GAIT Methodology

GAIT Methodology

What is GAIT Methodology?
GAIT Methodology is a guide to assessing the scope of IT general controls using a top-down and risk-based approach.

Who is it for?
Management and external auditors can use this guide in their identification of key controls within IT general controls as part of and a continuation of their top-down and risk-based scoping of key controls for internal control over financial reporting.

How Can it Help You?
The IIA developed this guidance to help organizations identify key IT general controls where a failure might indirectly result in a material error in a financial statement. More specifically, this methodology enables management and auditors to identify key IT general controls as part of and as a continuation of the company's top-down, risk-based scoping efforts for Section 404 compliance.

If a failure is likely, the methodology identifies the IT general control process risks in detail and the related IT general control objectives that, when achieved, mitigate these risks. CobiT and other methodologies then can be used to identify the key controls that address these IT general control objectives.

The Principles
The four principles that form the basis for the methodology are consistent with the methodology described in the Public Company Accounting Oversight Board's Auditing Standard No. 5. They are:

• The identification of risks and related controls in IT general control processes (e.g., in change management, deployment, access security, and operations) should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.
• The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
• The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and networks.
• Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.

GAIT Methodology enables organizations to implement the principles and gives management and auditors guidance around scoping IT general controls and the tools to defend these decisions.