Acronyms and Glossary Flashcards Preview

CITP - Certified Information Technology Professional Exam > Acronyms and Glossary > Flashcards

Flashcards in Acronyms and Glossary Deck (133)

Is this a blank card?

I don't know, let's try again.  Something's wrong with Card 1 in this app



Association of Certified Fraud Examiners

ACFE is important because AU section 316, the fraud standard, uses the Fraud Tree as described by ACFE.  Established in 1988, the Association of Certified Fraud Examiners is the professional organization that governs professional fraud examiners. Its activities include producing fraud information, tools and training. It governs the professional designation of Certified Fraud Examiner. The ACFE is the world's largest anti-fraud organization and a provider of anti-fraud training and education, with more than 75,000 members.



Accounting Information Systems


Application Controls

Give the two definitions - 1) not a CITP and 2) CITP specific.

IT controls are addressed in two broad categories:  application controls and IT General Controls (ITGC).

Generally speaking, application controls are those embedded in software applications.  For the CITP, application controls can be either automated or manual.   Application controls are internal controls, whether automated or manual, that operate at the transaction-level with the objective of ensuring that:

  • Proper authorization is obtained to initiate and enter transactions;
  • Applications are protected from unauthorized access;
  • Users are only allowed access to those data and functions in an application that they should have access to;
  • Errors in the operation of an application will be prevented or detected and corrected in a timely manner;
  • Application output is protected from unauthorized access or disclosure;
  • Reconciliation activities are implemented when appropriate to ensure that information is complete and accurate; and
  • High-risk transactions are appropriately controlled.


Artificial Intelligence (AI)

AI is an area of computer science study that involves automated reasoning and problem solving, emulating human intelligence.


Assertion Level Risks

Assertion level risks are risks that are limited to one or more specific assertions in an account or in several accounts, for example, the valuation of inventory or the occurrence of sales.  Assertion level risks are addressed by the nature, timing, and extent of further audit procedures, which may include substantive procedures or a combination of tests of controls and substantive procedures.  The risk of material misstatement at the assertion level has two components - Inherent Risk (IR) and Control Risk (CR). 



Google it, add a definition here.  List the assertions auditors normally test


Asset Misappropriation Schemes

The use of one's occupation for personal gain through the deliberate misuse or theft of the employing organization's resources or assets.



A characteristic of something in a data file.  For example, the part number of an inventory item is an attribute of the item.  Also referred to as a field or column in relational databases.


Audit Risk (AR)

Audit risk (also referred to as residual risk) refers to the risk that an auditor may issue an unqualified report due to the auditor's failure to detect material misstatement either due to error or fraud.  In the audit risk model, Audit Risk (AR) is a function of three primary risks: Inherent Risk (IR), Control Risk (CR), and Detection Risk (DR) and is calculated as:


Inherent Risk (IR) refers to the risk involved in the nature of the business or transaction. For example, transactions involving exchange of cash may have higher IR than transactions involving settlement by checks.

Control Risk (CR) refers to the risk that a misstatement could occur but may not be detected and corrected or prevented by the entity's internal control mechanism. For example, control risk assessment may be higher in an entity where separation of duties is not well defined.

Detection Risk (DR) is the probability that the audit procedures may fail to detect the existence of a material error or fraud. While CR depends on the strength or weakness of the internal control procedures, DR is either due to sampling error or human factors.


Automated Control

Controls automation involves leveraging technology to build and enforce internal controls with the least manual intervention possible.  It can take many forms, from better use of available system configuration options of the kind common in enterprise resource planning (ERP) systems, to using workflow and imaging technologies to automate and drive processes from start to completion.

The IT auditor has a dual focus on automated controls.  One focus is the fact that automated controls are a key objective in an IT audit.  The second focus is on leveraging effective controls - effective automated controls can be leveraged to reduce substantive testing in the FAP phase of a financial audit.


Balanced Scorecard

A BSC is a holistic performance measuring and managing methodology combining financial, customer, internal processes, and learning/growth objectives into a single report.



Board of Directors



Book of Knowledge




BP or BPs

Business Process or Business Processes

Business Processes, for the CITP, focus on automated business processes.  IT-related BPs are a key element of risk assessment and are a special case of controls.  The best way to evaluate risk in BP is to gain sufficient understanding of the flows and relationships of key data or transactions through all of the business processes, using some kind of flowchart.


Business Activity Monitoring (BAM)

BAM is software that assists management in monitoring business activities, especially automated processes.  It refers to aggregating, analyzing, and presenting business process performance.  BAM can also address multiple business processes, including those that span multiple systems or applications.  Typically, the results are displayed in dashboard style, where real time results are compared to key performance indicators (KPIs).


Business Architecture

A business architecture is the organization and structure given to the information and IT of the business.  The business information architecture should be properly documented, including the documents and diagrams that describe it.  An effective design bridges the business model, business units, and business operations into a coherent architecture that facilitates the management and use of relevant information.


Business Intelligence (BI)

BI is a structure and process that combines information architecture, databases, analytical tools, reporting tools, and other applications to gather and communicate business information for strategic and tactical purposes.


Business Performance Management


A BPM is a comprehensive structure and process that measures and analyzes enterprise performance, operational and financial, to achieve strategic advantages.


Business Process Improvement (BPI)

BPI has the goal of optimizing business processes to achieve efficiencies and effectiveness, using a structured approach.  The approach is generic and can apply equally to commercial, not-for-profit, or government entities.  BPI attempts to reduce variation and/or waste in processes, resulting in more efficient use of resources.  Successful BPI usually results in radical changes rather than incremental change.  The primary goal of BPI is to align business processes to realize organizational goals (to do things right).  BPI usually involves automating former manual or semi-manual processes, collapsing multiple processes into a single process, or both.


Business Process Management


BPrM is a holistic management approach to managing business processes at the enterprise level to promote efficiency and effectiveness, while stressing improvements, innovation, and integration with technology.  BPrM is a profession of its own.  It focuses on more than efficiency and effectiveness gains in revising business processes, but rather takes a holistic approach that strives for innovation, more flexibility, and integration with technology.  A continuous improvement approach is also key to successful BPrM.  BPrM considers processes as potentially strategic tools that can be better managed, improved, and then deliver value-added products and services to the entity's clients.


Business and Industry

B & I

Business and Industry

Generally speaking, accountants can work for public accounting firms (called Public Accounting) or for clients in "business and industry" (called Industry accounting).

The same is true for CITPs.  CITPs can work for public accounting firms, or they can work in B&I.




Computer-Assisted Audit Tools

Computer-assisted audit techniques (CAATs) or computer-assisted audit tools and techniques (CAATTs) are a growing field within the audit profession. CAATs are the practice of using computers to automate the audit processes.



Understanding the control development life cycle (CDLC) is beneficial in understanding, evaluating, and managing controls.  The cyclical phases are:  design, implementation, operational effectiveness, and monitoring.





Capability Maturity Model

The Capability Maturity Model for Software (CMM) is a framework that describes the key elements of an effective software process. The CMM describes an evolutionary improvement path from an ad hoc, immature process to a mature, disciplined process.   The CMM covers practices for planning, engineering, and managing software development and maintenance. When followed, these key practices improve the ability of organizations to meet goals for cost, schedule, functionality, and product quality.  The CMM establishes a yardstick against which it is possible to judge, in a repeatable way, the maturity of an organization's software process and compare it to the state of the practice of the industry. The CMM can also be used by an organization to plan improvements to its software process.



Control Objectives for Information and related Technology

COBIT is one of the relevant models for risk the CITP can use, along with COSO's ERM model and the P-D-C model.  The COBIT framework was created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.  The COBIT framework is IT process-focused, and is known for its practical application in performing evaluations of IT internal controls.  The system model looks at controls from a data processing, or information systems, view.


Conceptual Schema

The schema or view of information requirements before it is converted into an actual database.  It is a composite view of all user views / schemas.  Also referred to as a logical view.

A composite of all external views or schemas is developed to represent the entity's view or schema, or the composite users' view, which is known as the conceptual schema.  The conceptual schema exists only on paper or in a digital document but describes the formats of the databases with specificity of the data to be captured, stored, and processed at the enterprise level.  The conceptual schema is also referred to as the logical schema.


See also user schema and physical schema.


Continuous monitoring (CM)

Continuous monitoring is the system of processes and technology that is used to ensure compliance and avoid risk issues associated with an entity's financial and operating systems.  CM involves people, processes, and technology that work together to detect weak or poorly designed controls, allowing management to correct or replace them.


Control Deficiency (CD)

A control deficiency is a breakdown in an internal control where the design or operation of the control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct material misstatements on a timely basis.


Control Gaps

One outcome of an effectual IT risk assessment is the identification of IT risks where no controls exist - that is, a control gap. If any IT risk has no mitigating control, this gap is an exposure, by definition, that the entity has, whether management is aware of it or not.  Control gaps represent serious risk and significant flaws in the control environment.  The CITP would want to identify any control gap, and make a recommendation to mitigate that gap/exposure, or use that information in evaluating audit evidence.