
Key Terminology

The vocabulary shared across audit methodology, ERP systems, AI governance, and electrical distribution operations -- defined for practitioners, leaders, and executives alike.

Key takeaways -- read this first
  • This site sits at the intersection of audit methodology, enterprise technology, AI governance, and electrical distribution operations. The terminology reflects all four domains.
  • Definitions here are calibrated for clarity, not academic precision. Where industry usage varies, the most common enterprise audit interpretation is used.
  • Readers from a traditional audit background will find the technology and AI terms most useful. Readers from a technology background will find the methodology terms most grounding.
  • These definitions are reference material. Reading the full glossary is not required -- use it as a lookup when a term on another page needs context.
  • Categories: 4 -- Methodology · Technology · AI · Operations
  • Scope: site-wide reference, linked from every section
  • Language level: plain language, defined for any background
  • Reading time: 10 min
Population-level testing
Testing the full universe of transactions or records rather than a statistical sample. Population-level testing identifies every instance of an exception rather than estimating its frequency -- producing findings that are counts, not projections. The shift from sampling to population-level testing is one of the defining methodological changes driven by modern analytics capability. → See Methodology
Statistical sampling
A structured method for selecting a subset of a population and drawing conclusions about the whole based on that subset. Statistical sampling uses probability theory to estimate the rate of exception in a population given the rate observed in the sample. Traditional audit practice relied heavily on sampling because full-population testing was not feasible at scale. In analytics-enabled environments, sampling is increasingly reserved for situations where full populations are inaccessible or prohibitively large even with automation.
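The contrast between the two entries above can be seen by running one exception rule both ways over the same data. The following is an added illustration, not code from this site: the payment records, the 10,000 single-approver limit and the test rule are all constructed. Testing every record yields the exact list of exception document IDs; a systematic sample yields only an estimated rate projected onto the population, and the projection moves with the choice of sample.

```python
"""Population-level testing versus a sample-based projection.

Added illustration, not code from this site. The payment records, the
10,000 single-approver limit and the test rule are all constructed.
The same exception rule is run two ways: over every record (an exact
list of exceptions) and over a systematic sample (an estimated rate
projected onto the population).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    doc_id: str
    amount: float
    creator: str
    approver: str


APPROVAL_LIMIT = 10_000.0  # constructed: a single approver may release up to this amount


def is_exception(p: Payment) -> bool:
    """Exception rule: self-approval, or an amount above the single-approver limit."""
    return p.creator == p.approver or p.amount > APPROVAL_LIMIT


def build_population() -> list[Payment]:
    """Constructed population of 200 payments with 8 planted exceptions
    (5 self-approvals, 4 over-limit amounts, one record in both groups)."""
    pop = []
    for i in range(1, 201):
        creator = f"user{i % 7}"
        approver = creator if i % 40 == 0 else f"mgr{i % 3}"
        amount = 12_500.0 if i % 50 == 0 else 500.0 + i
        pop.append(Payment(f"PAY{i:04d}", amount, creator, approver))
    return pop


def exceptions_full_population(pop: list[Payment]) -> list[str]:
    """Population-level test: every record is evaluated, so the result is the
    exact set of exception document IDs (a count, not a projection)."""
    return [p.doc_id for p in pop if is_exception(p)]


def project_from_sample(pop: list[Payment], interval: int, start: int = 0):
    """Systematic sample: every `interval`-th record from index `start`.
    Returns (sample size, exceptions found in sample, projected population count).
    The projection is the rate observed in the sample times the population
    size; it cannot name which records outside the sample are exceptions."""
    sample = pop[start::interval]
    found = sum(1 for p in sample if is_exception(p))
    projected = round(found / len(sample) * len(pop))
    return len(sample), found, projected


if __name__ == "__main__":
    pop = build_population()
    print("full population:", exceptions_full_population(pop))
    for start in (0, 9):
        print(f"systematic sample (interval 10, start {start}):",
              project_from_sample(pop, 10, start))
```

On this constructed population the full test returns the 8 exception IDs. A 20-record systematic sample starting at index 0 finds none and projects 0; the same sample size starting at index 9 finds all 8 and projects 80. Both are valid projections from their samples; neither is the count, which is the point the Population-level testing entry makes.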
Continuous monitoring
An ongoing audit or control oversight process that reviews transactions or signals on a regular cadence rather than through periodic point-in-time engagements. Continuous monitoring differs from continuous auditing in that it is typically designed to identify exceptions in near-real time and route them to owners for response, rather than producing a formal audit opinion. Effective continuous monitoring requires defined thresholds, escalation paths, and closure tracking. → See Continuous Monitoring
IIA 2024 Global Internal Audit Standards
The current governing standard for internal audit practice, released by the Institute of Internal Auditors and effective January 2025. The 2024 standards introduced significant changes to how audit functions are expected to demonstrate competency, manage quality, and engage with technology and data. The standards explicitly require that audit functions possess or access skills appropriate to the complexity of their operating environment -- a requirement that has direct implications for analytics and technology capability. → See Data Access
Working paper
The documentation produced during an audit engagement that records the work performed, the evidence obtained, and the conclusions reached. Working papers are the primary mechanism by which an audit is made reviewable by others. Modern audit practice extends the working paper concept to include data extractions, query logic, analytical procedures, and AI-assisted drafts -- each of which requires the same documentation discipline as traditional paper-based evidence.
Finding (condition / criteria / cause / effect)
The standard four-part framework for documenting an audit observation that rises to the level of a reportable issue. Condition is what was observed. Criteria is the standard the process should have met -- a policy, control design, or regulatory requirement. Cause is the root reason the condition exists. Effect is the business consequence of the gap between condition and criteria. A finding that does not address all four components is incomplete and difficult to defend or remediate.
Scope limitation
A constraint on audit work that prevents the function from fully testing a population or process. Scope limitations may arise from data access restrictions, system configurations that prevent extraction, time constraints, or management decisions. When a scope limitation exists, it must be disclosed in audit reporting -- because an opinion formed from limited evidence has a different weight than one formed from complete evidence. → See ERP Transition
Evidence standard
The threshold of quality and sufficiency that audit evidence must meet to support a finding or conclusion. Evidence must be sufficient (enough of it), reliable (from a credible source), relevant (tied to the specific question being tested), and useful (meaningful to the conclusion drawn). The evidence standard applies equally to AI-assisted output -- the fact that AI generated a draft does not alter the requirement that the underlying evidence be independently verifiable.
Data lineage
The documented path that data follows from its origin in a source system through any transformations, calculations, or aggregations to its final form in a report, dashboard, or audit workpaper. Data lineage documentation is an audit evidence requirement -- without it, a reviewer cannot confirm that the data used in testing is what the auditor claims it is. In complex ERP environments, data lineage spans multiple systems and may require IT support to trace fully. → See Data Access
ERP (Enterprise Resource Planning)
An integrated software platform that manages core business processes -- finance, procurement, inventory, sales, HR, and others -- within a single system with a shared data model. ERP systems are significant for internal audit because they are the primary source of transaction data, they embed automated controls within process workflows, and they create a complex access governance environment. In electrical distribution, the dominant ERP platforms are SAP S/4HANA and Oracle.
SAP S/4HANA
SAP's current-generation ERP platform, built on an in-memory database (HANA) that enables real-time analytics at the data layer. S/4HANA differs from earlier SAP versions in its data model simplification, the elimination of aggregate tables, and the shift toward Fiori-based user interfaces. For audit, S/4HANA's real-time data access and CDS (Core Data Services) layer create new possibilities for direct data extraction without depending on pre-built reports. → See SAP Tool Ecosystem
SAP Fiori
The modern user interface layer for SAP applications. Fiori replaces legacy SAP transaction codes with role-based, browser-accessible applications optimized for specific job functions. From an audit perspective, Fiori's role-based access model is both a control mechanism and a scope of review -- understanding which roles have access to which Fiori apps is part of segregation of duties analysis in S/4HANA environments. → See SAP Tool Ecosystem
Business Integrity Screening (BIS)
An SAP tool that screens business partner records -- vendors, customers, and others -- against external watchlists and sanctions databases. BIS is relevant to audit in regulatory compliance engagements and vendor due diligence reviews. Its presence in an SAP environment creates both a control mechanism (automated screening) and an audit scope (are screenings running, are hits reviewed, are overrides documented). → See SAP S/4HANA Monitoring
GRC (Governance, Risk, and Compliance)
A category of software tools -- and the broader practice discipline -- that manages policy documentation, risk registers, control frameworks, audit issue tracking, and access risk analysis within a structured platform. SAP GRC is the dominant platform in SAP environments. For audit, GRC tools support continuous control monitoring, SoD conflict detection, and audit finding lifecycle management. GRC data is often a primary source for access governance reviews. → See SAP Tool Ecosystem
Segregation of Duties (SoD)
A control principle that prevents a single individual from controlling two or more steps in a sensitive business process -- preventing them from initiating and approving the same transaction, or creating a vendor record and authorizing payment. SoD controls are embedded in ERP access models through role and authorization design. In SAP S/4HANA, SoD analysis requires understanding which authorization objects are associated with which sensitive functions and whether any user's role combination creates a conflict. → See ERP Audit Universe
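The conflict analysis described in the SoD entry, as an added illustration that is not code from this site, from SAP or from any GRC product. Role names (Z_*), function names, user IDs and the conflict rules are constructed, and it assumes the authorization-object analysis has already been reduced to a role-to-sensitive-function mapping. The logic is the general one: report every user whose combined roles cover both sides of a conflicting function pair, and separately flag roles that are conflicting by design.

```python
"""Segregation-of-duties conflict detection over ERP role assignments.

Added illustration, not code from this site, from SAP or from any GRC
product. Role names (Z_*), function names, user IDs and the conflict
rules are constructed. Assumes the authorization-object analysis has
already been reduced to a role-to-sensitive-function mapping.
"""

# Constructed: which sensitive business functions each role grants.
ROLE_FUNCTIONS = {
    "Z_AP_VENDOR_MAINT": {"vendor_master_maintain"},
    "Z_AP_INVOICE_POST": {"invoice_post"},
    "Z_AP_PAYMENT_RUN": {"payment_release"},
    "Z_AP_SUPERUSER": {"invoice_post", "payment_release"},  # conflicting by design
    "Z_SD_ORDER_ENTRY": {"sales_order_create"},
    "Z_SD_PRICING": {"condition_record_maintain"},
    "Z_DISPLAY_ONLY": set(),
}

# Constructed rule set: function pairs one person should not hold together.
CONFLICT_RULES = {
    ("vendor_master_maintain", "payment_release"): "Create vendor record and release payment",
    ("invoice_post", "payment_release"): "Post vendor invoice and release payment",
    ("sales_order_create", "condition_record_maintain"): "Enter sales order and set its price",
}

# Constructed user-to-role assignments, as extracted from the ERP.
USER_ROLES = {
    "jdoe": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN", "Z_DISPLAY_ONLY"],
    "asmith": ["Z_AP_INVOICE_POST", "Z_DISPLAY_ONLY"],
    "bkhan": ["Z_SD_ORDER_ENTRY", "Z_SD_PRICING"],
}


def user_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of sensitive functions granted by a user's roles."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def find_user_conflicts(user_roles, role_functions=ROLE_FUNCTIONS, rules=CONFLICT_RULES):
    """Return {user: [(function_a, function_b, rule description, roles involved)]}.
    A user is in conflict when the combination of their roles grants both
    functions of a rule, even if no single role does."""
    report = {}
    for user, roles in user_roles.items():
        funcs = user_functions(roles, role_functions)
        hits = []
        for (a, b), description in rules.items():
            if a in funcs and b in funcs:
                via = sorted(r for r in roles if role_functions.get(r, set()) & {a, b})
                hits.append((a, b, description, via))
        if hits:
            report[user] = hits
    return report


def roles_conflicting_by_design(role_functions=ROLE_FUNCTIONS, rules=CONFLICT_RULES):
    """Roles that grant both sides of a rule on their own. These are role
    design findings: every user assigned the role is in conflict regardless
    of what else they hold."""
    return sorted(
        role for role, funcs in role_functions.items()
        if any(a in funcs and b in funcs for (a, b) in rules)
    )


if __name__ == "__main__":
    for user, hits in find_user_conflicts(USER_ROLES).items():
        for a, b, description, via in hits:
            print(f"{user}: {description} ({a} + {b}) via {', '.join(via)}")
    print("roles conflicting by design:", roles_conflicting_by_design())
```

Reporting which roles produced each hit matters for remediation: a user-level conflict is fixed by changing an assignment, while a role that is conflicting by design has to be split before any assignment change helps.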
Data access (audit context)
In audit, data access refers to the function's established pathways for independently retrieving transactional and master data from enterprise systems. Direct data access -- as opposed to requesting data extracts from IT or business teams -- is a capability that dramatically changes the speed, depth, and independence of audit work. Establishing and maintaining direct data access is one of the highest-return infrastructure investments an audit function can make. → See Data Access
CDS (Core Data Services) layer
In SAP S/4HANA, Core Data Services are semantic views defined on top of the underlying database tables. CDS views present data in a business-context-meaningful way -- combining tables, applying filters, and exposing calculated fields -- without requiring direct table-level knowledge. For audit teams building data extractions, CDS views provide a more stable and semantically clear entry point than raw table queries, and they are the foundation of SAP's analytical frameworks and reporting tools.
SQL (Structured Query Language)
The standard language for querying relational databases. SQL allows users to retrieve, filter, join, aggregate, and transform data from database tables using a structured syntax. For audit practitioners, SQL is the most foundational data skill because it works across virtually every enterprise database environment -- SAP, Oracle, SQL Server, PostgreSQL, and others. Even a working-level SQL capability enables an auditor to independently extract and analyze data that previously required IT support. → See Skills and Development
Process mining
An analytics technique that reconstructs the actual flow of business processes from event log data in enterprise systems, then compares actual flows against expected process models to identify deviations, bottlenecks, and control exceptions. In SAP environments, process mining tools (including SAP's own Signavio Process Intelligence) use transaction and timestamp data to visualize how processes actually executed -- making it possible to identify exceptions like retroactive approvals, skipped steps, or unusual user behavior at scale. → See SAP Tool Ecosystem
API (Application Programming Interface)
A defined interface that allows one software system to request data or functionality from another in a structured, automated way. APIs are relevant to audit in multiple contexts: they are a method for extracting data from enterprise systems without direct database access, they are a component of system integration architecture that requires IT general controls oversight, and they are increasingly a mechanism through which AI and automation tools interact with core business systems -- creating new audit scope in AI governance engagements.
Large language model (LLM)
A type of AI system trained on large volumes of text data to generate, summarize, translate, and analyze language. LLMs are the technology behind tools like ChatGPT, Claude, Gemini, and Microsoft Copilot. In audit contexts, LLMs are both tools for practitioner productivity (drafting, summarizing, designing procedures) and emerging subjects of audit scope (when organizations deploy LLM-based applications in business processes). → See Auditing AI
Hallucination
The phenomenon in which an AI language model generates plausible-sounding but factually incorrect output. Hallucinations occur because LLMs predict the most statistically likely continuation of a prompt based on training data -- they do not verify claims against a live database of facts. For audit practitioners using AI tools, hallucination is the primary reason that all AI-generated output used in workpapers must be independently verified against primary sources. → See AI Toolkit
Model drift
The degradation of an AI model's predictive accuracy over time as the distribution of real-world data diverges from the distribution the model was trained on. A fraud detection model trained on pre-pandemic transaction patterns will perform differently as purchasing behaviors change. Model drift is a governance risk because it may not be immediately visible in system outputs -- the model continues to produce predictions, but their reliability has degraded. Monitoring for model drift is a control design requirement for any AI system used in consequential business decisions. → See Auditing AI
Training data
The dataset used to develop an AI model's predictive behavior. The quality, representativeness, and documentation of training data are foundational governance questions for any AI system. Biased, incomplete, or undocumented training data produces models whose behavior cannot be fully explained or defended. For audit, training data documentation is a primary evidence request in AI governance engagements -- particularly when model outputs influence consequential decisions like credit approvals, pricing, or resource allocation.
Shadow AI
The use of AI tools by employees outside of organizational policy, governance, or IT visibility -- analogous to shadow IT. Shadow AI typically emerges when employees discover productivity benefits from consumer AI tools faster than organizational policy can respond. The audit risk of shadow AI is that sensitive organizational data -- including audit evidence, personnel records, or customer information -- may be entered into external AI systems without appropriate controls. → See Auditing AI
Human-in-the-loop
A design principle in AI systems that requires a human reviewer to approve, modify, or override AI-generated outputs before they take effect. Human-in-the-loop requirements are a common governance control for high-stakes AI applications -- ensuring that automated recommendations are subject to human judgment before consequential action. From an audit perspective, the question is not just whether a human-in-the-loop requirement exists in policy, but whether it is actually operating as designed in practice.
Agentic workflow
An AI system architecture in which the model is given a goal and autonomously executes a sequence of actions -- including using tools, querying data, writing code, and making intermediate decisions -- to achieve it, with limited or no human intervention at each step. Agentic workflows represent a significant governance challenge because the audit trail for actions taken by an autonomous agent is less straightforward than for actions taken by a human user. → See Auditing AI
NIST AI RMF (AI Risk Management Framework)
A voluntary framework published by the National Institute of Standards and Technology that provides organizations with a structured approach to identifying, measuring, and managing AI-related risks. The NIST AI RMF organizes risk management activities across four functions: Govern, Map, Measure, and Manage. It is increasingly referenced as a baseline in AI governance program design and audit scoping in U.S.-based organizations. → See Auditing AI
EU AI Act
The European Union's comprehensive regulation of artificial intelligence, adopted in 2024. The EU AI Act establishes a risk-based framework that classifies AI systems by risk level and imposes corresponding obligations on developers and deployers. High-risk AI systems -- including those used in employment decisions, credit scoring, and critical infrastructure -- face the most stringent requirements for transparency, human oversight, and documentation. Organizations with EU operations or EU-exposed AI systems must assess applicability and maintain compliance documentation. → See Auditing AI
Prompt engineering
The practice of designing and refining the text inputs (prompts) given to AI language models to produce more useful, accurate, or specifically structured outputs. Effective prompt engineering for audit work involves providing sufficient context about the audit objective, system environment, evidence standard, and audience -- rather than asking generic questions. Practitioners who develop a personal library of well-engineered prompts produce more consistent and defensible AI-assisted output than those who rely on improvised inputs. → See AI Toolkit
Order-to-cash (OTC)
The end-to-end business process that begins with a customer order and concludes with payment receipt. In electrical distribution, the OTC process includes order entry, pricing determination (including application of special pricing agreements and condition records), order fulfillment, shipping, invoicing, and cash application. OTC is one of the highest-volume and highest-risk process areas in distribution -- pricing errors, billing exceptions, and revenue recognition issues concentrate here. → See ERP Audit Universe
Procure-to-pay (PTP)
The end-to-end business process that begins with a purchase requisition and concludes with vendor payment. In electrical distribution, PTP includes requisitioning, purchase order creation, goods receipt, invoice receipt, three-way match, and payment execution. PTP is a primary focus area for audit because it contains controls over vendor management, purchasing authority, and disbursement -- including the three-way match control that is one of the most commonly tested in the industry. → See ERP Audit Universe
Condition record
In SAP, a condition record is the master data object that stores a pricing rule for a specific combination of customer, product, sales organization, or other attributes. When a sales order is created, SAP's pricing procedure reads applicable condition records and determines the price. Audit significance: unauthorized changes to condition records, inactive records applied in error, or missing records for products that should have controlled pricing are common sources of billing exceptions in distribution. → See ERP Audit Universe
Special Pricing Agreement (SPA)
A commercial arrangement between a distributor and a manufacturer in which the manufacturer agrees to reimburse the distributor for selling a product below standard cost to a specific customer or project. SPAs are significant in electrical distribution because the reimbursement amounts are large, the authorization and documentation requirements are complex, and the audit trail -- from sales order to claim submission to manufacturer reimbursement -- spans multiple systems and business functions. SPA reconciliation is a material audit area. → See ERP Audit Universe
Generic material number
In SAP, a placeholder material record used when a specific product does not have its own master data at the time of order entry. Generic material numbers allow orders to be processed for products that are not yet in the item master, but they bypass the pricing and product controls that apply to properly configured materials. In audit contexts, high volumes of transactions processed through generic material numbers are a signal of potential pricing, inventory, or reporting control weaknesses. → See SAP S/4HANA Monitoring
Rebate accrual
The accounting process of recording an estimated rebate obligation or receivable as revenue is recognized, before the rebate is actually paid or received. In electrical distribution, rebate programs with suppliers are common -- and the accuracy of rebate accruals is both a financial reporting risk and an audit area. Errors in accrual rates, missing accruals for active programs, or accruals that do not tie to actual contract terms are frequent findings. → See ERP Audit Universe
Branch operations
In electrical distribution, the branch is the local operating unit -- a facility that holds inventory, processes orders, and serves customers in a geographic area. Branch operations include receiving, warehousing, order fulfillment, will-call sales, returns processing, and local pricing decisions. Branches are significant audit scope because they operate with varying levels of local control effectiveness, they hold physical inventory, and they are where system controls interact with human behavior at the transaction level. → See ERP Audit Universe
Three-way match
A fundamental accounts payable control in which the purchase order, the goods receipt confirmation, and the vendor invoice are compared before payment is authorized. All three documents must agree on vendor, quantity, and price within defined tolerances. When the three-way match fails, the transaction is held for manual review. In SAP S/4HANA, the three-way match is an automated system control -- audit scope includes confirming the control is configured correctly, that exceptions are being reviewed, and that workarounds or manual overrides are documented and authorized. → See ERP Audit Universe
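The match rule described in the Three-way match entry (and referenced in the Procure-to-pay entry), as an added illustration that is not code from this site or from SAP. Document numbers, vendor IDs and the tolerance percentages are constructed. It shows the comparison of PO, goods receipt and invoice within tolerances, the hold for manual review when they disagree, and the batch view an auditor would use to confirm that held invoices exist to be reviewed.

```python
"""Three-way match of purchase order, goods receipt and vendor invoice.

Added illustration, not code from this site or from SAP. Document
numbers, vendor IDs and the tolerance percentages are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor: str
    qty: int
    unit_price: float


@dataclass(frozen=True)
class GoodsReceipt:
    gr_id: str
    po_id: str
    qty: int


@dataclass(frozen=True)
class Invoice:
    inv_id: str
    po_id: str
    vendor: str
    qty: int
    unit_price: float


QTY_TOLERANCE = 0.02    # constructed: 2% quantity tolerance
PRICE_TOLERANCE = 0.01  # constructed: 1% unit-price tolerance


def within_tolerance(actual: float, expected: float, tolerance: float) -> bool:
    return abs(actual - expected) <= tolerance * abs(expected)


def three_way_match(po: PurchaseOrder, receipts: list[GoodsReceipt], inv: Invoice):
    """Compare the invoice against the PO and the receipts posted to that PO.
    Returns ("MATCHED", []) or ("HELD", [reason, ...]) for manual review."""
    reasons = []
    if inv.vendor != po.vendor:
        reasons.append(f"vendor: invoice {inv.vendor} vs PO {po.vendor}")
    received = sum(r.qty for r in receipts if r.po_id == po.po_id)
    if received == 0:
        reasons.append("no goods receipt posted to PO")
    elif not within_tolerance(inv.qty, received, QTY_TOLERANCE):
        reasons.append(f"quantity: invoiced {inv.qty} vs received {received}")
    if inv.qty > po.qty * (1 + QTY_TOLERANCE):
        reasons.append(f"quantity: invoiced {inv.qty} exceeds PO {po.qty}")
    if not within_tolerance(inv.unit_price, po.unit_price, PRICE_TOLERANCE):
        reasons.append(f"price: invoiced {inv.unit_price} vs PO {po.unit_price}")
    return ("MATCHED", reasons) if not reasons else ("HELD", reasons)


def run_batch(pos, receipts, invoices):
    """Match every invoice; result is {inv_id: (status, reasons)}.
    An invoice referencing an unknown PO is held as well."""
    by_po = {po.po_id: po for po in pos}
    results = {}
    for inv in invoices:
        po = by_po.get(inv.po_id)
        if po is None:
            results[inv.inv_id] = ("HELD", [f"PO {inv.po_id} not found"])
        else:
            results[inv.inv_id] = three_way_match(po, receipts, inv)
    return results


# Constructed batch: one clean match, one partial receipt, one wrong vendor
# and price, one invoice against a PO that does not exist.
POS = [
    PurchaseOrder("4500001", "V100", 100, 12.00),
    PurchaseOrder("4500002", "V200", 50, 80.00),
    PurchaseOrder("4500003", "V300", 10, 500.00),
]
RECEIPTS = [
    GoodsReceipt("GR01", "4500001", 100),
    GoodsReceipt("GR02", "4500002", 40),
    GoodsReceipt("GR03", "4500003", 10),
]
INVOICES = [
    Invoice("INV1", "4500001", "V100", 100, 12.05),
    Invoice("INV2", "4500002", "V200", 50, 80.00),
    Invoice("INV3", "4500003", "V301", 10, 560.00),
    Invoice("INV4", "4500009", "V100", 1, 10.00),
]


if __name__ == "__main__":
    for inv_id, (status, reasons) in run_batch(POS, RECEIPTS, INVOICES).items():
        print(inv_id, status, "; ".join(reasons))
```

The tolerance constants are the configuration an audit would confirm in the system; a tolerance wide enough that the partial-receipt invoice above passes would be a control design finding, and the held list is the population from which exception-review testing draws.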