Glossary
Audit Terms
| Term | Definition |
|---|---|
| Audit Universe | The complete inventory of auditable entities across the organization (processes, departments, systems, locations) |
| Engagement | A single audit assignment progressing through planning, fieldwork, reporting, and follow-up |
| Workpaper | Documentation supporting audit procedures, findings, and conclusions |
| Finding | A documented gap between the expected state (criteria) and the actual state (condition) |
| CCCER | Finding documentation format: Condition, Criteria, Cause, Effect, Recommendation |
| PBC | Prepared by Client — evidence requests sent to auditees for fulfilling |
| Action Plan | Documented remediation steps agreed by management to address audit findings |
| KRI | Key Risk Indicator — a metric monitored against thresholds to detect emerging risks |
| CAE | Chief Audit Executive — the head of the internal audit function |
| IPPF | International Professional Practices Framework — the IIA's authoritative guidance |
| IIA | Institute of Internal Auditors — the global professional association |
| SoD | Segregation of Duties — prevents one person from performing conflicting roles (e.g., preparer and reviewer) |
| Gate Check | A quality control point requiring approval before an engagement can advance to the next phase |
| Board Pack | An executive summary report compiled for board of directors consumption |
| Signoff Chain | The ordered sequence of reviewers who must approve a governed record |
Technology Terms
| Term | Definition |
|---|---|
| RBAC | Role-Based Access Control — permissions assigned to roles, roles assigned to users |
| RLS | Row-Level Security — PostgreSQL feature enforcing data isolation at the database level |
| RAG | Retrieval-Augmented Generation — AI technique grounding responses in actual data |
| LLM | Large Language Model — the AI model providing natural language capabilities |
| OIDC | OpenID Connect — authentication protocol used with Keycloak |
| JWT | JSON Web Token — the token format used for authentication and licensing |
| OCI | Oracle Cloud Infrastructure — the cloud platform hosting AIIA SaaS |
| pgvector | PostgreSQL extension for vector similarity search (used in RAG) |
| MinIO | S3-compatible object storage for evidence files |
| Keycloak | Open-source identity and access management solution |
Compliance Terms
| Term | Definition |
|---|---|
| NCA ECC | National Cybersecurity Authority Essential Cybersecurity Controls (Saudi Arabia) |
| PDPL | Personal Data Protection Law (Saudi Arabia's data privacy regulation) |
| CSCC | Cloud Security Cybersecurity Controls |
| Vision 2030 | Saudi Arabia's strategic framework for economic and social transformation |
AIIA Platform Terms
| Term | Definition |
|---|---|
| AI Companion | Contextual AI chat assistant available within engagements |
| AI Diff Review | Side-by-side comparison of current vs. AI-suggested content |
| Data Agent | AI capability that generates SQL queries from natural language questions |
| KRI Playground | Visual drag-and-drop builder for creating and testing KRI definitions |
| AI Wizard | Guided, step-by-step AI-assisted creation workflow |
| Commercial Module | The billing, licensing, and tenant management subsystem |
| Subscription Tier | The level of service: Essentials, Professional, Enterprise, or Sovereign |
| Shared SaaS | Multi-tenant deployment on shared OCI infrastructure |
| Private Tenant | Dedicated infrastructure (namespace or cluster) on OCI |
| License Key | RS256-signed JWT encoding the organization's tier, modules, and expiry |