IT Audit Glossary
Access control list (ACL). An internal table of access rules that specifies, for a given resource, which
level of access (for example read, write, execute or none) is permitted to each logon ID or computer
terminal. Access requests are checked against the list before they are granted.
Access rights. The permission or privileges granted to users, programs or workstations to create,
change, delete or view data and files within a system, as defined by rules established by data owners
and the information security policy.
Application. A set of programs, data and clerical procedures which together form an information
system designed to handle a specific administrative or business function (e.g. accounting, payment of
grants, recording of inventory). Most applications can usefully be viewed as processes with input,
processing, stored data, and output.
Audit trail. A visible trail of evidence enabling one to trace information contained in statements or
reports back to the original input source.
Availability. The accessibility of a system, resource or file, where and when required. The time that a
system is not available is called downtime. Availability is determined by reliability, maintainability,
serviceability, performance, and security.
Backup. A duplicate copy (e.g. of a document or of an entire disc) made either for archiving purposes
or for safeguarding valuable files from loss should the active copy be damaged or destroyed. A backup
is an "insurance" copy: it only provides that insurance if it is kept separate from the active copy and
restoration from it has been tested.
Buffer overflow. Occurs when a program or process tries to store more data in a buffer (a fixed-size
temporary data storage area) than it was intended to hold, so that the excess overwrites adjacent
memory. Although it may occur accidentally through programming error, buffer overflow is a common
type of security attack: depending on what lies next to the buffer, it can corrupt data, crash the
program, or allow an attacker to execute code of their choosing.
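The following C example, added here and not part of the original glossary, shows the pattern the entry describes next to its bounded form. The field name, its width (NAME_MAX) and the sample inputs are assumptions made for the illustration. The unchecked copy is shown only to make the defect visible; the demonstration calls it with input that fits, because calling it with longer input is undefined behaviour.

```c
/* Added example: a fixed-size buffer filled without a length check
 * (the classic overflow pattern) next to a bounded version that rejects
 * oversize input. NAME_MAX and the sample inputs are assumptions. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed field width, including the terminating NUL */

/* VULNERABLE: strcpy copies until it finds the NUL in src, however long
 * src is. With src longer than NAME_MAX-1 characters it writes past the
 * end of dst, clobbering whatever the compiler placed after it (other
 * variables, the saved return address, heap metadata). Never call this
 * with untrusted input; it is here only to show the pattern. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* HARDENED: the caller passes the true capacity of dst. Input that does
 * not fit (including its NUL terminator) is rejected rather than silently
 * truncated, so the control decision is visible to the caller and can be
 * logged. Returns 0 on success, -1 if src is too long. */
int copy_name_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0) return -1;
    if (len >= dst_size) {
        dst[0] = '\0';                  /* leave dst in a defined state */
        return -1;
    }
    memcpy(dst, src, len + 1);          /* len < dst_size, so this fits */
    return 0;
}

int main(void)
{
    char name[NAME_MAX];
    const char *short_input = "alice";                     /* 5 chars: fits */
    const char *long_input  = "alice-0123456789-overflow"; /* 25 chars: does not */

    copy_name_unchecked(name, short_input);   /* safe only because input is short */
    printf("unchecked copy of short input: %s\n", name);

    printf("bounded copy of short input: %d\n",
           copy_name_bounded(name, sizeof name, short_input));
    printf("bounded copy of long input:  %d (buffer left as \"%s\")\n",
           copy_name_bounded(name, sizeof name, long_input), name);
    return 0;
}
```

Passing the real buffer size as a separate parameter, rather than trusting the declared array width in the signature (which C silently treats as a pointer), is what makes the bounded version auditable: the check is in the code path, not in the caller's discipline.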
Business continuity plan (BCP). A logistical plan to recover and restore the critical business operations
within a predetermined time after a disaster or extended disruption. Some of the critical business
operations need IT services to continue: these are the critical IT services. A part of the BCP is the
Disaster Recovery Plan that addresses the restoration of the critical IT services.
Change management. The process responsible for controlling the lifecycle of all changes. The primary
objective of change management is to enable beneficial changes to be made, with minimum disruption
to IT Services.
Check digit. A numeric value, calculated mathematically from the other digits of a data item and
appended to it, which is recalculated on input to detect whether the original data have been altered in
keying or transmission (for example a mistyped or transposed digit) and to reject values that are
incorrect even though they look well formed.
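As an added example, not taken from the glossary, the C code below implements the Luhn (mod 10) check digit, the scheme used on payment card numbers and many account and reference numbers. The sample payload value is constructed for the illustration. The example also shows the two error classes a check digit is meant to catch: a single mistyped digit and a transposition of two adjacent digits.

```c
/* Added example: Luhn (mod 10) check digit. The check digit is computed
 * from the payload digits and appended; re-computing it on input catches
 * every single-digit error and almost every adjacent transposition. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Luhn weighted sum of a digit string, walking from the right. When
 * 'double_rightmost' is set the rightmost digit is doubled, otherwise the
 * second from the right is. Returns -1 if a non-digit is present. */
static int luhn_sum(const char *digits, int double_rightmost)
{
    int sum = 0, dbl = double_rightmost;
    size_t n = strlen(digits);
    while (n-- > 0) {
        if (!isdigit((unsigned char)digits[n])) return -1;
        int d = digits[n] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }   /* 16 -> 7, i.e. 1 + 6 */
        sum += d;
        dbl = !dbl;
    }
    return sum;
}

/* Check digit to append to 'payload' (the number without its check digit).
 * Returns -1 if the payload contains a non-digit. */
int luhn_check_digit(const char *payload)
{
    int s = luhn_sum(payload, 1);    /* rightmost payload digit is doubled */
    if (s < 0) return -1;
    return (10 - s % 10) % 10;
}

/* 1 if 'number' (payload + check digit) passes, 0 if not, -1 if malformed. */
int luhn_valid(const char *number)
{
    int s = luhn_sum(number, 0);     /* the check digit itself is not doubled */
    if (s < 0) return -1;
    return s % 10 == 0;
}

int main(void)
{
    const char *payload = "7992739871";          /* constructed sample */
    int cd = luhn_check_digit(payload);
    printf("payload %s -> check digit %d\n", payload, cd);

    printf("79927398713 (correct)            : %d\n", luhn_valid("79927398713"));
    printf("79927398714 (one digit mistyped) : %d\n", luhn_valid("79927398714"));
    printf("79927398731 (adjacent transposed): %d\n", luhn_valid("79927398731"));
    printf("7992739871X (non-digit)          : %d\n", luhn_valid("7992739871X"));
    return 0;
}
```

A check digit is an input control, not a security control: it detects accidental keying errors, and anyone who knows the scheme can compute a valid digit for an altered number. It should be paired with the other batch controls in this glossary rather than relied on alone.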
Data dictionary. A database that contains the name, type, source and authorization for access for each
data element in the organisation's files and databases. It also indicates which application programmes
use each data element, so that when a change to a data structure is contemplated, a list of the affected
programmes can be generated.
Disaster recovery plan (DRP). A plan used to restore the critical IT services in case of a disaster
affecting IT infrastructure. A DRP is not valid unless tested at least once a year. The DRP is a part of the
BCP.
Hash total. A figure obtained by some operations upon all the items in a collection of data and used
for control purposes. A recalculation of the hash total, and comparison with a previously computed
value, provides a check on the loss or corruption of the data.
Input. Information/data received by the computer system either from an external source or from
another area within the computer environment.
Integrity. One of the information criteria: that information is valid, complete and accurate, and has
not been altered except by authorised processes.
IT governance. The responsibility of executives and the board of directors. It consists of the
leadership, organizational structures and processes that ensure that the enterprise's IT sustains and
extends the organization's strategies and objectives.
IT risks. The business risk associated with the use, ownership, operation, involvement, influence and
adoption of IT within an enterprise.
IT risk map. A tool for ranking and displaying IT risks by defined ranges for frequency and magnitude.
IT Steering Committee. A committee comprising user representatives from all areas of the business,
and IT. The steering committee is responsible for the overall direction of IT. Involvement of
management in this committee is indispensable to assure business alignment in IT governance. The IT
steering committee assists the executive in the delivery of the IT strategy, oversees day-to-day
management of IT service delivery and IT projects and focuses on implementation.
IT strategic plan. A long term plan, i.e., three to five year horizon, in which business and IT
management cooperatively describe how IT resources will contribute to the enterprise’s strategic
objectives (goals).
Job description. A document which defines the roles, responsibilities, skills and knowledge required for
a particular position.
Log. A record of the details of information or events, kept in an organized record-keeping system and
usually sequenced in the order in which they occurred.
Logical access controls. The use of software to prevent unauthorized access to IT resources (including
files, data, and programs) and the associated administrative procedures.
Output. Information/data produced by computer processing, such as graphic display on a terminal and
hard copy.
Outsourcing. A formal agreement with a third party to perform a function for an organization.
Owner. The individual (or unit) responsible for particular (IS or IT) assets.
Recovery point objective (RPO). The RPO is determined by the amount of data loss that is acceptable in
case of a disruption of operations. It indicates the point in time to which data must be recoverable,
and therefore the maximum age of the backup or replica from which recovery is performed.
Recovery time objective (RTO). The amount of time allowed for the recovery of a business function or
resource after a disaster occurs.
Production environment. A controlled environment containing live configuration items used to deliver
IT services to customers.
Segregation of duties. A control which aims to ensure that transactions are properly authorised and
recorded, and that assets are safeguarded, by not allowing one person to control every step. It has two
dimensions: separation of the responsibility for the custody of assets from the responsibility for
maintaining the related accounting records; and separation of functions within the IT environment
(for example, development from operations, and administration of a system from review of its logs).
Sequence check. A verification that the control number follows sequentially and any control numbers
out of sequence are rejected or noted on an exception report for further research.
Service level agreement (SLA). A written agreement between the provider of a service and its users.
An SLA contains "service level objectives" such as uptime (when an application must be available) and
the acceptable response time. SLAs should exist between IT and the users for each service and
application. SLAs must also be a part of the contract with external providers.
Source code. The text written in a computer programming language. The source code consists of the
programming statements that are created by a programmer with a text editor or a visual programming
tool and then saved in a file.
Source documents. The forms used to record data that have been captured. A source document may
be a piece of paper, a turnaround document or an image displayed for online data input.
Token. A device that is used to authenticate a user, typically in addition to a username and password.
User. Individual or unit that makes use of information systems. Specifically, in business and
administration, a managed organisational unit which uses information systems to carry out the
functions for which it is responsible in the organization, and is thus the customer for a service provided
by the IT department.
Validity check. Software control over input of data to a computer system. Data is compared with the
type of data properly included in each input field, e.g., only letters in a name field.
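The C program below is an added example, not part of the original glossary, that runs three of the input controls defined above (hash total, sequence check and validity check) over one constructed batch of payment records. The record layout, the field rules (a 10-digit account number, a payee name of letters and spaces only), the sample records, the deliberate defects in them and the header hash total are all assumptions made for the illustration.

```c
/* Added example: batch input controls over a constructed batch of payment
 * records. Record layout, field rules and sample data are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

struct record {
    int  seq;             /* control number assigned when the record was keyed */
    char account[16];     /* assumed rule: exactly 10 digits */
    char payee[32];       /* assumed rule: letters and spaces only */
    long cents;           /* amount in cents */
};

/* Constructed sample batch with two deliberate defects: control number 3
 * is missing, and the last payee field contains a digit. */
static const struct record batch[] = {
    {1, "1002003001", "ALICE", 12500},
    {2, "1002003002", "BOB",    9900},
    {4, "1002003004", "CAROL", 31000},
    {5, "1002003005", "D4VE",   5000},
};
static const size_t batch_len = sizeof batch / sizeof batch[0];

/* Hash total: arithmetic sum of a field that has no meaning as a total
 * (here the account numbers). The value is recorded in the batch header
 * when the batch is created; a different total later means a record was
 * lost, added or altered in transit. */
unsigned long long hash_total(const struct record *r, size_t n)
{
    unsigned long long total = 0;
    for (size_t i = 0; i < n; i++)
        total += strtoull(r[i].account, NULL, 10);
    return total;
}

/* Sequence check: each control number must be the previous one plus 1,
 * starting from 'first'. Out-of-sequence records are counted and written
 * to an exception report on 'out' (NULL suppresses the report). */
int sequence_check(const struct record *r, size_t n, int first, FILE *out)
{
    int exceptions = 0, expected = first;
    for (size_t i = 0; i < n; i++) {
        if (r[i].seq != expected) {
            exceptions++;
            if (out) fprintf(out, "EXCEPTION: record %zu has control number %d, expected %d\n",
                             i, r[i].seq, expected);
        }
        expected = r[i].seq + 1;   /* resynchronise on the number actually seen */
    }
    return exceptions;
}

/* Validity checks: compare field contents with the type of data allowed. */
int valid_account(const char *s)
{
    if (strlen(s) != 10) return 0;
    for (; *s; s++) if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

int valid_payee(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++) if (!isalpha((unsigned char)*s) && *s != ' ') return 0;
    return 1;
}

/* Run all three controls against the batch; returns the exception count. */
int run_batch_controls(const struct record *r, size_t n,
                       unsigned long long header_hash, FILE *out)
{
    int exceptions = 0;
    unsigned long long h = hash_total(r, n);
    if (h != header_hash) {
        exceptions++;
        if (out) fprintf(out, "EXCEPTION: hash total %llu differs from header %llu\n", h, header_hash);
    }
    exceptions += sequence_check(r, n, 1, out);
    for (size_t i = 0; i < n; i++) {
        if (!valid_account(r[i].account)) {
            exceptions++;
            if (out) fprintf(out, "EXCEPTION: record %zu invalid account '%s'\n", i, r[i].account);
        }
        if (!valid_payee(r[i].payee)) {
            exceptions++;
            if (out) fprintf(out, "EXCEPTION: record %zu invalid payee '%s'\n", i, r[i].payee);
        }
    }
    return exceptions;
}

int main(void)
{
    unsigned long long header_hash = 4008012012ULL;   /* constructed header value */
    int ex = run_batch_controls(batch, batch_len, header_hash, stdout);
    printf("%d exception(s) in batch of %zu records\n", ex, batch_len);
    return ex != 0;
}
```

Run as written, the hash total agrees with the header, so the two exceptions reported are the missing control number and the payee containing a digit. Changing any account number in the sample (or the header value) adds a hash-total exception, which is the loss-or-alteration case the glossary entry describes.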