and details the audit committee’s specific responsibilities, including the audit committee’s communication and oversight of the internal audit function. The charter must be approved by the board of directors.
Broad statements developed by internal auditors defining intended audit accomplishments.
The tasks the internal auditor undertakes for collecting, analyzing, interpreting and documenting information during an audit. Audit procedures are the means to attain audit objectives.
Also known as "work program." A document which lists the audit procedures to be followed during an audit.
A written document (signed or unsigned) which presents the purpose, scope and results of the audit. Results of the audit may include findings, conclusions (opinions), management responses and recommendations.
Refers to the activities covered by an internal audit. Audit scope includes, where appropriate:
- Audit objectives
- Nature and extent of auditing procedures performed
- Time period audited
- Related activities not audited in order to delineate the boundaries of the audit
Consist of those subjects, units or systems which are capable of being defined and evaluated. Auditable activities may include:
- Policies, procedures and practices
- Cost centers, profit centers and investment centers
- General ledger account balances
- Information systems (manual and computerized)
- Major contracts and programs
- Organization units such as product or service lines
- Functions such as electronic data processing, purchasing, marketing, production, finance, accounting and human resources
- Financial statements
- Laws and regulations
Includes any individual, unit or activity of the organization that is audited.
The process of evaluation of an organization, system, process, project, product or person.
Auditing Standard No. 2 (AS.2)
Relates to an audit of internal controls over financial reporting performed in conjunction with an audit of financial statements. It was superseded by AS.5.
Auditing Standard No. 5 (AS.5)
Relates to an audit of internal controls over financial reporting performed in conjunction with an audit of financial statements.
A control executed by programmed applications or IT systems.
The risk that systems or data will not be available or may not be functioning correctly when needed.
Costs that can be eliminated – in whole or in part – by choosing one alternative over another.
Back-Up and Recovery
A backup or the process of backing up refers to making copies of data so that these additional copies may be used to restore the original in the event of a data loss. These additional copies are typically called “backups.” Backup and recovery procedures help to ensure critical data, transactions and programs can be restored to their original state.
A method of inventory bookkeeping in which the book inventory (system amount) of components is automatically reduced by the system after the completion of activity on the component’s upper-level parent item.
One who holds or stores items (such as inventory) for a second party in exchange for some form of consideration.
A financial statement that summarizes a company's assets, liabilities and shareholders' equity at a specific point in time.
A strategic management and measuring process used to help align specific business activities with an organization's strategy and vision.
Bankruptcy Remote Special Purpose Entity
An entity created by the target company with the sole purpose of holding assets for a short time before they are sold to the conduit. This separate entity protects the underlying assets in the event the target company files for bankruptcy.
Based on Testing Performed…
Refers to the fact that testing has occurred and, given the results of testing, certain factual conclusions can be drawn.
Batch Processing/Job Scheduling
Batch processing is execution of a series of programs, or jobs, on a computer without manual intervention. Batch processing and job scheduling controls validate the accuracy, completeness and timely processing of system jobs.
The total for a specified constituent quantity in a batch of data.
Focuses on dividing population into groups based on similar characteristics. This is typically done via stratifying the sample.
Bill of Lading
A legal document between the shipper of a particular good and the carrier, detailing the type, quantity and destination of the good being carried.
Bill of Material
A list of all the subassemblies, intermediates, parts and raw materials that go into parent assemblies, showing the quantity of each required to make an assembly. Typically, it is used in conjunction with the master production schedule to determine the items for which purchase requisitions and production orders must be released.
The second counter does not have a preconception of what the quantity should be.
The highest level of governing body charged with the responsibility to direct and/or oversee the activities and management of the organization. Typically, this includes an independent group of directors (e.g., a board of directors, a supervisory board, or a board of governors or trustees). If such a group does not exist, the "board" may refer to the head of the organization. "Board" may refer to an audit committee to which the governing body has delegated certain functions.
Business Continuity Management (BCM)
Business continuity management focuses on the development of strategies, plans and actions that provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about serious damage to the enterprise. The main components of BCM include business continuity planning (BCP), which focuses on the recovery of critical business functions, and disaster recovery planning (DRP), which focuses on the recovery of critical technology assets and infrastructure.
Business Continuity Planning
The process of preparing for interruptions to normal business by creating and maintaining plans to resume the most critical functions in the appropriate time determined by the client.
Series of business operations or functions that lead to the achievement of a measurable business result, typically designed around company's business goals and/or mission statement. Business processes contain three main components: a purpose defining the specific goal the process is to achieve; a scope defining a clear starting and ending point; and an action composed of all steps needed to achieve the objective of the process.
Incidental output of a joint process with a higher sales value than scrap but a lower sales value than joint products.
Capability Maturity Model
Provides a scale for evaluating the maturity of an organization’s capabilities around a process. The model provides five states for rating the maturity or capability of any process ranging from “initial” to “optimizing.” The capability maturity model is a powerful tool for evaluating sustainability. Using this model, management rates the enterprise’s capabilities in key risk areas, identifies gaps based on the level of capability desired in specific areas, and shifts the dialogue on operating metrics to incorporate appropriate emphasis on process maturity.
The target company's collateral position (the eligible receivables calculation, less any related reserves) is compared to the current balance outstanding on the securitization facility.
An accounting method used to delay the recognition of expenses by recording the expense as a long-term asset.
CAPM & PMP Certifications: Certified Associate in Project Management and Project Management Professional
These designations signify that an individual has undergone training in the practice of project planning and that they have an adequate ability to project plan in the field.
An estimation of the cash inflows and outflows for a business or individual over a specific period of time.
Cash overs/shorts become apparent when end of day reports indicate that the funds taken in total more or less than the expected amount which indicate that the books do not balance. The cause of cash overs/shorts are operational errors and theft, respectively.
In an internal audit report, the reason for the difference between the expected criteria and actual conditions (why the difference exists).
Certification Checklist for Sarbanes-Oxley Compliance
One method used to identify the steps that need to be completed before the designated officers sign the Sarbanes-Oxley 203 certification. The checklist helps ensure the certifying officers are directly involved in the review of the report and in the design, maintenance and evaluation of the company’s disclosure controls and procedures.
Certifying Officers for Sarbanes-Oxley Compliance
Those officers required to certify the reports - generally the CEO and CFO. Although rare in practice, companies have the flexibility to have others sign the certification in addition to the CEO and CFO if they determine it is appropriate.
Uncollectible receivables that have been written off the books and records of a target company. The target company cannot collect on an uncollectible receivable.
Chart of Accounts
A list of all accounts generally used in an individual accounting system. In addition to account title, the chart includes an account number.
A formal document that defines the internal audit activity’s purpose, authority and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities.
A number that is part of an identification number and is used to detect key-entry errors.
Chief Audit Executive
A person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics and the IIA Standards
. The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications. The specific job title of the chief audit executive may vary across organizations.
The control model developed by the Criteria of Control Committee of the Canadian Institute of Chartered Accountants. CoCo focuses on behavioral values rather than control structure procedures as the fundamental basis for internal control in a company.
Code of Ethics
The Code of Ethics of The Institute of Internal Auditors (IIA) are principles relevant to the profession and practice of internal auditing, and rules of conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing.
A short-term, unsecured loan that is issued by a corporation or financial institution, usually to finance accounts receivable or inventory. The maturities on a commercial paper are typically between 90 and 180 days and are rarely over 270 days.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
A voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.
Costs incurred prior to the split-off point. Common costs cannot be identified with a particular joint product.
Competence of Evidence
The degree to which evidence can be considered believable, worthy of trust, reliable. Evidence is competent when it is obtained from:
- An independent provider
- A client with an effective internal control structure
- The auditor’s physical examination, observation, computation and inspection
- Qualified providers, such as law firms and banks
- Objective sources
Controls upon which other controls depend. Also known as supporting controls.
The state when all transactions, events and circumstances that occurred during a specific period, and should have been recognized in that period, have, in fact, been recorded.
Adherence to policies, plans, procedures, laws, regulations, contracts or other requirements.
A review and examination of records and activities in order to test for adequacy of controls, to ensure compliance with an established set of criteria. Criteria may include laws, regulations, policies, contracts, etc.
Objectives set in accordance with and in direct response to current laws and regulations. These objectives cover a wide range of legal requirements in such diverse areas as pricing, taxes, environmental regulations, employee safety, and international trade. Compliance objectives are also designed to ensure standards of conduct as well as policies and procedures in areas such as those concerned with employee communications, site inspections, and training.
Computer Operations Controls
Controls that monitor transactions and data processing to help ensure that batch postings and reports are completed in a timely manner and include all appropriate business information.
Computer-Assisted Audit Techniques (CAATs)
Can be used by internal auditors to complete some tests more efficiently and effectively than otherwise possible with traditional manual audit techniques. CAATs include many types of tools and techniques including audit software, utility software, test data, application software tracing and mapping, and audit expert systems. The two categories of CAATs include (1) tools and techniques that involve retrieving and manipulating data and (2) tools and techniques that allow auditors to verify the presence and operating effectiveness of application and system controls.
The customers that make up a target company's outstanding accounts receivable.
The internal auditor's evaluations of the effects of the findings on the activities reviewed. Conclusions usually put the findings in perspective based upon their overall implications. Also known as opinions.
The factual evidence which the internal auditor found in the course of the examination (what does exist).
An entity that issues asset-backed commercial papers. A conduit is a special, bankruptcy-remote purpose entity. The entity purchases assets from a company or a set of companies and, in exchange, issues asset-backed commercial papers to investors.
The level of certainty (+/- margin of error) to which an estimate can be trusted.
The risk that information that is considered confidential in nature has been or may have been accessed, used or copied by someone or disclosed to someone not authorized to have access to the information.
An audit process by which an auditor obtains and evaluates a direct communication from a knowledgeable third party in response to a request for information regarding account balances, transactions or other items that comprise a company's financial statements.
Conflict of Interest
Any relationship which is, or appears to be, not in the best interest of the organization. A conflict of interest would prejudice an individual's ability to carry out their duties and responsibilities objectively.
Inventory that is in the possession of the customer, but still owned by the supplier.
Constant Gross Margin Percentage
Method of allocating common costs where the overall gross margin percentage (a company's total sales revenue minus its cost of goods sold, divided by the total sales revenue) is identical for each joint product.
Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation and training.
Provides a quick glimpse of the overall complexity of a process. Context flowcharts illustrate all of the critical internal and external entities along with their corresponding inputs and outputs.
Method used by auditors to perform audit related activities on a continuous basis. Activities range from continuous control assessment to continuous risk assessment.
Process that management puts in place to ensure that its policies and procedures are adhered to, and that business processes are operating effectively. Continuous monitoring typically involves automated continuous testing of all transactions within a given business process area against a suite of controls.
Contribution Approach/Contribution Statement
Income statement in which all variable expenses are deducted from sales to arrive at a contribution margin, from which all fixed expenses are then subtracted to arrive at the net profit or loss for the period.
Any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Management plans, organizes and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Thus, control is the result of proper planning, organizing and directing by management.
Control Activities (COSO)
Any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Management plans, organizes and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Thus, control is the result of proper planning, organizing and directing by management. Control activities fall under the categories to which they relate: strategic, operations, reporting, and compliance. Control activities can overlap and used effectively in multiple categories. Additionally, multiple control activities may be used in a single category. Control activities are intended to prevent certain transactions from occurring and have two parts: providing guidance as to proper procedures and policies as well as providing procedures to ensure that the policies are activated.
Occurs when the design or operation of a control does not allow management employees in the normal course of business to prevent or detect misstatements on a timely basis. This indicates proper execution of an inappropriate control which returns unexpected results.
A description of the who, what, when, where and how of the control execution.
The attitude and actions of the board and management regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control.
A departure from the acceptable or effective performance of the prescribed control activity.
How many times a particular control is performed. Frequency can also be impacted by the number of individuals executing the control.
Refers to the purpose for which a particular action (i.e., control) was established/is performed, in order to achieve an objective.
Control Objectives for Information and Related Technologies (COBIT)
The guidance provided by the Control Objectives for Information Related Technologies (COBIT) enables a business to implement governance over IT that has been proven effective, comprehensive, and fundamental throughout the enterprise.
The entire group of transactions, control applications, or relevant attributes and items about which management wishes to draw conclusions, find statistical measures to provide more compelling evidence supporting management's conclusions about the effectiveness of the control operation, or the number of transactions, control applications, or relevant attributes and items from which to draw a sample.
The policies, procedures (both manual and automated) and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept.
Control self-assessment (CSA) is a technique that allows managers and work teams directly involved in business units, functions or processes to participate in assessing the organization's risk management and control processes. In its various formats, CSA can cover objectives, risks, controls and processes. Internal auditors can utilize CSA programs for gathering relevant information about risks and controls; for focusing audit work on high risk, unusual areas; and to forge greater collaboration with operating managers and work teams.
A business unit, division, subsidiary or common operational area that is relatively autonomous in terms of setting business objectives and managing operations on a day-to-day basis.
A cost level that management can influence.
The exchange of a convertible type of asset into another type of asset, usually at a predetermined price. In an M&A deal, this primarily refers to an exchange of stock in the purchasing firm for stock from shareholders of the firm to be purchased.
Manufacturing overhead and direct labor costs.
Differ from bribes in that they are characterized as being modest or nominal in cost; given routinely in business; and are not cash but instead other tangible items such as food, flowers, etc. Additionally, items are generally small in value; (may be) branded with a company logo; are unrelated to a customer order; and intended to foster goodwill.
Acting to influence a foreign official to misuse his or her official position.
COSO Enterprise Risk Management (ERM) - Integrated Framework
The Enterprise Risk Management - Integrated Framework is a document developed by the COSO Project Advisory Council that expands on internal control, providing more robust and extensive focus on the broader subject of enterprise risk management. This includes strategy, operations, reporting, and compliance at a high level.
An accounting entry that either decreases assets or increases liabilities and equity on the company's balance sheet.
The process of reducing credit risk by requiring collateral, insurance or other agreements to provide the lender with reassurance that it will be compensated if the borrower defaults.
A financial loss incurred when stolen or fake credit cards are used to purchase items. The financial impact of credit fraud is found directly on the gross profit margin as the funds used are not collectable. The main cause of credit fraud is organized retail crime.
Issued by a vendor to offset all or part of an invoice (reduction).
Credit Memo Lag
The date difference between (a) the initial invoice and credit memo, (b) the initial invoice and rebill, and (c) the credit memo and rebill.
Credit Memo Test
This test identifies reasons for credits and rebills to ensure they are being issued appropriately. It also identifies time lags, dilution horizons and potentially ineligible invoices and rebills.
Critical Path Milestone
A critical path milestone is used to mark a specific point along a project timeline, particularly at the close of a certain stage of a project which signifies that a major task has been completed.
To verify that the sum of the totals in various columns also agrees to a grand total.
A point in time to terminate any further activity.
Counting small samples of inventory items on an ongoing basis. Over a period of time, all inventory items would be counted. The cycle continues after each inventory item has been counted to ensure ongoing accuracy of the inventory count.
Data Backup and Recovery Controls
Controls that ensure business data and applications are available to end users and customers in the event of system breakdown.
Days Past Due
Found on the accounts receivable aging report, days past due describes the number of days a customer is late (or outstanding) in making a payment.
Days Past Invoice
Found as part of invoice date aging, days past invoice refers to how many days a customer is late (or outstanding) from making a payment as of the original date of the invoice issuance.
Days Sales Outstanding (DSO)
Can be used a predictor of the accounts receivable aging. DSO is calculated by dividing total accounts receivable by total sales and multiplying this amount by 365 days. It shows on average how long it takes for a company to collect on its receivables.
The set of factors and circumstances which will be used in the valuation of a deal or target.
Billing a customer again. A debit memo would be required, for example, when a customer has made a payment on their account by check, but the check bounced, or a company short-pays an invoice.
Controls designed to provide reasonable assurance that errors and irregularities will be discovered in a timely manner. Detective controls are used to identify errors that were not prevented. Typically this involves comparing actual performance results against standards.
A departure from acceptable/effective performance of the prescribed control activity. This indicates that the control is not being performed as required and employee operations need to be adjusted to reflect accurate control activity ending in normal/expected results.
The percentage of items in a population that exhibit evidence of error.
A committee that considers the materiality of information, determines disclosure requirements, identifies relevant disclosure issues and coordinates the development of the appropriate infrastructure to ensure that quality material information is disclosed in a timely fashion to management for the potential action and disclosure. Typically the disclosure committee reports to and on occasion includes senior officers. The disclosure committee usually includes the CAO, General Counsel, Chief Risk Management Officer, CIO, and the Chief Investor Relations Officer.
Disclosure Controls and Procedures
The activities in place to ensure material financial and nonfinancial information is “recorded, processed, summarized and reported within the time periods specified by the [SEC’s] rules and forms.” They may include ongoing processes for training personnel, monitoring change, and keeping the inventory of reporting requirements up to date with current rules and regulations. These are slightly different than internal controls over financial reporting.
The partial or full disposal of a business unit through sale, exchange, closure or bankruptcy.
Dollar Unit Sampling
Also known as "monetary-unit sampling." A method of statistical sampling used to assess the amount of monetary misstatement that may exist in an account balance. The method, also known as probability-proportional-to-size sampling, involves three key steps:
- Determining the proper sample size
- Selecting the sample and performing the audit procedures
- Evaluating the results and arriving at a conclusion about the recorded population value
Any individual who is a citizen, national, or resident of the United States, or any corporation, partnership, association, joint-stock company, business trust, unincorporated organization, or sole proprietorship which has its principal place of business in the United States; or which is organized under the laws of a State or of the United states, or with a territory, possession, or commonwealth of the United States.
Double Blind Counting Method
Two teams (with two people per team) with their own set of tickets separately perform counts of the same area. Each item in the shop floor area is counted by both teams and each team is unaware of the count quantities that the other team came up with.
Dual Reporting of Financial Statements
Dual Reporting can occur during the rollover period when a company is changing from use of local GAAP to IFRS. If dual reporting was being used, the company would report their financial statements in both IFRS and GAAP formats.
The activity and period during which the buyer confirms the seller’s financials, contracts, customers and other pertinent information.
The risk or exposure the auditee organization and/or others encounter because the condition is not the same as the criteria (the impact of the difference).
Present when management directs systems and activities in such a manner as to provide reasonable assurance that the organization's objectives and goals will be achieved.
Accomplishes objectives and goals in an accurate and timely fashion with optimal use of resources.
Eligible Receivables Pool Balance
The remaining receivables balance after subtracting ineligible receivables, which includes government receivables, foreign receivables or receivables aged past a specific number of days.
A specific internal audit assignment, task or review activity, such as an internal audit, control self-assessment review, fraud examination or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.
Broad statements developed by internal auditors that define intended engagement accomplishments.
The rating, conclusion and/or other description of results of an individual internal audit engagement, relating to those aspects within the objectives and scope of the engagement.
Engagement Work Program
A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.
Enterprise Risk Management
A process effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Enterprise Risk Management Components
Enterprise risk management is composed of eight interrelated components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring.
Controls that management relies upon to establish the appropriate “tone at the top.”
In Enterprise Risk Management terms, an event is any occurrence within or outside of the organization that can affect the intended outcome of strategic planning. An event may be either positive or negative. In a business enterprise, one of management's most important responsibilities is to be able to react to an event by analyzing its potential as either an opportunity or as a possible obstruction to the advancement of the entity's goals and objectives. While the time frame, scope, and impact of an event cannot be predicted, ERM provides management with the tools to respond appropriately.
Exception-Based Reporting (EBR)
Analysis of any unusual trends or patterns across reports and is used to identify any suspicious activity. The cause is investigated and any mitigating actions are taken accordingly. In the retail industry, exception-based reporting analyzes every transaction that occurs at a Point of Sale; typically the types of transactions that are caught by exception based reporting include fraudulent refunds or voids.
External Auditor Responsibilities
External auditors are responsible for affirming the accuracy of financial reports to all outside parties including investors and regulatory agencies. In the US, external auditors also provide an evaluation of publicly-held company's internal control over financial reporting as required by Section 404 of the Sarbanes-Oxley Act.
External Service Provider
A person or firm outside of the organization that has special knowledge, skill and experience in a particular discipline.
When consumers steal from a company, either alone or as part of a group. External theft is globally the largest source of shrink in the retail industry and typically comes in the form of merchandise theft, credit card fraud, check fraud, and price tag switching.
Facilitating Payments (Grease Payments)
Facilitating payments (also known as Grease Payments) are payments made to facilitate or expedite performance of a routine, non-discretionary governmental action. Grease Payments must be small and infrequent in nature. The types of Grease Payments that are allowed in accordance with FCPA regulations include: obtaining non-discretionary permits and licenses; scheduling inspections associated with contract performance or transit of goods across a country; obtaining or processing governmental papers such as visas and work orders; providing police protection, mail pickup and delivery; and providing phone service, power, and water supply, loading and unloading of cargo, or protecting perishable goods.
Financial Accounting Standards Board (FASB)
The main objective of the Financial Accounting Standards Board (FASB) is to establish and improve standards of financial accounting and reporting for the guidance and education of the public, including issuers, auditors, and users of financial information. Typically, pronouncements from FASB are generally accepted for the purposes of filings with the SEC. FASB operates in the private sector.
Financial Fraud (Retail Industry)
Non-inventory shrinkage, which includes cash over/shorts, check fraud, credit fraud, gift card fraud and refund fraud.
A formal record of a company's financial position. Financial statements may include balance sheet(s), income statement(s) and cash flow statement(s).
Goods that have gone through the complete production process are completely assembled that are to be held for sale to external customers.
Fixed assets are physical plant, equipment, land and other tangible resources used for production of a company's goods and services. They are long-term in nature and usually subject to depreciation.
A pictorial summary that shows with symbols and words the steps, sequence and relationship of the various operations and people involved in a process. Internal audit typically highlights risk and control points on these.
The sum of a column of figures.
Foreign Corrupt Practices Act of 1977 (FCPA)
The Foreign Corrupt Practices Act of 1977 (FCPA) is a United States federal law known primarily for two of its main provisions, one that addresses accounting transparency requirements under the Securities Exchange Act of 1934 and another concerning bribery of foreign officials. The anti-bribery provisions of the FCPA prohibit: Issuers, domestic concerns, and any person from making use of interstate commerce corruptly, in furtherance of an offer or payment of anything of value to a foreign official, foreign political party, or candidate for political office, for the purpose of influencing any act of that foreign official in violation of the duty of that official, or to secure any improper advantage in order to obtain or retain business.
Any officer or employee of a foreign government, a public international organization, or any department or agency thereof, or any person acting in an official capacity. This typically includes: employees of non-US Governments; non-US political parties or candidates; employees of non-US state owned or state-controlled entities; and officials of public international organizations.
Any illegal act characterized by deceit, concealment or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage.
The three factors involved with committing fraud. Fraud occurs when there is an opportunity, financial pressure, and the action can be rationalized.
Free on Board (FOB) Destination
The title and the risk of loss transfer to the buying entity when a shipment reaches its destination. Also known as Freight on Board Destination.
Free on Board (FOB) Shipping Point
The title of the goods and the risk of loss transfer to the buying entity when the item is placed into the custody of the shipping carrier. Also commonly known as Freight On Board Origin.
The core of a company's financial records. These constitute the central "books" of the accounting system, and every transaction flows through the general ledger.
Gift Card/Refund Fraud
When transactions are completed for fake gift cards or refunds. Gift card/refund fraud impact the gross margin directly and stem from either internal or external theft. Internally, refunds can be completed by employees when no returned merchandise exists resulting in the employees pocketing the cash or gift card. External refund fraud involves a customer returning an unpaid item for a cash refund.
The combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.
Guide to the Assessment of IT Controls (GAIT)
A methodology that companies can use to evaluate a universe of IT controls to identify the most critical controls that support a specific process.
Any document that aims to streamline particular processes according to a set routine.
A non-probabilistic method of sample selection in which items are chosen without regard to their size, source or other distinguishing characteristics.
Understanding recording, valuation, and disclosure requirements of IFRS; identifying gaps between status quo and IFRS; scope and structure of conversion; enterprise-wide review of accounting policy compliance; and training staff to operate within IFRS.
IFRS Conversion Assessment
The Assessment phase of the IFRS Conversion typically encompasses: identifying similarities and differences between current GAAP practices and IFRS requirements; evaluation of current ERP tracking, converting, and reporting functionalities; and calculating the potential enterprise-wide cost of IFRS conversion.
IFRS Conversion Planning
IFRS Conversion Planning entails translation of the IFRS rules into models and concepts compliant with the business systems; creation of detailed plans, gap analysis, and adjustment or establishment of system requirements and short term workarounds; as well as sourcing additional help, if required.
Illustrative Flowcharts document the beginning and end of a process with no more than six or seven critical steps in between.
From a quantitative perspective, an error is not large enough to cause the reader/user to change their decision (specific to each client).
Impairment to organizational independence and individual objectivity may include personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations (funding).
Implementation Standards in the IIA Standards are provided to expand upon the Attribute and Performance Standards by providing the requirements applicable to assurance or consulting activities.
Independence of Internal Audit
An environment free from peer persuasion and other undue internal influence. This surrounds the reporting structure of the internal audit function in a virtual pressure-free zone, ensuring open and clear access equally to the audit committee, board of directors, or the company CEO.
A term used to refer to the inventory items "going out" or feeding into another inventory item, which in this context is the parent item.
The use of systems to store, retrieve, transmit and manipulate data, often in the context of a business or other enterprise.
Information Technology Controls
Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure and people.
Information Technology Governance
Consists of the leadership, organizational structures and processes that ensure that the enterprise’s information technology supports the organization’s strategies and objectives.
The danger that the organization might not have an effective information technology infrastructure such as hardware, networks, software, people, and processes to effectively support he current and future needs of the business in an efficient, cost-effective, and well-controlled manner.
The risk that exists in the absence of any controls.
Controls such as proper authorization of documents, adequate documentation of transactions, and check digits, designed to assure that the information processed by the computer is valid, complete and accurate.
A form of gathering audit evidence via discussion only with relevant individuals. Inquiry is considered the weakest form of evidence.
A form of gathering audit evidence via looking at documentation and other evidence.
Full IFRS-compliant implementation containing a simultaneous automatic conversion to dual accounting principles and an automatic closure of the US GAAP environment at the end of the specified transition period.
Integration Management Office (IMO)
The integration management office performs a project management role and is responsible for compiling and reporting information on the status of the project to the project steering committee.
Risks that are inherent in the lack of completeness and accuracy of data and/or transactions that are entered into, processed by, summarized by, and reported on by the various applications systems employed by an organization. Integrity risk can be caused by programming errors.
Any product of the human intellect that the law protects from unauthorized use by others. Intellectual property traditionally comprises four categories: patent, copyright, trademark and trade secrets.
Interfunctional Flowcharts show cross functionality of a process and highlights the handoffs during the process. The cross functional focus (illustrated by division into swim lanes) facilitates analyzing processes for simplification, streamlining, and elimination of nonessential tasks.
Internal Audit Activity
A department, division, team of consultants or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes.
Internal Audit Profession
According to the IIA, Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
A process within an organization designed to provide reasonable assurance regarding the achievement of the following primary objectives:
- The reliability and integrity of information
- Compliance with policies, plans, procedures, laws and regulations
- The safeguarding of assets
- The economical and efficient use of resources
- The accomplishment of established objectives and goals for operations or programs
Internal environment is an ERM component that is the bedrock philosophy of business. This includes shared beliefs, its culture and operational approach, and the way it presents itself to customers and employees. In many cases, the Internal Environment is dictated by a top-down culture, indicating that the culture comes from the C-Level Suite and Board of Directors. The "tone at the top" often filters down and becomes the tone for the whole company.
Internal theft consists of employees stealing from the company in a variety of ways. Cash theft could include falsifying expense reports or siphoning money via vendor agreements with related parties. In a retail environment, typically, this involves employees stealing cash, giving away merchandise to friends and family without permission, theft of merchandise, and discount abuse. Cash theft is the major portion of internal theft, typically occurring in retail settings at the till.
International Financial Reporting Standards (IFRS)
International Financial Reporting Standards (IFRS) are accounting and reporting standards set by the International Accounting Standards Board (IASB). IFRS has been gradually adopted worldwide since 2000 as a replacement to local GAAP.
International Professional Practices Framework
The conceptual framework that organizes the authoritative guidance promulgated by the IIA. Authoritative Guidance is comprised of two categories – (1) mandatory and (2) strongly recommended.
Consists of owned items that are held for sale or consumption in the production of goods and services. These include: Items physically on hand at all locations other than items on consignment; Items not on hand but those which the risk of loss rests with the company; in transit to the company with shipping terms of FOB Shipping Point; Items held by a vendor when the risk of loss has passed to the company; Items held on consignment where the entity is the consignor; Inventory in possession of bailers; Items in transit to a customer with shipping terms of FOB Destination.
An inventory roll-forward is the periodic analytical procedure used to rationalize the change in inventory using financial statements and operational data.
An intentional misstatement of the financial statements.
An exception noted in an internal audit. The components of a well-written issue include the five Cs: Condition, Criteria, Cause, Consequence and Corrective Action.
An issuer is a corporation that has issued securities that have been registered in the United States or who otherwise is required to file periodic reports with the SEC.
IT Asset Management (ITAM)
IT asset management is the set of business practices that join financial, contractual and inventory functions to support lifecycle management and strategic decision making for the IT environment. Assets include all elements of software and hardware that are found in the business environment. A comprehensive IT asset management program tracks all an organization’s IT assets, including hardware, software and licenses.
IT Asset Management Controls
IT Asset Management Controls pertain to the tracking and managing of IT assets including hardware and software inventory.
The examination of evidence of the organization’s IT infrastructure and the collection and evaluation of evidence of their information systems, practices and operations.
IT Change Management
The practice of managing and controlling system changes from the initial request through deployment.
IT Change Management Controls
Change Management Controls are controls that help to ensure the accuracy, completeness, and authorization over program and code changes to the business applications that support the business.
IT General Controls
Controls related to systems used to generate, change, house and transport data. The four categories of IT general controls include program development, program changes (sometimes referred to as systems development life cycle or SDLC), access control and IT operations.
IT Infrastructure Library (ITIL)
A series of documents that are used to aid the implementation of a framework for IT service management. This framework defines how service management is applied within an organization. ITIL provides comprehensive “best practice” guidelines on all aspects of end-to-end IT service management and covers the complete spectrum of people, processes, products and the use of partners.
IT Logical Security Controls
Logical Security Controls are controls that help to ensure that only authorized individuals can enter, approve, and monitor systems transactions and business data.
IT Operations Management
The process and mechanics to support continuity of service for critical systems. Specific areas include backup and recovery, batch processing/job scheduling, IT asset management, third party/vendor management, business continuity management, and physical security and environment controls.
IT Physical Security Controls
Physical Security Controls are controls that help protect computer hardware and infrastructure operating the systems that house business data.
A business arrangement in which two or more parties agree to pool their resources for the purpose of accomplishing a specific task.
Used to describe a non-statistical sampling method of choosing a sample from a population by applying certain logic to how a sample is chosen from the population, based on known information.
Legal Day 1
The day at which two or more combined organizations are officially one legal entity. Integration work can and often does continue after this point, but the entity is considered unitary on this date.
Letter of Intent (LOI)
This is a document which outlines the specific terms of an agreement, including the offered purchase price and the accepted selling price. A letter of intent will also frequently contain information on further conditions, shares vs assets, and a period of exclusivity during which the firms will go through the due diligence process and negotiate any terms without courting outside parties.
The purpose and mission of the loss prevention function is to assist companies in identifying and reducing internal, external, and operational shrink. It encompasses the entire process from identifying and investigating a problem immediately, while making suggestions and putting operational improvements in place that will prevent such loss in the future.
Mandatory Guidance is required and essential for the professional practice of internal auditing, which includes the definition of internal auditing, the code of ethics, and the International Standards for the Professional Practice of Internal Auditing.
Manual Controls are controls within a process that are typically completed by an individual within the entity. Manual controls require a significant amount of human judgment in design, development, performance, and evaluation.
The combining of two or more companies, generally by offering owners of the target company securities in the acquiring company in exchange for the surrender of their stock.
Monetary Unit Sampling
See Dollar Unit Sampling above.
Management must constantly monitor the effectiveness of its risk management procedures and be prepared to make modifications as required. Monitoring can be accomplished through ongoing activities or through independent or separate evaluations. Regular ongoing monitoring is typically conducted by mid-level management.
The IIA Standards
use the word "must" to specify an unconditional requirement.
The description of a process, including background information, policies in place, roles and responsibilities, typically highlighting the controls within that process.
Negative assurance tells the data user that nothing has come to the auditor's attention of an adverse nature or character regarding the information reviewed.
A written request by the auditor sent to a party having a financial relationship with the client and asking for a reply only in the case of disagreement.
Net Receivables Pool Balance
The total receivables owed to a company by its customers or clients minus the receivables/money owed by the customer or clients that will likely never be paid back.
No Bias Sampling ensures that each sampling unit has an equal chance to be selected. This includes haphazard sampling, random sampling, and systematic sampling.
A legal contract that outlines confidential material, knowledge or information that will be protected and held confidential.
Setting objectives based on a company's strategic vision is the formula for the creation and preservation of value. Objectives should be measurable and easily understood by not only the employees responsible for achieving them but also all employees within the entity.
An impartial, unbiased attitude free from conflict of interest.
A form of gathering audit evidence by physical observation of the control being performed. This term is also used to describe audit issues/exceptions identified in an audit.
Open PO Report
A list of pending purchase orders where a receipt was not yet recorded by the entity. This could be due to shipments not yet occurring or it can be due to incomplete receipt input.
A structured review of the systems and procedures of an organization in order to evaluate whether they are being conducted efficiently and effectively. An operational audit involves establishing performance objectives, agreeing the standards and criteria for assessment, and evaluating actual performance against targeted performance.
Refers to the recurring activities of an organization directed toward producing a product or rendering a service. Such activities may include, but are not limited to, marketing, sales, production, purchasing, human resources, finance and accounting, and governmental assistance.
Operations objectives are intended to bolster and enhance an entity's basic production operations such as manufacturing, inventory control, quality assurance, and cycle time. The demands of the marketplace are the driver setting operations objectives and are critical to the success of the company. They provide a focal point and the motivation for allocation of company resources.
A chart that depicts the reporting structure of an organization. Typically the chart is tiered, starting at the C-Suite (CEO, CFO, COO, etc.)
Controls, such as review of data for reasonableness, designed to assure that the data generated by the computer is valid, accurate, complete and distributed only to authorized personnel.
The rating, conclusion, and/or other description of results provided by the chief audit executive addressing, at a broad level, governance, risk management, and/or control processes of the organization. An overall opinion is the professional judgment of the chief audit executive based on the results of a number of individual engagements and other activities for a specific time interval.
Per Discussion With…
Refers to the fact that a discussion was held with an individual and includes the results of the conversation.
Performance standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured.
A process in which one identifies all the in-feeding items at the various stages (operation steps or numbers) and records the in-feeding inventory items only.
The Population consists of all of the items constituting an account balance or a class of transactions subject to testing. The population should be defined in a way that can be related to specific control objectives and should be specified clearly and completely. A population should be homogenous.
Position papers address the IIA's view on the roles and responsibilities of the internal auditing function regarding a particular issue. They assist a wide range of interested parties, including those not in the internal audit profession, in understanding the significant governance; risk or control issues; and outlining related roles and responsibilities of internal auditing.
A written or oral request by the auditor of a party having financial dealings with the client about the accuracy of an item. A response is required whether the particular item is correct or incorrect.
Practice advisories address Internal Audit's approach, methodologies, and considerations. Typically, practice advisories relate to international, country, or industry specific issues specifically relating to types of engagements and legal or regulatory issues. Practice advisories help assist internal auditors in applying the definition of internal auditing, the code of ethics, and the standards as well as promoting good practices overall. Practice Advisories are strongly recommended by the IIA but not mandatory.
Practice guides provide detailed guidance for conducting internal audit activities. They typically include detailed processes and procedures such as: tools and techniques; programs; and step by step approaches, including example deliverables. Practices guides are divided into three categories: Global Technology Audit Guides (GTAG), Guide to the Assessment of IT Risk (GAIT), and General Practice Guides.
Preventative controls are designed to provide reasonable assurance that only valid transactions will be initiated, approved, recorded, processed, and reported. These controls tend to be proactive in nature and when implemented effectively and efficiently, help minimize or reduce the impact of risk within a process. They are specifically designed to reduce the likelihood that an error or irregularity will occur. Preventative controls are designed to address risks at their roots and build quality control within a process.
Primary controls are the key controls in the business process.
Process Classification Scheme (PCS)
The Process Classification Scheme (PCS) is a framework for defining the functions or processes of a business.
Process maps facilitate a uniform understanding of the risks and controls within a given process or function. They help provide a universal language, reduce project risk, facilitate analysis, and document evidence.
A process narrative provides a representation of how work is performed for the purposes of assessing process risk, identifying key process controls, recommending improvements, and evaluating segregation of duties.
Profit and Loss (P&L) Accounts
Profit and Loss expense accounts that are involved in the income statement.
Profit drain occurs when a company's assets are removed from their inventory without compensation, causing a loss. The causes of profit drain can be theft, operational error, or damaged goods. When an item is not in inventory, it cannot be sold and therefore the original investment cannot be recovered.
A project plan articulates the scope and approach of a project in as much detail as possible. A project plan should document all key assumptions, key activities to accomplish project objectives, milestones, responsible parties, and tools and technology needed.
A project sponsor is a senior executive who can assume responsibility for providing overall direction to the project team and for communicating the project to the organization with credibility.
Project Steering Committee
A steering committee is comprised of high level executives at a client who are internally responsible for the success of a project and for setting the tone and goals which the project needs to accomplish. In addition, the committee is responsible for outside communications to shareholders and/or media sources about the status of a project.
Information that is not public knowledge, such as financial data or trade secrets.
Public Company Accounting Oversight Board (PCAOB)
The Public Company Accounting Oversight Board (PCAOB) is the governing body over the external auditors created by section 105(a) of the Sarbanes-Oxley Act. The PCAOB's role is to ensure, by rule, that public company financial statements are audited according to the highest standards of quality, independence, and ethics. The responsibilities of the PCAOB include: overseeing audits of public companies subject to US Federal Securities Laws, registering public accounting firms, establishing standards relating to public company audits, conducting inspections of registered accounting firms, and enforcing compliance with the Sarbanes-Oxley Act.
Purchase Order (PO)
A purchase order is the purchaser's authorization used to formalize a purchase transaction with a supplier. A purchase order, when given to a supplier, should contain statements of the name, part number, quantity, description, and price of the goods or services ordered; agreed-to terms as to payment, discounts, date of performance, and transportation.
A sample in which every possible combination of items in the population has an equal chance of constituting the sample. A random sample may be obtained by using random number tables, computer programs or systematic sampling.
Raw Materials (RM)
Raw materials are typically raw inputs such as steel or purchased items used in the production or assembly of finished goods to be held for sale by the entity.
A statement provided that inspires confidence, certainty or a guarantee around a topic, subject, review, etc. with an acceptable level of certainty.
An internal control, no matter how well designed and operated, cannot guarantee that an entity’s objectives will be met because of inherent limitations in all internal control systems.
In an audit report, an auditor works within economic limits. The audit opinion, to be economically useful, must be formed in a reasonable time and at reasonable cost. The auditor must decide, exercising professional judgment, whether evidence available within limits of time and cost is sufficient to justify an opinion.
A comparison of an estimated amount, calculated by the use of relevant financial and non-financial information, with a recorded amount.
Receivables Purchase Agreement
Establishes key terms and conditions between the target company and the financial institution. Also called an indenture.
A quality control procedure that helps the engagement team make sure that the information included in the report is internally consistent, grammatically correct and supported by the workpapers.
Adherence to laws and regulations relevant to a company's business.
A transaction between parties that are not at arm's length.
A form of gathering audit evidence via re-execution of the control to test for effectiveness of the control. The expectation is that through reperformance, the result would be the same as when the control was originally executed.
Reporting Objectives set standards for the provision of accurate information to individuals and entities responsible for decision-making and monitoring company activities and performance. Typically, this includes internal reporting data to relevant marketing decisions, sales, production, quality and customer feedback, and external reporting information such as financial statements, disclosures, analyses, and reports to regulatory agencies.
A formal, written letter statement made by an auditee and addressed to the external auditor, in which the auditee confirms that statements made are true and can be relied upon.
A sample of a population that sufficiently represents the characteristics of the entire population.
The remaining risk that faces the organization after controls are put in place to mitigate the effects of these risks.
The probability that an event or action may adversely affect the organization or activity under audit.
Risk acceptance involves taking no action to affect risk likelihood or impact. Risk acceptance indicates that the risk is within an adequate range of tolerance.
Risk and Control Matrix (RCM)
Risk and Control Matrices are typically created to supplement a process map which depicts the company's objectives, the risks to achieving the objectives, and the existing controls that mitigate those risks. RCMs are typically created in a spreadsheet matrix and serve as a summary which helps prioritize risks and assessments of controls design effectiveness.
The level of risk that an organization is willing to accept.
A systematic process for assessing and integrating professional judgments about probable adverse conditions and/or events. The risk assessment process should provide a means of organizing and integrating professional judgments for development of the audit work schedule.
Risk avoidance involves eliminating the risk, or stopping the activities that create the risk. Risk avoidance suggests that there are no other readily identifiable alternatives that would lessen the probability or impact of the risk to a more reasonable level.
Criteria used to identify the relative significance of, and likelihood that, conditions and/or events may occur that could adversely affect the organization.
A process to identify, assess, manage and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.
A risk model is a tool used to establish a common language around risk. It is a risk sourcing framework that allows businesses to develop insights into the sources of uncertainty within their businesses to create value and to truly understand their risks. The risk model helps define and explain the potential risk areas existing in a business.
Risk of Loss
Typically when the title of the good transfers from one entity to another, the risk of loss does as well. The entity that holds the title to the goods is subject to the risk of loss if damage or destruction occurs to the goods.
Risk reduction involves acting to minimize the risk or its impact, or both. This could involve changing courses of action throughout the company to reduce overall level of risk.
Risk response entails management response to the risks present. Risk response falls into four categories: Avoidance, Reduction, Sharing and Acceptance.
Risk sharing involves the allocation of risk through insurance, outsourcing, or transferring portions of risk to others. When a company opts for risk sharing, management can typically spread the risk reduction expenses as well as the benefits across the organization.
Sales and Purchase Agreement (SAPA)
A document that obligates a buyer to buy and a seller to sell certain assets, services or products.
The act of selecting a certain number of items out of a population for testing.
The probability that the auditor has reached an incorrect conclusion because an audit sample, rather than the whole population, was tested.
The sampling unit is the unit to be tested. It constitutes one distinct unit in the population to be tested.
Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act of 2002 legislation is intended to protect investors by improving accuracy and reliability of corporate disclosure. The act imposes heavy penalties including fines and jail sentences for executives associated with corporate business fraud. The legislation includes the following requirements: reporting requirements and accountabilities for public companies, prohibiting certain actions, audit committee expanded responsibilities, increases penalties for officers and directors committing a crime, oversight for external auditors, and increased SEC oversight activity.
A restriction placed upon the internal auditing department that precludes the department from accomplishing its objectives and plans. Among other things, a scope limitation may restrict the:
Scoping the Audit
- Scope defined in the charter
- Department's access to records, personnel and physical properties relevant to the performance of audits
- Approved audit work schedule
- Performance of necessary auditing procedures
- Approved staffing plan and financial budget
Also known as "survey." Process for gathering information, without detailed verification, on the activity being examined. The main purposes are to:
- Understand the activity under review
- Identify significant areas warranting special emphasis
- Obtain information for use in performing the audit
- Determine whether further auditing is necessary
Scrap is material created through the manufacturing process, which is not usable for a finished good. The items are physically disposed of (scrapped) which may include an element of reclamation. When an item is disposed of, it is written off the inventory asset account onto the P&L accounts.
Secondary controls are supplemental controls beyond the primary controls, and are found most frequently in environments in which manual controls are used to mitigate risk.
Section 302 of the Sarbanes-Oxley Act
Section 302 of the Sarbanes-Oxley Act of 2002 requires certification in the quarterly and annual financial report from an issuer’s principal executive officer or officers and the principal financial officer and officers, or persons performing similar functions around disclosure controls and procedures.
Section 404 of the Sarbanes-Oxley Act
Section 404 of the Sarbanes-Oxley Act requires an annual review of effectiveness of internal control over financial reporting. Section 404 specifically contains two sections: (a) management's assertion on the effectiveness of internal control over financial reporting and (b) the auditor attestation of internal control over financial reporting. If a company's revenue is greater than $75 million per annum, the company is required to comply with both sections of SOX 404. However, if a company has revenues less than $75 million, the company is only required to comply with section (a).
Section 409 of the Sarbanes-Oxley Act
Section 409 of the Sarbanes-Oxley Act requires that each issuer give rapid and current disclosures in plain English regarding material changes in the financial condition or operations of the issuer.
Section 906 of the Sarbanes-Oxley Act
Section 906 of the Sarbanes-Oxley Act includes the criminal provisions of Sarbanes-Oxley. It states that each periodic report containing financial statements must be accompanied by a written statement by the CEO and CFO (or equivalent) certifying that information in the report fairly presents the financial condition and results of operations.
Securities and Exchange Commission (SEC)
The SEC (US Securities and Exchange Commission) protects investors and maintains the integrity of the securities markets by requiring public companies to disclose meaningful financial and other information to the public and by overseeing the following organizations: Stock Exchanges, Broker-Dealers, Investment Advisors, Mutual Funds and Public Utility Holding Companies. The SEC works with both federal and private entities.
Full IFRS-Compliant implementation with no conversion of the detailed transactions to both IFRS and US GAAP. This typically includes recording detailed transactions in the IFRS Format and creating US GAAP financial statements in a secondary accounting environment based on manual recalculation and adjustments.
Shared services is the provision of a service by one part of an organization or group where that service had previously been found in more than one part of that organization or group. In an M&A deal, this may commonly refer to providing HR or benefits services to multiple portions of a newly created entity through an existing department at one of the portions of the organization.
The IIA Standards
use the word "should" where conformance is expected, unless, when applying professional judgment, circumstances justify deviation.
Shrink is a common term used to describe loss within organizations. Typically, shrink is associated with inventory shrink, which refers to any discrepancy between the items booked in inventory as a result of purchasing and sales versus how much inventory is actually on hand. The formula for determining shrink is: Book Inventory (Inventory on the General Ledger) - Inventory on Hand (Physically in Warehouses) = Shrink
The rate at which shrinkage is happening in relation to inventory. The formula for shrink rate is: Shrink / Book Inventory = Shrink Rate
The level of importance or magnitude an internal auditor assigns to an item, event, information or problem.
Significant Audit Findings
Those conditions which, in the judgment of the director of internal auditing, could adversely affect the organization. Significant audit findings may include conditions dealing with irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts of interest and control weaknesses.
Simple Average Dilution Horizon (SADH)
One type of test to calculate dilution horizon (the lag between the time an invoice is generated and when a credit is issued). The SADH represents an average of the total number of lag days between the time an invoice is generated and a credit is issued. To calculate the SADH, a simple numerical average is taken between a set of calculated lags.
Six Elements of Infrastructure
The Six Elements of Infrastructure identify the key components that must be considered to effectively manage risk within an organization. These key components are: business policies, business processes, people and organization structure, management reports, methodologies, and systems and data.
The Standards are principles-focused, mandatory requirements consisting of statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance. They are internationally acceptable at the organizational and individual levels. Additionally, the Standards consist of interpretations which clarify terms or concepts within the statements. Interpretations are typically incorporated to assist in the application of the standards. The Standards have two divisions: Attribute Standards and Division Standards.
Statistical sampling occurs when the transactions in the process are primarily automated and the population of transactions is uniform and well documented. Selection is random because each transaction has an equal chance of being selected. Results of statistical sampling can be extrapolated to the population based on the confidence level and tolerable level of error provided that the sample size is adequate.
Strategic Objectives are those set out in broad terms to establish and affirm the entity's long-range goals. While internal and external conditions may change and the business environment may be dynamic and subject to adjustment and course correction, the company’s tactical and process objectives should always be realigned with its fundamental strategic objectives.
Strongly Recommended Guidance
Strongly recommended guidance is endorsed by the IIA and consists of the following three components: Practice Advisories, Position Papers, and Practice Guides.
A stock item (item with a part number) that has an element of conversion but is not considered to be a finished good. It typically feeds into other subassemblies, which in turn feed up into higher-level subassemblies, eventually turning into a finished good. Subassemblies are considered works in process.
An individual or business firm contracting to perform part or all of another's contract.
The general ledger typically contains a number of sub-ledgers that are specifically for items such as cash, accounts receivable, accounts payable and inventory. Sub-ledgers contain all of the daily detailed transactions that flow through each of these accounts, which will be summarized and posted to the accounts on the GL.
A process that occurs within a larger business process.
An event that occurs after a company’s financial report date (e.g., month, quarter or year), but before the financial statements have been finalized and reported publicly.
Procedures designed to verify the correctness of financial statement balances.
The three forms of substantive tests are: (1) tests of transactions (which are often conducted concurrently with compliance testing ); (2) tests of balances; and (3) analytical review procedures.
Tests of transactions and balances gather evidence of the validity of the accounting treatment of transactions and balances. They are designed to identify errors and irregularities. Statistical sampling may be used in determining the accuracy of financial statement numbers. Tests of transactions may be conducted continually throughout the audit year or at or close to the balance sheet date.
When the auditor traces a sales invoice from the journal to the ledger for correctness, it is called a transaction test. When the auditor compares the book balance of cash to the book balance, it is a test of balances. This test is done near or at the year-end reporting date.
Another substantive test involves calculating interest expense on corporate debt and verifying the amount in the financial records. Analytical review procedures involve examining the reasonableness of relationships in financial statement items and uncovering variations from trends. The procedures may be applied to overall financial information, financial data of segments and individual elements. If relationships appear reasonable, evidence corroborating the account balance exists.
A schedule that is used to provide backup evidence of how and where a number has been derived.
Also known as "scoping the audit." A process for gathering information, without detailed verification, on the activity being examined. The main purposes are to:
- Understand the activity under review
- Identify significant areas warranting special emphasis
- Obtain information for use in performing the audit
- Determine whether further auditing is necessary
Divisions within process interfunctional charts that designate the person responsible for each step of the process being documented.
System Conversion Project Management
System Conversion Project Management includes changing existing systems or implementing new business systems based on solutions designed in the planning phase; time for testing and improving conversion issues relating to reconciliations and reporting; and adjusting policies and processes, long term system changes, and training and follow-up diagnostics.
A company which is the subject of a merger or acquisition attempt.
Target Operating Model (TOM)
A description of the desired state of the operations of a business. This may be outlined in the Letter of Intent and will be discussed by all relevant parties to the transaction.
The underlying elements of technology infrastructure.
The core functions performed by the IT department.
Technology-Based Audit Techniques
Any automated audit tool, such as generalized audit software, test data generators, computerized audit programs, specialized audit utilities and computer-assisted audit techniques (CAATs).
The test period is the timeframe for which the auditor is evaluating the control. Samples are typically taken from the population within this window.
Tests of Balance
Also known as "substantive testing." The method by which account balances are tested to verify the correctness of the amounts.
Third-party payments occur when an individual, group of individuals, or an organization channels funds through an intermediary with the intention and knowledge that the final recipient will be a foreign official.
Vendor management refers to the processes for managing relationships with key third parties and may include the processes for identifying vendors, selecting vendors, approving vendors, determining service-level agreements (SLAs), monitoring performance against SLAs, and reporting performance metrics to management.
Symbols used by auditors to indicate that they have performed a certain operation, such as agreeing a number on a trial balance to the source document or checking the addition of a column of numbers. A legend should appear on the work papers to indicate the meaning of each tick mark.
Tolerable Error Rate
The maximum monetary or transactional deviations that can be accepted without causing a significant financial misstatement. The tolerable error rate is subject to changed based on the scope of the audit and the type of company being audited.
Trailing Twelve Months (TTM)
A 12-month period of time commonly used to evaluate a company's financial results or financial statements.
Transactional Flowcharts display a series of actions and decisions in a manner that is easy to understand and allows companies to document things quickly. The process flowchart portrays key inputs, activities, interfaces, and outputs. Additionally, it can be used to source risks and identify control points. Transactional flowcharts can be created by drilling down from an illustrative flowchart.
Transitional Service Agreement (TSA)
A Transitional Service Agreement is made between a buyer and a seller and contemplates having the seller provide infrastructure support such as accounting, IT, and HR after the transaction closes.
A report that reflects all the existing balances in a company’s chart of accounts at a particular date.
Un-Invoiced receipts are items that an entity logged in as received from a vendor but an invoice cannot be related to these items because the invoice is unavailable or has not been received.
Confirming the operating effectiveness of internal controls through performing testing, which may include inspection, inquiry, observation or re-performance. In Sarbanes Oxley compliance, validation is not a one-time event but a continuous and ongoing process.
An IT governance framework that can be used to create business value from IT investments. It consists of a set of guiding principles and a number of processes and best practices that are further defined as a set of key management practices to support and help executive management and boards.
The process or activities by which a company adds value to an article, including production, marketing and the provision of after-sales service.
Variable testing is typically focused on testing detailed items that support an account total. An example of variable testing is reviewing an account balance to determine if it is fairly stated.
A type of audit evidence gathering technique used when applying a substantive testing approach. Vouching is the process of matching documentary evidence (of an account balance or a transaction) with the details recorded in accounting records and provides evidence as to the completeness, validity or accuracy of an account balance or underlying class of transaction.
The act of "walking through" a process with the process owner with the purpose of:
Weighted Average Dilution Horizon (WADH)
- Understanding the process
- Verifying the accuracy of the process (if it has already been documented)
- Understanding where controls exist in the process
- Validating that the control design is sufficient to address the risk
One type of test to calculate dilution horizon (the lag between the time an invoice is generated and when a credit is issued). The WADH represents the weighted average of the total number of lag days between the time an invoice is generated and a credit is issued. To arrive at WADH, divide each credit memo amount by the total amount of credits and multiply by the individual lag time and then sum the total.
Willful blindness implies that the individual failed to make inquiries judged to be that of a reasonable person to identify the third party in question, the nature of the payment, and other information available.
Work in Progress (WIP)
Inventory composed of partially completed items that have not yet reached the finished goods state.
A work order is a document, group of documents, or schedule conveying authority for the manufacture of specified parts or products in specified quantities. A work order is also known as a job order, manufacturing authorization, production order, production release, run order or shop order. A work order can either refer to the actual production of goods or the sale of finished goods or subassemblies to customers.
Documentation that evidences the work performed in an internal audit review as well as the issues (if any) that have been identified as a result of the review.
Also known as "audit program." A document which lists the audit procedures to be followed during an audit.
The progressive completion of tasks by different groups within a company which are required to finish a single project.
A collection of individuals who come together to complete a stated objective. On an M&A deal, this may mean working on bringing together a particular function of the merging organizations.