GRC Glossary
Definitions and core concepts around Governance, Risk, and Compliance — from risk appetite to DORA, SOX, ISO 27001 and beyond.
Risk Appetite
The level of risk an organization is prepared to accept in pursuit of its objectives.
SOX Compliance
Requirements of the US Sarbanes-Oxley Act of 2002 for accurate financial reporting, including management's assessment of internal control over financial reporting (ICFR), intended to prevent financial statement fraud.
Internal Audit
An independent, objective assurance and consulting activity designed to add value and improve an organization's operations (the IIA's definition).
Control Deficiency
A flaw in the design or operation of an internal control.
Material Weakness
A deficiency, or combination of deficiencies, in internal control over financial reporting severe enough that there is a reasonable possibility a material misstatement of the financial statements would not be prevented or detected in a timely manner.
Significant Deficiency
A deficiency, or combination of deficiencies, less severe than a material weakness but important enough to merit the attention of those responsible for oversight of financial reporting.
IT General Controls (ITGC)
Foundational controls over the IT environment on which application controls depend: access management, change management, IT operations (backups, job scheduling, incident handling) and program development or acquisition.
IPPF (International Professional Practices Framework)
The IIA's global framework of standards and guidance for internal audit.
CIA Certification
Certified Internal Auditor, the IIA's globally recognized certification for internal auditors.
CISA Certification
Certified Information Systems Auditor, ISACA's certification for information systems audit, control and governance.
CRMA Certification
Certification in Risk Management Assurance, the IIA's risk management specialization for internal auditors.
Three Lines Model
The IIA's governance model assigning roles: management owns and manages risk (first line), risk, compliance and similar functions provide expertise and oversight (second line), and internal audit provides independent assurance (third line).
Risk Register
A central record of an organization's identified risks, typically capturing for each risk its owner, likelihood, impact, existing controls and treatment plan.
Risk Matrix
A grid plotting likelihood against impact to rate and prioritize risks.
Inherent Risk
The level of risk before any controls or mitigations are applied.
Residual Risk
The level of risk remaining after controls and mitigations have been applied.
Control Objective
A statement of what a control aims to ensure.
Segregation of Duties (SoD)
A principle that no single person should control all steps of a critical process (for example, initiating, approving and recording a payment), so that fraud or error cannot go undetected without collusion.
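The following is an added example, not part of this glossary: a small segregation-of-duties check over a role-based access model. The conflict rules, role catalogue and user assignments are constructed for illustration. It resolves each user's effective permissions through their roles and reports users who hold both sides of an incompatible duty pair, and it also flags role combinations that would violate a rule by design, which is the check to run before a new role is granted rather than after.

```python
"""Segregation-of-duties (SoD) conflict detection over a role/permission model.

Added example for the glossary entry above; all identifiers and data are
constructed for illustration and do not describe any real system.
"""
from itertools import combinations

# Constructed conflict rules: pairs of duties one person must never hold together.
SOD_RULES = {
    ("vendor.create", "payment.approve"): "create a vendor and approve payments to it",
    ("journal.post", "journal.approve"): "post and approve the same journal entry",
    ("change.develop", "change.deploy_prod"): "develop a change and deploy it to production",
    ("user.create", "access.approve"): "create accounts and approve their access",
}

# Constructed role catalogue: role -> permissions it grants.
ROLES = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve", "invoice.enter"},
    "developer": {"change.develop", "change.test"},
    "release_mgr": {"change.deploy_prod"},
    "iam_admin": {"user.create"},
    "access_approver": {"access.approve"},
    "gl_accountant": {"journal.post"},
    "controller": {"journal.approve"},
}

# Constructed user assignments: user -> roles granted.
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},       # can create a vendor and approve its payment
    "carol": {"developer", "release_mgr"},   # can write a change and push it to production
    "dave": {"iam_admin"},
    "erin": {"gl_accountant", "controller"}, # can post and approve journals
}


def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of the permissions of every role the user holds (empty for unknown users)."""
    perms = set()
    for role in assignments.get(user, ()):
        perms |= roles.get(role, set())
    return perms


def find_sod_conflicts(assignments=ASSIGNMENTS, roles=ROLES, rules=SOD_RULES):
    """Return one record per (user, rule) where the user holds both sides of the rule."""
    conflicts = []
    for user in sorted(assignments):
        perms = effective_permissions(user, assignments, roles)
        for (left, right), description in rules.items():
            if left in perms and right in perms:
                # Name the roles that contribute to the conflict, to guide remediation.
                culprit_roles = sorted(
                    r for r in assignments[user] if roles.get(r, set()) & {left, right}
                )
                conflicts.append({
                    "user": user,
                    "duties": (left, right),
                    "description": description,
                    "roles": culprit_roles,
                })
    return conflicts


def toxic_role_combinations(roles=ROLES, rules=SOD_RULES):
    """Pairs of roles whose combined permissions violate a rule, regardless of who holds them.

    Running this against the catalogue catches conflicts before any assignment is made.
    """
    toxic = []
    for r1, r2 in combinations(sorted(roles), 2):
        combined = roles[r1] | roles[r2]
        for left, right in rules:
            if {left, right} <= combined:
                toxic.append((r1, r2))
                break  # one violated rule is enough to mark the pair
    return toxic


if __name__ == "__main__":
    for c in find_sod_conflicts():
        print(f"{c['user']}: {c['description']} via roles {c['roles']}")
    print("toxic role pairs:", toxic_role_combinations())
```

A real control would also carry an exception list for approved conflicts backed by a compensating control (for example, a second-person review of bob's payments), with each exception owned, dated and re-certified periodically.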
Audit Universe
A comprehensive inventory of auditable processes and entities in an organization.
Audit Opinion
The auditor's formal conclusion on the adequacy of the control system examined.
DORA Regulation
Digital Operational Resilience Act, Regulation (EU) 2022/2554, which sets ICT risk management, incident reporting, resilience testing and ICT third-party risk requirements for EU financial entities.
NIS2 Directive
Directive (EU) 2022/2555 on a high common level of cybersecurity across the EU, replacing the 2016 NIS Directive with a wider sector scope and stricter risk management and incident reporting obligations.
GDPR
General Data Protection Regulation, Regulation (EU) 2016/679, the European framework for the protection of personal data.
ISO 27001
ISO/IEC 27001, the international standard specifying requirements for establishing, operating, maintaining and improving an Information Security Management System (ISMS); organizations can be certified against it.
NIST CSF
NIST Cybersecurity Framework, a voluntary US-developed framework for managing cyber risk, organized in version 2.0 around the functions Govern, Identify, Protect, Detect, Respond and Recover.
COBIT
Control Objectives for Information and Related Technologies, ISACA's framework for the governance and management of enterprise IT.
PCAOB
Public Company Accounting Oversight Board, the US body created by the Sarbanes-Oxley Act to oversee the auditors of public companies.
Key Risk Indicator (KRI)
A metric that tracks changes in exposure to a given risk over time, usually with thresholds that trigger escalation.
KPI vs KRI
KPI measures performance; KRI anticipates risk exposure.
Enterprise Risk Management (ERM)
An integrated, holistic approach to identifying and managing all organizational risks.
GRC Platform
Integrated software to manage Governance, Risk, and Compliance in one place.
