GRC Glossary
Definitions and core concepts around Governance, Risk, and Compliance — from risk appetite to DORA, SOX, ISO 27001 and beyond.
Risk Appetite
The level of risk an organization is prepared to accept in pursuit of its objectives.
SOX Compliance
Requirements of the Sarbanes-Oxley Act to prevent financial statement fraud.
Internal Audit
An independent, objective assurance and consulting activity to add value to operations.
Control Deficiency
A flaw in the design or operation of an internal control.
Material Weakness
A severe deficiency that could result in a material misstatement of financial statements.
Significant Deficiency
A deficiency less severe than a material weakness but requiring management attention.
IT General Controls (ITGC)
Foundational controls supporting the reliability of information systems.
IPPF (International Professional Practices Framework)
The IIA's global framework of standards and guidance for internal audit.
CIA Certification
Certified Internal Auditor — the only global internal audit certification issued by the IIA.
CISA Certification
Certified Information Systems Auditor — the global standard for IS audit and governance.
CRMA Certification
Certification in Risk Management Assurance — a risk specialization for internal auditors.
Three Lines Model
A governance framework distributing control responsibilities across three levels.
Risk Register
A centralized document listing all identified risks of an organization.
Risk Matrix
A visual tool crossing likelihood and impact to prioritize risks.
Inherent Risk
The level of risk before any controls or mitigations are applied.
Residual Risk
The level of risk remaining after controls and mitigations have been applied.
Control Objective
A statement of what a control aims to ensure.
Segregation of Duties (SoD)
A principle preventing one person from controlling all steps of a critical process.
Audit Universe
A comprehensive inventory of auditable processes and entities in an organization.
Audit Opinion
The auditor's formal conclusion on the adequacy of the control system examined.
DORA Regulation
Digital Operational Resilience Act — EU regulation on digital operational resilience.
NIS2 Directive
EU directive on the security of network and information systems — revised version.
GDPR
General Data Protection Regulation — the European framework for personal data protection.
ISO 27001
The international standard for Information Security Management Systems (ISMS).
NIST CSF
NIST Cybersecurity Framework — the US reference for managing cyber risks.
COBIT
An IT governance and management framework published by ISACA.
PCAOB
Public Company Accounting Oversight Board — US regulator of public company auditors.
Key Risk Indicator (KRI)
A metric measuring the evolution of risk exposure over time.
KPI vs KRI
KPI measures performance; KRI anticipates risk exposure.
Enterprise Risk Management (ERM)
An integrated, holistic approach to identifying and managing all organizational risks.
GRC Platform
Integrated software to manage Governance, Risk, and Compliance in one place.
Prepare for CIA, CISA, CRMA and more with AI-powered adaptive practice.
Explore NexusGRC Academy