Administrative Reporting: See CAE Reporting Relationships
Administrative Time: Non-audit, non-training time used for a variety of activities
such as recruiting, performance appraisals, departmental expense budgeting,
organizing administrative files, and general (non-training) reading.
Allocating/Billing Audit Costs:
Distribution of the costs of the internal auditing function to customers,
either as actual cost billings (e.g., based on auditor's time and expenses) or
as overhead distribution (e.g., proportional allocation based on customer
assets, revenues, or employees), so that I/A costs impact the financial results
of the customers.
Assets: Total assets,
net of depreciation and other valuation reserves, in accordance with GAAP and
industry practice. For financial institutions and non-business entities (e.g.,
governmental agencies), total resources managed/administered.
Audit: See Audit Universe for a definition of an "auditable activity."
Audit Committee:
Members of the board of directors, trustees, legislative bodies, or similar
governance boards, with responsibilities for oversight and direction of the
internal auditing function.
Audit Plan: The overall
plan for annual or multi-year audit coverage of the audit universe units (see
Audit Universe), including such elements as which units are to be audited,
planned scope, timing of the work, estimated time required, and total resources
required.
Audit Report: A written
document that presents the scope and results of the audit and, optionally,
detailed findings, conclusions, recommendations, implementation plans, grading
of the audited unit, etc.
Follow-up: A subsequent
review (of which the scope and formality can vary considerably), to determine
the implementation status of recommendations or agreed actions, results of
further studies, etc., related to an audit report.
Audit Risk Assessment (Model): A systematic process for exercising and integrating
professional judgments about potential adverse conditions and events. This
process provides a means for development of the Audit Plan (see also Risk and
Risk Factors).
Audit Steering Committee:
An advisory body, generally made up of managers and senior executives selected
from among internal auditing's customers, that provides input to assist in the
planning and performance of audit work as well as feedback on the results of
that work.
Audit Universe:
Auditable activities consist of those subjects, units, or systems that are
capable of being defined and evaluated. Auditable activities may include
policies, procedures, and practices; cost centers, profit centers, and
investment centers; general ledger account balances; information systems
(manual and computerized); major contracts and programs; organizational units
such as product or service lines; functions such as information technology,
purchasing, marketing, production, finance, accounting, and human resources;
transaction systems for activities such as sales, collection, production,
treasury, payroll, and capital assets; financial statements; and laws and
regulations. Source - SIAS No. 14 (the old red book), Glossary -
"Auditable Activities."
Auditor/Audit
Professional/Supervisor/Staff: All internal audit personnel
reporting to the CAE, whether directly or functionally ("dotted
line"), except clerical and secretarial support staff. It includes
full-time equivalent (FTE) values for third-party providers of internal audit
services. It does not include the full-time equivalent of customer staff
members who work on audit teams or staff dedicated to such non-audit functions
as routine transaction review or reconciliations that are part of primary
internal accounting controls.
Audits/Auditors – Classification:
Most internal auditors appear to agree that audits and audit staff can be
classified on the basis of particular sets of skills and experience and/or by
the general areas in which the audit work is performed. Agreement as to usable
definitions or where the boundaries are between these classifications, however,
has been difficult to reach. The following classifications, as well as the GAIN
data that depend upon them, should be read with this caveat in mind.
Compliance: Evaluating compliance with laws, regulations, ethical standards,
and other similar reviews or investigations.
Financial: Evaluating internal accounting controls, financial information,
and related reports.
Integrated: Audit coverage of business units or processes using a broad range
of skills in business operations, finance, and information technology using
"integrated" teams or individuals who have the needed range of
auditing skills.
Operational: Evaluating controls, processes, and effectiveness (results),
other than those covered under Financial, including assessment and
implementation of process improvement.
Systems/IT: Evaluating controls and operations in
computer facilities, networks, systems, applications, etc.
Benefits:
All costs related to staff compensation other than salary, whether payable
currently or in the future and whether paid directly to the employee or to
another party/entity for the employee's benefit. This includes health care,
disability, pensions, fringes, etc.
Business Unit: A part
of the organization treated as a separate unit or activity for audit purposes.
Depending on how the organization is set up, it could be a division, a
subsidiary, or a region.
CAE: Chief audit
executive who is the full-time head of the internal auditing function, whatever
the title (e.g., general auditor, chief internal auditor, VP auditing, or
inspector general).
CAE Reporting Relationships:
Administrative: The executive line through which the CAE receives performance
appraisals, budget approvals, and various administrative services (but not
policy guidance and work direction guidance).
Functional: The executive line through which the CAE
is accountable for performance of the internal auditing function and through
which broad policy guidance and work direction are received.
Centralized Internal Audit Department:
Internal auditing function for the organization is located at and/or managed by
the chief audit executive from a single location (such as corporate
headquarters).
Certifications:
CBA/PE:
Certified Bank Auditor/Professional Engineer
CFE:
Certified Fraud Examiner
CIA/MIA:
Certified Internal Auditor/Member, Institute of Internal Auditors
CISA:
Certified Information Systems Auditor
CMA:
Certified Management Accountant
CPA/CA:
Certified Public Accountant/Chartered Accountant, or their certified/registered
equivalent in other jurisdictions
Other: Other professional or technical certifications
relevant to internal auditing (e.g., professional engineering qualifications).
Calendaring: Maintaining updated schedules by dates on PCs.
Certified Staff:
Internal auditing staff with one or more of the certifications listed above.
Computer-Assisted Audit Techniques
(CAAT): Computerized audit applications and other tools that
can be applied on a one-time basis or continuously to sample, search for
exceptions, or otherwise test computerized systems, applications, files, etc.
Examples:
Audit "Hooks": Points in application programs ("exits") that can be
used to call in routines to perform audit testing on a current basis.
Embedded Test Routine: Any audit routine designed to detect exceptions to established
standards and parameters, to select statistical samples, and perform similar
tests that are built into an application to perform audit procedures concurrent
with application processing.
Integrated Test Facility: A "dummy" systems entity established on a live data file, to test
processing of automated transactions that update large, complex computer
applications (generally those with multiple user groups and diverse sources of
transactions).
Condensed Report Format: A shorter form of audit report that captures essential
findings and/or recommendations in abbreviated format. Used to reduce cycle
time.
Consulting by Internal Auditing:
Work other than the usual audits, reviews, and similar internal auditing work, such
as leading or assisting management in process improvement projects,
facilitating self-assessments outside of "traditional" internal
control activities, training, or studies relating to implementation of audit
report recommendations.
Control/Control Environment:
Actions taken by management (e.g., planning, organizing, and directing) to
enhance the likelihood that established goals and objectives will be achieved.
The control environment refers to the attitude and actions of the board and
management regarding the significance of control within the organization and
provides the structure and discipline through which control is achieved. See
also SIAS No. 14, Glossary - Control, Control Environment, Effective Control,
and Internal Control.
Costs: See Total Costs/Expenses
Customer (Client/Auditee): Any executive, department, function, subsidiary, or other
entity (such as Board of Directors, or external auditor) that is served by,
relied upon by, or to which internal auditing is otherwise accountable, in
connection with audit, review, investigation, consulting, or similar services.
Customer Satisfaction Survey:
A formal (written) survey of customers, whether taken periodically or at the
end of an audit, to determine their opinion of the effectiveness of internal
audit services, personnel, coverage, reports, and/or results.
Customer Satisfaction Ratings:
Statistical and/or qualitative results of customer satisfaction surveys.
Compilation of other feedback from customers.
Cycle Approach: A
method of determining which auditable units (see Audit Universe) to include in
an audit plan, based on pre-determined intervals between audits (usually
stratified so that more significant units are audited more frequently).
EDI/EFT: Electronic
data interchange. The electronic transmission (exchange) of business
information (e.g., orders, invoices, or inventory data) and funds transfer
(EFT) between computer systems of independent entities.
Effectiveness: A broad
measure of the selection of strategies and objectives, means employed, and
results achieved. "Doing the right things right." (Includes less
comprehensive terms such as efficiency, economy, and cost-effectiveness).
Employees: All personnel employed full-time by the organization and the
full-time equivalent of part-time staff, including contract personnel receiving
day-to-day work direction from regular employees. Does not include the
employees of independent contractors or consultants, even though they may be
performing work that could be considered that of regular employees if it were
not outsourced. However, such purchased services may vary considerably between
GAIN participants and should be considered in connection with comparisons of
GAIN data between organizations and industry groups.
End-User Computing: Development of systems, applications, networks, etc., by
customers (end users) of the information technology function, where customers
take responsibility not only for development of such systems, etc., but also
for their operation, security, data integrity and maintenance.
Expenses:
See Total Costs/Expenses
External Audit Services/Fees: Services/fees from independent auditors
in connection with examination of the financial statements and related
information provided in annual reports to stakeholders and regulatory
authorities. Does not include services/fees for tax and consulting services,
special reviews, investigations, or assistance with accounting and technology.
Functional Reporting: See CAE Reporting Relationships
Fiscal Year Budget: See Revenue
Full-Time Equivalent (FTE): The annual accumulation of hours of internal auditing
services provided by others (e.g., third-party providers), divided by 2080
hours, gives the number of full-time equivalent employees.
ISO:
International Standards Organization, which is the broadly-recognized entity
charged with developing and promulgating standards against which business
organizations and other entities are measured in various areas of compliance
and achievement. Examples:
ISO 9000:
Worldwide standards for auditing/measuring quality management systems.
ISO 14000: Worldwide standards for auditing/measuring environmental compliance
systems.
Independent Working Paper Review: Review by audit management, other than
those who directed the work, to ensure consistency and conformity with The IIA
Standards.
Integrated Audit Approach: See Audits/Auditors – Classification
Integrated Auditor/Audit Staff: See Audits/Auditors – Classification
Local Area Network (LAN): An electronic communications/data transmission network
within a closely related local area (such as a department, floor, building, or
plant) through which PCs/work stations are connected.
Metric/Metrics: Measurements of performance or results (e.g., staff productivity,
cycle time, scoring of audit results, and customer satisfaction data).
Non-Audit Services: See Consulting by Internal Auditing and External Audit
Services/Fees.
Other (Audit) Costs: Costs and expenses of the internal auditing function, except
salaries, travel, and training. Does not include external audit fees or cost
allocations (in or out).
Outside Director: A director who is not an employee of the company.
Outsourcing/Outsourced Services:
Services provided by independent contractors that would otherwise be (and may
formerly have been) performed by employees of the organization. See Employees.
Participating Organizations:
Total number of companies/entities that submitted data to GAIN.
Partnering: A
participative approach whereby the internal auditor seeks to establish a more
cooperative working relationship with the customer. Involves consulting with
the customer and working as a team to deliver a value-added product.
Per Auditor: Relevant
statistic divided by total professional auditors.
Productivity Measures:
Statistics based on results per employee (audit staff members). See
"Metrics."
Purchased Audit Services:
See Outsourcing/Outsourced Services.
Quality Assurance Review:
By Internal Auditing: A formal assessment of the quality of the internal auditing
function and/or compliance with The IIA Standards and other relevant policies/standards,
performed under the control of the CAE.
Other Internal Review: As above, directed by an executive of the company/entity other
than the CAE.
External: As above, but performed by reviewers
independent of the company/entity, such as The IIA's QAR service or other
qualified independent team.
Reengineering: Analyzing and modifying, as necessary, business processes and
systems, to improve their effectiveness.
Revenue:
Total sales and other income, recognized in accordance with GAAP and industry
practice. For non-business entities, unless there is a relevant measure of
revenue similar to that for a commercial enterprise, use total annual
expenditure budget (Fiscal Year Budget).
Risk:
The probability that an event may adversely affect an organization, activity,
process, system, etc.
Risk Assessment: See Audit Risk Assessment.
Risk Factors: Criteria used to identify the nature, relative significance, and
likelihood of potential adverse conditions or events.
Salaries:
Base compensation, including cash incentives/bonuses paid to employees.
Self-Assessment: A review that an audit customer/auditable unit performs or
participates in, covering its own controls, processes, results, etc., for
compliance and/or process improvement purposes.
Staff Size: See Auditor/Audit Professional/Staff.
Third-Party Auditing Work: Auditing work performed by contract professionals.
Includes outsourcing and co-sourcing costs.
Total Costs/Expenses: Cost of sales, selling, general, and administrative expenses and
any others deducted from revenue to arrive at "operating" income.
Does not include "extraordinary" items or income taxes. For
non-business entities, total annual expenditure budget.
Training:
Costs:
Costs of all training received by internal auditing staff, such as course fees,
related travel expenses, training materials, and charges from other departments
for in-house courses. Does not include salary costs of internal auditing
personnel devoted full- or part-time to staff training.
Hours: Time spent by professional staff at
external courses (not including related travel time), at in-house courses and
other formal training sessions, and working on self-study during office hours.
Does not include "on-the-job" training time or time spent by internal
auditing personnel who prepare/present staff training sessions.
Wide Area Network (WAN): An electronic communications/data transmission network,
through which PCs/work stations are connected, covering a large geographic area
and usually served by a large-capacity "host" computer.
Wire Transfer: See EDI / EFT.