| Term | Definition |
|---|---|
| Application controls | Controls related to transactions and data within application systems. Application controls ensure the completeness and accuracy of the records and the validity of the entries made resulting from both programmed processing and manual data entry. Examples of application controls include data input validation, agreement of batch totals, and encryption of data transmitted. |
| Application system | An integrated set of computer programs designed to serve a well-defined function and having specific input, processing, and output activities (e.g., general ledger, manufacturing resource planning, human resource management). |
| Audit charter | A document approved by the board of directors that defines the IT audit function's responsibility, authority to review records, and accountability. |
| Audit plan | A description and schedule of audits to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work, and other items such as budget, resource allocation, schedule dates, and type of report issued. |
| Audit program | The audit policies, procedures, and strategies that govern the audit function, including IT audit. |
| Exposure | The potential loss to an area due to the occurrence of an adverse event. |
| General controls | Controls, other than application controls, that relate to the environment within which application systems are developed, maintained, and operated, and that are therefore applicable to all the applications at an institution. The objectives of general controls are to ensure the proper development and implementation of systems, and the integrity of program and data files and of computer operations. Like application controls, general controls may be either manual or programmed. Examples of general controls include the development and implementation of an IT strategy and an IT security policy, the organization of IT staff to separate conflicting duties, and planning for disaster prevention and recovery. |
| Independence | Self-governance, freedom from conflict of interest and undue influence. The IT auditor should be free to make his or her own decisions, not influenced by the organization being audited, or by its managers and employees. |
| Outsourcing | A formal agreement with a third party to perform an IT function for an organization. |
| Risk | The possibility of an act or event occurring that would have an adverse effect on the organization and its information systems. |
| Risk assessment | A process used to identify and evaluate risks and their potential effect. |
| Systems development life cycle | An approach used to plan, design, develop, test, and implement an application system or a major modification to an application system. |
| Work program | A series of specific, detailed steps to achieve an audit objective. |
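The "Application controls" entry names two programmed controls, data input validation and agreement of batch totals. The following is an added example, not part of the glossary, showing both applied to one batch of transaction records. The batch layout is assumed: a `BATCH` control line carrying the expected record count and amount total, followed by `account,amount,memo` records; the 8-digit account format and the 40-character memo limit are likewise assumptions, and the sample batches are constructed.

```python
"""Application controls over a transaction batch: input validation of every
record plus agreement of batch control totals. Added example, not text from
the glossary; the batch layout (a BATCH control line with the expected record
count and amount total, then account,amount,memo records) is assumed."""
import re
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import List, Optional, Tuple

ACCOUNT_RE = re.compile(r"^\d{8}$")  # assumed account-number format: 8 digits


@dataclass
class BatchResult:
    expected_count: int = 0
    actual_count: int = 0
    expected_total: Decimal = Decimal("0")
    actual_total: Decimal = Decimal("0")
    accepted: List[dict] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

    @property
    def totals_agree(self) -> bool:
        """Batch totals agree only if nothing was rejected and both control
        totals match what was computed from the records themselves."""
        return (not self.errors
                and self.actual_count == self.expected_count
                and self.actual_total == self.expected_total)


def validate_record(line_no: int, line: str) -> Tuple[Optional[dict], Optional[str]]:
    """Input validation control: each field is checked for presence, format
    and range before the record is allowed into processing."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 3:
        return None, f"line {line_no}: expected 3 fields, got {len(parts)}"
    account, amount_text, memo = parts
    if not ACCOUNT_RE.match(account):
        return None, f"line {line_no}: account {account!r} is not 8 digits"
    try:
        amount = Decimal(amount_text)
    except InvalidOperation:
        return None, f"line {line_no}: amount {amount_text!r} is not numeric"
    if amount <= 0 or amount.as_tuple().exponent < -2:
        return None, f"line {line_no}: amount {amount_text!r} out of range or precision"
    if not memo or len(memo) > 40:
        return None, f"line {line_no}: memo missing or longer than 40 characters"
    return {"account": account, "amount": amount, "memo": memo}, None


def process_batch(text: str) -> BatchResult:
    """Run both controls over one batch and report what a reviewer needs:
    the rejected records and whether the control totals agree."""
    lines = [l for l in text.splitlines() if l.strip()]
    result = BatchResult()
    header = lines[0].split(",") if lines else []
    if len(header) != 3 or header[0] != "BATCH":
        result.errors.append("missing or malformed BATCH control line")
        return result
    try:
        result.expected_count = int(header[1])
        result.expected_total = Decimal(header[2])
    except (ValueError, InvalidOperation):
        result.errors.append("BATCH control totals are not numeric")
        return result
    for line_no, line in enumerate(lines[1:], start=2):
        result.actual_count += 1  # every submitted record counts, valid or not
        record, error = validate_record(line_no, line)
        if error:
            result.errors.append(error)
            continue
        result.actual_total += record["amount"]
        result.accepted.append(record)
    return result


# Constructed sample batches (not real data).
GOOD_BATCH = """BATCH,3,450.00
12345678,100.00,rent
23456789,250.00,supplies
34567890,100.00,travel
"""

BAD_BATCH = """BATCH,3,450.00
12345678,100.00,rent
2345678X,250.00,supplies
"""

if __name__ == "__main__":
    for name, batch in (("good", GOOD_BATCH), ("bad", BAD_BATCH)):
        r = process_batch(batch)
        print(name, "totals agree:", r.totals_agree, "errors:", r.errors)
```

The two controls catch different failures: validation rejects a malformed record, while the count and amount totals reveal records that were lost or duplicated between data entry and processing even when every surviving record is individually well-formed. The batch is accepted only when both pass.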