AuditNet® Glossary of Audit Terms
Appearance
the act of giving the idea or impression of being or doing something.
Application Acquisition Review
an evaluation of an application system considered for acquisition, which
considers such matters as: appropriate controls are designed into the
system; the application will process information in a complete, accurate
and reliable manner; the application will function as intended; the
application will function in compliance with any applicable statutory
provisions; the system is acquired in compliance with the established
system acquisition process.
Application Controls
these relate to the transactions and standing data appertaining to each
computer-based application system and are therefore specific to each such
application. The objectives of application controls, which may be manual
or programmed, are to ensure the completeness and accuracy of the records
and the validity of the entries made therein resulting from both manual
and programmed processing. Examples of application controls include data
input validation, agreement of batch totals, encryption of data
transmitted, etc.
Application Development Review
an evaluation of an application system under development, which
considers matters such as: appropriate controls are designed into the
system; the application will process information in a complete, accurate
and reliable manner; the application will function as intended; the
application will function in compliance with any applicable statutory
provisions; the system is developed in compliance with the established
systems development process.
Application Implementation Review
an evaluation of any part of an implementation project (e.g. project
management, test plans, user acceptance testing procedures, etc.).
Application Software Tracing and Mapping
specialized tools that can be used to analyze the flow of data through
the processing logic of the application software and document the logic,
paths, control conditions, and processing sequences. Both the command
language or job control statements and programming language can be
analyzed. This technique includes program/system: mapping, tracing,
snapshots, parallel simulations, and code comparisons.
Applications System
an integrated set of computer programs designed to serve a particular
function that has specific input, processing and output activities (e.g.,
general ledger, manufacturing resource planning, human resource
management).
Application Upgrade Review
an evaluation of any part of an upgrade project (e.g. project
management, test plans, user acceptance testing procedures, etc.).
Attitude
way of thinking, behaving, feeling, etc.
Audit Accountability
performance measurement of service delivery including cost, timeliness
and quality against agreed service levels.
Audit Authority
a statement of the position within the organization, including lines of
reporting and the rights of access.
Audit Evidence
the Information Systems Auditor (IS Auditor) gathers information in the
course of performing an IS audit. The information used by the IS Auditor
to meet audit objectives is referred to as audit evidence (evidence).
Audit Expert Systems
expert or decision support systems that can be used to assist IS
Auditors in the decision-making process by automating the knowledge of
experts in the field. This technique includes automated risk analysis,
system software, and control objectives software packages.
Audit Program
a series of steps to achieve an audit objective.
Audit Responsibility
the roles, scope and objectives documented in the service level
agreement between management and audit.
Audit Sampling
the application of audit procedures to less than 100% of the items
within a population to obtain audit evidence about a particular
characteristic of the population.
CAATs (Computer Assisted Audit Techniques)
any automated audit techniques, such as generalized audit software,
utility software, test data, application software tracing and mapping, and
audit expert systems.
Cadbury
the Committee on the Financial Aspects of Corporate Governance, set up
in May 1991 by the UK Financial Reporting Council, the London Stock
Exchange and the UK accountancy profession, was chaired by Sir Adrian
Cadbury and produced a report on the subject commonly known, in the UK, as
the Cadbury Report.
COBIT™
Control Objectives for Information and related Technology, the
international set of IT control objectives published by ISACF, © 1998,
1996.
COCO
Criteria Of Control, published by the Canadian Institute of Chartered
Accountants in 1995.
Computer Assisted Audit Techniques
see CAATs.
Corporate Governance
the system by which organizations are directed and controlled. Boards of
directors are responsible for the governance of their organization.
(Source: The Cadbury Report)
COSO
the Committee of Sponsoring Organizations of the Treadway Commission
produced the "Internal Control - Integrated Framework" report in
1992, commonly known as the COSO Report.
Detailed IS Controls
controls over the acquisition, implementation, delivery and support of
IS systems and services. Examples include controls over the implementation
of software packages, system security parameters, disaster recovery
planning, data input validation, exception report production, locking of
user accounts after invalid attempts to access them, etc. Application
controls are a subset of detailed IS controls. Data input validation for
example, is both a detailed IS control and an application control.
Installing and accrediting systems (AI5) is a detailed IS control, but not
an application control.
Due Care
diligence which a person would exercise under a given set of
circumstances.
Due Professional Care
diligence which a person, who possesses a special skill, would exercise
under a given set of circumstances.
Embedded Audit Module
integral part of an application system that is designed to identify and
report specific transactions or other information based on pre-determined
criteria. Identification of reportable items occurs as part of real-time
processing. Reporting may be real-time on-line, or may use store and
forward methods. Also known as Integrated Test Facility or Continuous
Auditing Module.
Error
control deviations (compliance testing) or misstatements (substantive
procedures).
General Controls
controls, other than application controls, which relate to the
environment within which computer-based application systems are developed,
maintained and operated, and which are therefore applicable to all the
applications. The objectives of general controls are to ensure the proper
development and implementation of applications, and the integrity of
program and data files and of computer operations. Like application
controls, general controls may be either manual or programmed. Examples of
general controls include the development and implementation of an IS
strategy and an IS security policy, the organization of IS staff to
separate conflicting duties and planning for disaster prevention and
recovery.
Generalized Audit Software
a computer program or series of programs designed to perform certain
automated functions. These functions include reading computer files,
selecting data, manipulating data, sorting data, summarizing data,
performing calculations, selecting samples, and printing reports or
letters in a format specified by the IS Auditor. This technique includes
software acquired or written for audit purposes and software embedded in
production systems.
Independence
self-governance, freedom from conflict of interest and undue influence.
The IS Auditor should be free to make his/her own decisions, not
influenced by the organization being audited and its people (managers and
employers).
Independent Appearance
the outward impression of being self-governing and free from conflict of
interest and undue influence.
Independent Attitude
impartial point of view which allows the auditor to act objectively and
with fairness.
Internal Control
"The policies, procedures, practices and organizational structures,
designed to provide reasonable assurance that business objectives will be
achieved and that undesired events will be prevented or detected and
corrected." (Source: COBIT Framework).
Irregularities
intentional violations of established management policy or deliberate
misstatements or omissions of information concerning the area under audit
or the organization as a whole.
Materiality
an expression of the relative significance or importance of a particular
matter in the context of the organization as a whole.
Objectivity
the ability to exercise judgment, express opinions and present
recommendations with impartiality.
Outsourcing
a formal agreement with a third party to perform an IS function for an
organization.
Pervasive IS Controls
those general controls which are designed to manage and monitor the IS
environment and which therefore affect all IS-related activities. Examples
include controls over IS processes defined in COBIT's Planning and
Organization domain and Monitoring domain, e.g. "PO1 - Define a
strategic plan", "M1 - Monitor the processes", etc.
Pervasive IS controls are a subset of general controls, being those
general controls which focus on the management and monitoring of IS.
Population
the entire set of data from which a sample is selected and about which
the IS Auditor wishes to draw conclusions.
Professional Competence
proven level of ability, often linked to qualifications issued by
relevant professional bodies and compliance with their codes of practice
and standards.
Project Team
group of people responsible for a project, whose terms of reference may
include the development, acquisition, implementation or upgrade of an
application system. The team members may include line management,
operational line staff, external contractors and IS Auditors.
Reasonable Assurance
a level of comfort short of a guarantee but considered adequate given
the costs of the control and the likely benefits achieved.
Relevant Audit Evidence
audit evidence is relevant if it pertains to the audit objectives and
has a logical relationship to the findings and conclusions it is used to
support.
Reliable Audit Evidence
audit evidence is reliable if, in the IS Auditor's opinion, it is valid,
factual, objective and supportable.
Sampling Risk
the probability that the IS Auditor has reached an incorrect conclusion
because an audit sample rather than the whole population was tested. While
sampling risk can be reduced to an acceptably low level by using an
appropriate sample size and selection method, it can never be eliminated.
Service Level Agreement (SLA)
defined minimum performance measures at or above which the service
delivered is considered acceptable.
Service Provider
the organization providing the outsourced service.
Service User
the organization using the outsourced service.
Sufficient Audit Evidence
audit evidence is sufficient if it is adequate, convincing and would
lead another IS Auditor to form the same conclusions.
Systems Acquisition Process
the procedures established to purchase application software, including
evaluation of the supplier's financial stability, track record, resources
and references from existing customers.
Systems Development Process
an approach used to plan, design, develop, test and implement an
application system or a major modification to an application system.
Test Data
simulated transactions that can be used to test processing logic,
computations and controls actually programmed in computer applications.
Individual programs or an entire system can be tested. This technique
includes Integrated Test Facilities (ITFs) and Base Case System
Evaluations (BCSEs).
Useful Audit Evidence
audit evidence is useful if it assists the IS Auditors in meeting their
audit objectives.
Utility Software
computer programs provided by a computer hardware manufacturer or
software vendor and used in running the system. This technique can be used
to examine processing activity, test programs and system activities and
operational procedures, evaluate data file activity, and analyze job
accounting data.