Abend

An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing

Access control

The process that limits and controls access to resources of a computer system; a logical or physical control designed to protect against unauthorized entry or use. Access control can be defined by the system (mandatory access control, or MAC) or defined by the user who owns the object (discretionary access control, or DAC).

Access control table

An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals

Access method

The technique used for selecting records in a file, one at a time, for processing, retrieval or storage. The access method is related to, but distinct from, the file organization that determines how the records are stored.

Access path

The logical route an end user takes to access computerized information. Typically, it includes a route through the operating system, telecommunications software, selected application software and the access control system.

Access rights

Also called permissions or privileges, these are the rights granted to users by the administrator or supervisor. Access rights determine the actions users can perform (e.g., read, write, execute, create and delete) on files in shared volumes or file shares on the server.

Accountability

The ability to map a given activity or event back to the responsible party

ACK (acknowledgement)

A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly by the receiver without errors, or that the receiver is now ready to accept a transmission

Active recovery site (mirrored)

Recovery strategy that involves two active sites, each capable of taking over the other’s workload in the event of a disaster. Each site will have enough idle processing power to restore data from the other site and to accommodate the excess workload in the event of a disaster.

Active response

A response, in which the system (automatically or in concert with the user) blocks or otherwise affects the progress of a detected attack. The response takes one of three forms--amending the environment, collecting more information or striking back against the user.

Address

The code used to designate the location of a specific piece of data within computer storage

Address space

The number of distinct locations that may be referred to with the machine address. For most binary machines, it is equal to 2n, where n is the number of bits in the machine address.

Addressing

The method used to identify the location of a participant in a network. Ideally, addressing specifies where the participant is located rather than who they are (name) or how to get there (routing).

adjusting period

The calendar can contain “real” accounting periods and/or adjusting accounting periods. The “real” accounting periods must not overlap, and cannot have any gaps between “real” accounting periods. Adjusting accounting periods can overlap with other accounting periods. For example, a period called DEC-93 can be defined that includes 01-DEC-1993 through 31-DEC-1993. An adjusting period called DEC31-93 can also be defined that includes only one day: 31-DEC-1993 through 31-DEC-1993.

Administrative controls

The actions/controls dealing with operational effectiveness, efficiency and adherence to regulations and management policies

allocation entry

A recurring journal entry used to allocate revenues or costs. For example, an allocation entry could be defined to allocate costs to each department based on headcount.

Alpha

The use of alphabetic characters or an alphabetic character string

Analog

A transmission signal that varies continuously in amplitude and time and is generated in wave formation. Analog signals are used in telecommunications.

Anomaly

Unusual or statistically rare

Anomaly detection

Detection on the basis of whether the system activity matched that defined as abnormal

Anonymity

The quality or state of not being named or identified

Anonymous File Transfer Protocol (FTP)

A method for downloading public files using the File Transfer Protocol (FTP). Anonymous FTP is called anonymous because users do not need to identify themselves before accessing files from a particular server. In general, users enter the word anonymous when the host prompts for a username; anything can be entered for the password, such as the user's e-mail address or simply the word guest. In many cases, an anonymous FTP site will not even prompt users for a name and password.

Antivirus software

Applications that detect, prevent and possibly remove all known viruses from files located in a microcomputer hard drive

Appearance

The act of giving the idea or impression of being or doing something

Appearance of independence

Behavior adequate to meet the situations occurring during audit work (interviews, meetings, reporting, etc.). The IS auditor should be aware that appearance of independence depends upon the perceptions of others and can be influenced by improper actions or associations.

Applet

A program written in a portable, platform independent computer language, such as Java. It is usually embedded in an HTML page and then executed by a browser. Applets can only perform a restricted set of operations, thus preventing, or at least minimizing, the possible security compromise of the host computers.

application

A computer program or set of programs that perform the processing of records for a specific function

Application acquisition review

An evaluation of an application system being acquired or evaluated, which considers such matters as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is acquired in compliance with the established system acquisition process.

Application controls

Refer to the transactions and data relating to each computer-based application system and are therefore specific to each such application. The objectives of application controls, which may be manual, or programmed, are to ensure the completeness and accuracy of the records and the validity of the entries made therein resulting from both manual and programmed processing. Examples of application controls include data input validation, agreement of batch totals and encryption of data transmitted.

Application development review

An evaluation of an application system under development which considers matters such as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is developed in compliance with the established systems development life cycle process

Application implementation review

An evaluation of any part of an implementation project (e.g., project management, test plans, user acceptance testing procedures)

Application layer

A layer within the International Organization for Standardization (ISO)/Open Systems Interconnection (OSI) model. It is used in information transfers between users through application programs and other devices. In this layer various protocols are needed. Some of them are specific to certain applications and others are more general for network services.

Application maintenance review

An evaluation of any part of a project to perform maintenance on an application system (e.g., project management, test plans, user acceptance testing procedures)

Application program

A program that processes actions upon business data, such as data entry, update or query. It contrasts with systems program, such as an operating system or network control program, and with utility programs, such as copy or sort.

Application programming

The act or function of developing and maintaining applications programs in production

Application programming interface (API)

A set of routines, protocols and tools referred to as "building blocks" used in business application software development. A good API makes it easier to develop a program by providing all the building blocks related to functional characteristics of an operating system, which applications need to specify when, for example, interfacing with an operating system (e.g., provided by MS-Windows, different versions of UNIX). A programmer would utilize these APIs in developing applications that can operate effectively and efficiently on the platform chosen.

Application proxy

A proxy service that connects programs running on internal networks to services on exterior networks by creating two connections, one from the requesting client and another to the destination service

application security

Refers to the security aspects supported by the ERP, primarily with regard to the roles or responsibilities and audit trails within the applications

Application software tracing and mapping

Specialized tools that can be used to analyze the flow of data, through the processing logic of the application software, and document the logic, paths, control conditions and processing sequences. Both the command language or job control statements and programming language can be analyzed. This technique includes program/system: mapping, tracing, snapshots, parallel simulations and code comparisons.

Application system

An integrated set of computer programs designed to serve a particular function that has specific input, processing and output activities (e.g., general ledger, manufacturing resource planning, human resource management)

Arithmetic-logic unit (ALU)

The area of the central processing unit that performs mathematical and analytical operations

Artificial intelligence

Advanced computer systems that can simulate human capabilities, such as analysis, based on a predetermined set of rules

ASCII

(American Standard Code for Information Interchange)
An eight-digit/seven-bit code representing 128 characters; used in most small computers

ASP/MSP (application or managed service provider)

A third party that delivers and manages applications and computer services, including security services to multiple users via the Internet or a private network

Assembler

A program that takes as input a program written in assembly language and translates it into machine code or relocatable code

Assembly language

A low-level computer programming language which uses symbolic code and produces machine instructions

Asymmetric key (public key)

A cipher technique whereby different cryptographic keys are used to encrypt and decrypt a message (see public key cryptosystems)

Asynchronous Transfer Mode (ATM)

ATM is a high-bandwidth low-delay switching and multiplexing technology. It is a data link layer protocol. This means that it is a protocol-independent transport mechanism. ATM allows integration of real-time voice and video as well as data. ATM allows very high speed data transfer rates at up to 155 Mbit/s.

Asynchronous transmission

Character-at-a-time transmission

Attest reporting engagement

An engagement where an IS auditor is engaged to either examine management’s assertion regarding particular a subject matter or the subject matter directly. The IS auditor’s report consists of an opinion on one of the following:
* The subject matter. These reports relate directly to the subject matter itself rather than an assertion. In certain situations management will not be able to make an assertion over the subject of the engagement. An example of this situation is when IT services are out-sourced to third party. Management will not ordinarily be able to make an assertion over the controls that the third-party is responsible for. Hence, an IS auditor would have to report directly on the subject matter rather than an assertion

* Management’s assertion about the effectiveness of the control procedures

* Examination reporting engagement where the IS auditor is engaged to issue an opinion on particular subject matter. These engagements can include reports on controls implemented by management and on their operating effectiveness

Attitude

Way of thinking, behaving, feeling, etc.

Attribute sampling

An audit technique used to select items from a population for audit testing purposes based on selecting all those items that have certain attributes or characteristics (such as all items over a certain size)

Audit

The process of generating, recording and reviewing a chronological record of system events to ascertain their accuracy

Audit accountability

Performance measurement of service delivery including cost, timeliness and quality against agreed service levels

Audit authority

A statement of the position within the organization, including lines of reporting and the rights of access

Audit charter

A document which defines the IS audit function's responsibility, authority and accountability

Audit evidence

The information systems auditor (IS auditor) gathers information in the course of performing an IS audit. The information used by the IS auditor to meet audit objectives is referred to as audit evidence (evidence). Also used to describe the level of risk that an auditor is prepared to accept during an audit engagement.

Audit expert systems

Expert or decision support systems that can be used to assist IS auditors in the decision-making process by automating the knowledge of experts in the field. This technique includes automated risk analysis, systems software and control objectives software packages.

Audit objective

The specific goal(s) of an audit. These often center on substantiating the existence of internal controls to minimize business risk.

Audit plan

A high level description of the audit work to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience and other general aspects of the work.

Audit program

A series of steps to complete an audit objective

Audit responsibility

The roles, scope and objectives documented in the service level agreement between management and audit

Audit risk

The risk of giving an incorrect audit opinion

Audit sampling

The application of audit procedures to less than 100 percent of the items within a population to obtain audit evidence about a particular characteristic of the population

Audit trail

A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source

auditability

The level to which transactions can be traced and audited through a system

Authentication

The act of verifying the identity of a system entity (e.g., a user, a system, a network node) and the entity’s eligibility to access computerized information. Designed to protect against fraudulent logon activity. Authentication can also refer to the verification of the correctness of a piece of data.

authorization

The process of determining what types of activities are permitted. Ordinarily, authorisation is in the context of authentication: once you have authenticated a user, he/she may be authorised to perform different types of access or activity

Automated teller machine (ATM)

A 24-hour, stand-alone mini-bank, located outside branch bank offices or in public places like shopping malls. Through ATMs, clients can make deposits, withdrawals, account inquiries and transfers. Typically, the ATM network is comprised of two spheres: a proprietary sphere, in which the bank manages the transactions of its clients, and the public or shared domain, in which a client of one financial institution can use another’s ATMs.

Availability

Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

Backup

Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service

Bandwidth

The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).

Bar case

A standardized body of data created for testing purposes. Users normally establish the data. Base case validates production application systems and tests the ongoing accurate operation of the system.

Bar code

A printed machine-readable code that consists of parallel bars of varied width and spacing

Base case

A standardized body of data created for testing purposes. Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system.

Baseband

A form of modulation in which data signals are pulsed directly on the transmission medium without frequency division and usually utilize a transceiver. In baseband the entire bandwidth of the transmission medium (e.g., coaxial cable) is utilized for a single channel.

Batch control

Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage. There are two main forms of batch controls: 1) sequence control, which involves numbering the records in a batch consecutively so that the presence of each record can be confirmed, and 2) control total, which is a total of the values in selected fields within the transactions.

Batch processing

The processing of a group of transactions at the same time. Transactions are collected and processed against the master files at a specified time.

Baud rate

The rate of transmission for telecommunication data. It is expressed in bits per second (bps).

Benchmark

A test that has been designed to evaluate the performance of a system. In a benchmark test, a system is subjected to a known workload and the performance of the system against this workload is measured. Typically, the purpose is to compare the measured performance with that of other systems that have been subject to the same benchmark test.

Binary code

A code whose representation is limited to 0 and 1

Biometric locks

Door and entry locks that are activated by such biometric features as voice, eye retina, fingerprint or signature

Biometrics

A security technique that verifies an individual’s identity by analyzing a unique physical attribute, such as a handprint

Black box testing

A testing approach which focuses on the functionality of the application or product and does not require knowledge of the code intervals.

Blackbox testing

A testing approach which focuses on the functionality of the application or product and does not require knowledge of the code intervals

Border router

See external router.

Bridge

A device that connects two similar networks together

Broadband

In broadband, multiple channels are formed by dividing the transmission medium into discrete frequency segments. It generally requires the use of a modem.

Brouters

Devices that perform the functions of both bridges and routers, are called brouters. Naturally, they operate at both the data link and the network layers. A brouter connects same data link type LAN segments as well as different data link ones, which is a significant advantage. Like a bridge it forwards packets based on the data link layer address to a different network of the same type. Also, whenever required, it processes and forwards messages to a different data link type network based on the network protocol address. When connecting same data link type networks, they are as fast as bridges besides being able to connect different data link type networks.

browser

A computer program that enables the user to retrieve information that has been made publicly available on the Internet; also, that permits multimedia (graphics) applications on the World Wide Web

Brute force

The name given to a class of algorithms that repeatedly try all possible combinations until a solution is found

BSP (business service provider)

An ASP that also provides outsourcing of business processes such as payment processing, sales order processing and application development

budget

Estimated cost and revenue amounts for a given range of periods and set of books. There can be multiple budget versions for the same set of books.

budget formula

A mathematical expression used to calculate budget amounts based on actual results, other budget amounts and statistics. With budget formulas, budgets using complex equations, calculations and allocations can be automatically created.

budget hierarchy

A group of budgets linked together at different levels such that the budgeting authority of a lower-level budget is controlled by an upper-level budget.

budget organization

An entity (department, cost center, division or other group) responsible for entering and maintaining budget data.

Buffer

Memory reserved to temporarily hold data. Buffers are used to offset differences between the operating speeds of different devices, such as a printer and a computer. In a program, buffers are reserved areas of RAM that hold data while they are being processed.

Bulk data transfer

A data recovery strategy that includes a recovery from complete backups that are physically shipped off site once a week. Specifically, logs are batched electronically several times daily, and then loaded into a tape library located at the same facility as the planned recovery.

Bus

Common path or channel between hardware devices. It can be between components internal to a computer or between external computers in a communications network.

Bus topology

A type of local area network (LAN) architecture in which each station is directly attached to a common communication channel. Signals transmitted over the channel take the form of messages. As each message passes along the channel, each station receives it. Each station then determines, based on an address contained in the message, whether to accept and process the message or simply to ignore it.

Business impact analysis (BIA)

An exercise that determines the impact of losing the support of any resource to an organization and establishes the escalation of that loss over time, identifies the minimum resources needed to recover and prioritizes the recovery of processes and supporting systems

business process integrity

Controls over the business processes that are supported by the ERP

Business process reengineering (BPR)

Modern expression for organizational development stemming from IS/IT impacts. The ultimate goal of BPR is to yield a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings. To reengineer means to redesign a structure and procedures with intelligence and skills, while being well informed about all of the attendant factors of a given situation, so as to obtain the maximum benefits from mechanization as basic rationale.

Business risk

Risks that could impact the organization’s ability to perform business or provide a service. They can be financial, regulatory or control oriented.

Business-to-consumer e-commerce (B2C)

Refers to the processes by which organisations conduct business electronically with their customers and or public at large using the Internet as the enabling technology.

Bypass label processing (BLP)

A technique of reading a computer file while bypassing the internal file/data set label. This process could result in bypassing of the security access control system.

CAATs

See computer-assisted audit techniques

Cadbury

The Committee on the Financial Aspects of Corporate Governance, set up in May 1991 by the UK Financial Reporting Council, the London Stock Exchange and the UK accountancy profession, was chaired by Sir Adrian Cadbury and produced a report on the subject commonly known, in the UK, as the Cadbury Report.

Capacity stress testing

Testing an application with large quantities of data to evaluate its performance during peak periods. It also is called volume testing.

Card swipes

A physical control technique that uses a secured card or ID to gain access to a highly sensitive location. Card swipes, if built correctly, act as a preventative control over physical access to those sensitive locations. After a card has been swiped, the application attached to the physical card swipe device logs all card users that try to access the secured location. The card swipe device prevents unauthorized access and logs all attempts to enter the secured location.

Cathode ray tube (CRT)

A vacuum tube that displays data by means of an electron beam striking the screen, which is coated with suitable phosphor material or a device similar to a television screen upon which data can be displayed

Central office (CO)

A telecommunications carrier’s facilities in a local area in which service is provided where local service is switched to long distance

Central processing unit (CPU)

Computer hardware that houses the electronic circuits that control/direct all operations of the computer system

Centralized data processing

Identified by one central processor and databases that form a distributed processing configuration

Certificate authority (CA)

A trusted third party that serves authentication infrastructures or organizations and registers entities and issues them certificates

Certificate Revocation List

A list of retracted certificates

Challenge/response token

A method of user authentication. Challenge response authentication is carried out through use of the Challenge Handshake Authentication Protocol (CHAP). When a user tries to log into the server, the server sends the user a "challenge," which is a random value. The user enters a password, which is used as an encryption key to encrypt the "challenge" and return it to the server. The server is aware of the password. It, therefore, encrypts the "challenge" value and compares it with the value received from the user. If the values match, the user is authenticated.

The challenge/response activity continues throughout the session and this protects the session from password sniffing attacks. In addition, CHAP is not vulnerable to "man in the middle" attacks as the challenge value is a random value that changes on each access attempt.

Check digit

A numeric value, which has been calculated mathematically, is added to data to ensure that original data have not been altered or that an incorrect, but valid match has occurred. This control is effective in detecting transposition and transcription errors.

Check digit verification (self-checking digit)

A programmed edit or routine that detects transposition and transcription errors by calculating and checking the check digit

Checkpoint restart procedures

A point in a routine at which sufficient information can be stored to permit restarting the computation from that point

Ciphertext

Information generated by an encryption algorithm to protect the plaintext. The ciphertext is unintelligible to the unauthorized reader.

Circuit-switched network

A data transmission service requiring the establishment of a circuit-switched connection before data can be transferred from source data terminal equipment (DTE) to a sink DTE. A circuit-switched data transmission service uses a connection network.

Circular routing

In open systems architecture, circular routing is the logical path of a message in a communications network based on a series of gates at the physical network layer in the open systems interconnection (OSI) model.

Cleartext

Data that is not encrypted. Also known as plaintext.

Client-server

A group of computers connected by a communications network, where the client is the requesting machine and the server is the supplying machine. Software is specialized at both ends. Processing may take place on either the client or the server but it is transparent to the user.

Cluster controller

A communications terminal control hardware unit that controls a number of computer terminals. All messages are buffered by the controller and then transmitted to the receiver.

Coaxial cable

It is composed of an insulated wire that runs through the middle of each cable, a second wire that surrounds the insulation of the inner wire like a sheath, and the outer insulation which wraps the second wire. Coaxial cable has a greater transmission capacity than standard twisted-pair cables but has a limited range of effective distance.

COBIT®

Control Objectives for Information and related Technology, the international set of IT control objectives published by ISACF,® 2000, 1998, 1996

COCO

Criteria Of Control, published by the Canadian Institute of Chartered Accountants in 1995

Cohesion

The extent to which a system unit--subroutine, program, module, component, subsystem--performs a single dedicated function. Generally, the more cohesive are units, the easier it is to maintain and enhance a system, since it is easier to determine where and how to apply a change.

Cold site

An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event the users have to move from their main computing location to the alternative computer facility.

Combined Code on Corporate Governance

The consolidation in 1998 of the "Cadbury," "Greenbury" and "Hampel" Reports. Named after the Committee Chairs, these reports were sponsored by the UK Financial Reporting Council, the London Stock Exchange, the Confederation of British Industry, the Institute of Directors, the Consultative Committee of Accountancy Bodies, the National Association of Pension Funds and the Association of British Insurers to address the Financial Aspects of Corporate Governance, Directors' Remuneration and the implementation of the Cadbury and Greenbury recommendations.

Communications controller

Small computers used to connect and coordinate communication links between distributed or remote devices and the main computer, thus freeing the main computer from this overhead function

Comparison program

A program for the examination of data, using logical or conditional tests to determine or to identify similarities or differences

Compensating control

An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions

Compiler

A program that translates programming language (source code) into machine executable instructions (object code)

Completeness check

A procedure designed to ensure that no fields are missing from a record

Compliance testing

Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period

Components (as in component-based development)

Cooperating packages of executable software that make their services available through defined interfaces. Components used in developing systems may be commercial off-the-shelf software (COTS) or may be purposely built. However, the goal of component-based development is to ultimately use as much predeveloped, pretested components as possible.

Comprehensive audit

An audit designed to determine the accuracy of financial records, as well as evaluate the internal controls of a function or department

Computationally greedy

Requiring a great deal of computing power; processor intensive

Computer sequence checking

Verifies that the control number follows sequentially and any control numbers out of sequence are rejected or noted on an exception report for further research

computer server

1) A computer dedicated to servicing requests for resources from other computers on a network. Servers typically run network operating systems. 2) A computer that provides services to another computer (the client).

Computer-aided software engineering (CASE)

The use of software packages that aid in the development of all phases of an information system. System analysis, design programming and documentation are provided. Changes introduced in one CASE chart will update all other related charts automatically. CASE can be installed on a microcomputer for easy access.

Computer-assisted audit technique (CAATs)

Any automated audit technique, such as generalized audit software, test data generators, computerized audit programs and specialized audit utilities

Concurrent access

A fail-over process, in which all nodes run the same resource group (there can be no IP or MAC addresses in a concurrent resource group) and access the external storage concurrently

Confidentiality

Confidentiality concerns the protection of sensitive information from unauthorized disclosure

Console log

An automated detail report of computer system activity

consumer

One who obtains products or services from a bank to be used primarily for personal, family or household purposes.

Content filtering

Controlling access to a network by analyzing the contents of the incoming and outgoing packets and either letting them pass or denying them based on a list of rules. Differs from packet filtering in that it is the data in the packet that are analyzed instead of the attributes of the packet itself (e.g., source/target IP address, TCP flags).

Continuity

The acts preventing, mitigating and recovering from disruption. The terms business resumption planning, disaster recovery planning and contingency planning also may be used in this context; they all concentrate on the recovery aspects of continuity.

Continuous auditing approach

This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.

Control group

Members of the operations area that are responsible for the collection, logging and submission of input for the various user groups

Control objective

The objectives of management that are used as the framework for developing and implementing controls (control procedures).

Control Objectives for Enterprise Governance

A discussion document which sets out an "Enterprise Governance Model" focusing strongly on both the enterprise business goals and the information technology enablers which facilitate good enterprise governance, published by the Information Systems Audit and Control Foundation in 1999

Control perimeter

The boundary defining the scope of control authority for an entity. For example, if a system is within the control perimeter, the right and ability exists to control it in response to an attack.

Control risk

The risk that an error which could occur in an audit area, and which could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system

control risk self-assessment

An empowering method/process by which management and staff of all levels collectively identify and evaluate IS related risks and controls under the guidance of a facilitator who could be an IS auditor. The IS auditor can utilise CRSA for gathering relevant information about risks and controls and to forge greater collaboration with management and staff. CRSA provides a framework and tools for management and employees to:
*Identify and prioritise their business objectives.
*Assess and manage high risk areas of business processes.
*Self-evaluate the adequacy of controls.
*Develop risk treatment recommendations

Control section

The area of the central processing unit (CPU) that executes software, allocates internal memory and transfers operations between the arithmetic-logic, internal storage and output sections of the computer

Control weakness

A deficiency in the design or operation of a control procedure. Control weaknesses can potentially result in risks relevant to the area of activity not being reduced to an acceptable level (relevant risks are those that threaten achievement of the objectives relevant to the area of activity being examined). Control weaknesses can be material when the design or operation of one or more control procedures does not reduce to a relatively low level the risk that misstatements caused by illegal acts or irregularities may occur and not be detected by the related control procedures.

Controls

(Control procedures) Those policies and procedures implemented to achieve a related control objective

corporate exchange rate

An exchange rate, which can be used optionally to perform foreign currency conversion. The corporate exchange rate is generally a standard market rate determined by senior financial management for use throughout the organization.

Corporate governance

"...the structure through which the objectives of an organization are set, and the means of attaining those objectives, and determines monitoring performance guidelines. Good corporate governance should provide proper incentives for board and management to pursue objectives that are in the interests of the company and stakeholders and should facilitate effective monitoring, thereby encouraging firms to use resources more efficiently." (Source: Principles of Corporate Governance, 1999 issued by the Organization for Economic Cooperation and Development (OECD))

Corrective controls

These controls are designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected.

COSO

A report on "Internal Control--An Integrated Framework" sponsored by the Committee of Sponsoring Organizations of the Treadway Commission in 1992. It provides guidance and a comprehensive framework of internal control for all organizations.

Coupling

Measure of interconnectivity among software program modules’ structure. Coupling depends on the interface complexity between modules. This can be defined as the point at which entry or reference is made to a module, and what data passes across the interface. In application software design, it is preferable to strive for the lowest possible coupling between modules. Simple connectivity among modules results in software that is easier to understand, maintain and less prone to a ripple or domino effect caused when errors occur at one location and propagate through the system.

Coverage

The proportion of known attacks detected by an intrusion detection system

Credentialed analysis

In vulnerability analysis, passive monitoring approaches in which passwords or other access credentials are required. This sort of check usually involves accessing a system data object.

credit risk

The risk to earnings or capital arising from an obligor’s failure to meet the terms of any contract with the bank or otherwise to perform as agreed. Internet banking provides the opportunity for banks to expand their geographic range. Customers can reach a given bank from literally anywhere in the world. In dealing with customers over the Internet, absent any personal contact, it is challenging for banks to verify the good faith of their customers, which is an important element in making sound credit decisions.

Criteria

The standards and benchmarks used to measure and present the subject matter and against which the IS auditor evaluates the subject matter. Criteria should be:
Objective—free from bias
Measurable—provide for consistent measurement
Complete—include all relevant factors to reach a conclusion
Relevant—relate to the subject matter

Cross-certification

A certificate issued by one certification authority to a second certification authority so that users of the first certification authority are able to obtain the public key of the second certification authority and verify the certificates it has created. Often cross certification refers specifically to certificates issued to each other by two CAs at the same level in a hierarchy.

Cryptography

The art of designing, analyzing and attacking cryptographic schemes