definitions Flashcards

(66 cards)

1
Q

Anchoring bias

A

The tendency to rely too heavily, or “anchor”, on one trait or
piece of information when making decisions (usually the first
piece of information acquired on that subject).

2
Q

Audit universe

A

An audit universe represents the potential range of all audit
activities and is comprised of a number of “auditable” entities.

3
Q

Availability bias

A

Tendency to judge an event more probable the more easily it
can be recalled or pictured mentally.

4
Q

Benford analysis

A

Data reasonableness test based upon the expected pattern
(Benford distribution) of digits in tabulated data.

5
Q

Black Swans

A

Events characterized by their (a) rarity, (b) extreme impact,
and (c) retrospective (but not prospective) predictability.

6
Q

Board

A

Governing body of an entity.

7
Q

Cash larceny

A

The theft of an organization’s cash after it has been recorded in
the accounting system.

8
Q

COBIT

A

Control Objectives for Information and Related Technology.
COBIT is the generally accepted internal control framework
for IT.

9
Q

Confirmation bias

A

The tendency to search for, interpret, focus on and remember
information in a way that confirms one’s preconceptions.

10
Q

Control activities

A

The actions established through policies and procedures that
help ensure that management’s directives to mitigate risks to
the achievement of objectives are carried out.

11
Q

Control matrix

A

Tool to assist in evaluating the potential effectiveness of
controls in a business process by matching control goals with
relevant control plans.

12
Q

Control self-assessments

A

Control self-assessments (CSA) are all activities where the
people responsible for a business area, task, or objective use
some demonstrable approach to analyze the status of control
and risk to provide additional assurance related to the
achievement of one or more business objectives.

13
Q

Corporate governance

A

The system by which companies are directed and controlled.

14
Q

Corruption

A

Fraud schemes in which an employee uses her/his influence
in a business transaction in a way that violates her/his duty to
her/his employer for the purpose of obtaining a benefit for
her/himself or someone else (e.g., bribery, extortion, conflicts
of interest).

15
Q

Data

A

Data are facts (“raw observations”) that are collected,
recorded, stored, and processed by an information system.

16
Q

Deficiency

A

A condition within enterprise risk management worthy of
attention that may represent a perceived, potential, or
real shortcoming, or an opportunity to strengthen enterprise
risk management to provide a greater likelihood that the
entity’s objectives will be achieved.

17
Q

Enterprise risk management

A

The culture, capabilities, and practices, integrated with
strategy-setting and its execution, that organizations rely on to
manage risk in creating, preserving, and realizing value.

18
Q

Enterprise-wide information systems

A

Enterprise-wide information systems (also known as
Enterprise Systems) are information systems (IS) that integrate
information across operations on a company-wide basis.

19
Q

Event identification

A

The identification of potential events from internal or external
sources affecting the achievement of objectives. It includes
distinguishing between events that represent risks, those
representing opportunities, and those that may be both.

20
Q

External corporate governance characteristics

A

The corporate governance structures and processes that are
outside the control of the firm’s shareholders and the board of
directors.

21
Q

Framing effects

A

Drawing different conclusions from the same information,
depending on how that information is presented.

22
Q

Fraud

A

An intentional act by one or more individuals among
management, those charged with governance, employees, or
third parties, involving the use of deception to obtain an
unjust or illegal advantage.

23
Q

Fraudulent disbursement

A

A scheme in which an employee illegally or improperly causes
the distribution of funds in a way that appears to be
legitimate.

24
Q

Fraud risk factors

A

Events or conditions that indicate an incentive/pressure to
commit fraud or provide an opportunity to commit fraud.

25
Q

Fraud triangle

A

Model that describes fraud as more likely to occur in the presence of incentives, opportunity, and rationalization.

26
Q

Gambler's fallacy

A

The tendency to think that future probabilities are altered by past events, when in reality they are unchanged. The fallacy arises from an erroneous conceptualization of the law of large numbers. For example, I’ve flipped heads with this coin five times consecutively, so the chance of tails coming out on the sixth flip is much greater than heads.

27
Q

Ghost employee

A

An individual on the payroll of an organization who does not actually work for the organization.

28
Q

Heavy-tailed distribution

A

Probability distribution whose tail is not exponentially bounded.

29
Q

Hindsight bias

A

The tendency to perceive events that have already occurred as having been more predictable than they actually were before the events took place (I-knew-it-all-along).

30
Q

Illusion of control

A

The tendency to overestimate one’s degree of influence over other external events.

31
Q

Information

A

Information is data that have been organized and processed into meaning to a user.

32
Q

Information bias

A

The tendency to seek information even when it cannot affect action.

33
Q

Information overload

A

Information overload occurs when the amount of input to a system exceeds its processing capacity. Decision makers have fairly limited cognitive processing capacity. Consequently, when information overload occurs, it is likely that a reduction in decision quality will occur.

34
Q

Information systems

A

Man-made systems that generally consist of an integrated set of computer-based components and manual components established to collect, store, and manage data and to provide output information to users.

35
Q

Inherent limitations

A

Limitations inherent to (enterprise) risk management. The limitations relate to the limits of human judgment; resource constraints, and the need to consider the cost of controls in relation to expected benefits; the reality that breakdowns can occur; and the possibility of management override and collusion.

36
Q

Inherent risk

A

The risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact.

37
Q

Insensitivity to sample size

A

The tendency to under-expect variation in small samples.

38
Q

Internal control

A

A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations.

39
Q

Internal corporate governance characteristics

A

The corporate governance structures and processes that are within the control of the firm’s shareholders and the board of directors (e.g., the structure of the board of directors and committees, internal control systems, managerial incentives, firm’s ownership structure).

40
Q

Internal environment

A

The internal environment encompasses the tone of an entity, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

41
Q

IT application controls

A

IT application controls are programmed procedures in application software and related manual procedures designed to help ensure the completeness, accuracy, authorization, and validity of data capture and processing (e.g., balancing control activities, check digits, predefined data listings, data reasonableness tests, logic tests). The objective of IT application controls is to prevent errors from entering the system, and to detect and correct errors once they are present.

42
Q

IT general controls

A

IT general controls (ITGC) are controls that apply to all systems components, processes, and data for a given organization or information technology (IT) environment. The objectives of ITGCs are to ensure the proper development and implementation of applications, as well as the integrity of programs, data files, and computer operations. ITGCs include controls over (a) IT management, (b) IT infrastructure, (c) security management, and (d) software acquisition, development and maintenance.

43
Q

Management intervention

A

Management’s actions to overrule prescribed policies or procedures for legitimate purposes; management intervention is usually necessary to deal with non-recurring and non-standard transactions or events that otherwise might be handled inappropriately by the system (contrast this term with Management Override).

44
Q

Management override

A

Management’s overruling of prescribed policies or procedures for illegitimate purposes with the intent of personal gain or an improperly enhanced presentation of an entity’s financial condition or compliance status (contrast this term with Management Intervention).

45
Q

Mission

A

The mission of an organization defines the “purpose” of that organization. That is, the reason why the organization exists.

46
Q

Overconfidence effect

A

Excessive confidence in one’s own answers to questions. For example, for certain types of questions, answers that people rate as “99% certain” turn out to be wrong 40% of the time.

47
Q

Reasonable assurance

A

The concept that enterprise risk management, no matter how well designed and operated, cannot provide a guarantee regarding achievement of an entity’s objectives. This is because of inherent limitations in enterprise risk management.

48
Q

Residual risk

A

The remaining risk after management has taken action to alter the risk’s likelihood or impact.

49
Q

Retrievability bias

A

Frequency of similar events in our past reinforces preconceived notions of comparable situations occurring in the future.

50
Q

Risk

A

The possibility that an event will occur and adversely affect the achievement of objectives.

51
Q

Risk appetite

A

The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision).

52
Q

Risk assessment

A

The process of analyzing events that might adversely affect the achievement of objectives.

53
Q

Risk culture

A

Risk culture is the system of values and behaviors present in an organization that shapes risk decisions of management and employees.

54
Q

Risk map

A

A graphic representation of likelihood and impact of one or more risks.

55
Q

Risk philosophy

A

An entity’s risk management philosophy is the set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities. Its risk management philosophy reflects the entity’s values, influencing its culture and operating style, and affects how enterprise risk management components are applied, including how risks are identified, the kinds of risks accepted, and how they are managed.

56
Q

Risk response

A

The strategy of how to manage risks (accept, avoid, reduce, share, or pursue).

57
Q

Risk tolerance

A

The acceptable variation relative to the achievement of an objective.

58
Q

Risk universe

A

The full range of risks which could impact, either positively or negatively, on the ability of the organization to achieve its long-term objectives.

59
Q

Segregation of duties

A

The concept of dividing, or segregating, duties among different people to reduce the risk of error or fraud. The basic idea underlying segregation of duties is that no one employee (or group of employees) should be in a position both to perpetrate and conceal errors or irregularities in the normal course of their duties. In general, the principal incompatible duties to be segregated are: authorization, execution, recording, and custody.

60
Q

Skimming

A

The theft of an organization’s cash prior to its entry in the accounting system.

61
Q

SMART objectives

A

Objectives formulated in a way that is specific, measurable, achievable, results oriented, and time bound.

62
Q

Stakeholders

A

Parties that are affected by the entity, such as shareholders, the communities in which the entity operates, employees, customers, and suppliers.

63
Q

Strategic objectives

A

High-level goals reflecting how an entity aims to achieve its mission.

64
Q

Survivorship bias

A

Cognitive bias that arises when we mistakenly treat the one realized outcome (the people or things that “survived” a certain event or process) among all possible random histories as the most representative one (i.e., overlooking the people or things that did not “survive” due to their invisibility).

65
Q

Tone at the top

A

The ethical environment within the firm created through management practices and espoused values.

66
Q

Zero-risk bias

A

Preference for reducing a small risk to zero over a greater reduction in a larger risk.