COSO Committee of Sponsoring Organizations of the Treadway Commission
- Application Controls—Programmed procedures in application software and related manual procedures designed to help ensure the completeness and accuracy of information processing.
- Automated Controls—Control activities mostly or wholly performed through technology (e.g., automated control functions programmed into computer software; contrast with Manual Controls).
- Board—Governing body of an entity, which may take the form of a board of directors or supervisory board for a corporation, board of trustees for a not-for-profit organization, board of governors or commissioners for government entities, general partners for a partnership, or owner for a small business.
- Category—One of three groupings of objectives of internal control. The categories relate to operations, reporting, and compliance.
- Compliance—Having to do with conforming with laws and regulations applicable to an entity.
- Component—One of five elements of internal control. The internal control components are the Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.
- Control—(1) As a noun (i.e., existence of a control), a policy or procedure that is part of internal control. Controls exist within each of the five components. (2) As a verb (i.e., to control), to establish or implement a policy or procedure that effects a principle.
- Control Activity—An action established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out.
- Control Deficiency—A synonym for Internal Control Deficiency. A control deficiency may also describe a deficiency with respect to a particular control or control activity.
- COSO—The Committee of Sponsoring Organizations of the Treadway Commission. COSO is a joint initiative of five private-sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence (see www.coso.org).
- Design—(1) Intent; as used in the definition of internal control, the internal control system design is intended to provide reasonable assurance of the achievement of objectives; when the intent is realized, the system can be deemed effective. (2) Plan; the way a system is supposed to work, contrasted with how it actually works.
- Detective Control—A control designed to discover an unintended event or result after the initial processing has occurred but before the ultimate objective has concluded (contrast with Preventive Control).
- Effected—Used with an internal control system: devised and maintained.
- Effective Internal Control—An effective system of internal control provides reasonable assurance of achieving an entity's objectives. It requires that each of the five components of internal control and relevant principles is present and functioning, and that the five components of internal control are operating together.
- Entity—A legal entity or management operating model of any size established for a particular purpose. A legal entity may, for example, be a business enterprise, not-for-profit organization, government body, or academic institution. The management operating model may follow product or service lines, division, or operating unit, with geographic markets providing for further subdivisions or aggregations of performance.
- Entity-level—Higher levels of the entity, separate and distinct from other parts of the entity including subsidiaries, divisions, operating units, and functions.
- Entity-wide—Activities that apply across the entity—most commonly in relation to entity-wide controls.
- Ethical Values—Moral values that enable a decision-maker to determine an appropriate course of behavior; these values should be based on what is right, which may go beyond what is legal.
- Financial Statements—Typically a statement of financial position, a statement of income, a statement of changes in equity, a statement of cash flow, and notes to the financial statements.
- Inherent Limitations—Those limitations of all internal control systems. The limitations relate to the preconditions of internal control, external events beyond the entity's control, limits of human judgment, the reality that breakdowns can occur, and the possibility of management override and collusion.
- Inherent Risk—The risk to the achievement of objectives in the absence of any actions management might take to alter either the risk likelihood or impact.
- Integrity—The quality or state of being of sound moral principle; uprightness, honesty, and sincerity; the desire to do the right thing, to profess and live up to a set of values and expectations.
- Internal Control—A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
- Internal Control Deficiency—A shortcoming in a component or components and relevant principle(s) that reduces the likelihood that the entity can achieve its objectives.
- Major Deficiency—An internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives.
- Management Intervention—Management's overruling of prescribed policies or procedures for legitimate purposes when dealing with non-recurring or non-standard transactions or events that otherwise might be handled inappropriately.
- Management Override—Management's overruling of prescribed policies or procedures for illegitimate purposes with the intent of personal gain or an enhanced presentation of an entity's financial condition or compliance status.
- Management Process—The series of actions taken by management to run an entity. An internal control system is a part of an integrated management process.
- Manual Controls—Controls performed manually, not through technology (contrast with Automated Controls).
- Operating Together—The determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective.
- Operations—Used with "objectives" or "controls": having to do with the effectiveness and efficiency of an entity's operations, including performance and profitability goals, and safeguarding resources.
- Organization—People, including the board of directors, senior management, and other personnel.
- Policy—Management or board member statement of what should be done to effect control. Such statements may be documented, explicitly stated in communications, or implied through actions and decisions. A policy serves as the basis for procedures.
- Present and Functioning—Applied to components and principles. "Present" refers to the determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives. "Functioning" refers to the determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives.
- Preventive Control—A control designed to avoid an unintended event or result at the time of initial occurrence (contrast with Detective Control).
- Procedure—An action that implements a policy.
- Reasonable Assurance—The concept that internal control, no matter how well designed and operated, cannot guarantee that an entity's objectives will be met. This is because of Inherent Limitations in all internal control systems.
- Relevant Principle—Principles represent fundamental concepts associated with components. There may be a rare industry, operating, or regulatory situation in which management has determined that a principle is not relevant to a component.
- Residual Risk—The risk to the achievement of objectives that remains after management's response has been designed and implemented.
- Risk—The possibility that an event will occur and adversely affect the achievement of objectives.
- Risk Response—The decision to accept, avoid, reduce, or share a risk.
- Risk Tolerance—The acceptable variation in performance relative to the achievement of objectives.
- Senior Management—The chief executive officer or equivalent organizational leader and senior management team.
- Stakeholders—Parties that are affected by the entity, such as shareholders, the communities in which an entity operates, employees, customers, and suppliers.
- Technology—Software applications running on a computer, manufacturing controls systems, etc.
- Technology General Controls—Control activities that help ensure the continued, proper operation of technology. They include controls over the technology infrastructure, security management, and technology acquisition, development, and maintenance. Other terms sometimes used to describe technology general controls are "general computer controls" and "information technology controls."
- Transaction Controls—Control activities that directly support the actions to mitigate transaction processing risks in an entity's business processes. Transaction controls can be manual or automated and will likely cover the information-processing objectives of completeness, accuracy, and validity.

Generated November 9, 2014 22:46:48