| Term | Definition |
|---|---|
| action | An action is included in an action plan and represents a transformation or processing in an organization or system. |
| action plan | An action plan comprises a series of actions whose objective is to reduce risks and events that have a negative impact on company activities. |
| activity program | An activity program is an activity template describing the main characteristics of an audit activity to be carried out. |
| aggregation method | An aggregation method is the mathematical operation carried out over the aggregated key indicator values in order to compute the indicator's current value and status. |
| aggregation period | An aggregation period is the period over which indicator values are aggregated to compute the current key indicator value and status. |
| aggregation rule | An aggregation rule handles the calculation of values for a parent assessment characteristic from one or several child assessment characteristics. A few rules are defined by default, for instance max, min, sum and average. |
| aggregation schema | An aggregation schema is a series of steps enabling consolidation of assessment results according to specified assessment rules. |
| application | An application is a set of software tools that is coherent from a software development viewpoint. |
| article (of regulatory framework) | An article is a citation from a regulatory framework and is usually associated with a mandated control directive. |
| assessed characteristic | An assessed characteristic defines what the assessment seeks to assess. It can be associated with a MetaClass, and more specifically with one of its MetaAttributes, for example MetaClass Risk, MetaAttribute Criticality. |
| assessment | An assessment is a mechanism for sending questionnaires to an identified population in order to obtain qualitative or quantitative assessments of identified objects. The assessment is then supplemented by results analysis tools. |
| assessment campaign | An assessment campaign enables the creation and planning of several assessment sessions over a given time period. |
| assessment freshness | Assessment freshness is the number of days elapsed since an indicator value was last entered. |
| assessment session | An assessment session is an assessment carried out over a determined time period. When an assessment session is published, an assessment form containing questions is sent to the targeted users. |
| assessment template | An assessment template is used as a model for creating campaigns and assessment sessions. It defines the assessment scope, the questionnaire template to be used and, if required, the aggregation schemas to be applied for interpretation of global results. |
| audit | An audit is a mission assigned to an internal auditor in the context of an audit plan. |
| audit activity | An audit activity is an element of an audit that can relate to a set of processes, applications, risks or controls to be audited in an enterprise organization unit. |
| audit program | An audit program is a template describing the main characteristics of an audit. |
| audit theme | An audit theme is a collection of audit activities dealing with the same topic. Audit themes can consist of sub-audit themes. |
| business document | A business document is a document whose content is independent from the HOPEX repository. It can be an MS Word, MS PowerPoint or other file. A report (MS Word) generated on an object can become a business document. |
| business line | A business line is a skill or grouping of skills of interest for the enterprise. It corresponds, for example, to major product segments, distribution channels or business activities. |
| business policy | A business policy is an internal document issued by an organization (security measure, best practice, etc.). |
| business process | A business process represents a system that offers products or services to an internal or external client of the company or organization. At the higher levels, a business process represents a structure and a categorization of the business. It can be broken down into other processes. The link with organizational processes describes the actual implementation of the business process in the organization. A business process can also be detailed by a functional view. |
| calendar | A calendar is divided into time periods called calendar periods. Calendars can be used in assessment campaigns, in report generation and to schedule audits/tests. |
| calendar period | A calendar period is a division of a calendar. |
| central currency | The central currency is the currency adopted as the reference currency. |
| company | A company is a legal entity. |
| compliance rate | The compliance rate is the percentage of “Pass” controls. |
| control | A control is a set of rules and means providing assurance that a legal, regulatory, internal or strategic requirement is respected. |
| control assessor | The control assessor is responsible for assessing and executing controls within his/her scope, as well as implementing action plans related to these controls. |
| control directive | Control directives are an interpretation of the law and contribute to the enforcement of any regulation article your organization has to comply with. |
| risk control level | The risk control level characterizes the efficiency of a control in mitigating the risk. |
| control level | The control level characterizes the efficiency of the control elements (controls) deployed to mitigate the risk. It is the percentage of assessment nodes (objects assessed in each context for each respondent) that obtained “Pass” during the last assessment (direct or by campaign). |
| control redundancy | A control redundancy formalizes the fact that several controls are redundant, for example because they were successively installed to cover the same risk in the context of different regulations. |
| control type | A control type allows the classification of controls implemented in a company in accordance with regulatory or domain-specific standards (COBIT, etc.). |
| database | A database enables specification of the logical or physical storage structure of data. |
| department | An organization unit (org-unit) is an element of the enterprise structure such as a department or a service. It is defined based on how detailed a view of the enterprise is required. Examples: financial management, sales management, marketing department, account manager. |
| enterprise stage | An enterprise stage is a past, current or future stage of an enterprise. |
| entity | An entity (org-unit) represents a person or a group of persons that intervenes in the enterprise business processes or information system. An entity can be internal or external to the enterprise: it represents an organizational element of the enterprise structure such as a management, a department or a job function, and is defined at a level depending on the degree of detail to be provided on the organization (see org-unit type). Examples: financial management, sales management, marketing department, account manager. An external entity represents an organization that exchanges flows with the enterprise. Examples: customer, supplier, government office. |
| execution rate | The execution rate is the percentage of objects in the control scope that were included in the last control execution campaign. |
| findings | Audit findings are the results of evaluating the collected audit evidence against the audit criteria. They can indicate conformity or nonconformity with the audit criteria, or opportunities for improvement. |
| forecast risk | The forecast risk represents the residual risk forecast for the year to come. |
| gain | A gain is the positive financial consequence of an incident. |
| incident | An incident is an event occurrence, internal or external, that has an impact on the organization. It is the basic element for the collection of data concerning operational risk. |
| incident approver | The incident approver is the role used in standard workflows to approve incidents. |
| incident declarant | The incident declarant is in charge of creating incidents within his/her scope. |
| indicator | An indicator is a measure of the achievement of an objective, the impact of a risk factor, the frequency and impact of a risk, the effectiveness of a control, etc. |
| indicator interpretation logic | An indicator interpretation logic contains the logic behind the computation of the indicator status and Time to Failure, together with the list of possible statuses for the indicator. |
| indicator status | The status of an indicator determines whether an alert must be triggered. It is computed automatically from the latest indicator values, the aggregation period and the aggregation method. |
| inherent risk | The inherent (gross) risk is the risk to which the organization is exposed in the absence of measures taken to modify its occurrence or impact. |
| internal audit | Internal audit is an independent and objective activity that gives an organization assurance on the degree of control over its operations, proposes recommendations for their improvement and contributes to added value. It helps an organization achieve its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes (source: IIA). |
| key indicator | A key indicator is a metric used by organizations to provide an early warning of increasing risk exposures in various areas of the enterprise. |
| key indicator category | The key indicator category specifies how indicator values are interpreted in order to compute the indicator status and Time to Failure. |
| library | Libraries are collections of objects used to split HOPEX repository content into several independent parts. Two objects owned by different libraries can have the same name. |
| local currency | A local currency is defined for each user. By default it is the same as the central currency. |
| loss | A loss is the negative financial result of an event. |
| macro-incident | A macro-incident is an event that impacts more than one business or company of the same group. |
| materialized risk | A materialized risk is a risk for which an incident has occurred. |
| metric | A metric provides quantitative indications on the value of a measurement (for example, the risk prevention level). |
| near-miss | A near-miss is an incident that did not result in injury, illness or damage, but had the potential to do so. |
| objective | An objective is a goal that a company or organization wants to achieve, or the target set by a process or an operation. An objective allows you to highlight the features of a process or operation that require improvement. |
| operation | An operation is an elementary step in an organizational process. It corresponds to the intervention of an entity within the organization. |
| organizational process | An organizational process describes how to implement all or part of the process required to make a product or handle a flow. |
| period | A period corresponds to the fiscal period over which audits are carried out. It enables the chronological grouping of several audit plans. |
| person | A person is defined by his/her name and e-mail. The person can access an application after assignment of a connection identifier. One or several business roles can also be assigned. |
| policy framework | A policy framework consists of a set of business policies. Policy frameworks may contain sections. |
| product | A product represents commodities offered for sale, either goods or merchandise produced as the result of manufacturing, or a service, i.e. work done by one person or group that benefits another. |
| profile | A profile defines access to application functions, as well as the level of intervention in the workflow and validation process. |
| provision | A provision is an amount deducted from the result to cover risks or unexpected charges. Several provisions can concern a single risk. |
| questionnaire | An assessment questionnaire is a list of questions relating to a particular object and addressed to users. |
| questionnaire template | A questionnaire template defines the content of a questionnaire. |
| recommendation | A recommendation describes what must be done to correct noncompliance detected during an audit. |
| recovery | A recovery is a sum which, in certain circumstances, can reduce the amount of losses linked to operational risk. It enables recovery of a proportion of the amounts involved in the incident. |
| regulation framework | A regulation framework is a set of directives, compulsory or not, defined by a government in a law, by standards bodies as "best practices", or as an internal policy in an organization. |
| regulation or policy | A regulation or policy is a set of directives, compulsory or not, defined by a government in a law, by standards bodies as "best practices", or as an internal policy in an organization. |
| regulatory framework | A regulatory framework is an authority document falling under any of the following categories: regulations (rules of law that, if not followed, can result in penalties) or standards. |
| requirement | A requirement is a need or expectation explicitly expressed and imposed as a constraint to be met within the context of a project. The project can be a certification project, an organizational project or an information system project. |
| residual risk | The residual (or net) risk is the risk to which the organization remains exposed after management has treated the risk. |
| respondent | A respondent is a person in the enterprise who is questioned in the context of an assessment. This person should complete the assessment questionnaire and return it. |
| risk | A risk is a hazard of greater or lesser probability to which an organization is exposed. |
| risk and control system | A control system is a set of controls that ensures risk prevention and management, the application of internal operating rules, compliance with a law or regulation, or progress towards an objective defined by company strategy. Examples: quality control system, management control system, internal audit system. |
| risk appetite | Risk appetite is the level of risk an organization is ready to accept in order to reach its objectives, before any measure is taken to mitigate the risk. |
| risk assessor | The risk assessor is responsible for assessing risks within his/her scope, as well as implementing action plans related to these risks. |
| risk consequence | A risk consequence can be positive or negative. It is associated with a type that enables its characterization, for example image, environment or employees. |
| risk factor | A risk factor is an element that contributes to the occurrence of a risk or triggers a risk. Several risks can originate from the same risk factor. Examples: the use of a hazardous chemical product, the complexity of an application, the size of a project, the number of involved parties, the use of a new technology, the lack of quality assurance, the lack of rigor in requirements definition, etc. |
| risk manager | The risk manager is responsible for executing the following tasks on risks within his/her responsibility domain: identifying risks, performing direct assessments, managing assessment campaigns, defining action plans, and analyzing and following up report creation. |
| risk type | A risk type defines a risk typology standardized within the context of an organization. |
| role | A role is the association of a profile with a user in a specific organizational context. |
| scoring rule | Scoring rules indicate how the answers to a questionnaire populate the characteristics of the assessed objects. |
| section (of regulatory framework) | A section is a citation from a regulatory framework without any mandated control directive, but containing other sections or articles. |
| server | A server is a computer that provides a service to the users connected to it via a network. It can host a database and run applications. |
| steering calendar | A steering calendar enables recurring actions to be performed at predefined due dates. It can be used, for example, to send recurring reminders to the person responsible for an action plan so that they can indicate the progress of this element, or to trigger assessment sessions automatically at regular intervals. |
| test | A test is assigned to a controller in the context of a plan. |
| test plan | The test plan is a description of the expected scope and conduct of the audit. It is drawn up in accordance with auditing standards and practices and comprises a description of the audit approach and the planning schedule. It covers several tests carried out during a given period. |
| Time to Failure | Time to Failure is the number of days before the key indicator turns to the "Failed" status. |
| workpaper | A workpaper comprises the points to be checked on a given subject in the course of an audit activity. |