Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

GRC application nomenclature updates and industry terminology

Log in to subscribe to topics and get notified when content changes.

GRC application nomenclature updates and industry terminology

The following terms are used within GRC applications and/or within the GRC industry.

GRC nomenclature updates

Starting with New York, many terms within all the GRC core applications were updated.
Note: These term updates apply to all navigation labels, buttons, info messages, report titles, related links, tabs, and other UI elements. The underlying table names for these terms have not changed. For example, the Profile [sn_grc_profile] table is now called Entity [sn_grc_profile].
GRC module Before New York New York
Scoping Profile Entity
Profile Types Entity Types
Profile Classes Entity Classes
My Profiles My Entities
All Profiles All Entities
Administration Profile Tiers Entity Tiers
Profile Class Rules Entity Class Rules
Indicators Indicators > Item field Control/Risk field
Category field indicates whether it is a compliance or risk indicator
Indicator Template > Content field Control Objective/Risk Statement
Issues Details > Content field Control Objective/Risk Statement
Details > Item field Control/Risk
Policy and Compliance Policy Statement Control Objective
Risk All Risks > Statement > field My Risks > Risk Statement field
My Risks > Statement field My Risks > Risk Statement field
Figure 1. Indicator form updates
indicator form showing the control/risk field
Figure 2. Indicator Template form updates
indicator template form showing the control/risk field
Figure 3. Issue form updates
GRC issue record with the Details tab showing highlighted areas for Control Objective/Risk Statement and Control/Risk
Risk record showing highlighted areas for Risk Statement field

GRC industry references

Table 1. Industry acronyms
Term Definition
Basel III An international standard for banking that regulators can use when making regulations on how much capital banks must have to offset potential risk. The more risk a bank has, the more capital it should have in place to ensure that it stays solvent. The regulation was the third such standard issued by the Basel Committee on Banking Supervision, and hence the name Basel III.
CISA Cybersecurity Information Sharing Act
CISM Certified Information Security Manager
COBIT Control Objectives for Information and Related Technologies (COBIT) provides an IT governance framework to manage risk and compliance issues based on best practices. Published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA).
COSO The Committee of Sponsoring Organizations (COSO) was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. COSO is an independent private sector initiative that studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies, the SEC, and other regulators and educational institutions.
EDPA European Data Privacy Act
ENISA European Network & Information Security Agency
EUP Energy use in products (EUP) is an EU directive that requires companies to design products to use less energy.
European Directive on Data Protection One of the first and most important pieces of data privacy legislation that specifically addresses internet privacy.
FCA Financial Conduct Authority
GDPR General Data Protection Regulation (GDPR) is a regulation, effective May 25, 2018, replacing the Data Protection Directive 95/46/ec to strengthen and harmonize the data protection rights of European Union citizens.
GRI Global Reporting Initiative (GRI) is an international group that created the G3 framework for sustainability reporting.
ITGI IT Governance Institute
PII Personal Identifying Information / Personally Identifiable Information (PII) is the information that permits the identity of an individual to be directly or indirectly inferred.
PCI DSS Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
SOX The Sarbanes-Oxley Act (SOX) established the Public Company Accounting Oversight Board and added requirements for publicly traded companies, their officers, boards, and auditors. It increased penalties for corporate financial fraud. This U.S. Legislation was enacted in response to the high profile Enron and WorldCom financial scandals. Its goal is to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. SOX applies to companies that trade publicly in the U.S.
Table 2. Industry terms
Term Definition
ALE Annualized loss expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO). Used in Quantitative risk scoring.
ARO Annualized rate of occurrence.
Acceptance A specific risk can be accepted by the management, stopping further investments into deeper controls or higher levels of mitigation, if it is within the level of Tolerance or if further mitigation and control would actually cost much more that the estimated Impact (or significance) of the risk.
Assertion Any formal declaration or set of declarations about the subject matter made by management.
Assessment A broad review of the different aspects of a company or function that includes elements not covered by a structured assurance initiative.
Attestation Process of validating that something is true. For instance, a control effectiveness or compliance can be attested through a questionnaire, electronically signed by its fulfiller.
Audit Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met. In ServiceNow, an organization identifies all the controls that they want to test at one time and assigns responsibility of the overall audit to a single person. A single task manages the testing of all controls.
Audit activities One of the tasks within an audit that is assigned to an individual for execution of the audit.
Audit committee A committee, often including members of the board of directors, responsible for overseeing financial reporting and internal controls.
Audit documentation (working papers) Records kept by the auditor of procedures applied, tests performed, information obtained, and pertinent conclusions reached in the engagement. The documentation provides the principal support for the auditor's report.
Audit evidence Facts gathered during the audit procedures that provide a reasonable basis for forming an opinion regarding the financial statements under audit.
Audit objective When obtaining evidence in support of financial statement assertions, the auditor develops specific audit objectives in light of those assertions. For example, an objective related to the completeness assertion for inventory balances is that inventory quantities include all products, materials, and supplies on hand.
Audit observations Used by internal auditors for identifying control gaps or identifying new risks.
Automated controls Internal controls executed automatically by computer systems. Manual controls are executed by a person charged with that task and are typically performed on a subset of transactions and data. Automated controls can be executed on every relevant transaction or data element, ensuring greater accuracy with less effort.
Authority documents The regulations, certifications, frameworks, standards, and best practices that an organization chooses or are required for compliance with regulations. Authority Documents are related to controls, risks, and policies.
Business risk Risks that could adversely affect an entity's ability to achieve its objectives and execute its strategies.
Calculated score Calculated score is derived from the inherent score and residual score as an overall outcome. Refers to actual exposure of risk based on the quality of implemented control system.
Chain of custody A legal principle regarding the validity and integrity of evidence. It requires accountability for anything used as evidence in a legal proceeding. This ensures that it can be accounted for from the time it was collected until the time it is presented in a court of law.
Chief Compliance Officer (CCO) A corporate official in charge of overseeing and managing compliance issues within an organization. This person ensures that a company is complying with regulatory requirements, and that the company is complying with internal policies and procedures.
Chief Operating Officer (COO) Also called a Chief Operations Officer, an executive in charge of the company’s day‐to‐day operations.
Chief Risk Officer (CRO) Also called a Chief Risk Management Officer, an executive in charge of enterprise risk management and the compliance efforts of a company.
Citations Records with the specific requirements cited by an authority document. The citation record relates authority documents to its applicable control.
Compliance The act of adhering to and demonstrating adherence with laws, regulations, or policies. Compliance relates to regulations in many areas including finance, the environment, global trade, worker safety, and privacy.
Confidentiality Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information.
Containment control Control designed to limit the impact (or significance) of a risk, if it would occur.
Control The actual control activities that are performed by an organization. Control records include basic required information about the control (owner, activity, frequency, and so forth.). Controls can be related to authoritative source contents, policies, and risks.

Any action taken by management, the board, and other parties to manage risk. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals are achieved. Control records include basic required information about the control (owner, activity, frequency, and so forth.). Controls can be related to authoritative source contents, policies, and risks.

Control framework A set of fundamental controls which perform and preserve the cross mapping of controls to prevent financial loss, information loss, or more generally to prevent risks within an enterprise.
Control instance The actual run of a Control Test Definition, periodically or on demand, showing the result data sample, the attestation, or the manual result of the test activities.
Control test definitions Control test definitions specify how and when controls are tested, including testing steps, expected results, the group or individual responsible for the testing, and the test schedule. Control test instances are automatically generated from the test schedule. Remediations are automatically created when control tests fail or when audit observations are noted.
Corrective controls Internal controls that come into play once a problem is discovered. An example would be removing access from users who have excessive privileges or executing a backup and recovery plan after a physical disaster has occurred.
Corporate Performance Management Corporate Performance Management (CPM) is a combination of strategy management, planning, reporting and consolidation, and revenue, cost, and profitability modeling that enables companies to measure their performance and improve it.
Detect Ongoing progress toward objectives as well as actual and potential undesirable conditions and events using management actions and controls.
Detective control A control designed to discover an unintended event or result. It may also detect if and when a specific risk occurs.
Effect A measure of the likelihood, timing, and impact of an event on something.
Effective internal control Reasonable assurance that operational objectives are achieved, that published financial statements are reliably prepared, and that the entity complies with applicable laws and regulations.
Engagement An audit project that may include audit tasks that accomplish a set of objectives or goals.
Event An observable action, occurrence, or a change in condition. An event includes change in knowledge about a condition, even if the condition did not change.
Entity Fundamental concept of GRC, entities are used to model any enterprise element for which controls and risks can be associated. For example: business units, servers, laptops.
Entity type Used to refer to multiple similar entities. For example: Asia/Pacific business unit, Linux servers, MacBook Pro.
Evaluate To measure something against criteria.
Evidence (evidential matter) Includes written and electronic information (such as checks, records of electronic fund transfers, invoices, contracts, and other information) that permits the auditor to reach conclusions through reasoning.
Fraud Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services and to avoid payment or loss of services or to secure personal or business advantage.
General controls Policies and procedures to assure proper operation of computer systems, including controls over network operations, software acquisition and maintenance, and access security.
Governance, Risk, and Compliance (GRC) Governance, risk management, and compliance with regulations have traditionally been separate corporate functions. GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives while addressing uncertainty and acting with integrity. It encompasses the governance, assurance and management performance, risk, and compliance.

GRC is the business of how an organization operates through the management of risk while remaining compliant with external and internal standards to optimize performance. GRC embraces how processes, controls, security, and culture integrate to ensure that the organization has integrity.

Impact Used to evaluate the severity of a risk, together with the Likelihood. It evaluates the level of consequence a specific risk would have on an organization if/when it would occur.
Indicator A metric used to collect data to monitor controls and risks, and collect audit evidence.
Inherent likelihood The likelihood of the identified risk occurring before any response strategy is implemented.
Inherent risk The level of risk exposure, in terms of Likelihood and Impact (or significance), assuming no related internal controls and no mitigation actions are yet in place.
Inherent score The score of the risk before any response strategy is implemented.
Inherent significance How significant the risk is before any response strategy is implemented.
Integrity The property whereby information, an information system, or a component of a system has not been modified or destroyed in an unauthorized manner.

A state in which information has remained unaltered from the point it's produced by a source, during transmission, storage, and eventual receipt by the destination.

Internal audit A department, division, team of consultants, or other practitioners that provides independent, objective assurance and consulting services designed to add value and improve an organization's operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.
Internal auditors Employees of the client responsible for providing analyses, evaluations, assurances, recommendations, and other information to the entity's management and board. An important responsibility of internal auditors is to monitor performance of controls.
Internal controls The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives are achieved and undesired events are prevented or detected and corrected.
Issue A GRC task that allows end users to document Control and Risk issues and track the response to remediate or accept the issue.
IT Governance The leadership, organizational structures, and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives. It is the responsibility of executives and the board of directors.
IT GRC Encompasses the software and hardware and related policies and procedures used to support compliance and risk management efforts from an IT perspective based on established best practices.
Likelihood The probability that something happened.
Management The act of internally directing, controlling, and evaluating an entity, process, or resource.
Manual controls Controls performed manually, not by computer.
Material (materiality) A risk is material when it is possible to calculate its financial impact.
Mitigation Reducing the risk associated with a particular violation of a rule. Before a risk occurs, appropriate mitigation actions are put in place to resolve possible related control failures and/or to reduce the risk exposure.
Objective Something that an entity intends to attain or accomplish.
Operational audit An audit designed to evaluate the various internal controls, economy, and efficiency of a function or department.
Operational controls Controls relating to the daily operation of a company or enterprise to ensure that all objectives are achieved.
Operational risks Risks relating to the people, processes, and systems required to achieve an organization’s mission and objectives.
Objectivity The ability to evaluate client records with no preconceived notions or prejudices.
Obligations Assertions about obligations deal with whether liabilities are obligations of the entity at a given date. For example, management asserts that amounts capitalized for leases in the balance sheet represent the cost of the entity's rights to leased property and that the corresponding lease liability represents an obligation of the entity.
Owner The owner of a risk, a control, or a mitigation/remediation task accepts its accountability. They may delegate some tasks related to the ownership, but they stay accountable to the organization.
Peer review A practice monitoring program in which the audit documentation of one CPA firm periodically reviewed by independent partners of other firms to determine that it conforms to the standards of the profession.
Plan Audit planning is developing an overall strategy for conduct and scope of the audit. The nature, extent, and timing of planning vary with size and complexity of the entity, experience with the entity, and knowledge of the business. In planning the audit, the auditor considers the entity's business and its industry, its accounting policies and procedures, methods used to process accounting information, the planned assessed level of control risk, and the auditor's preliminary judgment about audit materiality.
Policy A document that records a high‐level principle or course of action that has been decided on. The intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives, and strategic plans established by the enterprise’s management teams. In addition to policy content, policies describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy is checked and measured.

In ServiceNow, approved policies are published in the Knowledge Base. Policies are related to authority documents and control records. Policy statements define specific details that a process follows within a policy.

Preventative control A control designed to avoid an unintended event.
Procedure An action, such as a step performed as part of an audit program or as part of the client's internal controls.

Provides the “how to” of policies and guides their implementation. Procedures are audience-specific and provide exact instructions that ensures compliance with a given policy. ServiceNow treats policies and procedures in the same way; therefore, the terms may be used interchangeably. This may differ from frameworks, such as COBIT 5.1, which defines policies and procedures as two separate items.

Professional skepticism Approaching an audit with a questioning mind-set.
Qualitative Impact Includes Impact (refers to significance of a risk) and Likelihood (refers to probability of a risk occurring) ratings. Score is calculated by multiplying Impact by Likelihood. An impact often expressed using an ordinal scale or nominal scale.
Quantitative Impact A positive/negative effect on financial assets, tangible assets, intangible assets, business continuity, and health & safety. Calculated by Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = Annualized loss expectancy (ALE). A quantitative impact is expressed numerically.
Questionnaire An internal control questionnaire is a list of questions about the internal control system to be answered (with answers such as yes, no, or not applicable) during audit fieldwork. The questionnaire is part of the documentation of the auditor's understanding of the client's internal controls.
Random sample (random-number sampling) Identical probability of each population item being selected for a sample. Also, the use of random numbers to select a random sample from a population.
Reasonable assurance (an internal control) An internal control, no matter how well designed and operated, cannot guarantee that an entity’s objectives are met because of inherent limitations in all internal control systems.
Remediation After a failure is identified and assessed, appropriate remediation can take place to mitigate or eliminate the issue Residual likelihood: The likelihood of the identified risk occurring after any response strategy is implemented.
Requirement Something that an entity must address as a result of making a promise.
Residual likelihood The likelihood of the identified risk occurring after any response strategy is implemented.
Residual risk Level of the risk exposure, in terms of likelihood and impact (or significance), after related internal controls and mitigation actions are in place and effective.
Residual score The score of the risk after any response strategy is implemented.
Residual significance How significant the risk is after any response strategy is implemented.
Risk A risk is any threat or vulnerability that could adversely affect an organization’s business objectives. All risks are contained in one risk repository. Risks can be related to any item, policy, control, and remediation task. Risks requiring immediate or ongoing attention can be mitigated, prevented, or controlled using the defined controls and related control tests. A risk statement is a defined consequence that can occur if a threat exploits a vulnerability.

Risk is measured in terms of Impact (or Significance) and Likelihood. Types of risks include operational risks (fraud, for example), risks of noncompliance (not filing the proper documents to comply with legislation), and strategic risks (such as an incident that affects a brand’s reputation). The business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise.

Risk analysis The systematic examination of available information to determine how often specified events may occur and the magnitude of their consequences.
Risk appetite The level of risk that an organization is willing to accept in pursuit of its objectives.
Risk assessment The appraisal of the risks facing an entity, asset, system or network, organizational operations, individuals, geographic area, other organizations, or society, and includes determining the extent to which adverse circumstances or events could result in harmful consequences.
Risk criteria Are quantitative or qualitative values against which level of risk is evaluated.
Risk management The objective of risk management is to reduce uncertainty. It's the act of managing processes and resources to address risk while pursuing the organization's objectives. The process of identifying, analyzing, assessing, and communicating risk and accepting, avoiding, transferring or controlling it to an acceptable level considering associated costs and benefits of any actions taken.
Risk management framework A formalized process for managing risk on an explicit basis. The framework consists of a risk assessment, response, and accountability for the risk and mitigation activities around it.
Risk mitigation The processes built into the controls environment, such as policies, frameworks, and accountabilities, that reduce a risk.
Risk register A repository of the key attributes of potential and known IT risk issues. Attributes may include name, description, owner, expected/actual frequency, inherent/residual level, potential/actual business impact, and mitigation/remediation plans.
Risk response The decision to accept a risk, decline a risk, treat or mitigate a risk, or share a risk with another party.
Risk statement General statements about potential risks or threats that could occur somewhere in an organization.
Risk tolerance The level of risk that the organization is unwilling to exceed to achieve objectives. The representation of the risk appetite in terms of threshold, generally financial, given to various management levels in the organization for specific risk categories.
Sample size The number of population items selected when a sample is drawn from a population.
Sampling Selecting a small but pertinent and representative number of records to represent the entire population of records.
Sampling risk The possibility that conclusions drawn from the sample may not represent correct conclusions for the entire population.
Segregation of duties (SoD) Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets. Segregation of duties reduces the opportunities for one person to both perpetrate and conceal errors or fraud.
Significance Used to evaluate the severity of a risk, together with the Likelihood. It evaluates the level of consequence a specific risk would have on an organization if/when it would occur.
SLE Single loss expectancy (SLE) = Single Loss Expectancy = Asset Value x Exposure Factor.
Stakeholder A person, group, or organization that has direct or indirect stake in an organization because it can affect or be affected by the organization’s actions, objectives, and policies.
Standard A professional pronouncement promulgated by the Internal Audit Standards Board that delineates the requirements for performing a broad range of internal audit activities, and for evaluating internal audit performance.
Strategic risks Relating to strategic objectives such as political factors, customer priorities, brand, or reputation.
Target A measurable value that an entity strives to achieve.
Test A sample from a population to estimate characteristics of the population.
Test plan A specific audit test of the design and operating effectiveness of a single control.
Threat An event that has, on balance, an undesirable effect on achieving objectives.
Tolerance The acceptable level of departure from a target.
Unified Compliance Framework (UCF) Network Frontiers Unified Compliance Framework (UCF) contains authority documents that can be imported into the ServiceNow® instance. For more information, see Unified Compliance Framework.
Uncertainty The state of being unable to completely predict, determine, or define something.