Flashcards in Glossary of Terms Deck (182)
tracing and mapping
Specialized tools that can be used to analyze the flow of data through the processing logic of the application software and document the logic, paths, control conditions and processing sequences
Scope Note: Both the command language or job control statements and programming language can be analyzed. This technique includes program/system: mapping, tracing, snapshots, parallel simulations and code comparisons.
An integrated set of computer programs designed to serve a particular function that has specific input, processing and output activities
Scope Note: Examples include general ledger, manufacturing resource planning and human resource (HR) management.
Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support enterprise objectives
A group of stakeholders and experts who are accountable for guidance on enterprise‐architecture‐related matters and decisions, and for setting architectural policies and standards.
Scope Note: COBIT 5 perspective
Arithmetic Logic Unit (ALU)
The area of the central processing unit (CPU) that performs mathematical and analytical operations
Artificial Intelligence (AI)
Advanced computer systems that can simulate human capabilities, such as analysis, based on a predetermined set of rules.
Representing 128 characters, the American Standard Code for Information Interchange (ASCII) code normally uses 7 bits. However, some variations of the ASCII code set allow 8 bits. This 8‐bit ASCII code allows 256 characters to be represented.
A program that takes as input a program written in assembly language and translates it into machine code or machine language
A low‐level computer programming language which uses symbolic code and produces machine
Any formal declaration or set of declarations about the subject matter made by management.
Scope Note: Assertions should usually be in writing and commonly contain a list of specific attributes about the subject matter or about a process involving the subject matter.
A broad review of the different aspects of a company or function that includes elements not covered by a structured assurance initiative.
Scope Note: May include opportunities for reducing the costs of poor quality, employee perceptions on quality aspects, proposals to senior management on policy, goals, etc.
Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation
Pursuant to an accountable relationship between two or more parties, an IT audit and assurance professional is engaged to issue a written communication expressing a conclusion about the subject matters for which the accountable party is responsible. Assurance refers to a number of related activities designed to provide the reader or user of the report with a level of assurance or comfort over the subject matter.
Scope Note: Assurance engagements could include support for audited financial statements, reviews of controls, compliance with required standards and practices, and compliance with agreements, licenses, legislation and regulation.
An objective examination of evidence for the purpose of providing an assessment on risk management, control or governance processes for the enterprise.
Scope Note: Examples may include financial, performance, compliance and system security engagements
An objective examination of evidence for the purpose of providing an assessment on risk management, control or governance processes for the enterprise.
Scope Note: Examples may include financial, performance, compliance and system security engagements.
Asymmetric key (public
A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message
Scope Note: See Public key encryption.
A high‐bandwidth low‐delay switching and multiplexing technology that allows integration of real‐time voice and video as well as data. It is a data link layer protocol.
Scope Note: ATM is a protocol‐independent transport mechanism. It allows high‐speed data transfer rates at up to 155 Mbit/s.
The acronym ATM should not be confused with the alternate usage for ATM, which refers to an automated teller machine.
An actual occurrence of an adverse event
A method used to deliver the exploit. Unless the attacker is personally performing the attack, an attack mechanism may involve a payload, or container, that delivers the exploit to the target.
A path or route used by the adversary to gain access to the target (asset)
Scope Note: There are two types of attack vectors: ingress and egress (also known as data exfiltration)
Reduction of signal strength during transmission
An engagement in which an IS auditor is engaged to either examine management’s assertion regarding a particular subject matter or the subject matter directly
Scope Note: The IS auditor’s report consists of an opinion on one of the following: The subject matter. These reports relate directly to the subject matter itself rather than to an assertion. In certain situations management will not be able to make an assertion over the subject of the engagement. An example of this situation is when IT services are outsourced to a third party. Management will not ordinarily be able to make an assertion over the controls that the third party is responsible for. Hence, an IS auditor would have to report directly on the subject matter rather than on an assertion.
Way of thinking, behaving, feeling, etc
Method to select a portion of a population based on the presence or absence of a certain
Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met.
Scope Note: May be carried out by internal or external groups
Performance measurement of service delivery including cost, timeliness and quality against agreed
A statement of the position within the enterprise, including lines of reporting and the rights of
A document approved by those charged with governance that defines the purpose, authority and responsibility of the internal audit activity
Scope Note: The charter should:
‐ Establish the internal audit function’s position within the enterprise
‐ Authorise access to records, personnel and physical properties relevant to the performance of IS audit and assurance engagements.
‐ Define the scope of audit function’s activities