The IIA’s Guide to the Assessment of IT General Controls Based on Risk — which the IIA succinctly refers to as GAIT — does not define which IT controls are critical; rather, it helps companies determine which ones are critical for their unique needs and goals as they relate to financial reporting. Norman Marks, vice president of internal audit at Business Objects, cautions about getting caught up with an arbitrary number of controls. “GAIT is not about limiting the number of key controls,” he said during an IIA Webcast. “It’s all about getting at the right ones.”
The IIA has been working on these principles for the past 18 months, partly with the help of input from companies that had already gone through Sarbox compliance, including General Motors, Intel, and Microsoft. The IIA says it hopes the methodology will be particularly helpful to smaller companies that have not yet had to comply with the law.
GAIT also incorporates feedback from the Big Four and several midsize accounting firms, several companies registered with the SEC, the PCAOB, the American Institute of Certified Public Accountants, and the International Federation of Accountants. The association released four principles related to GAIT in the fall, but waited to release its methodology for reaching those ideals until it could review the proposed revision to the internal-control provisions of Sarbox’s Section 404 and the PCAOB’s AS2. The guidance will still be in compliance if the new PCAOB standard, commonly referred to as AS5, is approved, says IIA president David Richards.
GAIT relies on the following four principles:
• When identifying risks and the related controls within IT general control processes, companies need to use a top-down, risk-based approach.
• Scoping for risks in IT control systems should result in assessing only those controls that could “reasonably” and likely lead to a risk of a material error.
• To identify risk, companies should look at all levels of their technology systems, such as program code and databases.
• Risk mitigation should be based on the impact a failing control could have on the goals of a company’s IT systems, not on the risk that an IT control itself fails.
GAIT’s 40-page methodology, available on the IIA’s Website, is a work in progress and will likely change as standards change, Richards noted.