Audit plan
Working methodology
Key policies
Glossary
Consultancy
Past reviews
Training

Glossary

This glossary is provided by the Institute of Internal Auditors and provide clarification of terms used in the Internal Audit profession.

Add Value

Value is provided by improving opportunities to achieve organizational objectives, identifying
operational improvement, and/or reducing risk exposure through both assurance and consulting
services.

Adequate Control

Present if management has planned and organized (designed) in a manner that provides
reasonable assurance that the organization’s risks have been managed effectively and that the
organization’s goals and objectives will be achieved efficiently and economically.

Assurance Services


An objective examination of evidence for the purpose of providing an independent assessment
on governance, risk management, and control processes for the organization. Examples may
include financial, performance, compliance, system security, and due diligence engagements.

Board


A board is an organization’s governing body, such as a board of directors, supervisory board,
head of an agency or legislative body, board of governors or trustees of a nonprofit
organization, or any other designated body of the organization, including the audit committee to
whom the chief audit executive may functionally report.

Charter


The internal audit charter is a formal document that defines the internal audit activity’s purpose,
authority, and responsibility. The internal audit charter establishes the internal audit activity’s
position within the organization; authorizes access to records, personnel, and physical
properties relevant to the performance of engagements; and defines the scope of internal audit
activities.

Chief Audit Executive


Chief audit executive is a senior position within the organization responsible for internal audit
activities. Normally, this would be the internal audit director. In the case where internal audit
activities are obtained from external service providers, the chief audit executive is the person
responsible for overseeing the service contract and the overall quality assurance of these
activities, reporting to senior management and the board regarding internal audit activities, and
follow-up of engagement results. The term also includes titles such as general auditor, head of
internal audit, chief internal auditor, and inspector general.

Code of Ethics


The Code of Ethics of The Institute of Internal Auditors (IIA) are Principles relevant to the
profession and practice of internal auditing, and Rules of Conduct that describe behavior
expected of internal auditors. The Code of Ethics applies to both parties and entities that
provide internal audit services. The purpose of the Code of Ethics is to promote an ethical
culture in the global profession of internal auditing.

Compliance


Adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.

Conflict of Interest


Any relationship that is, or appears to be, not in the best interest of the organization. A conflict of
interest would prejudice an individual’s ability to perform his or her duties and responsibilities
objectively.

Consulting Services


Advisory and related client service activities, the nature and scope of which are agreed with the
client, are intended to add value and improve an organization’s governance, risk management,
and control processes without the internal auditor assuming management responsibility.
Examples include counsel, advice, facilitation, and training.

Control


Any action taken by management, the board, and other parties to manage risk and increase the
likelihood that established objectives and goals will be achieved. Management plans, organizes,
and directs the performance of sufficient actions to provide reasonable assurance that
objectives and goals will be achieved.

Control Environment


The attitude and actions of the board and management regarding the significance of control
within the organization. The control environment provides the discipline and structure for the
achievement of the primary objectives of the system of internal control. The control environment
includes the following elements:

  • Integrity and ethical values.
  • Management’s philosophy and operating style.
  • Organizational structure.
  • Assignment of authority and responsibility.
  • Human resource policies and practices.
  • Competence of personnel.

Control Processes

The policies, procedures, and activities that are part of a control framework, designed to ensure
that risks are contained within the risk tolerances established by the risk management process.

Engagement


A specific internal audit assignment, task, or review activity, such as an internal audit, control
self-assessment review, fraud examination, or consultancy. An engagement may include
multiple tasks or activities designed to accomplish a specific set of related objectives.

Engagement Objectives


Broad statements developed by internal auditors that define intended engagement
accomplishments.

Engagement Work Program


A document that lists the procedures to be followed during an engagement, designed to achieve
the engagement plan.

External Service Provider


A person or firm outside of the organization that has special knowledge, skill, and experience in
a particular discipline.

Fraud


Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not
dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and
organizations to obtain money, property, or services; to avoid payment or loss of services; or to
secure personal or business advantage.

Governance


The combination of processes and structures implemented by the board to inform, direct,
manage, and monitor the activities of the organization toward the achievement of its objectives.

Impairment


Impairment to organizational independence and individual objectivity may include personal
conflict of interest, scope limitations, restrictions on access to records, personnel, and
properties, and resource limitations (funding).

Independence


The freedom from conditions that threaten objectivity or the appearance of objectivity. Such
threats to objectivity must be managed at the individual auditor, engagement, functional, and
organizational levels.

Information Technology Controls


Controls that support business management and governance as well as provide general and
technical controls over information technology infrastructures such as applications, information,
infrastructure, and people.

Information Technology Governance

Consists of the leadership, organizational structures, and processes that ensure that the
enterprise’s information technology sustains and supports the organization’s strategies and
objectives.

Internal Audit Activity


A department, division, team of consultants, or other practitioner(s) that provides independent,
objective assurance and consulting services designed to add value and improve an
organization’s operations. The internal audit activity helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of governance, risk management and control processes.

International Professional Practices Framework


The conceptual framework that organizes the authoritative guidance promulgated by The IIA.
Authoritative Guidance is comprised of two categories – (1) mandatory and (2) strongly
recommended.

Must


The Standards use the word “must” to specify an unconditional requirement.

Objectivity
An unbiased mental attitude that allows internal auditors to perform engagements in such a
manner that they have an honest belief in their work product and that no significant quality
compromises are made. Objectivity requires internal auditors not to subordinate their judgment
on audit matters to others.

Residual Risk


The risk remaining after management takes action to reduce the impact and likelihood of an
adverse event, including control activities in responding to a risk.

Risk


The possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.

Risk Appetite


The level of risk that an organization is willing to accept.

Risk Management


A process to identify, assess, manage, and control potential events or situations to provide
reasonable assurance regarding the achievement of the organization’s objectives.

Should


The Standards use the word “should” where conformance is expected unless, when applying
professional judgment, circumstances justify deviation.

Significance


The relative importance of a matter within the context in which it is being considered, including
quantitative and qualitative factors, such as magnitude, nature, effect, relevance, and impact.
Professional judgment assists internal auditors when evaluating the significance of matters
within the context of the relevant objectives.

Standard


A professional pronouncement promulgated by the Internal Audit Standards Board that
delineates the requirements for performing a broad range of internal audit activities, and for
evaluating internal audit performance.

Technology-based Audit Techniques


Any automated audit tool, such as generalized audit software, test data generators,
computerized audit programs, specialized audit utilities, and computer-assisted audit techniques
(CAATs).