New scoping principles for IT controls proposed by IIA

Auditors have long suffered unease forming conclusions related to information technology controls. They have no standards or principles to guide them, no clear way to match IT controls to the objectives of Sarbanes-Oxley or myriad other requirements for internal controls, and no way to ensure consistency from year to year or company to company.

The Institute of Internal Auditors has taken a big first step toward generally accepted IT principles, or GAIT, with a proposed set of guidance principles on scoping the IT controls area of financial reporting.

Heriot Prentice, the IIA's director of technology practices, is the central organizer behind the proposal, and sees the principles as a big step toward better reporting and audits.

"This will revolutionize the way in which IT controls are tested, in that you will be able to define by using judgment and risk what controls are in scope and out of scope for any IT controls review," Prentice said. "This will allow the audit world to be far more effective and efficient, and allow IT management, management, chief information officers and information systems officers to challenge the auditor if they feel that they are addressing control objectives that are clearly out of scope."

Gene Kim, chief technology officer of Tripwire and a contributing author of the GAIT document, praised the clarity of the principles and said that he is relieved to know that there will soon be generally accepted principles relevant to IT.

"GAIT is a simplifying construct," Kim said. "It's cool because it lets you put a box around all of IT. Auditors can decide whether they want to audit around the box. If so, they can just take it out of scope. If they do want to audit in the box, here are the specific guidelines of what you need to bring into scope and why. I think it takes the mysteries out of technology. As a technologist, I find this very clarifying. Even non-technology people can say, 'I can understand that.'"

The principles address one of the most significant issues identified by the Public Company Accounting Oversight Board in a report on the problems and shortcomings that companies and auditors suffered while trying to comply with Sarbanes-Oxley. The main problem was one of scope: the preparers and auditors of financial reports were working hard to assess controls that weren't worth the effort.

"In an audit firm, it's very difficult to carry out this work," Prentice said. "Firms had a tendency to try and document everything with equal detail, rather than prioritizing and focusing on those areas that posed the greatest risk, for fear that they would be viewed unfavorably by regulators. People were applying frameworks such as COSO [Committee of Sponsoring Organizations], COBIT [Control Objectives for Information and Related Technology] and ISO 17799 without the benefit of using a scoping tool upfront. So you'd have internal and external auditors and consultants all doing a lot of duplication of effort around the work on general controls."

Not a framework

Prentice emphasized that the proposed principles do not constitute a controls framework and do not include control objectives. GAIT also does not specifically determine the scope of all audits.

Rather, it is a tool that helps determine relevant IT controls on a consistent basis. It provides constructs to appropriately identify and link the COSO constructs of internal control objectives, assertions, risks and controls. The principles provide actionable guidance on how to determine in a top-down and risk-based manner how deep and wide an organization must go to reach a controls conclusion related to the achievement of a COSO internal control objective.

The GAIT document should help establish a common frame of reference and a common language about business risks and internal controls, facilitating discussion between management and auditors. That discussion has been hampered by the absence of a shared community of practice among internal auditors, external auditors, information security and other IT professionals to support such scoping and linking work.

The document covers such issues as "risk distance," transactional process requirements, application controls, security and constructs for scoping. The GAIT documents include principles, frequently asked questions, application scenarios and a glossary.

Ultimately, as the GAIT concept expands into broader guidelines, it is expected to span internal and external audits, as well as business and IT management. Once vetted with relevant stakeholders, it should help organizations explain clearly the scope, complexity and cost of complying with Sarbanes-Oxley within the context of IT controls.

The IIA has posted the GAIT exposure draft on its Web site and requested comments by February 28. A summit meeting to discuss enforcement aspects of the initiative was scheduled to be held on February 15, with representation from all of the Big Four accounting firms.

A final pronouncement was anticipated by March 15.

The IIA, a global organization whose standards and guidelines are accepted in scores of countries, is working to have GAIT recognized and endorsed by like-minded organizations around the world. Global acceptance of the GAIT principles, Prentice said, would contribute to better reporting and IT management everywhere, though the most immediate benefits might be felt in the United States.

"Initially, the greatest realization of increased efficiencies will be experienced by people doing Sarbanes-Oxley work around financial reporting, an area where there have always been concerns about exorbitant fees," Prentice said. "Although the initial benefits will relate to the efficiency of financial reporting, ultimately GAIT will apply to all IT controls, and its efficiencies will be realized in operations and compliance arenas as well."

The GAIT document is posted on the IIA's Web site, at www.theiia.org.
