The A to Z of Audit Acronyms

The A to Z of Audit Acronyms


Starting out in a new job can be tough, especially when it seems as though everyone is speaking a foreign language as those in the know volley learned terminologies and abbreviations at each other while you unsuccessfully play the proverbial piggy in the middle.


Obtaining some inside knowledge from audit specialists, Pablo Giancarli, an Audit and Risk Consultant with RPG (Resources Global Professionals) and Jerusha Walker, Audit Manager at Macquarie Group, we were able to define the semantics applied across the internal audit and IT audit sectors. Noting firstly that every organisation will have its own take on acronym usage, Pablo explains that in some cases one term will fit all “for example, all internal audit departments have an audit plan, so it will be called ‘the plan’ and it refers to the three or five year summary of audits to be performed.” However, while this may be a universal term, for others there may be discrepancies. “All organisations will have a Summary of Business, however it will be called differently,” he says. “For example, in one organisation it was called UBT, meaning ‘Understanding the Business’.”


Understanding the vernacular of audit early in your career will prove an invaluable tool to have in your professional arsenal as you navigate the various internal audit opportunities on offer. Pablo further advises individuals entering their first audit jobs that “as part of the audit practice, professionals are encouraged to use plain English and even avoid acronyms used with a department or organisation.” He explains that the reason for this is because an audit report may be read by individuals not familiar with the area being audited, or may be read by external people such as regulators or a judge, who don’t have the knowledge and specialist interest to understand the names for processes or systems used within a company.


With that being said, there are a number of key audit acronyms and terms that any aspiring auditor should transcribe to memory, as follows:

COSO:  COSO stands for the Committee of Sponsoring Organisations of the Treadway Commission.  It is an organisation dedicated to providing thought leadership to executive management in a wide range of fields.  You will hear the term a “COSO approach” used is relation to the internal control model based on identifying, understanding and testing KEY risks across the organisation.

SOX:  Refers to the Sarbanes Oxley Act 2002, a legislation passed by the USA to protect shareholders from accounting errors. 

SOX testing:  Refers to the audit tests designed to mitigate risks related to financial statement risk, as per above legislation.

CAATS:  The traditional method of auditing which allows auditors to build conclusions based upon a limited sample of a population, rather than an examination of all available or a large sample of data.  CAATS (Computer-aided audit tools) are tests run across all data with the aim of finding duplicate transactions, missing key fields, etc.

KYC:  Refers to the Know Your Customer requirements by Anti-money laundering legislation (AML). 

GOVERNANCE:  Refers to the Company Governance and covers two parts. The internal governance comprises a set of rules, policies, systems and processes whereby the authority of the company is exercised.  External governance is related to regulations and legislation.

WP/WPS:  Stands for working papers. These are the formal documentations to document audit tests.  The Institute of Internal Auditors, a global professional audit standards body, has issued practice advisory 2330-1 stating the goals of audit working papers are to: Document the planning, performance, and review of audit work; provide the principal support for audit communication such as observations, conclusions, and the final report; facilitate third-party reviews and re-performance requirements; and provide a basis for evaluating the internal audit activity’s quality control program.

ERM:  Stands for Enterprise Risk Management (framework). The ERM framework, in a business setting, is the combination of processes and methods used by the organisation to identify and manage its risks in order to achieve its objectives.

IA:  Internal Audit. Used across the organisation, even in formal reports.

PR:  Stands for Peer Review and refers to the process of auditors reviewing the work of other auditors. Audit reports should be objective, written with straightforward language, use accurate data, be concise and should be issued immediately after the audit.

Requirements:  This is a word used for mandate actions indicated by: internal policies, legislations and regulations.

CAE/HIA: These terms stand for respectively the Chief Audit Executive and the Head of Internal Audit

BAC: The Board Audit Committee – typically the CAE/HIA will report into this board and the audit reports compiled are for their attention.

RACM/RCM: This stands for ‘Risk Control Matrix’ which involves the team documenting the risks and associated controls that they will be testing.

ITGC: This stands for ‘IT General Controls’ which are essentially the controls set up to protect the integrity of data contained within systems and spreadsheets.


Back to article list