GRC Terminologies
ServiceNow Vancouver Governance, Risk, and Compliance

Industry acronyms

Basel III: An international standard for banking that regulators can use when making regulations on how much capital banks must have to offset potential risk. The more risk a bank has, the more capital it should have in place to ensure that it stays solvent. The regulation was the third such standard issued by the Basel Committee on Banking Supervision, hence the name Basel III.

CISA: Cybersecurity Information Sharing Act.

CISM: Certified Information Security Manager.

COBIT: Control Objectives for Information and Related Technologies (COBIT) provides an IT governance framework to manage risk and compliance issues based on best practices. Published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA).

COSO: The Committee of Sponsoring Organizations (COSO) was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. COSO is an independent private sector initiative that studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies, the SEC, and other regulators and educational institutions.

EDPA: European Data Privacy Act.

ENISA: European Network & Information Security Agency.

EuP: Energy Using Products (EuP) is an EU directive that requires companies to design products to use less energy.

European Directive on Data Protection: One of the first and most important pieces of data privacy legislation that specifically addresses internet privacy.

FCA: Financial Conduct Authority.

GDPR: The General Data Protection Regulation (GDPR) is a regulation, effective May 25, 2018, replacing the Data Protection Directive 95/46/EC to strengthen and harmonize the data protection rights of European Union citizens.

GRI: The Global Reporting Initiative (GRI) is an international group that created the G3 framework for sustainability reporting.

ITGI: IT Governance Institute.

PII: Personal Identifying Information / Personally Identifiable Information (PII) is the information that permits the identity of an individual to be directly or indirectly inferred.

PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

Solvency II: Solvency II.

SOX: The Sarbanes-Oxley Act (SOX) established the Public Company Accounting Oversight Board and added requirements for publicly traded companies, their officers, boards, and auditors. It increased penalties for corporate financial fraud. This U.S. legislation was enacted in response to the high-profile Enron and WorldCom financial scandals. Its goal is to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. SOX applies to companies that trade publicly in the US.

Industry terms

ALE: Annualized loss expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO). Used in quantitative risk scoring.

ARO: Annualized rate of occurrence.

Acceptance: A specific risk can be accepted by management, stopping further investment in deeper controls or higher levels of mitigation, if it is within the level of tolerance or if further mitigation and control would actually cost much more than the estimated impact (or significance) of the risk.

Assertion: Any formal declaration or set of declarations about the subject matter made by management.

Assessment: A broad review of the different aspects of a company or function that includes elements not covered by a structured assurance initiative.

Attestation: The process of validating that something is true. For instance, control effectiveness or compliance can be attested through a questionnaire, electronically signed by the person who filled it in.

Audit: Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met. In ServiceNow®, an organization identifies all the controls that it wants to test at one time and assigns responsibility for the overall audit to a single person. A single task manages the testing of all controls.

Audit activities: One of the tasks within an audit that is assigned to an individual for execution of the audit.

Audit committee: A committee, often including members of the board of directors, responsible for overseeing financial reporting and internal control.

Audit documentation (working papers): Records kept by the auditor of procedures applied, tests performed, information obtained, and pertinent conclusions reached in the engagement. The documentation provides the principal support for the auditor's report.

Audit evidence: Facts gathered during the audit procedures that provide a reasonable basis for forming an opinion regarding the financial statements under audit.

Audit objective: When obtaining evidence in support of financial statement assertions, the auditor develops specific audit objectives in light of those assertions. For example, an objective related to the completeness assertion for inventory balances is that inventory quantities include all products, materials, and supplies on hand.

Audit observations: Used by internal auditors for identifying control gaps or identifying new risks.

Automated controls: Internal controls executed automatically by computer systems. Manual controls are executed by a person charged with that task and are typically performed on a subset of transactions and data. Automated controls can be executed on every relevant transaction or data element, ensuring greater accuracy with less effort.

Authority documents: The regulations, certifications, frameworks, and similar sources that an organization chooses, or is required, to comply with. Authority documents are related to controls, risks, and policies.

Business risk: Risks that could adversely affect an entity's ability to achieve its objectives and execute its strategies.

Calculated score: The calculated score is derived from the inherent score and residual score as an overall outcome. It refers to the actual exposure of a risk based on the quality of the implemented control system.

Chain of custody: A legal principle regarding the validity and integrity of evidence. It requires accountability for anything used as evidence in a legal proceeding. This ensures that the evidence can be accounted for from the time it was collected until the time it is presented in a court of law.

Chief Compliance Officer (CCO): A corporate official in charge of overseeing and managing compliance issues within an organization. This person ensures that the company is complying with regulatory requirements and with internal policies and procedures.

Chief Operating Officer (COO): Also called a Chief Operations Officer, an executive in charge of the company's day-to-day operations.

Chief Risk Officer (CRO): Also called a Chief Risk Management Officer, an executive in charge of enterprise risk management and the compliance efforts of a company.

Citations: Records with the specific requirements cited by an authority document. The citation record relates authority documents to their applicable controls.

Compliance: The act of adhering to, and demonstrating adherence with, laws, regulations, or policies. Compliance relates to regulations in many areas, including finance, the environment, global trade, worker safety, and privacy.

Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information.

Containment control: A control designed to limit the impact (or significance) of a risk, should it occur.

Control: The actual control activities that are performed by an organization. Any action taken by management, the board, and other parties to manage risk. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals are achieved. Control records include basic required information about the control (owner, activity, frequency, and so forth). Controls can be related to authoritative source contents, policies, and risks.

Control framework: A set of fundamental controls which perform and preserve the cross-mapping of controls to prevent financial loss, information loss, or more generally to prevent risks within an enterprise.

Control instance: The actual run of a control test definition, periodically or on demand, showing the result data sample, the attestation, or the manual result of the test activities.

Control test definitions: Control test definitions specify how and when controls are tested, including testing steps, expected results, the group or individual responsible for the testing, and the test schedule. Control test instances are automatically generated from the test schedule. Remediations are automatically created when control tests fail or when audit observations are noted.

Corrective controls: Internal controls that come into play once a problem is discovered. Examples would be removing access from users who have excessive privileges, or executing a backup and recovery plan after a physical disaster has occurred.

Corporate Performance Management: Corporate Performance Management (CPM) is a combination of strategy management, planning, reporting and consolidation, and revenue, cost, and profitability modeling that enables companies to measure their performance and improve it.

Detect: Monitoring ongoing progress toward objectives, as well as actual and potential undesirable conditions and events, using management actions and controls.

Detective control: A control designed to discover an unintended event or result. It may also detect if and when a specific risk occurs.

Effect: A measure of the likelihood, timing, and impact of an event on something.

Effective internal control: Reasonable assurance that operational objectives are achieved, that published financial statements are reliably prepared, and that the entity complies with applicable laws and regulations.

Engagement: An audit project that may include audit tasks that accomplish a set of objectives or goals.

Event: An observable action, occurrence, or change in condition. An event includes a change in knowledge about a condition, even if the condition did not change.

Entity: A fundamental concept of GRC; entities are used to model any enterprise element with which controls and risks can be associated. For example: business units, servers, laptops.

Entity type: Used to refer to multiple similar entities. For example: Asia/Pacific business unit, Linux servers, MacBook Pro.

Evaluate: To measure something against criteria.

Evidence (evidential matter): Includes written and electronic information (such as checks, records of electronic fund transfers, invoices, contracts, and other information) that permits the auditor to reach conclusions through reasoning.

Fraud: Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.

General controls: Policies and procedures to assure proper operation of computer systems, including controls over network operations, software acquisition and maintenance, and access security.

Governance, Risk, and Compliance (GRC): Governance, risk management, and compliance with regulations have traditionally been separate corporate functions. GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives while addressing uncertainty and acting with integrity. It encompasses the governance, assurance, and management of performance, risk, and compliance. GRC is the business of how an organization operates through the management of risk while remaining compliant with external and internal standards to optimize performance. GRC embraces how processes, controls, security, and culture integrate to ensure that the organization has integrity.

Impact: Used to evaluate the severity of a risk, together with the likelihood. It evaluates the level of consequence a specific risk would have on an organization if and when it occurred.

Indicator: A metric used to collect data to monitor controls and risks, and to collect audit evidence.

Inherent likelihood: The likelihood of the identified risk occurring before any response strategy is implemented.

Inherent risk: The level of risk exposure, in terms of likelihood and impact (or significance), assuming no related internal controls and no mitigation actions are yet in place.

Inherent score: The score of the risk before any response strategy is implemented.

Inherent significance: How significant the risk is before any response strategy is implemented.

Integrity: The property whereby information, an information system, or a component of a system has not been modified or destroyed in an unauthorized manner. A state in which information has remained unaltered from the point it is produced by a source, during transmission, storage, and eventual receipt by the destination.

Internal audit: A department, division, team of consultants, or other practitioners that provides independent, objective assurance and consulting services designed to add value and improve an organization's operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.

Internal auditors: Employees of the client responsible for providing analyses, evaluations, assurances, recommendations, and other information to the entity's management and board. An important responsibility of internal auditors is to monitor the performance of controls.

Internal controls: The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives are achieved and undesired events are prevented or detected and corrected.

Issue: A GRC task that allows end users to document control and risk issues and track the response to remediate or accept the issue.

IT Governance: The leadership, organizational structures, and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategies and objectives. It is the responsibility of executives and the board of directors.

IT GRC: Encompasses the software and hardware and related policies and procedures used to support compliance and risk management efforts from an IT perspective, based on established best practices.

Likelihood: The probability that something happened.

Management: The act of internally directing, controlling, and evaluating an entity, process, or resource.

Manual controls: Controls performed manually, not by computer.

Material (materiality): A risk is material when it is possible to calculate its financial impact.

Mitigation: Reducing the risk associated with a particular violation of a rule. Before a risk occurs, appropriate mitigation actions are put in place to resolve possible related control failures and/or to reduce the risk exposure.

Objective: Something that an entity intends to attain or accomplish.

Operational audit: An audit designed to evaluate the various internal controls, economy, and efficiency of a function or department.

Operational controls: Controls relating to the daily operation of a company or enterprise to ensure that all objectives are achieved.

Operational risks: Risks relating to the people, processes, and systems required to achieve an organization's mission and objectives.

Objectivity: The ability to evaluate client records with no preconceived notions or prejudices.

Obligations: Assertions about obligations deal with whether liabilities are obligations of the entity at a given date. For example, management asserts that amounts capitalized for leases in the balance sheet represent the cost of the entity's rights to leased property and that the corresponding lease liability represents an obligation of the entity.

Owner: The owner of a risk, a control, or a mitigation/remediation task accepts accountability for it. Owners may delegate some tasks related to the ownership, but they stay accountable to the organization.

Peer review: A practice monitoring program in which the audit documentation of one CPA firm is periodically reviewed by independent partners of other firms to determine that it conforms to the standards of the profession.

Plan: Audit planning is developing an overall strategy for the conduct and scope of the audit. The nature, extent, and timing of planning vary with the size and complexity of the entity, experience with the entity, and knowledge of the business. In planning the audit, the auditor considers the entity's business and its industry, its accounting policies and procedures, the methods used to process accounting information, the planned assessed level of control risk, and the auditor's preliminary judgment about audit materiality.

Policy: A document that records a high-level principle or course of action that has been decided on. Its intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives, and strategic plans established by the enterprise's management teams. In addition to policy content, policies describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy is checked and measured. In ServiceNow®, approved policies are published in the Knowledge Base. Policies are related to authority documents and control records. Policy statements define the specific details that a process follows within a policy.

Preventative control: A control designed to avoid an unintended event.

Procedure: An action, such as a step performed as part of an audit program or as part of the client's internal controls. Provides the "how to" of policies and guides their implementation. Procedures are audience-specific and provide exact instructions that ensure compliance with a given policy. ServiceNow® treats policies and procedures in the same way; therefore, the terms may be used interchangeably. This may differ from frameworks, such as COBIT 4.1, which define policies and procedures as two separate items.

Professional skepticism: Approaching an audit with a questioning mind-set.

Qualitative impact: Includes impact (the significance of a risk) and likelihood (the probability of a risk occurring) ratings. The score is calculated by multiplying impact by likelihood. A qualitative impact is often expressed using an ordinal or nominal scale.

Quantitative impact: A positive or negative effect on financial assets, tangible assets, intangible assets, business continuity, and health & safety. Calculated as Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE). A quantitative impact is expressed numerically.

Questionnaire: An internal control questionnaire is a list of questions about the internal control system to be answered (with answers such as yes, no, or not applicable) during audit fieldwork. The questionnaire is part of the documentation of the auditor's understanding of the client's internal controls.

Random sample (random-number sampling): Identical probability of each population item being selected for a sample. Also, the use of random numbers to select a random sample from a population.

Reasonable assurance (an internal control): An internal control, no matter how well designed and operated, cannot guarantee that an entity's objectives are met, because of inherent limitations in all internal control systems.

Remediation: After a failure is identified and assessed, appropriate remediation can take place to mitigate or eliminate the issue.

Requirement: Something that an entity must address as a result of making a promise.

Residual likelihood: The likelihood of the identified risk occurring after any response strategy is implemented.

Residual risk: The level of risk exposure, in terms of likelihood and impact (or significance), after related internal controls and mitigation actions are in place and effective.

Residual score: The score of the risk after any response strategy is implemented.

Residual significance: How significant the risk is after any response strategy is implemented.

Risk: Any threat or vulnerability that could adversely affect an organization's business objectives. All risks are contained in one risk repository. Risks can be related to any item, policy, control, and remediation task. Risks requiring immediate or ongoing attention can be mitigated, prevented, or controlled using the defined controls and related control tests. A risk statement is a defined consequence that can occur if a threat exploits a vulnerability. Risk is measured in terms of impact (or significance) and likelihood. Types of risks include operational risks (fraud, for example), risks of noncompliance (not filing the proper documents to comply with legislation), and strategic risks (such as an incident that affects a brand's reputation). In an IT context, risk is the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise.

Risk analysis: The systematic examination of available information to determine how often specified events may occur and the magnitude of their consequences.

Risk appetite: The level of risk that an organization is willing to accept in pursuit of its objectives.

Risk assessment: The appraisal of the risks facing an entity, asset, system or network, organizational operations, individuals, geographic area, other organizations, or society; it includes determining the extent to which adverse circumstances or events could result in harmful consequences.

Risk criteria: Quantitative or qualitative values against which the level of risk is evaluated.

Risk management: The objective of risk management is to reduce uncertainty. It is the act of managing processes and resources to address risk while pursuing the organization's objectives. The process of identifying, analyzing, assessing, and communicating risk and accepting, avoiding, transferring, or controlling it to an acceptable level, considering the associated costs and benefits of any actions taken.

Risk management framework: A formalized process for managing risk on an ongoing basis. The framework consists of a risk assessment, response, and accountability for the risk and the mitigation activities around it.

Risk mitigation: The processes built into the controls environment, such as policies, frameworks, and accountabilities, that reduce a risk.

Risk register: A repository of the key attributes of potential and known IT risk issues. Attributes may include name, description, owner, expected/actual frequency, inherent/residual level, potential/actual business impact, and mitigation/remediation plans.

Risk response: The decision to accept a risk, decline a risk, treat or mitigate a risk, or share a risk with another party.

Risk statement: General statements about potential risks or threats that could occur somewhere in an organization.

Risk tolerance: The level of risk that the organization is unwilling to exceed to achieve objectives. The representation of the risk appetite in terms of a threshold, generally financial, given to various management levels in the organization for specific risk categories.

Sample size: The number of population items selected when a sample is drawn from a population.

Sampling: Selecting a small but pertinent and representative number of records to represent the entire population of records.

Sampling risk: The possibility that conclusions drawn from the sample may not represent correct conclusions for the entire population.

Segregation of duties (SoD): Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets. Segregation of duties reduces the opportunities for one person to both perpetrate and conceal errors or fraud.

Significance: Used to evaluate the severity of a risk, together with the likelihood. It evaluates the level of consequence a specific risk would have on an organization if and when it occurred.

SLE: Single Loss Expectancy (SLE) = Asset Value x Exposure Factor.

Stakeholder: A person, group, or organization that has a direct or indirect stake in an organization because it can affect or be affected by the organization's actions, objectives, and policies.

Standard: A professional pronouncement promulgated by the Internal Audit Standards Board that delineates the requirements for performing a broad range of internal audit activities, and for evaluating internal audit performance.

Strategic risks: Risks relating to strategic objectives such as political factors, customer priorities, brand, or reputation.

Target: A measurable value that an entity strives to achieve.

Test: A sample from a population used to estimate characteristics of the population.

Test plan: A specific audit test of the design and operating effectiveness of a single control.

Threat: An event that has, on balance, an undesirable effect on achieving objectives.

Tolerance: The acceptable level of departure from a target.

Unified Compliance Framework (UCF): The Network Frontiers Unified Compliance Framework (UCF) contains authority documents that can be imported into the ServiceNow® instance. For more information, see Unified Compliance Framework.

Uncertainty: The state of being unable to completely predict, determine, or define something.
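The quantitative (SLE, ARO, ALE) and qualitative (Impact x Likelihood) scoring models defined in the terms above, together with the Acceptance rule (accept when within tolerance, or when further control would cost more than the estimated impact), worked through in code. This is an added example, not part of the ServiceNow glossary; the 1..5 ordinal scale, the field names and the sample risk entries are assumptions constructed for illustration.

```python
"""Worked risk-scoring example (added illustration, not ServiceNow code).

Quantitative: SLE = Asset Value x Exposure Factor, ALE = SLE x ARO
Qualitative:  Score = Impact x Likelihood on an assumed 1..5 ordinal scale
Acceptance:   accept if residual score is within tolerance, or if the next
              level of control costs more than the estimated annual impact
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor; EF is the fraction of value lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO is expected occurrences per year and may be below 1."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def qualitative_score(impact: int, likelihood: int, scale_max: int = 5) -> int:
    """Score = Impact x Likelihood; both ratings on an assumed 1..scale_max scale."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if not 1 <= value <= scale_max:
            raise ValueError(f"{name} must be between 1 and {scale_max}")
    return impact * likelihood


@dataclass
class RiskRegisterEntry:
    """Minimal risk-register record: inherent vs residual ratings plus cost figures."""
    name: str
    inherent_impact: int
    inherent_likelihood: int
    residual_impact: int
    residual_likelihood: int
    asset_value: float
    exposure_factor: float
    aro: float
    further_control_cost: float  # cost of the next, deeper level of mitigation

    def inherent_score(self) -> int:
        return qualitative_score(self.inherent_impact, self.inherent_likelihood)

    def residual_score(self) -> int:
        return qualitative_score(self.residual_impact, self.residual_likelihood)

    def ale(self) -> float:
        sle = single_loss_expectancy(self.asset_value, self.exposure_factor)
        return annualized_loss_expectancy(sle, self.aro)


def risk_response(entry: RiskRegisterEntry, tolerance_score: int) -> str:
    """Apply the glossary's Acceptance rule to the residual risk.

    Accept when the residual qualitative score is within tolerance, or when the
    next control would cost more than the estimated annual impact (ALE);
    otherwise the risk still needs mitigation.
    """
    if entry.residual_score() <= tolerance_score:
        return "accept: within tolerance"
    if entry.further_control_cost > entry.ale():
        return "accept: further control costs more than estimated impact"
    return "mitigate"


# Constructed sample register entries (illustrative values, not real data).
SAMPLE_RISKS = [
    RiskRegisterEntry("Laptop theft, disk unencrypted", 4, 4, 4, 2,
                      asset_value=60_000, exposure_factor=0.5, aro=0.5,
                      further_control_cost=10_000),
    RiskRegisterEntry("Payment database outage", 5, 3, 5, 3,
                      asset_value=2_000_000, exposure_factor=0.25, aro=0.25,
                      further_control_cost=40_000),
    RiskRegisterEntry("Phishing credential compromise", 3, 5, 3, 4,
                      asset_value=80_000, exposure_factor=0.5, aro=2.0,
                      further_control_cost=120_000),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name}: inherent={r.inherent_score()} residual={r.residual_score()} "
              f"ALE={r.ale():,.0f} -> {risk_response(r, tolerance_score=8)}")
```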