IIA Releases IT Audit Guidance

In an effort to assist auditors, regulators and top management with a methodology for identifying which IT controls should be tested as part of an annual assessment of internal controls, the Institute of Internal Auditors has released GAIT -- the Guide to the Assessment of IT General Controls Scope Based on Risk.

The IIA said that the GAIT guidelines were designed to improve audit efficiency and reduce compliance costs such as those associated with Sarbanes-Oxley 404.

GAIT provides a universal methodology designed to efficiently scope ITGC (IT General Controls), regardless of the internal control framework used.

The GAIT guidelines were developed over an 18-month period with input from 30 IT audit experts, chief audit executives and others from a cross section of industries.

The core principles of the guidance are:

  • Identifying risks and related controls in ITGC processes should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.
  • The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
  • The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, database, operating systems and network.
  • Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.

The principles and methodology are available for free download from the IIA's homepage at http://www.theiia.org/.
