Practice Guides - GAIT

GAIT for IT General Control Deficiency Assessment

What is GAIT for IT General Control Deficiency Assessment?
GAIT for IT General Control Deficiency Assessment, or GAIT 2, provides an approach for evaluating IT general controls deficiencies identified during the annual assessment of internal control over financial reporting. GAIT 2 provides a platform for internal auditors to use in discussing their deficiency assessment with external auditors, management, and others.

In addition, GAIT 2 builds on the guidance provided in A Framework for Evaluating Control Exceptions and Deficiencies, a methodology developed in 2004 by nine certified public accounting firms that has guided management and internal and external auditors in assessing deficiencies in their organization's system of internal control over financial reporting. GAIT 2 incorporates three years of practical experience applying this guidance, and addresses the extensive changes to the standards and practices related to assessments of Section 404 that have occurred in that time.

Who is it for, and How Can it Help You?
This practice guide provides an updated approach to the assessment of IT general control deficiencies, helping auditors or management assess whether they represent material weaknesses or significant deficiencies.

GAIT 2's assessment process consists of 10 steps that are based on six principles. These principles are:

  • To assess ITGC deficiencies, it is necessary to understand the reliance chain between the financial statements and the key ITGCs that have failed.
  • For there to be a material weakness, two tests have to be met: a) likelihood and b) impact (i.e., the potential misstatement of the financial statements).
  • Because an ITGC deficiency does not directly affect the financial statements, the assessment is similarly not direct. The assessment is in stages or steps, and the likelihood and impact tests are applied across a combination of the steps.
  • All ITGC deficiencies that relate to the same ITGC objective should be assessed as a group.
  • All ITGC objectives that are not achieved and relate to the same key automated controls, key reports, or other critical functionality should be assessed as a group.
  • The principle of aggregation requires that control deficiencies of all types — including manual and automated control deficiencies related to the same significant account or disclosure — be considered as a group.


GAIT Methodology

What is GAIT Methodology?
GAIT Methodology is a guide to assessing the scope of IT general controls using a top-down and risk-based approach.

Who is it for?
Management and external auditors can use this guide in their identification of key controls within IT general controls as part of and a continuation of their top-down and risk-based scoping of key controls for internal control over financial reporting.

How Can it Help You?
The IIA developed this guidance to help organizations identify key IT general controls where a failure might indirectly result in a material error in a financial statement. More specifically, this methodology enables management and auditors to identify key IT general controls as part of and as a continuation of the company's top-down, risk-based scoping efforts for Section 404 compliance.

If a failure is likely, the methodology identifies the IT general control process risks in detail and the related IT general control objectives that, when achieved, mitigate these risks. CobiT and other methodologies then can be used to identify the key controls that address these IT general control objectives.

The Principles
The four principles that form the basis for the methodology are consistent with the methodology described in the Public Company Accounting Oversight Board's Auditing Standard No. 5. They are:

  • The identification of risks and related controls in IT general control processes (e.g., in change management, deployment, access security, and operations) should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.
  • The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
  • The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and networks.
  • Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.


GAIT Methodology enables organizations to implement the principles and gives management and auditors guidance around scoping IT general controls and the tools to defend these decisions.


GAIT for Business and IT Risk

What is GAIT for Business and IT Risk?
GAIT for Business and IT Risk, or GAIT-R, focuses on identifying the key controls that are essential to achieving business goals and objectives.

Who is it for?
GAIT-R was developed primarily for internal audit practitioners. It also can be used by IT governance and security managers or those who are charged with designing and managing IT risks within their organizations.

How Can it Help You?
GAIT-R improves the efficiency and effectiveness of internal audit functions by enabling a focus on business risk and minimizing attention to IT risks that are not critical to the organization. It enables chief audit executives (CAEs) to provide assurance on business risk with the comfort that IT-related issues are given the appropriate level of consideration.

Like the other practice guides in the GAIT series, the GAIT-R methodology is built around a set of principles:

  • The failure of technology is only a risk that needs to be assessed, managed, and audited if it represents a risk to the business.
  • Key controls should be identified as the result of a top-down assessment of business risks, risk tolerance, and the controls — including automated controls and IT general controls (ITGCs) — required to manage or mitigate business risk.
  • Business risks are mitigated by a combination of manual and automated key controls.
  • To assess the system of internal control to manage or mitigate business risks, key automated controls need to be assessed.
  • ITGCs may be relied upon to provide assurance of the continued and proper operation of automated key controls.


This methodology also delivers a scope that is based on the risks to each identified business objective, which includes manual key controls within each business process; automated and hybrid key controls within each business process; key controls within ITGC processes; and controls at the entity level, including activities in the control environment, information and communication, and other layers of COSO's internal control model.
