Glossary

Access Control Lists

Tools used for managing user permissions and access rights in IT systems.

Access Controls

Mechanisms within ITGCs to ensure that only authorized personnel can access critical systems and information, managing internal risks like unauthorized access and data leakage.

Access Request and Approval Processes

Procedures for requesting, evaluating, and approving user access to information systems.

Analysis

Analysis involves scrutinizing data and information to identify patterns, anomalies, and trends. This often entails analyzing system logs, financial records, and transaction data in IS auditing.

Anomaly Detection

This technique is used to identify unusual patterns that do not conform to expected behaviour. It is instrumental in fraud detection and identifying outliers that may warrant further investigation.

Application Controls

Specialized internal controls within an organization's IS designed to ensure the accuracy, completeness, and validity of the data processed by these systems.

Appropriateness of Audit Evidence

The quality of audit evidence, reflecting its relevance and reliability in supporting the conclusions on which the auditor's opinion is based.

Association Mining

This technique identifies interesting associations or relationship patterns among large data items. It helps uncover hidden patterns that could indicate control weaknesses or fraud.

Assurance

Independent evaluation or verification of information, encompassing the reliability of processes, systems, and information.

Audit

A systematic, independent examination and evaluation of financial records, processes, systems, or organizational performance to determine their accuracy, completeness, and compliance with regulatory standards, internal policies, and procedures.

Audit Criteria

Standards or benchmarks used to assess the subject matter of an audit.

Audit Evidence

Information gathered during an audit to support the auditor's conclusions, including both qualitative and quantitative data.

Audit Findings

Results obtained from the audit process, providing insights into the organization’s IS processes and controls, pivotal in assessing the health and integrity of an organization's IS environment.

Audit Objectives

The goals and intended outcomes of an audit, guiding the audit process and defining its focus.

Audit Opinion

The auditor's formal evaluation or judgment about the subject matter of the audit.

Audit Planning

The process of gathering information and designing audit strategies.

Audit Procedure

Specific actions, techniques, and methods employed by auditors to obtain audit evidence as well as verify the accuracy and reliability of an organization's financial statements and internal controls.

Audit Recommendations

Suggestions provided in an audit report for addressing issues found, meant to be practical and achievable, adding value to the audited organization.

Audit Reporting

The process of formally communicating the outcomes of an IS audit, including findings, conclusions, and recommendations, to stakeholders.

Audit Risk

The risk that an auditor may unknowingly fail to appropriately modify their opinion on financial statements that are materially misstated.

Audit Risk Model

A framework comprising inherent risk, control risk, and detection risk, guiding auditors in assessing and managing the risk of incorrect audit conclusions.

Audit Sampling

The process of examining a subset of data or transactions in order to draw conclusions about the entire dataset in an audit.

Audit Scope

The extent and boundaries of an audit, including the areas to be examined and the time period covered.

Audit Trail Maintenance

Tracks changes to data throughout the processing phase.

Audit Trails of Output Data

Tracks access to output data.

Audit Universe

The complete range of areas, processes, and activities within an organization that may be subject to audit.

Audit Working Papers

Documents that record the planning, conduct, and results of an audit, providing a trail of the audit procedures performed.

Auditor Independence

The freedom of the auditor from relationships that could compromise professional judgment and objectivity.

Authentication Mechanisms

Security measures used to verify the identity of users, ranging from passwords to biometric verification.

Automated Calculations Verification

Checks the accuracy of system calculations.

Automated Error Detection

Automatically identifies and flags errors in data processing.

Automated Output Alerts

Notifies relevant personnel of critical data outputs.

Backup and Recovery Procedures

Ensures output data can be recovered in case of system failure.

Big Data and Analytics

Technologies and techniques used to analyze large and diverse data sets to uncover patterns, correlations, and other insights.

Block Sampling

Block sampling begins with IS auditors partitioning the dataset into distinct blocks or groups based on specific criteria such as transaction types, periods, or data categories.

Business Continuity Management

A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats might cause.

Cause

The reason behind the condition; it answers why the issue exists. Understanding the cause is essential for addressing the root of the problem rather than just its symptoms.

Certified Fraud Examiner

A certification designed for professionals who detect and deter fraud, vital for auditors, accountants, fraud investigators, and loss prevention specialists.

Certified Information Systems Auditor (CISA)

A globally recognized certification for IS audit professionals, validating expertise in managing vulnerabilities, ensuring compliance, and instituting controls within an enterprise.

Certified Information Security Manager (CISM)

The CISM certification is designed for management-focused professionals who are responsible for designing, managing, and overseeing an organization's information security by emphasizing the relationship between information security and the broader business goals, rather than just technical expertise.

Certified Information Systems Security Professional (CISSP)

A prestigious certification in information security covering critical topics in security such as risk management, cloud computing, and application development security.

Certified Internal Auditor

The only globally recognized internal audit certification, suited for auditors involved in monitoring, analyzing, and evaluating business processes and procedures.

Certified Public Accountant

A highly respected accounting qualification essential for accountants aiming for senior financial positions.

Change Approval Control

Establishes a formalized process for approving proposed changes to information systems, ensuring only authorized changes proceed to implementation.

Change Implementation Control

Ensures approved changes are implemented in a controlled and systematic manner, minimizing disruptions.

Change Management

The approach to transitioning individuals, teams, and organizations to a desired future state, particularly in the context of new IT systems or changes to existing IT infrastructure.

Change Management Control

Controls overseeing IT system modifications to ensure smooth, secure, and efficient implementation, addressing risks like unauthorized changes and security breaches.

Change Management in IT

The process of managing changes to the IT environment, including software updates, infrastructure changes, and policy revisions.

Change Management Metrics

Metrics in this area could include the number of changes implemented, the success rate, and the frequency of emergency changes.

Change Request Evaluation Control

Ensures proposed changes to information systems undergo a rigorous evaluation process assessing feasibility, impact, and alignment with organizational objectives.

Check Digits

Input control method that adds a digit to numbers to validate their authenticity.

Classification

Classification algorithms categorize data into different classes. In auditing, this can be used to classify transactions into normal and suspicious categories.

Cloud Computing

The delivery of different services through the Internet, including data storage, servers, databases, networking, and software.

Clustering

Clustering involves grouping objects so that objects in the same group are more similar to each other than to those in other groups. This can help segment data into meaningful clusters for deeper analysis in IS auditing.

COBIT

A framework for managing and governing enterprise IT, developed by ISACA to create a comprehensive approach to IT governance.

Compensating Controls

Controls that compensate for weaknesses in other control areas.

Compliance

The process of ensuring that IT systems and processes meet established laws, policies, and regulations.

Completeness Checks

Input controls that ensure all required data fields are entered.

Compliance

Adherence to established standards, regulations, and other stipulated requirements relevant to IS.

Compliance Audits

Audits that evaluate an organization's adherence to external standards, laws, and regulations as well as internal policies and procedures.

Compliance Metrics

Compliance metrics measure adherence to various regulatory and internal policy requirements. This might involve tracking the number of compliance violations, audit findings, and corrective actions taken.

Computer Operations Management

Covers data backup, restoration, system performance monitoring, and compliance reporting. Essential for the smooth and secure operation of IT systems.

Computer-Assisted Audit Tools and Techniques (CAATTs)

Specialized software and programs used by auditors to facilitate the audit process and assist in the analysis and testing of an organization's financial records, systems, and internal controls.

Computer-Assisted Auditing Techniques (CAATs)

A range of software applications and tools used by auditors to analyze an organization's data, evaluate controls, and test compliance within computerized systems, enabling auditors to perform various audit procedures electronically, including data extraction and analysis, anomaly detection, and simulation of control tests.

Condition

The specific issue or situation identified during the audit. It is the factual evidence observed by the auditor. Detailing the condition involves describing what the auditor has found clearly and precisely.

Confirmation

Confirmation is a technique used to obtain a direct response from a third party verifying the accuracy of information.

Consequence

The impact or ramifications of the condition. It answers the question of the implications if the issue is not addressed.

Continuous Auditing

Auditing performed on a more frequent or continuous basis, as opposed to traditional periodic audits, so that controls and transactions are evaluated on an ongoing basis.

Continuous Auditing and Monitoring

Tools like CaseWare Monitor and Inflo are designed for automating the collection and analysis of data over time, providing real-time insights into system performance and anomalies.

Continuous Auditing Techniques

Methods for conducting audits on a more frequent or continuous basis, as opposed to traditional periodic audits.

Continuous Professional Development

The need for ongoing learning and adaptation to stay abreast of technological changes, regulatory updates, and evolving industry best practices.

Continuous Risk Monitoring

The ongoing process of overseeing risk factors to identify and respond to risks in real-time.

Control Activities

The policies and procedures implemented in IT to mitigate identified risks.

Control Environment

The organizational culture, structure, and processes that influence the effectiveness of internal controls.

Control Framework

Structured systems of guidelines and practices that provide the basis for managing and controlling IT processes and risks.

Control Risk

The risk that a client’s internal controls will fail to prevent or detect an error or fraud.

Control Testing

The evaluation of the design and effectiveness of controls to prevent, detect, or correct errors or fraud.

Control Weaknesses Identification

The process of finding areas where internal controls are insufficient or lacking.

Controls

The mechanisms, policies, or procedures that ensure the integrity of an information system, accurate and reliable financial reporting, and compliance with applicable laws.

Corporate Governance

Mechanisms by which a business is directed and controlled, involving transparency and accountability in organizational stewardship.

Corrective Action

Involves proposing steps to rectify the condition. Corrective actions should be realistic, practical, and tailored to the organization’s context.

Corrective Controls

Controls that rectify problems identified by detective controls.

COSO

A model for evaluating internal controls, providing a comprehensive and integrated framework for organizational governance.

Criteria

The standard or benchmark against which the condition is evaluated. It could be company policies, industry standards, legal requirements, or best practices that set expectations for what should happen.

Critical Findings

These findings indicate a severe problem that poses an immediate and significant risk to the organization. They often involve violations of law or regulations, major security breaches, or significant financial losses.

Cross-Field Validation

Compares data entered in one field against another.

Cybersecurity Framework

A set of guidelines and best practices for managing and reducing cybersecurity risk.

Cybersecurity Risks

Threats to information technology systems that can compromise data integrity, confidentiality, and availability.

Data Analysis Techniques

Systematic examination of datasets in order to draw conclusions from the information they contain, fundamental in evaluating IT systems and processes.

Data Analysis Tools

Data analysis tools enable auditors to analyze large datasets, create pivot tables, and generate insightful charts and graphs.

Data Backup and Recovery Strategies

Essential ITGC components that mitigate data loss or corruption risks, ensuring data restoration in case of loss.

Data Breaches

The intentional or unintentional release of secure or private/confidential information to an untrusted environment.

Data Governance, Management, & Security

Involves data classification, handling policies, encryption, privacy controls, and auditing data management and governance practices.

Data Integrity

The accuracy and consistency of data stored in a database, data warehouse, or other construct.

Data Integrity Checks

Verifies data remains unchanged during processing.

Data Mining

The practice of examining large databases in order to generate new information.

Data Privacy

The right of individuals to have their personal data secured and used appropriately, including considerations for how data is stored, accessed, and shared.

Descriptive Analysis

This involves summarizing and describing various aspects of data, such as averages, variances, and frequencies. It helps auditors understand the baseline characteristics of the data.

Detection Risk

The risk that the auditors’ procedures will fail to detect an error or fraud within the audit area.

Detective Controls

Controls that identify errors or irregularities after they have occurred.

Diagnostic Analysis

This technique investigates specific issues or anomalies identified during the descriptive analysis. It involves more in-depth exploration to understand the causes of particular patterns or irregularities.

Directive Controls

Controls designed to encourage desirable behavior or outcomes.

Disaster Preparedness

The process of developing plans and capabilities for effective response to catastrophic events that disrupt normal operations.

Duplication Checks

Controls that prevent entering the same information more than once in input and processing stages.

Electronic Data Interchange (EDI) Controls

Ensures accuracy and security in EDI transactions.

Emergency Access Management

Defines who can grant emergency access privileges and under what circumstances, ensuring controlled access during crises.

Encryption Techniques

Methods of converting data into a code to prevent unauthorized access during transaction processing and data storage.

Enterprise Risk Management

A comprehensive strategy for identifying, assessing, and preparing for potential risks at an enterprise level.

Error Prompts

Input control mechanism that alerts users to incorrect data entries immediately.

Error Reporting Mechanisms

Enables reporting of discrepancies in output data.

Ethical Dilemmas

Situations where auditors face challenges in making decisions that align with core ethical principles of their profession.

Evidence-Gathering Techniques

Methods used by auditors to collect evidence, such as inquiry, observation, and analysis.

Exception Reporting

Processing controls that flag transactions falling outside normal parameters.

Excessive Privileges

Involves users having more access rights than necessary, increasing the risk of data breaches and compliance issues.

External Auditors

Independent auditors not employed by the organization, focusing on providing an unbiased opinion on financial statements and internal controls.

Field Checks

Input controls that verify the data type of an input.

Financial Statement Audits

Audits focused on the veracity and completeness of an organization's financial statements.

Firewall

A network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.

Follow-up on Audit Findings

The process of monitoring and reporting on the progress of actions taken in response to audit recommendations, ensuring effective implementation.

Form Checks

Confirm that data is entered in the correct format.

Fraud Detection

Techniques used by auditors to identify fraudulent activities within an organization.

Generalized Audit Software

Allows auditors to perform various data analysis tasks by accessing and analyzing data from different sources and formats, as well as performing data extraction, sorting, comparison, and stratification tasks.

Governance

The framework of rules, practices, and processes by which a firm is directed and controlled, particularly relevant in managing IT resources and strategies.

Governance of Enterprise IT (GEIT)

The integration of IT governance within the broader corporate governance, focusing on aligning IT strategy with business goals and ensuring value delivery from IT investments.

Governance, Risk, and Compliance

An integrated approach that ensures an organization's activities, like managing IT systems, are aligned with its objectives, and are compliant with necessary regulations.

Haphazard Sampling

Haphazard sampling allows auditors to select items without any predetermined pattern or criteria. The selection process relies on auditors' discretion and can involve simply picking items at random or based on convenience.

High-Risk Findings

High-severity findings are severe but may have a more limited impact than critical findings. They still represent a significant risk and require prompt attention.

Inadequate Access Controls

When access controls are weak, unauthorized individuals can gain entry to critical systems and data.

Inadequate Incident Response

Without a well-defined incident response plan and monitoring capabilities, the organization may be unable to detect and respond to security incidents promptly.

Inadequate Monitoring

The lack of oversight in user activities can lead to undetected unauthorized access or security incidents.

Incident Response and Resolution Metrics

These metrics assess the effectiveness of an organization's incident response capabilities.

Ineffective Access Revocation

Risk that arises when access rights are not promptly updated, leading to potential unauthorized use of systems or data.

Ineffective IT Policies and Procedures

Without clearly defined and enforced IT policies and procedures, employees may lack guidance on handling sensitive data, leading to inconsistent and risky practices.

Inefficient Backup and Recovery Controls

Insufficient backup and recovery procedures put the organization at risk of data loss during system failures or disasters.

Information and Communication

The flow of relevant and reliable information regarding IT governance and controls throughout the organization.

Information Security Management

The process of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Information Systems (IS)

An integrated set of components for collecting, storing, processing, and communicating information, including hardware (computers, servers), software (applications, operating systems), data, procedures (policies, practices), and people (users, IT professionals).

Information Systems (IS) Auditing

A specialized branch of auditing focusing on assessing the controls and processes around Information Technology (IT) systems, including hardware, software, data, people, and processes.

Information Technology (IT)

The use of computers, storage, networking, and other physical devices, infrastructure, and processes to create, process, store, secure, and exchange all forms of electronic data.

Inherent Risk

The susceptibility of an audit area to error or fraud before considering any related controls.

Input Authorization

Ensures only authorized personnel enter data.

Input Controls

These controls verify the integrity of data entered into a business application. This data can be entered directly, remotely, or through a web-enabled application or interface.

Inquiry

Inquiry is often the starting point in evidence gathering and involves engaging with personnel to gain insights and information.

Insider Threats

Risks posed by insiders with malicious intent exploiting their legitimate access for harmful purposes.

Inspection

Inspection involves the examination of records, documents, and tangible assets. This could include reviewing contracts, policies, system configurations, and physical verification of assets. Inspection provides concrete evidence and is essential in verifying the existence and accuracy of assets and information.

Insufficient Security Awareness and Training

Employees who lack awareness of cybersecurity best practices and potential risks can unwittingly become targets for social engineering attacks or inadvertently compromise security.

Integrated Audits

Audits that combine IS auditing with other assurance disciplines like financial, operational, and compliance auditing, providing a comprehensive understanding of an organization's risks, controls, and overall performance.

Internal Controls

Processes established within an organization to ensure the reliability of financial reporting, effective operations, and compliance with laws and regulations.

IS Acquisition and Development

Controls related to the acquisition and development of information systems, including evaluating vendor reliability, secure software development practices, and data privacy considerations during development.

IS Audit Charter

A formal document defining the purpose, authority, and responsibility of the IS audit function within an organization.

IS Audit Program

A comprehensive framework outlining the objectives, scope, timing, and direction of IS audits.

IS Audit Strategy

The overall plan that guides how an audit will be conducted, incorporating materiality and audit risk considerations.

IS Auditing Methodologies

The approaches and techniques used in conducting IS audits.

IS Auditing Standards

A collection of recognized guidelines defining the process and implementation of IS audits, developed by expert committees like ISACA.

IS Auditors' Code of Ethical Principles

Fundamental ethical principles guiding IS auditors, focusing on integrity, objectivity, confidentiality, and competency.

IS Change Management Controls

Controls overseeing IT system modifications to ensure smooth, secure, and efficient implementation, addressing risks like unauthorized changes and security breaches.

IS Computer Operations Management

Covers data backup, restoration, system performance monitoring, and compliance reporting. Essential for the smooth and secure operation of IT systems.

IS Security Management

The process of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

IT Asset Management

The process of tracking and managing the physical and software assets of an IT environment.

IT Assurance

The practice of providing confidence to stakeholders that IT is secure, reliable, and efficient.

IT Audit Objectives

The specific goals and outcomes an IT audit is designed to achieve.

IT Audit Planning

The process of determining the focus, objectives, and scope of an IT audit.

IT Audit Techniques

The methods and tools used by auditors to examine and evaluate an organization's IT infrastructure, policies, and operations.

IT Control Environment

The overall system of controls, policies, and procedures that govern the IT infrastructure and operations of an organization.

IT General Controls (ITGCs)

Fundamental controls within information systems ensuring security, integrity, and efficiency. They encompass practices and procedures crucial for the proper functioning and reliability of information systems, mitigating risks like data breaches and compliance issues.

IT Infrastructure

The comprehensive set of hardware, software, networks, facilities, etc., required for the operation, management, and maintenance of an enterprise IT environment.

IT Outsourcing

The use of external service providers to effectively deliver IT-enabled business processes, application services, and infrastructure solutions.

IT Process Optimization

Enhancing the efficiency and effectiveness of IT processes to better support business objectives.

IT Resource Management

The process of managing IT resources effectively, including human resources, infrastructure, and applications.

IT Security Policies

Formalized rules and procedures that dictate how an organization's IT resources and information are managed and protected.

IT Service Management (ITSM)

The implementation and management of quality IT services that meet the needs of the business, typically aligned with ITIL practices.

Judgmental Sampling

Relies on the auditor's experience and knowledge. In situations where certain aspects of the system are deemed more critical, this method allows auditors to target these areas specifically.

Lack of Regular IT Audits

Failing to conduct regular IT audits to assess the effectiveness of controls and identify vulnerabilities can result in prolonged exposure to risks and weaknesses.

Limit Checks

Checks for data exceeding a specific limit.

Logical Access Controls

Restrict processing functions to authorized users.

Low-Risk Findings

Low-severity findings are minor issues with minimal risk or impact. These findings are often more about optimization and minor improvements rather than urgent fixes.

Management Trail

These controls allow management to trace transactions and events from their inception to their final output and vice versa.

Materiality

The significance of an omission or misstatement of information that could influence the economic decisions of users.

Medium-Risk Findings

Medium-severity findings are concerns that have a moderate impact and risk level. These issues are important, but action on them may take time.

Monitoring

Regular review and assessment of the IT governance framework to ensure its effectiveness and relevance.

Multi-Factor Authentication (MFA)

An authentication method that requires users to provide multiple verification factors, improving access security.

Network Performance and Traffic Metrics

Monitoring network performance and traffic is vital for companies with extensive network infrastructures.

Network Security

Part of ITGCs ensuring data confidentiality, integrity, and availability through controls like firewall management and intrusion detection systems.

New User Access Management

Part of user access administration, involves creating user accounts and establishing authentication mechanisms for new users.

Non-Statistical Sampling

Sampling methods based on auditors' judgment without the use of statistical theory.

Observation

Observation is another fundamental technique, where the IS auditors observe processes, operations, and activities to understand how systems and controls are implemented and functioning.

Operational Audits

Type of audit that focuses on the efficiency and effectiveness of an organization's operations, particularly IT processes.

Operational Risk

The risk of loss resulting from inadequate or failed internal processes, people, and systems, or external events in IT.

Output Controls

These controls focus on processing the data and aim to validate the output by comparing it with the expected outcome, ensuring that the results align with the original input.

Output Distribution Controls

Output controls that manage who receives output data.

Output Encryption

Protects data integrity and confidentiality during transmission.

Output Formatting Controls

Ensures output data is presented in a consistent and understandable format.

Password Management Control

Implements robust password policies and procedures to ensure user passwords are secure and updated regularly.

Performance Measurement

The use of various metrics to measure the efficiency and effectiveness of IT processes and controls.

Performance Metrics Reporting

Communicating key performance indicators related to the audit subject matter.

Periodic Access Reviews

Regular examinations of user access privileges to maintain appropriate access levels and security.

Periodic Access Rights Reviews

Regular examinations of user access privileges to maintain appropriate access levels and security.

Poor Change Management Controls

When change management processes are deficient, the organization has difficulty tracking and regulating system modifications.

Post-Audit Feedback

Gathering and analyzing responses from stakeholders regarding the audit process and findings.

Post-Implementation Review Control

Conducts thorough reviews of changes after implementation to evaluate effectiveness and identify lessons learned.

Predictive Analysis

Leveraging statistical models and forecasting techniques, predictive analysis helps auditors anticipate potential future risks or issues based on historical data trends.

Preformatted Screens

Guides data entry with a specific layout.

Prescriptive Analysis

This advanced form of analysis suggests possible courses of action. It helps in decision-making by evaluating the potential impact of different decisions or actions.

Preventative Controls

Controls designed to prevent errors or irregularities from occurring.

Principle of Confidentiality

A mandate for auditors to safeguard sensitive information and use it only for legitimate business purposes.

Principle of Integrity

Demands the highest level of professional integrity in IS Auditors' work, encompassing honesty, fairness, and impartiality.

Printout Management

Secure handling and disposal of printed reports.

Privileged User Access Management

Manages access for users with elevated access rights, implementing strict controls and continuous monitoring.

Processing Controls

These controls are designed to verify that the processing of the input data is complete, accurate, and authorized in a timely manner.

Processing Limits

Sets thresholds for transaction processing.

Professional Behaviour

Conducting oneself consistently with the profession's good reputation, complying with relevant laws and regulations.

Professional Skepticism

An attitude of questioning and critical assessment of evidence and representations made during an audit.

Program Control Objectives

Objectives related to the development and running of computer programs.

Project Management Control

Applies project management principles to effectively oversee development or acquisition processes.

Qualitative Analysis

The process of examining non-numerical data to understand its qualities, characteristics, and meanings.

Quality Assurance

Systematic processes and practices to verify that audit activities meet established standards, guidelines, and regulatory requirements.

Quantitative Analysis

The process of examining numerical data, using statistical tools to interpret its significance.

Random Sampling

Random sampling stands on the principle of equal chance, where every item in the population is equally likely to be selected, ensuring a bias-free approach.

Range Checks

Input controls that ensure data falls within a predefined range.

Reconciliation Procedures

Processing controls that match processed data with source documents.

Regulatory Compliance

Adherence to laws, regulations, guidelines, and specifications relevant to an organization's business processes.

Regulatory Compliance in IT

Adherence to laws, regulations, and guidelines specific to IT operations within an organization.

Reperformance

Reperformance is a technique where the auditor independently executes procedures or controls to validate their effectiveness. This includes recalculating financial figures or reprocessing transactions.

Reporting on Follow-up Activities

Communicating the progress and outcomes of follow-up actions taken after an IS audit, ensuring transparency and accountability.

Response to Cybersecurity Incidents

The process by which an organization handles a data breach or cyberattack.

Risk Appetite

The level of risk an organization is willing to accept in pursuit of its objectives.

Risk Assessment

The process of identifying, analyzing, and evaluating risks inherent in information systems.

Risk Identification

The process of identifying potential risks that could affect an organization's IT operations.

Risk Management

The process of identifying, assessing, and controlling threats to an organization's capital and earnings, which includes IT-related risks.

Risk Mitigation Strategies

The actions taken to manage and reduce the impact of risks on an organization’s IT environment.

Risk Optimization

The process of managing IT-related risks in alignment with the organization’s broader risk management strategy.

Risk-Based Approach to IS Auditing

An approach focusing on areas with the highest risk and impact to efficiently allocate resources in auditing.

Role-Based Access Control (RBAC)

A method of assigning access rights based on the user's role within the organization, enhancing security and efficiency.

Sampling Errors

Errors that occur when the selected sample does not accurately represent the entire population.

Scripting Languages

Languages that offer the flexibility to write custom scripts for specific audit tasks, such as data scraping, log analysis, or custom data analytics.

Security and Compliance Control

In ITGCs, aims to ensure newly developed systems are secure and compliant with relevant laws and regulations.

Security Metrics

Quantitative indicators used to assess the effectiveness of an organization's cybersecurity measures.

Security Vulnerabilities in IS

Risks in IS acquisition and development, including weaknesses that expose the organization to cyber threats.

Segregation of Duties (SoD)

A fundamental control principle that prevents error and fraud by ensuring that no single individual has control over all aspects of any significant transaction.

Segregation of Duties (SoD) Failures

Weak SoD controls can result in conflicts of interest and the potential for fraud or errors in financial reporting.

Severity Classification of Findings

The process of categorizing audit findings as critical, high, medium, or low based on impact and likelihood, guiding the formulation of recommendations and risk management.

Specialized Tools

Tools designed for specific audit areas, such as vulnerability scanning, network traffic analysis, or database security testing.

Stakeholder Engagement

The process of involving those impacted by the audit in various stages of the audit process.

Statistical Sampling

Sampling methods based on probability theory, used to provide a quantifiable measure of sampling risk.

Stratified Sampling

Stratified sampling enhances audit efficiency by dividing the population into subgroups, or strata. It is particularly effective with heterogeneous populations because it ensures that each stratum is adequately represented in the sample, providing a more accurate view of the entire population.

Substantive Testing

Testing for the actual existence of a financial statement item to ensure its validity and correctness.

Sufficiency

The measure of the quantity of audit evidence. It refers to the amount of evidence gathered by an auditor to form a reasonable basis for an opinion regarding an entity's financial statements.

Sufficiency of Audit Evidence

The measure of the quantity of audit evidence. It refers to the amount of evidence gathered by an auditor to form a reasonable basis for an opinion regarding an entity's financial statements.

System Audit Trails

Records that provide a traceable path of a transaction through the information system for review and auditing.

System Security

Protecting information systems from unauthorized access or modification to ensure confidentiality, integrity, and availability.

Systematic Sampling

A sampling method in which an interval (i) is first calculated as the population size divided by the sample size, one item is randomly selected from the first interval, and every ith item thereafter is selected, so that exactly one item is drawn from each interval.
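
The three sampling methods defined in this glossary (random, stratified and systematic), as an added example in Python that is not part of the book. The population of 40 transactions, the business units used as strata and the fixed seed are constructed for the example; the seed is what makes the selection reproducible, so a reviewer can re-perform the auditor's sample selection.

```python
import random
from collections import defaultdict

# Constructed population for the example (not data from the book): 40
# transactions, each with an amount and the business unit it belongs to.
POPULATION = [
    {"id": f"TX{n:03d}", "unit": ("Sales", "Payroll", "Procurement")[n % 3], "amount": 100 * (n + 1)}
    for n in range(40)
]


def random_sample(population, n, seed=1):
    """Simple random sampling: every item has the same chance of selection.
    The fixed seed makes the draw reproducible for re-performance."""
    return random.Random(seed).sample(population, n)


def systematic_sample(population, n, seed=1):
    """Systematic sampling: interval i = N // n, a random start within the
    first interval, then every i-th item until n items are selected."""
    if not 0 < n <= len(population):
        raise ValueError("sample size must be between 1 and the population size")
    interval = len(population) // n
    start = random.Random(seed).randrange(interval)
    return [population[start + k * interval] for k in range(n)]


def stratified_sample(population, n, key, seed=1):
    """Stratified sampling with proportional allocation: split the population
    into strata by `key`, then draw from each stratum in proportion to its
    size so every stratum is represented. The last stratum absorbs the
    rounding remainder so the total is n wherever the strata allow it."""
    strata = defaultdict(list)
    for item in population:
        strata[key(item)].append(item)
    rng = random.Random(seed)
    names = sorted(strata)
    sample, allocated = [], 0
    for idx, name in enumerate(names):
        items = strata[name]
        if idx == len(names) - 1:
            k = max(0, n - allocated)
        else:
            k = round(n * len(items) / len(population))
        k = min(k, len(items))
        sample.extend(rng.sample(items, k))
        allocated += k
    return sample


def counts_by(sample, key):
    """Count sampled items per stratum, to confirm each stratum is represented."""
    counts = defaultdict(int)
    for item in sample:
        counts[key(item)] += 1
    return dict(counts)


if __name__ == "__main__":
    by_unit = lambda t: t["unit"]
    print("random:    ", [t["id"] for t in random_sample(POPULATION, 8)])
    print("systematic:", [t["id"] for t in systematic_sample(POPULATION, 8)])
    print("stratified:", counts_by(stratified_sample(POPULATION, 12, by_unit), by_unit))
```

With 40 items and a sample of 8, the systematic interval is 5, so the selected ids are 5 apart starting from a random position in the first five; the stratified draw of 12 allocates 4 items to each of the three units because the strata are nearly equal in size.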

Terminated User Access Management

In user access administration, involves swiftly revoking access when employees depart or no longer require access.

Timeliness Controls

Ensures output data is generated and distributed promptly.

Transaction Logs

Records that document the details of each transaction processed, used for tracking and verification purposes.

Transaction Matching

Ensures related transactions are correctly matched.

Transactional Totals

Summarizes numerical data for verification.

Transferred User Access Management

Adjusts user access privileges to align with new responsibilities or departmental changes.

Unauthorized Access

Occurs when individuals access systems or data they are not permitted to, leading to potential security breaches.

User Access De-Provisioning Control

Focuses on the secure and timely removal of access rights for individuals whose roles change or who depart the organization.

User Access Logs for Output Retrieval

Tracks who retrieves output data.

User Access Provisioning

The process of granting access rights to new or transferred employees, ensuring alignment with job functions.
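
The user access review procedure that the entries on periodic access reviews, segregation of duties, terminated and transferred user access management, de-provisioning and provisioning describe, as an added example in Python that is not part of the book. The HR roster, role-to-entitlement mapping, account extract and SoD conflict pairs are constructed for the example; the three checks find accounts whose owner has left or is unknown to HR, entitlements retained beyond the current role, and single accounts holding a conflicting pair.

```python
# Constructed data for the example (not from the book): an HR roster, the
# entitlements each role should carry, the accounts found on the system and
# the entitlement pairs that conflict under segregation of duties.
HR_ROSTER = {
    "e100": {"name": "A. Lee", "status": "active", "role": "AP Clerk"},
    "e101": {"name": "B. Ortiz", "status": "terminated", "role": "AP Clerk"},
    "e102": {"name": "C. Novak", "status": "active", "role": "Sales Rep"},   # transferred out of AP
    "e103": {"name": "D. Kaur", "status": "active", "role": "AP Manager"},
}

ROLE_ENTITLEMENTS = {
    "AP Clerk": {"create_vendor", "enter_invoice"},
    "AP Manager": {"approve_payment", "view_reports"},
    "Sales Rep": {"view_reports"},
}

ACCOUNTS = [
    {"user": "e100", "enabled": True, "entitlements": {"create_vendor", "enter_invoice"}},
    {"user": "e101", "enabled": True, "entitlements": {"enter_invoice"}},                 # left, never disabled
    {"user": "e102", "enabled": True, "entitlements": {"view_reports", "create_vendor"}},  # kept AP right after transfer
    {"user": "e103", "enabled": True, "entitlements": {"approve_payment", "create_vendor"}},  # can create and pay a vendor
    {"user": "svc_report", "enabled": True, "entitlements": {"view_reports"}},             # no owner in HR
]

SOD_CONFLICTS = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
]


def orphaned_accounts(accounts, roster):
    """Enabled accounts whose owner is terminated or unknown to HR: the
    de-provisioning failures a periodic access review should catch."""
    return sorted(
        a["user"] for a in accounts
        if a["enabled"] and roster.get(a["user"], {}).get("status") != "active"
    )


def excess_entitlements(accounts, roster, role_map):
    """Entitlements an active user holds beyond what the current HR role
    grants; a transferred user who kept old rights shows up here."""
    excess = {}
    for a in accounts:
        person = roster.get(a["user"])
        if not person or person["status"] != "active":
            continue  # reported by orphaned_accounts instead
        extra = a["entitlements"] - role_map.get(person["role"], set())
        if extra:
            excess[a["user"]] = extra
    return excess


def sod_violations(accounts, conflicts):
    """Accounts holding every entitlement of a conflicting pair, so one
    person could complete incompatible steps of a transaction alone."""
    return sorted(
        (a["user"], tuple(sorted(pair)))
        for a in accounts
        for pair in conflicts
        if pair <= a["entitlements"]
    )


def access_review(accounts=ACCOUNTS, roster=HR_ROSTER,
                  role_map=ROLE_ENTITLEMENTS, conflicts=SOD_CONFLICTS):
    """Run the three checks and return the findings for the review."""
    return {
        "orphaned": orphaned_accounts(accounts, roster),
        "excess": excess_entitlements(accounts, roster, role_map),
        "sod": sod_violations(accounts, conflicts),
    }


if __name__ == "__main__":
    for kind, findings in access_review().items():
        print(f"{kind}: {findings}")
```

The review compares the system's account extract against an independent source (the HR roster and the role design) rather than against the system's own records, which is what lets it surface the terminated user, the service account with no owner, the transferred user's leftover entitlement and the manager who can both create a vendor and approve its payment.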

Validity Checks

Input controls that verify data against predefined validity criteria, such as a set of permitted values or a required format.
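
The input and processing controls defined in this glossary (range checks, validity checks, processing limits, transactional totals and reconciliation procedures) applied to one batch of transactions, as an added example in Python that is not part of the book. The valid account codes, amount range, batch limit, header totals and records are constructed for the example; the header carries the totals the submitting department claims, and the reconciliation recomputes them from what was actually received.

```python
from decimal import Decimal

# Constructed control parameters and batch for the example (not from the book).
VALID_ACCOUNT_CODES = {"4000", "5000", "6100"}          # validity check: permitted codes
AMOUNT_RANGE = (Decimal("0.01"), Decimal("50000.00"))   # range check: per-transaction bounds
BATCH_PROCESSING_LIMIT = Decimal("100000.00")           # processing limit: per-batch ceiling

# Totals claimed by the submitter; the amount total was miskeyed.
BATCH_HEADER = {"record_count": 4, "hash_total": 4010, "amount_total": Decimal("1750.00")}

RECORDS = [
    {"ref": 1001, "account": "4000", "amount": Decimal("250.00")},
    {"ref": 1002, "account": "5000", "amount": Decimal("1200.00")},
    {"ref": 1003, "account": "9999", "amount": Decimal("300.00")},   # code not in the valid set
    {"ref": 1004, "account": "6100", "amount": Decimal("-10.00")},   # amount outside the range
]


def check_record(rec):
    """Input controls applied to one record; returns the names of failed checks."""
    failed = []
    if rec["account"] not in VALID_ACCOUNT_CODES:
        failed.append("validity_check")
    low, high = AMOUNT_RANGE
    if not low <= rec["amount"] <= high:
        failed.append("range_check")
    return failed


def batch_totals(records):
    """Control totals recomputed from the records received: a record count,
    a hash total (sum of reference numbers, meaningful only as a control)
    and the transactional amount total."""
    return {
        "record_count": len(records),
        "hash_total": sum(r["ref"] for r in records),
        "amount_total": sum((r["amount"] for r in records), Decimal("0.00")),
    }


def reconcile_batch(header, records):
    """Reconciliation procedure: compare the header totals with the
    recomputed totals and report every field that disagrees, plus a
    processing-limit breach if the batch value exceeds the ceiling."""
    actual = batch_totals(records)
    exceptions = {}
    for field in ("record_count", "hash_total", "amount_total"):
        if header[field] != actual[field]:
            exceptions[field] = {"header": header[field], "actual": actual[field]}
    if actual["amount_total"] > BATCH_PROCESSING_LIMIT:
        exceptions["processing_limit"] = {"limit": BATCH_PROCESSING_LIMIT,
                                          "actual": actual["amount_total"]}
    return exceptions


if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["ref"], check_record(rec) or "ok")
    print("batch exceptions:", reconcile_batch(BATCH_HEADER, RECORDS))
```

Amounts are held as Decimal rather than float so that the recomputed total agrees exactly with the header when the data are correct; with float arithmetic a reconciliation can report spurious differences of a fraction of a cent. Here the record count and hash total agree, the amount total does not (1740.00 received against 1750.00 claimed), and two individual records fail input controls.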

Vendor Risk Management

Processes included in ITGCs to mitigate risks arising from reliance on third-party vendors for IT services and products.

Version Control

Manages updates to the software to ensure consistency.

Vulnerabilities

Weaknesses in a system that could be exploited to compromise it. Vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) these weaknesses.

License


Auditing Information Systems Copyright © 2024 by Amit M. Mehta is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.