GRC delivered with insight and integrity

Glossary

access control: Access control refers to what a person can do in a computer system or application once he/she has signed on. Role-based access control defines a person’s access to transactions according to their job function.

accounting controls: Procedures and documentation concerned with safeguarding of assets, the conduct and recording of financial transactions, and the reliability of financial records.

audit committee: A committee, often including members of the board of directors, responsible for overseeing financial reporting and internal controls.

automated controls: Internal controls that are executed automatically by computer systems. Manual controls are executed by a person charged with that task and are typically performed on a subset of transactions and data. Automated controls can be executed on every relevant transaction or data element, ensuring greater accuracy with less effort.

Basel II: An international standard for banking that regulators can use when making regulations on how much capital banks must have to offset potential risk. The more risk a bank has, the more capital it should have in place to ensure that it stays solvent. The regulation was the second such standard issued by the Basel Committee on Banking Supervision, and hence the name Basel II.

C-11: A 2005 Canadian law that establishes a procedure for the disclosure of wrongdoings in the public sector and ensures protection for the person who discloses them.

CAFTA-DR: Dominican Republic-Central America-United States Free Trade Agreement. According to the USDA’s web site, “CAFTA-DR is a comprehensive trade agreement among Costa Rica, the Dominican Republic, El Salvador, Guatemala, Honduras, Nicaragua, and the United States.”

CCO (Chief Compliance Officer): A corporate official in charge of overseeing and managing compliance issues within an organization, ensuring that a company is complying with regulatory requirements, and that the company is complying with internal policies and procedures.

CFO (Chief Financial Officer): Responsible for a company’s finances, the CFO typically reports to the CEO and is a member of the company’s board of directors.

chart of accounts: A list of all accounts tracked by a single accounting system. Most charts of accounts classify each account into one of five categories: Assets, Liabilities, Equity, Income, or Expenses.

CIO (Chief Information Officer): An executive who is responsible for a company’s IT strategy and infrastructure. The CIO may or may not sit on the company’s board of directors and typically reports to the CEO. Some organizations have two related roles: the CIO and the CTO (chief technology officer), putting the former in charge of the flow of information and the latter in charge of IT infrastructure.

Clause 49: An Indian law enacted in 2005 that regulates companies that trade on the Indian Stock Exchange. It requires that companies establish risk management processes, report on their internal controls (and unlike SOX, all internal controls, not just financial internal controls must be certified), have an appropriate number of independent directors, establish a code of conduct, and issue a compliance report.

CLERP 9: An Australian law comparable to, though less stringent than, SOX. CLERP 9 is part of the Corporate Law Economic Reform Program (CLERP).

COBIT: Published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA), COBIT (Control Objectives for Information and Related Technologies) provides an IT governance framework to manage risk and compliance issues based on best practices.

compliance: The C in GRC, compliance is the act of adhering to and demonstrating adherence with laws, regulations, or policies. Compliance relates not just to financial regulations but also to regulations in a host of other areas including the environment, global trade, worker safety and privacy.

COO (Chief Operating Officer): Also called a Chief Operations Officer, an executive in charge of the company’s day-to-day operations.

corrective controls: Internal controls that come into play once a problem is discovered. An example would be removing access from users who have excessive privileges or executing a backup and recovery plan after a physical disaster has occurred.

COSO (Committee of Sponsoring Organizations): COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative that studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies, the SEC and other regulators, and educational institutions.

CPM (Corporate Performance Management): A combination of strategy management, planning, reporting and consolidation, and revenue, cost, and profitability modelling that enables companies to measure their performance and improve it.

CRO (Chief Risk Officer): Sometimes also called the Chief Risk Management Officer, an executive in charge of enterprise risk management and the compliance efforts of a company.

CSO (Chief Sustainability Officer): An executive in charge of the company’s emphasis on sustainability.

CSR (Corporate Social Responsibility): Through the practice of sustainability, companies practice a commitment to sustainable growth and ethics and promote the health and well-being of all stakeholders, including the community in which they are situated.

data privacy: Keeping data confidential requires protecting data, sometimes through security measures such as encryption. Data privacy is increasingly being regulated, especially as it relates to personal information that could be used to perpetrate crimes such as identity theft.

denied persons list: Also referred to as a denied parties list. Technically, a list that used to be referenced in the U.S. Export Administration Regulations, of specific persons who have been denied export privileges, in whole or in part. This term can also refer to a consolidated list of all restricted entities published by many different U.S., UN, and EU bodies.

detective controls: Internal controls that determine whether a bad event has already happened. For example, when a bank statement is received, it is reconciled to the customer’s records to detect processing errors by the bank or customer.

directive: A model law that the European Union sets out. Directives are implemented into specific laws by member nations.

ECA (European Chemicals Agency): An organization based in Helsinki, Finland that oversees the enforcement of REACH (Regulation on Registration, Evaluation, Authorisation and Restriction of Chemicals).

EUP (Energy Use in Products): An EU directive that requires companies to design products to use less energy.

European Directive on Data Protection: One of the first and most important pieces of data privacy legislation that specifically addresses Internet privacy.

FASB (Financial Accounting Standards Board): The official rulemaking body in the accounting profession.

FCPA (Foreign Corrupt Practices Act): A U.S. law enacted in 1977 but increasingly enforced in the 1980s and 1990s. Cases brought under the act doubled between 2006 and 2007. Under the act, companies can be prosecuted for their business partners’ corrupt practices, such as bribing local officials. It includes anti-bribery provisions as well as provisions relating to the accounting of partner firms, both in terms of internal accounting controls and the keeping of books and records.

Federal Trade Commission: An agency of the U.S. government that promotes fair trade. Among other things, the FTC enforces antitrust regulations and educates the public about identity theft.

financial compliance: Compliance relating to accounting-related laws such as Sarbanes-Oxley. Other types of compliance include global trade compliance and environmental compliance.

GAAP (Generally Accepted Accounting Principles): The standard framework of guidelines for financial accounting. It includes the standards, conventions, and rules accountants follow in recording and summarizing transactions and in the preparation of financial statements.

GHG (Green House Gases): Greenhouse gas emissions are increasingly the subject of emissions laws. Greenhouse gases include not only CO2, but also CH4, N2O, HFCs, PFCs, and SF6 as specified by the Kyoto Protocol.

governance: In business, governance develops and manages consistent, cohesive policies, processes, and decision-rights for a given area of responsibility. For example, managing issues at a corporate level such as privacy, internal investment, and the use of data.

GRAS (Generally recognized as safe): A U.S. Food and Drug Administration designation for food additives.

GRC (Governance, Risk, and Compliance): Risk management, governance, and compliance with regulations have traditionally been separate corporate functions. GRC is the business of how an organisation operates through the management of risk whilst remaining compliant with external and internal standards to optimise performance. GRC embraces how processes, controls, security and culture integrate to ensure the organisation has integrity.

GRI (Global Reporting Initiative): An international group that has created the G3 framework for sustainability reporting.

HCS (Hazard Communication Standard): An OSHA regulation that relates to handling and classification of hazardous materials.

HIPAA (Health Insurance Portability and Accountability Act): A 1996 U.S. regulation requiring all participants in the healthcare field to increase electronic communication and security of personal data. HIPAA also provides portability of health coverage for individuals.

HMR (Hazardous Materials Regulations): Issued by the U.S. Department of Transportation (USDOT) to regulate the transport of hazardous materials in the U.S. and for goods leaving or entering the U.S.

HTS (Harmonized Tariff System): An international, multipurpose classification system designed to improve the collection of import and export statistics. It is harmonised with the tariff schedules of the major trading nations of the world in that it follows a basic structure and has the same basic language. The rates of duty and the specific provisions vary from country to country.

IASB (International Accounting Standards Board): The international body governing the accounting profession.

ICS (Integrated Cargo System): The Australian Customs Service’s electronic customs initiative.

identity theft: The act of impersonating another for financial gain.

incident: In risk management, when a risk becomes a reality it is an incident. From the standpoint of employee health and safety, an accident or a near-miss is an incident.

internal control: A procedure or test designed to verify that a business process is achieving its goals efficiently and is protected from fraud and other forms of abuse.

IT GRC: Encompasses the software and hardware and related policies and procedures used to support compliance and risk management efforts from an IT perspective based on established best practices.

ITIL (IT Infrastructure Library): A framework of best practices for IT by the UK’s Office of Government Commerce.

J-SOX: The nickname for Japan’s Financial Instruments and Exchange Law, which was modelled on SOX.

KPI (Key Performance Indicator): A statistical measure of how well an organization is doing. KPIs represent quantifiable goals or targets established in a business’s strategic plan.

KRI (Key Risk Indicator): A statistical measure of risk that links directly to a unique or key corporate goal and initiative. It is the means by which the risk to that goal and its associated initiative is assessed.

KonTraG (The Act on Control and Transparency in Enterprises): A German law that specifies that companies must perform risk management in a way that allows them to address risks before they turn into incidents and in a way that aligns with their corporate objectives.

Kyoto Protocol: An international treaty regarding reduction of greenhouse gases. Some 170 nations have ratified the treaty, which is legally binding, but the U.S. is not among them.

LEED (Leadership in Energy and Environmental Design): A rating system created by the United States Green Building Council (USGBC) for green building and green renovation.

material weakness: A weakness that would be likely to affect the fair and true representation of the financial status of the corporation and thus the stock’s price once the weakness becomes known by the public.

mitigating controls: Controls that have an element of supervision in place to reduce risk involved with a violation of a rule. For example, a typical rule is that the same person should not be able to create a vendor and cut a check. In smaller branch offices, a person may have many such conflicting duties. To manage this, companies put in a mitigating control, such as having a supervisor review the transactions.

mitigation: Reducing the risk associated with a particular violation of a rule.

MSDS (Material Safety Data Sheet): A document required by OSHA that must accompany hazardous materials. The MSDS describes how to handle such a substance in transit, for example.

NAFTA (North American Free Trade Agreement): If certain requirements are met, goods exported from Canada or Mexico into the United States will qualify for reduced rates of duty (or may be duty-free) and may not require quota or visa.

negligence: A crime involving the failure to do something that was required. Negligence, unlike fraud, is easy to prove because intent is not required.

OCEG (Open Compliance and Ethics Group): A non-profit offering comprehensive guidance, standards, benchmarks, and tools for integrating GRC processes.

operational risks: Risks relating to the people, processes, and systems required to achieve a firm’s mission and objectives.

PCAOB (Public Company Accounting Oversight Board): A private non-profit that was created to oversee implementation of Sarbanes-Oxley.

Periodic User Review: Regular validation by business users in the organisational hierarchy as to the appropriateness of access for their workgroup.

Personal Information Privacy Act: A Japanese data privacy law.

Personal Information Protection and Electronic Documents Act: A Canadian data privacy law.

privacy: The right of an individual not to have data about them disclosed or used without consent.

process control: The concept of inserting internal controls into business processes so that they become part of the normal execution of that process.

REACH (Registration, Evaluation and Authorization of Chemicals): A European law that went into effect in June 2007 (though its provisions are being phased in over time). Companies must register substances that they produce in quantities of more than 1 ton per year. Alternatives should be substituted for dangerous chemicals where possible. The aim is to protect the quality of life of Europe’s citizens and its environment by tracking and setting limits on chemicals that come into the continent.

restatement: The resubmission of financial reports because of errors or mis-statements found during the audit process.

risk: Anything that impacts the achievement of an organization’s objectives. Types of risks include operational risks (fraud, for example), risks of non-compliance (not filing the proper documents to comply with legislation), and strategic risks (such as an incident that affects a brand’s reputation).

Risk analysis: A systematic use of available information to determine how often specified events may occur and the magnitude of their consequences.

risk appetite: Risk appetite is the amount of risk an entity is willing to accept in pursuit of objectives. It reflects that organization’s risk management philosophy and influences the organization’s culture and operating style.

risk management framework: A formalized process for managing risk on an explicit basis. The framework consists of a risk assessment, response, and accountability for the risk and mitigation activities around it.

risk mitigation: The processes built into the controls environment, such as policies, frameworks, and accountabilities, to reduce a risk.

risk response: The decision to accept a risk, decline a risk, treat or mitigate a risk, or share a risk with another party.

RoHS (Reduction of Hazardous Substances): A European directive that regulates the use of six substances: lead, mercury, cadmium, hexavalent chromium, polybrominated biphenyls, and polybrominated diphenyl ether.

SEC (Securities and Exchange Commission): Publicly traded U.S. companies must file annual reports with the SEC.

SoD (Segregation of Duties): The separation of conflicting tasks and their assignment to different persons. For example, taking a process that is too sensitive for one person to carry out alone and separating the tasks so that different users perform the key steps in the process. Segregation of duties helps to eliminate fraud.
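The access control, mitigating controls and SoD entries above describe one mechanism from three angles: roles grant transactions, an SoD rule names two transactions one person should not hold, and a mitigating control (such as supervisor review) is recorded where a conflict cannot be removed. The following is an added example written for this glossary, not code from Integrc or from any GRC product; every role, transaction, rule, user and mitigation in it is constructed sample data. It shows the two checks a practitioner would run: a design-time check for roles that are conflicting on their own, and a user-level check that reports each violation together with whether a mitigating control is on file.

```python
"""Added example (not from the glossary): a minimal segregation-of-duties (SoD)
check over role-based access assignments. All identifiers below are constructed."""

# Constructed role -> transaction mapping. In role-based access control a role
# grants the set of transactions a job function needs.
ROLES = {
    "AP_CLERK": {"CREATE_VENDOR", "ENTER_INVOICE"},
    "AP_PAYMENTS": {"CUT_CHECK"},
    "AP_SUPERVISOR": {"APPROVE_PAYMENT", "ENTER_INVOICE"},
    "BRANCH_MANAGER": {"CREATE_VENDOR", "CUT_CHECK", "APPROVE_PAYMENT"},
}

# Constructed SoD rules: pairs of transactions one person should not hold.
# SOD-01 is the glossary's own example (create a vendor and cut a check).
SOD_RULES = {
    "SOD-01": ("CREATE_VENDOR", "CUT_CHECK"),
    "SOD-02": ("ENTER_INVOICE", "APPROVE_PAYMENT"),
}

# Constructed user -> role assignments.
USERS = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_PAYMENTS"},   # conflict arises across two roles
    "carol": {"BRANCH_MANAGER"},           # conflict sits inside a single role
    "dave": {"AP_SUPERVISOR"},             # conflict sits inside a single role
}

# Constructed mitigating controls: (user, rule) -> description of the
# supervisory review that compensates for the violation.
MITIGATIONS = {
    ("carol", "SOD-01"): "Regional controller reviews weekly vendor and check log",
}


def conflicting_roles():
    """Design-time check: roles whose own transactions already violate a rule.
    Returns {role: [rule ids]} for every such role."""
    bad = {}
    for role, txns in ROLES.items():
        hits = [rid for rid, (a, b) in SOD_RULES.items() if a in txns and b in txns]
        if hits:
            bad[role] = hits
    return bad


def effective_transactions(user):
    """Union of transactions granted by all roles assigned to the user."""
    return set().union(*(ROLES[r] for r in USERS.get(user, ())))


def sod_violations(user):
    """User-level check: one record per SoD rule the user's access violates,
    naming the roles that contribute to it and whether it is mitigated."""
    txns = effective_transactions(user)
    found = []
    for rule_id, (a, b) in SOD_RULES.items():
        if a in txns and b in txns:
            found.append({
                "user": user,
                "rule": rule_id,
                "conflict": (a, b),
                "roles": sorted(r for r in USERS[user] if ROLES[r] & {a, b}),
                "mitigated": (user, rule_id) in MITIGATIONS,
            })
    return found


def sod_report():
    """All violations, unmitigated ones first: those need a control or a
    role change; mitigated ones need their review evidence confirmed."""
    rows = [v for u in sorted(USERS) for v in sod_violations(u)]
    return sorted(rows, key=lambda v: (v["mitigated"], v["user"], v["rule"]))


if __name__ == "__main__":
    for role, rules in conflicting_roles().items():
        print(f"role {role} is self-conflicting under {', '.join(rules)}")
    for v in sod_report():
        status = "mitigated" if v["mitigated"] else "UNMITIGATED"
        print(f"{v['user']}: {v['rule']} {v['conflict']} via {v['roles']} [{status}]")
```

The role-level check matters because a conflict baked into a role (carol's single BRANCH_MANAGER role here) reappears every time that role is assigned, whereas bob's conflict can be cleared simply by splitting his two roles between two people. The report is the artefact a periodic user review would work from: each unmitigated row is a decision to remove access or to document a compensating review.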

SIEF (Substance Information Exchange Forum): An organization tasked with providing data to companies to help them achieve REACH compliance.

SOX (Sarbanes-Oxley Act): U.S. legislation enacted in response to the high profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. Applies to companies that trade publicly in the U.S.

strategic risks: Relating to strategic objectives such as political factors, competition, customer priorities, and brand or reputation.

SVHC (Substances of Very High Concern): Substances that are particularly harmful to humans and the environment. The European law REACH aims to phase out these substances in Europe.

TSCA (Toxic Substances Control Act): An EPA law that regulates the use of certain chemicals in the U.S. The law particularly applies to lead, radon, asbestos, and PCBs.

WEEE (Waste Electrical and Electronic Equipment): A European directive for the disposal of electrical and electronic wastes.
