University of Birmingham

Audit Glossary

A

Adding Value: By virtue of our position within the University, Internal Audit are able to gather data to understand and assess risk and develop significant insight into operations and opportunities for improvement that can be beneficial to the University. This valuable information can be in the form of consultation, advice, written communications, or through other products.  
Absolute Risk: "Pure" risk without the mitigating effects of internal controls – this is also known as gross risk.
Adequate Control: Present if management has planned and organised (designed) their operations in a manner that provides reasonable assurance that the University’s risks have been managed effectively and that its goals and objectives will be achieved efficiently and economically.
Analytical Review: The examination of ratios, trends and changes in balances and other values between periods to obtain a broad understanding of the University's financial or operational position and identify areas that may require further or closer investigation. We often use this technique when planning the scope of our audit assignments.
Assurance Services: An objective examination of evidence for the purpose of providing an assessment on risk management, control, or governance processes for the University. Examples may include financial, performance, compliance, and system security engagements.
Audit Committee: A committee of the University's Council that has no operational responsibilities for any of the activities undertaken by the University. Its primary function is to help Council fulfil its stewardship role by reviewing the systems of risk management, governance and internal control. The University's Audit Committee meets three times a year.
Audit Risk: The risk that an auditor may arrive at the wrong conclusions and opinions from the work that they have undertaken. Audit risk is calculated by the formula:
AR = IR x CR x DR
where AR = Audit Risk, IR = Inherent Risk, CR = Control Risk and DR = Detection Risk.
Audit Scope: Refers to the activities covered by an internal audit. Audit scope often includes:
- Audit objectives
- Nature and extent of auditing procedures performed
- Time period audited
- Related non-audit activities that delineate the boundaries of the audit
When planning audit assignments at the University, we always agree the scope of our reviews with the unit managers before starting the audit.
Audit Test Schedules: Audit test schedules include:
- Risks
- Audit objectives
- What activities are to be audited and the methodology adopted
- The estimated time required, taking into account the scope of the audit work performed by others
Audit Working Papers: Record the information obtained, the analyses made, and the conclusions reached during an audit. Audit working papers support the bases for the findings and recommendations to be reported. Audit working papers are a key part of the evidence used by us in arriving at our conclusions and recommendations.
Auditable Activities: Consist of those subjects, units or systems which are capable of being defined and evaluated. Auditable activities may include:
- Policies, procedures and practices
- Cost centres, profit centres and investment centres
- General ledger account balances
- Information systems (manual and computerised)
- Major contracts and programmes
- Organisational units such as product or service lines
- Functions such as information technology, purchasing, marketing, production, finance, accounting and human resources
- Transaction systems for activities such as sales, collection, purchasing, disbursement, inventory and cost accounting, production, treasury, payroll and capital assets
- Financial statements
- Laws and regulations
In recent years we have adopted a risk-based approach that uses the University's Risk Register as the means of identifying our audit universe.
Audit Universe: An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process. Traditionally, the list included all financial and key operational systems as well as schools and other units that would be audited as part of the overall cycle of planned work. The audit universe serves as the source from which the five-year audit plan and the annual audit schedule are prepared. Developments in the approach to auditing and audit planning have meant that the audit universe is now determined by risk (i.e. a risk universe) and that the new risk-based approach to auditing results in planning that is driven by the University’s risk register. The universe will be periodically revised to reflect changes in the overall risk profile. An inventory of audit areas, or audit universe, will be compiled and maintained.
Authorisation: Implies that the authorising authority has verified and validated that the activity or transaction conforms with established policies and procedures.
Authorising: Includes initiating or granting permission to perform activities or transactions.

B

Behavioural Risk: Risk associated with productivity loss (poor management practices or a poor work environment, under-utilising human assets, poor leadership, favouritism), dysfunctional workplaces and opportunity cost (making less-than-optimum decisions about the acquisition and disposition of human assets, i.e. people, knowledge and skills).
Business Risk: A concept used by auditors and managers to express concerns about the probable material effects of an uncertain environment on achieving established objectives.

C

Charter: The charter of the internal audit activity is a formal written document that defines the activity’s purpose, authority, and responsibility. Details of how we operate at the University can be found on our service commitment page.
Code of Ethics: A code that promotes an ethical culture in the global profession of internal auditing. A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk, control, and governance. A code applies to both individuals and entities that provide internal audit services. Most professional accounting and auditing bodies have such a code.
Compliance: The ability to reasonably ensure conformity and adherence to the University's policies, plans, procedures, laws, regulations, contracts, ordinances and statutes.
Conclusions: Our evaluation of the effects of the findings on the activities reviewed. Conclusions usually put the findings in perspective based upon their overall implications, particularly in a risk-based audit approach, which provides an audit viewpoint in relation to the aims and objectives of the University.
Conflict of Interest: Any relationship that is or appears to be not in the best interest of the University. A conflict of interest would prejudice an individual’s ability to perform his or her duties and responsibilities objectively.
Consequence: The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain.
Consulting Services: The range of services, beyond internal audit’s assurance services, provided to assist management in meeting its objectives. The nature and scope of work are agreed upon with the client. Examples include facilitation, process design, training, and advisory services.
Control: Any action taken by management, the board and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organises and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. (See also Internal Control.) A fuller explanation can be found on the controls page of our site.
Control and Risk Self-Assessment: Abbreviated CRSA. See Control Self-Assessment.
Control Environment: The attitude and actions of the board and management regarding the significance of control within the organisation. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:
- Integrity and ethical values
- Management’s philosophy and operating style
- Organisational structure
- Assignment of authority and responsibility
- Human resource policies and practices
- Competence of personnel
Control Framework: A recognised system of control categories that covers all internal controls expected in an organisation.
Control Processes: The policies, procedures and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.
Control Risk: The tendency of the internal control system to lose effectiveness over time and to expose, or fail to prevent or detect, weaknesses in the systems of control.
Control Self-Assessment: Abbreviated CSA. A class of techniques used in an audit or in place of an audit to assess risk and control strength and weaknesses against a Control Framework. The "self" assessment refers to the involvement of management and staff in the assessment process, often facilitated by internal auditors. There are many self-assessment techniques in use. At the University, we operate a quarterly risk monitoring system that is a form of self-assessment.
CRSA: See control and risk self-assessment.
CSA: See control self-assessment.
Custodial Risk: The risk associated with owning and safeguarding assets (i.e. obsolescence, damage in handling or in storing assets and theft from storage).

D

Detection Risk: The probability that an incorrect audit conclusion will be drawn from the results of the examination or that the audit work will fail to detect any serious errors.
Detective Controls: Actions taken to detect and correct undesirable events which have occurred.
Directive Controls: Actions taken to cause or encourage a desirable event to occur.
Due Professional Care: Calls for the application of the care and skill expected of a reasonably prudent and competent internal auditor in the same or similar circumstances. Due professional care is exercised when internal audits are performed in accordance with the Standards for the Professional Practice of Internal Auditing. The exercise of due professional care requires that:
- Internal auditors be independent of the activities they audit
- Internal audits are performed by those persons who collectively possess the necessary knowledge, skills and disciplines to conduct the audit properly
- Audit work be planned and supervised
- Audit reports be objective, clear, concise, constructive and timely
- Internal auditors follow up on reported audit findings to ascertain that appropriate action was taken.
At the University, we have agreed procedures in place to ensure that we work to recognised professional audit standards.

E

Effect: Effect is the risk or exposure the auditee, organisation and/or others encounter because the condition is not the same as the criteria (the impact of the difference).
Effective Control: Present when management directs systems in such a manner as to provide reasonable assurance that the organisation’s objectives and goals will be achieved.
Error: As it relates to internal audit reports, it is an unintentional misstatement or omission of significant information in a final audit report.
External Auditors: Refers to those audit professionals who perform independent annual audits of an organisation’s financial statements. The University's external audit is provided by KPMG, a firm of registered auditors.

F

Findings: Pertinent statements of fact. Audit findings emerge by a process of comparing what should be with what is.
Follow-up: The process we use to determine the adequacy, effectiveness and timeliness of actions taken by management on previous audit findings and recommendations. Our web site contains more details on the method we adopt when undertaking follow-up audits.
Fraud: Any illegal act characterised by deceit, concealment or violation of trust. These acts are not dependent upon the application or threat of violence or of physical force. Frauds are perpetrated by individuals and organisations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage. Our web page on managing fraud contains further information.

G

Goals: The specific objectives of specific systems; they may otherwise be referred to as operating or programme objectives or goals, operating standards, performance levels, targets or expected results.
Governance Process: The procedures used by the representatives of the University’s stakeholders to provide oversight of the risk and control processes administered by management. Governance is the University's strategic response to risk, which brings together related components such as strategic planning, risk management, assurance that goals and objectives will be achieved, and internal auditing.

I

Impairments: Impairments to individual objectivity and organisational independence may include personal conflicts of interest, scope limitations, restrictions on access to records, personnel and properties, and resource limitations (funding).
Inherent Risk: The risk that an account or class of transactions contains material misstatements irrespective of the effects of the controls.
Internal Audit: The University's in-house team that provides independent, objective assurance and consulting services designed to add value and improve the University’s operations. Our mission statement provides a fuller explanation of our role.
Internal Control: A process within an organisation designed to provide reasonable assurance regarding the achievement of the following primary objectives:
- The reliability and integrity of information
- Compliance with policies, plans, procedures, laws, regulation and contracts
- The safeguarding of assets
- The economical and efficient use of resources
- The accomplishment of established objectives and goals for operations or programmes.
Further explanations can be found by visiting our pages on controls.
Irregularity: Refers to the intentional misstatement or omission of significant information in accounting records, financial statements, other reports, documents or records. Irregularities include:
- fraudulent financial reporting which renders financial statements misleading, and
- misappropriation of assets.
Irregularities involve:
- Falsification or alteration of accounting or other records and supporting documents
- Intentional misapplication of accounting principles
- Misrepresentation or intentional omission of events, transactions or other significant information.
The University's approach to this area can be found by visiting our pages on fraud.

L

Likelihood: A qualitative description of a probability or frequency.

M

Management: Used to indicate, firstly, the level of management to whom the Head of Internal Audit is responsible and secondly anyone who has responsibilities for setting and/or achieving objectives. A more detailed explanation can be found by visiting our web pages about our relationship with University managers.
Monitoring: Encompasses supervising, observing and testing activities and appropriately reporting to responsible individuals. Monitoring provides an ongoing verification of progress toward the achievement of objectives and goals.

N

Net Risk: See Residual Risk.

O

Objectivity: An unbiased mental attitude that requires internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others.
Operations: Refers to the recurring activities of an organisation directed toward producing a product or rendering a service. Such activities may include, but are not limited to, marketing, teaching, research, procurement, personnel, finance and accounting.
Opportunity: An uncertain event with a positive probable consequence. Related to risk. The possibility that one or more individuals or organisations will experience beneficial consequences from an event or circumstance.
Outside Service Provider: Refers to a person or firm, independent of the organisation, who has special knowledge, skill and experience in a particular discipline. Outside service providers include environmental specialists, information technology specialists, the organisation's external auditors and other auditing organisations. At the University we employ the firm KPMG to provide a specialist computer audit service that we could not provide from in-house means. Decisions to engage outside service providers for audit purposes are taken by the Audit Committee.

P

Pervasive Risk: The type of risk found throughout the environment. The focus is on the environment of the business activity instead of the activity itself. Think of it as the "corporate culture."
Planning Risk: The risk that the planning process is flawed. In risk assessment, it is the risk that the assessment process is inappropriate or improperly implemented.
Portfolio Risk: In risk analysis, the risk that a particular combination of projects, assets, units or other items in the portfolio will fail to meet the overall objectives of the portfolio because of a poor balance of risks within the portfolio.
Preventative Controls: Actions taken to deter undesirable events from occurring.
Probability: An estimate, expressed as a percentage or a ratio, that is sometimes used as the basis for measuring the likelihood and impact of risks when undertaking risk assessments.

Q

Quality Assurance: A programme by which the Head of Internal Audit evaluates the operations of the internal auditing service. The purpose of the programme is to provide reasonable assurance that our work conforms with the Standards for the Professional Practice of Internal Auditing, our charter and other applicable standards.

R

Ratio Analysis: The study of financial conditions and performance through ratios derived from items in the financial statements or from other financial or non-financial information.
Reasonableness Test: A comparison of an estimated amount calculated by the use of relevant financial and non-financial information with a recorded amount.
Recommendations: Actions we believe are necessary to correct existing conditions or improve operations.
Recommendations fall into three categories:
- Fundamental
- Significant
- Merits Attention
Further details can be found on our reports and recommendations page.
Residual Risk: Also known as 'net risk'. This is the level of risk remaining after the relevant controls have been applied by management to the gross (or 'absolute') risk. Residual risk represents the actual level of exposure that the University faces.
Risk Analysis: The assessment of risk, the management of risk, and the process of communicating about risks. A systematic use of available information to determine how often specified events may occur and the magnitude of their consequences. The management decision science that seeks to optimise decisions among competing alternatives to achieve business goals.
Risk Assessment: The identification of risk, the measurement of risk, and the process of communicating about risks. A systematic process for assessing and integrating professional judgements about probable adverse conditions and/or events. The risk assessment process measures risk by the use of two factors: impact and likelihood.
Risk-Based Auditing: An approach that focuses upon how an organisation responds to the risks it faces in achieving its goals and objectives; it aims to provide assurance on the management of the identified risks within the context of the University’s corporate plans and aims. Other pages of our web site contain more about risk-based auditing.
Risk Classification: Part of the risk assessment process that categorises risks, typically into high, medium, low and intermediate values.
Risk Evaluation: See risk measurement.
Risk Factors: Measurable or observable characteristics of a process that either indicate the presence of risk or tend to increase risk exposure.
Risk Identification: The method of identifying and classifying risks. See risk classification.
Risk Management (modern view): Proactive steps that management can take to assess and manage business risks. The culture, processes and structures that are directed toward the effective management of potential opportunities and adverse effects. Our web pages on managing risk contain more detail on this issue.
Risk Management Process: The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, assessing (evaluating), managing (treating), monitoring and communicating risk.
Risk Management Strategy: A structure for linking the firm's business strategy and organisation to its risk management objectives. The University's risk management strategy outlines our institution's position.
Risk Management Systems: Principles relating to the design, development, and management (primarily information technology) of systems for providing reliable, accurate and timely information related to risk management.
Risk Measurement: The evaluation of the magnitude of risk which usually involves developing a set of risk factors that are observed and measured to detect the presence of risk.
Risk Prioritisation: The ability to place risks in a logical order by establishing how significant they are in comparison to the achievement of business goals and objectives; the relation of acceptable levels of risk among alternatives. See Risk Ranking.
Risk Ranking: The ordinal or cardinal rank prioritisation of the risks in various alternatives, projects or units.
Risk Register: A central register of the University's key risks that identifies the classification of risks by area, impact and likelihood. Our register also identifies who has responsibility for managing each risk and the potential triggers and indicators of a risk.
Risk: The chance of something happening that will have an impact on the University's objectives or those of one of its units. It is measured in terms of impact and likelihood. Importantly, risk can be either positive or negative: positive risks are sometimes known as opportunities, while negative risks are simply called risks.

S

Significant Audit Findings: Those conditions which in the judgment of the chief internal auditor could adversely affect the organisation. Significant audit findings may include conditions dealing with irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts of interest, and control weaknesses.
Standards: The Standards for the Professional Practice of Internal Auditing are the criteria by which the operations of an internal auditing department are evaluated and measured. They are intended to represent the practice of internal auditing as it should be.
Supervision: A process which begins with planning and continues throughout the examination, evaluation, report and follow-up phases of the audit assignment. Supervision includes:
- Ensuring that the auditors assigned possess the requisite knowledge and skills
- Providing appropriate instructions during the planning of the audit and approving the audit programme
- Seeing that the approved audit programme is carried out unless changes are both justified and authorised
- Determining that the audit working papers adequately support the audit findings, conclusions and reports
- Ensuring that audit reports are accurate, objective, clear, concise, constructive and timely
- Ensuring that audit objectives are met
- Providing opportunities for developing internal auditors' knowledge and skills
System: A system (process, operation, function or activity) is an arrangement, a set, or a collection of concepts, parts, activities and/or people that are connected or interrelated to achieve objectives and goals. (This definition applies to both manual and automated systems.) A system may also be a collection of subsystems operating together for a common objective or goal.

T

Threat: A combination of a risk, the consequences of that risk, and the likelihood that the negative event will take place. Often used in analysis in place of risk. The possibility that one or more individuals or organisations will experience adverse consequences from an event or circumstance.

U

Uncertainty: A condition where the outcome can only be estimated because of incomplete or imperfect knowledge of the area or subject in question. In practice, uncertainty affects the quality of risk assessments made by managers.
Understanding: Means the ability to apply broad knowledge to situations likely to be encountered, to recognise significant deviations and to be able to carry out the research necessary to arrive at reasonable solutions.

This glossary is based on a document produced by the Institute of Internal Auditors. It has been updated and adapted to reflect approaches used by the Internal Audit Service of the University of Birmingham and changes since the original publication of the glossary, specifically in areas that relate to the audit role in risk management.