Glossary
The public sector covers such a wide and diverse range of services and organisations that this glossary can provide only an indication of the terminology that is commonly used.
Assurance
An evaluated opinion, based on evidence gained from review, on the organisation’s governance, risk management and internal control framework.
Assurance framework
A structured means of identifying and mapping the main sources of assurance in an organisation, and co-ordinating them to best effect.
Assurance mapping
A mechanism for linking assurances from various sources to the risks that threaten the achievement of an organisation’s outcomes and objectives.
Audit committee
The governance group, independent of the executive, charged with providing oversight of the adequacy of the risk management framework, the internal control environment and the integrity of financial reporting.
Corporate governance
The system by which organisations are directed and controlled.
External audit
Independent, qualified person(s) who carry out a review to give assurance to external stakeholders on an entity’s financial statements, systems and processes.
Governance
The arrangements put in place to ensure that the intended outcomes for stakeholders are defined and achieved. They include political, economic, social, environmental, administrative, legal and other arrangements.
Governance statement
A public report on the extent to which organisations comply with their own code of governance on an annual basis, including how they have monitored the effectiveness of their governance arrangements in the year, and on any planned changes in the coming period. The process of preparing the governance statement should itself add value to the corporate governance and internal control framework of an organisation.
Head of internal audit opinion
The internal auditor’s opinion is usually expressed within an annual report, and is a key aspect of the review of the effectiveness of the governance statement.
The opinion is usually expressed as providing reasonable, not absolute, assurance on the effectiveness of the governance, risk management and control framework, given that audit cannot review every risk, control or process in the organisation. The concept of materiality is an important part of the opinion, in that only those issues that would significantly affect the operation of controls, or the exposure to significant risk, form part of the auditor’s conclusion.
Governing body
The person(s) or group with primary responsibility for overseeing an entity’s strategic direction, operations and accountability.
Internal audit
An independent, objective assurance and consulting activity designed to add value and improve the organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Internal control
Risk
The effect of uncertainty on objectives. The effect can be negative (threats, loss, harm) or positive (opportunities).
Audit risk
Inherent risk
The risk that an activity would pose if no controls or other mitigating factors were in place (gross risk or risk before controls).
Residual risk
The risk that remains after controls are taken into account (net risk or risk after controls).
Risk appetite/tolerance
The amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any point in time.
Risk management
Co-ordinated activities to direct and control an organisation with regard to risk. The term is usually applied to a logical and systematic method of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating the risks associated with any activity, function or process in a way that will enable the organisation to minimise losses and maximise opportunities.
Risk policy/strategy
A document incorporating the risk management objectives (mission), procedures to implement the risk management process, and risk management structure.
Risk register
A document, which may incorporate the organisation’s risk assessment, identifying the key risks, the non-key or contributory risks, the allocation of responsibility for each, the controls in place, and an assessment of significance (eg high, medium, low).