Anchoring bias
Relying too heavily on the first piece of information you hear when making a decision.
Audit universe
The complete list of everything in a company that could potentially be audited.
Availability bias
Thinking an event is more likely simply because it is easy to remember or picture in your mind.
Benford analysis
A mathematical test that checks if digits in a dataset follow a natural pattern to detect potential fraud.
Black Swans
Extremely rare and unpredictable events that have a massive impact and only seem obvious after they happen.
Board
The top governing group (like a board of directors) responsible for overseeing the organization.
Cash larceny
Stealing a company's money after it has already been recorded in the accounting books.
COBIT
The standard "best practices" framework used specifically for managing and controlling IT.
Confirmation bias
Only looking for or believing information that proves what you already think is true.
Control activities
Specific actions, policies, and rules established to lower risks and carry out management directives.
Control matrix
A table used to check if your control plans actually match your specific goals.
Control self-assessments (CSA)
When the people actually doing the tasks check their own risks and controls.
Corporate governance
The general system used to direct and lead a company while balancing stakeholder interests.
Corruption
When an employee wrongly uses their power for personal gain, such as taking a bribe.
Data
Raw, unorganized facts and observations collected by a system.
Deficiency
A weak spot or shortcoming in the risk management system that needs to be fixed.
Enterprise risk management (ERM)
The culture and practices a company uses to handle risks while trying to create value.
Enterprise-wide information systems (ERP)
Software that connects and unifies all of a company's data across every department into one system.
Event identification
Spotting potential occurrences—both risks and opportunities—that affect goals.
External corporate governance characteristics
Rules and processes outside a company's control, like the legal system or capital markets.
Framing effects
Reaching different conclusions depending on how the same information is presented.
Fraud
Intentionally deceiving someone to get an illegal or unfair advantage.
Fraudulent disbursement
A scheme where an employee illegally causes the company to pay out funds in a way that looks legitimate.
Fraud risk factors
Events or conditions that provide an incentive, opportunity, or rationalization to commit fraud.
Fraud Triangle
A model showing that fraud is most likely when there is incentive (pressure), opportunity (weak rules), and rationalization (an excuse).
Gambler's fallacy
Wrongly thinking that past random events change the chances of what happens next.
Ghost employee
Someone listed on the company payroll who does not actually work there.
Heavy-tailed distribution
A statistical pattern where extreme "outlier" events happen much more often than a normal "bell curve" predicts.
Hindsight bias
The "I-knew-it-all-along" feeling where past events seem more predictable than they really were.
Illusion of control
Overestimating how much influence you actually have over random external events.
Information
Data that has been organized and cleaned up so it actually has meaning for a user.
Information bias
The tendency to look for information even when it won't change your decision or action.
Information overload
Having so much info that you can't process it, which makes your decision-making worse.
Information systems
The integrated set of computer and manual components used to collect, store, and manage data.
Inherent limitations
The reality that no system is perfect because humans make mistakes and controls have costs.
Inherent risk
The level of risk that exists before you do anything to stop it.
Insensitivity to sample size
The tendency to expect small samples to look just like large populations, ignoring natural variation.
Internal control
A process used by the board and staff to give reasonable (not 100%) confidence that the company is meeting its goals.
Internal corporate governance characteristics
Structures within a company's control, like the board structure and internal control systems.
Internal environment
The "vibe" or culture of a company that determines how its people view and handle risk.
IT application controls
Automated checks inside software to catch errors and ensure data is accurate and valid.
IT general controls (ITGC)
Broad controls for the whole IT system, like security and password rules, to keep the environment safe.
Management intervention
Bosses breaking the rules for a legitimate, good reason, like handling a rare, non-standard event.
Management override
Bosses breaking the rules for bad reasons, like to hide losses or steal.
Mission
The core reason why an organization exists.
Overconfidence effect
Being excessively sure that your own answers or predictions are correct.
Reasonable assurance
The idea that risk management cannot guarantee success, but it can make it very likely.
Residual risk
The risk that is left over after you have put controls in place.
Retrievability bias
Thinking something is more likely because similar events are easy to remember from your past.
Risk
The chance that something happens that hurts your ability to reach your objectives.
Risk appetite
The broad level of risk a company is willing to take to get what it wants.
Risk assessment
The process of figuring out how likely a risk is and how much it would hurt.
Risk culture
The system of values and behaviors that shapes how management and staff make risk decisions.
Risk map
A visual graph showing the likelihood and impact of various risks.
Risk philosophy
The shared beliefs and attitudes about how a company considers risk in everything it does.
Risk response
The strategy for managing risk—choosing to accept, avoid, reduce, share, or pursue it.
Risk tolerance
The specific, measurable amount of variation a company can handle in its goals.
Risk universe
The full range of every risk that could possibly affect an organization.
Segregation of duties
Dividing tasks among different people so no one can steal or make a major error without help.
Skimming
Stealing money before it is ever entered into the company's accounting system.
SMART objectives
Goals that are Specific, Measurable, Achievable, Results-oriented, and Time-bound.
Stakeholders
People or groups affected by the company, such as employees, customers, and suppliers.
Strategic objectives
Big-picture goals that show how a company will achieve its mission.
Survivorship bias
Only looking at the "survivors" or winners of an event and ignoring the failures that disappeared.
Tone at the top
The ethical atmosphere created by the actions and values of the management team.
Vision
Similar to a mission; it defines the purpose and future aim of the organization.
Zero-risk bias
Preferring to totally eliminate a tiny risk rather than making a bigger reduction in a much larger risk.