
Internal Audit

Terminology
Glossary of Terms

Prepared by: Sharifa A Qatter


Activity Reports
Activity Reports of the Internal Audit department highlight significant audit findings
and recommendations and inform senior management and the board of any
significant deviations from approved audit work schedules, staffing plans, and
financial budgets, and the reasons for them.
Add Value
Organizations exist to create value or benefit to their owners, other stakeholders,
customers, and clients. This concept provides purpose for their existence. Value is
provided through their development of products and services and their use of
resources to promote those products and services. In the process of gathering data to
understand and assess risk, internal auditors develop significant insight into
operations and opportunities for improvement that can be extremely beneficial to
their organization. This valuable information can be in the form of consultation,
advice, written communications, or through other products all of which should be
properly communicated to the appropriate management or operating personnel.
Adequate Control
Adequate Control is present if management has planned and organized (designed) in
a manner which provides reasonable assurance that the organization's objectives and
goals will be achieved efficiently and economically.

Analytical Review
Analytical review includes the examination of ratios, trends and changes in balances
and other values between periods to obtain a broad understanding of the
Organization’s financial or operational position and identify areas that may require
further or closer investigation. Usually, this technique is used when planning the
scope of audit assignments.
Appreciation
It means the ability to recognize the existence of problems or potential problems and
to determine the further research to be undertaken or the assistance to be obtained.
Assurance Services
An objective examination of evidence for the purpose of providing an independent
assessment on risk management, control, or governance processes for the
organization. Examples may include financial, performance, compliance, system
security, and due diligence engagements.
Audit Objectives
Audit Objectives are broad statements developed by internal auditors and define
intended audit accomplishments. Audit objectives are accomplished in accordance
with the Institute of Internal Auditors' (IIA) Code of Ethics and the International
Standards for the Professional Practice of Internal Auditing.
Auditee
Auditee is any individual, unit, or activity of the organization that is under audit.
Audit Procedures
These are the tasks the Internal Auditor undertakes for collecting, analyzing,
interpreting, and documenting information during an audit. Audit procedures are the
means to attain audit objectives.
Audit Program
It is a document which lists the audit procedures to be followed during an audit. The
audit program also states the objectives of the audit.
Audit Report
Audit report is a signed, written document which presents the purpose, scope, and
results of the audit. Results of the audit may include findings, conclusions
(opinions), and recommendations.

Audit Risk
It is the risk that an auditor may arrive at the wrong conclusions and opinions of the
work that they have undertaken. Audit risk is calculated by formula:
AR = IR x CR x DR
Where, AR = Audit Risk, IR = Inherent Risk, CR = Control Risk and DR =
Detection Risk.
Audit Scope
The audit scope refers to the activities covered by an Internal Audit. Audit scope
includes, where appropriate: 
§Audit objectives
§Nature and extent of Audit procedures performed
§Time period audited
§Related activities not audited in order to delineate the boundaries of the audit
Audit Work Schedules
Such schedules include:
§What activities are to be audited
§When they will be audited
§The estimated time required taking into account the scope of the audit work
planned and the nature and extent of audit work performed by others

Audit Working Papers
They record the information obtained, the analyses made, and conclusions reached
during an audit. Audit working papers support the bases for the findings and
recommendations to be reported.
Auditable Activities
Such activities consist of those subjects, units, or systems which are capable of being
defined and evaluated. Auditable activities may include:
§Policies, procedures, and practices
§Cost centers, profit centers, and investment centers
§General ledger account balances
§Information systems (manual and computerized)
§Major contracts and programs
§Organization units such as product or service lines
§Functions such as electronic data processing, purchasing, marketing, production,
finance, accounting, and human resources
§Financial statements
§Laws and regulations

Authorizing
Authorizing includes initiating or granting permission to perform activities or
transactions. In other words, the authorizing authority verifies and validates that the
activity or transaction conforms with established policies and procedures.

Behavioral Risk
It means risk associated with productivity loss (poor management practices or poor
work environment, under-utilizing human assets, poor leadership, favoritism),
dysfunctional workplaces, and opportunity cost (making less-than-optimum decisions
about human asset - people, knowledge and skills - acquisition and disposition).

Business Risk
Business risk is a concept used by auditors and managers to express concerns about
the probable material effects of an uncertain environment on achieving established
objectives.

Cause
Cause is the reason for the difference between the expected and actual conditions
(why the difference exists).

Charter
Charter of the Internal Audit department is a formal written document which defines
the department’s purpose, authority, and responsibility. The charter should:
§Establish the department's position within the organization
§Authorize access to records, personnel, and physical properties relevant to the
performance of audits
§Define the scope of Internal Audit activities

Code of Ethics
The Institute of Internal Auditors (IIA) Code of Ethics sets forth standards of
conduct for Members of The IIA and Certified Internal Auditors to effectively
discharge their responsibilities. The Code of Ethics calls for high standards of
honesty, objectivity, diligence, and loyalty.

Compliance
Compliance is the ability to reasonably ensure conformity and adherence to the
Organization's policies, plans, procedures, laws, regulations, contracts, etc.

Conclusions (Opinions)
Conclusions are the internal auditor's evaluations of the effects of the findings on the
activities reviewed. Conclusions usually put the findings in perspective based upon
their overall implications.

Condition
It is the factual evidence which the Internal Auditor found in the course of the
examination (what does exist).

Conflict of Interest
It refers to any relationship which is or appears to be not in the best interest of the
Organization. A conflict of interest would prejudice an individual's ability to carry
out their duties and responsibilities objectively.

Control
Control is any action taken by management to enhance the likelihood that
established objectives and goals will be achieved. Management plans, organizes, and
directs the performance of sufficient actions to provide reasonable assurance that
objectives and goals will be achieved. Thus, control is the result of proper planning,
organizing, and directing by management.
Control Environment
Control environment refers to the attitude and actions of the board and senior
management regarding the significance of control within the Organization. The
control environment provides the discipline and structure for the achievement of the
primary objectives of the system of internal control. The control environment
includes the following elements:
§Integrity and ethical values
§Management's philosophy and operating style
§Organizational structure
§Assignment of authority and responsibility
§Human resource policies and practices
§Competence of personnel
Control Framework
A recognized system of control categories that covers all internal controls expected
in an organization.
Control Processes
They include the policies, procedures, and activities that are part of a control
framework, designed to ensure that risks are contained within the risk tolerances
established by the risk management process.
Control Risk
It is the tendency of the internal control system to lose effectiveness over time and to
expose, or fail to prevent/detect weaknesses in the systems of control.
Control Self-Assessment (CSA)
A class of techniques used in an audit or in place of an audit to assess risk and
control strength and weaknesses against a Control Framework. The "self"
assessment refers to the involvement of management and staff in the assessment
process, often facilitated by internal auditors. There are many self-assessment
techniques in use.
Cost-Benefit Relationship
Cost-benefit relationship means that the potential loss associated with any exposure
or risk is weighed against the cost to control it.
Criteria
Criteria are the standards, measures, or expectations used in making an evaluation
and/or verification (what should exist).
Detective Controls
Detective controls are actions taken to detect and correct undesirable events which
have occurred.
Detection Risk
The probability that an incorrect audit conclusion will be drawn from the results of
the examination or that the audit work will fail to detect any serious errors.
Directive Controls
Directive controls are actions taken to cause or encourage a desirable event to occur.
Director of Internal Audit
Director identifies the top position in an Internal Audit department. The term also
includes such titles as General Auditor, Chief Internal Auditor, Chief Audit
Executive, and Inspector General.
Due Professional Care
Calls for the application of the care and skill expected of a reasonably prudent and
competent Internal Auditor in the same or similar circumstances. Due professional
care is exercised when Internal Audits are performed in accordance with the
Standards for the Professional Practice of Internal Audit. The exercise of due
professional care requires that:
§Internal Auditors be independent of the activities they audit
§Internal Audits be performed by those persons who collectively possess the
necessary knowledge, skills, and disciplines to conduct the audit properly
§Audit work be planned and supervised
§Audit reports be objective, clear, concise, constructive, and timely
§Internal Auditors follow up on reported audit findings to ascertain that appropriate
action was taken

Economical Performance
Objectives and goals are accomplished at a cost commensurate with the risk.

Effect
Effect is the risk or exposure the auditee Organization and/or others encounter
because the condition is not the same as the criteria (the impact of the difference).

Effective Control
Effective control is present when management directs systems in such a manner as to
provide reasonable assurance that the Organization’s objectives and goals will be
achieved.

Efficient Performance
Objectives and goals are accomplished in an accurate and timely fashion with
minimal use of resources.
Error
In relation to Internal Audit reports, an error is an unintentional misstatement or
omission of significant information in a final audit report.

External Auditors
External Auditors refers to those audit professionals who perform independent
annual audits of an Organization's financial statements.

External Reviews
External reviews of the Internal Audit department are performed to appraise the
quality of the department's operations. External reviews should be performed by
qualified persons who are independent of the Organization and who do not have
either a real or apparent conflict of interest.

Findings
Audit findings are relevant statements of fact. Audit findings emerge by a process of
comparing what should be with what is.

Flowchart
Flowchart is a representation, primarily through the use of symbols, of the sequence
of activities in a system (process, operation, function, or activity).
Follow-up
Follow-up by Internal Auditors is defined as a process by which they determine the
adequacy, effectiveness, and timeliness of actions taken by management on reported
audit findings. Such findings also include relevant findings made by External
Auditors and others.
Formal Internal Reviews
Are periodic self-assessments of the Internal Audit department to appraise the
quality of the audit work performed. These reviews generally are performed by a
team or an individual selected by the Internal Audit Director.
Fraud
Fraud is any illegal act characterized by deceit, concealment or violation of trust.
These acts are not dependent upon the application of threat of violence or of
physical force. Frauds are committed by individuals and organizations to obtain
money, property or services; to avoid payment or loss of services; or to secure
personal or business advantage.
Goals
Goals are specific objectives of specific systems and may be otherwise referred to as
operating or program objectives or goals, operating standards, performance levels,
targets, or expected results.
Internal Audit
Internal Audit is an independent appraisal function established within an
Organization to examine and evaluate its activities as a service to the Organization.
The objective of Internal Audit is to assist members of the Organization in the
effective discharge of their responsibilities. To this end, Internal Audit furnishes
them with analyses, appraisals, recommendations, counsel, and information
concerning the activities reviewed. The audit objective includes promoting effective
control at reasonable cost.
Internal Audit Department
Internal Audit department includes any unit or activity within an Organization which
performs Internal Audit functions.
Internal Auditor
Internal Auditor is an individual within an Organization's Internal Audit department
who is assigned the responsibility of performing Internal Audit functions.
Internal Control
Internal control is a process within an organization designed to provide reasonable
assurance regarding the achievement of the following primary objectives:
§The reliability and integrity of information
§Compliance with policies, plans, procedures, laws, and regulations
§The safeguarding of assets
§The economical and efficient use of resources
§The accomplishment of established objectives and goals for operations or
programs

Irregularity
Irregularities refer to the intentional misstatement or omission of significant
information in accounting records, financial statements, other reports, documents
or records. Irregularities include fraudulent financial reporting which renders
financial statements misleading and misappropriation of assets. Irregularities
involve:
§Falsification or alteration of accounting or other records and supporting
documents
§Intentional misapplication of accounting principles
§Misrepresentation or intentional omission of events, transactions, or other
significant information

Impairments
Impairments to individual objectivity and organizational independence may
include personal conflicts of interest, scope limitations, restrictions on access to
records, personnel, and properties, and resource limitations (funding).
Inherent Risk
Is the risk that an account or class of transactions being audited contains material
misstatements irrespective of the effects of the internal controls due to error. The
assessment of inherent risk depends on the professional judgment of the auditor,
and it is done after assessing the business environment of the unit being audited.

Management
Management includes those individuals with responsibilities for setting and/or
achieving the Organization's objectives.

Monitoring
Monitoring encompasses supervising, observing, and testing activities and
appropriately reporting to responsible individuals. Monitoring provides an ongoing
verification of progress toward achievement of objectives and goals.

Objectives
Objectives are the broadest statements of what the organization chooses to
accomplish.

Objectivity
Objectivity is an independent mental attitude which requires Internal Auditors to
perform audits in such a manner that they have an honest belief in their work
product and that no significant quality compromises are made. Objectivity requires
Internal Auditors not to subordinate their judgment on audit matters to that of
others.

Operations
Operations refer to the recurring activities of an Organization directed toward
producing a product or rendering a service. Such activities may include, but are not
limited to, marketing, sales, production, purchasing, human resources, finance and
accounting, and governmental assistance.

Pervasive Risk
The type of risk found throughout the environment. The focus is on the
environment of the business activity instead of the activity itself. Think of it as the
"corporate culture."

Planning Risk
It is the risk that the planning process is imperfect. In risk assessment, it is the risk
that the assessment process is inappropriate or improperly implemented.

Portfolio Risk
In risk analysis, it is the risk that a particular combination of projects, assets, units
or whatever is in the portfolio will fail to meet the overall objectives of the portfolio
because of poor balance of risks within the portfolio.

Preventive Controls
Preventive Controls are actions taken to deter undesirable events from occurring.

Proficiency
It means the ability to apply knowledge to situations likely to be encountered and to
deal with them without extensive recourse to technical research and assistance.

Programs
Programs refer to special purpose activities of an Organization. Such activities
include, but are not limited to, the raising of capital, sale of a facility, fund-raising
campaigns, new product or service introduction campaigns, capital expenditures,
and special purpose government grants.

Purpose Statements
Purpose Statements in audit reports describe the audit objectives and may, where
necessary, inform the reader why the audit was conducted and what it was
expected to achieve.

Probability
It is a measure (expressed as a percentage or a ratio) of estimation sometimes used
as a basis of measuring the likelihood and impact of risks when undertaking risk
assessments.

Professional Skepticism
Professional skepticism is an attitude that includes a questioning mind and critical
assessment of audit evidence. Some examples demonstrating the application of
professional skepticism in response to the auditor's assessment of the risk of
material misstatement due to fraud include:
§Increased sensitivity in the selection of the nature and extent of documentation to
be examined in support of material transactions
§Increased recognition of the need to corroborate management explanations or
representations concerning material matters, such as further analytical
procedures, examination of documentation, or discussion with others within or
outside the entity

Quality Assurance
Quality assurance is a program by which the director of Internal Audit evaluates
the operations of the Internal Audit department. The purpose of the quality
assurance program is to provide reasonable assurance that Internal Audit work
conforms with the Standards for the Professional Practice of Internal Audit, the
Internal Audit department's charter, and other applicable standards. The quality
assurance program should include the following elements:
§ Supervision
§ Internal reviews
§ External reviews

Ratio Analysis
Ratio analysis is the study of financial condition and performance through ratios
derived from items in the financial statements or from other financial or non-financial
information.

Recommendations
Recommendations are actions the Internal Auditor believes necessary to correct
existing conditions or improve operations.

Residual Risk
It is also known as 'net risk'. This is the level of risk remaining after the relevant
controls have been applied by management to the gross (or 'absolute') risk.
Residual risk represents the actual level of exposure that any Organization faces.

Risk
Risk is the probability that an event or action may adversely affect the organization
or activity under audit. It is measured in terms of impact and likelihood.
Importantly, risk can be positive or negative, although most positive risks are
sometimes known as opportunities and negative risks are called simply risks.

Risk Analysis
It means the assessment of risk, the management of risk, and the process of
communicating about risks. A systematic use of available information to determine
how often specified events may occur and the magnitude of the consequences. The
management decision science that seeks to optimize decisions among competing
alternatives to achieve business goals.

Risk Assessment
Risk assessment is a systematic process for assessing and integrating professional
judgments about probable adverse conditions and/or events. The risk assessment
process should provide a means of organizing and integrating professional
judgments for development of the audit work schedule.

Risk-Based Audit
An approach that focuses upon how an Organization responds to the risks it faces
in
achieving its goals and objectives; it aims to provide assurance on the management
of the identified risks within the framework of the Organization’s corporate plans
and aims.

Risk Classification/ Identification


Part of the risk assessment process that categorizes risks, typically into high,
medium, low, and intermediate values.

Risk Factors
Risk factors are measurable or observable characteristics of a process that either
indicate the presence of risk or tend to increase risk exposure.

Risk Management
It means the proactive steps that management can take to assess and manage
business risks. Also, it is the culture, processes and structures that are directed
toward the effective management of potential opportunities and adverse effects.

Risk Management Process


It indicates the systematic application of management policies, procedures and
practices to the tasks of establishing the context, identifying, analyzing, assessing
(evaluating), managing (treating), monitoring and communicating risk.
Risk Management Strategy
Is a structure for linking the firm's business strategy and Organization to its risk
management objectives.

Risk Management Systems


Principles relating to the design, development, and management (primarily
information technology) of systems for providing reliable, accurate and timely
information related to risk management.

Risk Measurement
It indicates the evaluation of the magnitude of risk which usually involves
developing a set of risk factors that are observed and measured to detect the
presence of risk.

Risk Prioritization
Ability to measure risks into a logical order by establishing how significant they are
in comparison to the achievement of business goals and objectives. Also, it is the
relation of acceptable levels of risks among alternatives.

Risk Ranking
It is the ordinal or cardinal rank prioritization of the risks in various alternatives,
projects or units.
Risk Register
It implies a central register of the Organization's key risks that identifies the
classification of risks by area, impact and likelihood. The register also identifies
who has responsibility for managing risks and the potential triggers and indicators
of a risk.

Scope Limitation
Is a restriction placed upon the Internal Audit department that prevents the
department from accomplishing its objectives and plans. Among other things, a
scope limitation may restrict:
§Scope defined in the charter
§Department's access to records, personnel, and physical properties relevant to the
performance of audits
§Approved audit work schedule
§Performance of necessary audit procedures
§Approved staffing plan and financial budget

Senior Management
Refers to those individuals to whom the Internal Audit Director is responsible.

Significant
Is the level of importance or magnitude assigned to an item, event, information, or
problem by the Internal Auditor.

Significant Audit Findings


Are those conditions which, in the judgment of the Internal Audit Director, could
adversely affect the organization. Significant audit findings may include conditions
dealing with irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness,
conflicts of interest, and control weaknesses.

Standards for the Professional Practice of Internal Audit (the Standards)


They are the criteria by which the operations of an Internal Audit department are
evaluated and measured. They are intended to represent the practice of Internal
Audit as it should be.

Statement of Responsibilities of Internal Audit


Is a document which presents in summary form the:
§ Objective and scope of Internal Audit
§ Responsibility and authority of the Internal Audit department
§ Independence of Internal Auditors

Supervision
Is a continuing process, beginning with planning and ending with the conclusion of
the audit assignment. Supervision includes:
§Providing suitable instructions to subordinates at the outset of the audit and
approving the audit program
§Seeing that the approved audit program is carried out unless deviations are both
justified and authorized
§Determining that audit working papers adequately support the audit findings,
conclusions, and reports
§Making sure that audit reports are accurate, objective, clear, concise, constructive,
and timely
§Determining that audit objectives are being met

Survey
Is a process for gathering information, without detailed verification, on the activity
being examined. The main purposes are to:
§Understand the activity under review
§Identify significant areas warranting special emphasis
§Obtain information for use in performing the audit
§Determine whether further Audit is necessary

System
(Process, operation, function, or activity) is an arrangement, a set, or a collection of
concepts, parts, activities, and/or people that are connected or interrelated to
achieve objectives and goals. (This definition applies to both manual and automated
systems.) A system may also be a collection of subsystems operating together for a
common objective or goal.

Trend Analysis
Is the analysis of the changes in a given item of information over a period of time.

Threat
A combination of risk, the consequences of that risk, and the likelihood that the
negative event will take place. It is often used in analysis in place of risk. It also
means the possibility that one or more individuals or Organizations will experience
adverse consequences from an event or circumstance.

Uncertainty
Refers to a condition where the outcome can only be estimated due to incomplete or
imperfect knowledge of the area / subject in question. In practice, uncertainty
impacts upon the quality of risk assessments by managers.

Understanding
It means the ability to apply broad knowledge to situations likely to be
encountered, to recognize significant deviations, and to be able to carry out the
research necessary to arrive at reasonable solutions.
