GAIT Methodology - Download PDF
- Item No. : 1180.dl
- Publisher : The Institute of Internal Auditors
- Publish Date : August 2007
- Media : Download
- Page count : 41
- Member Price : $0.00
- Non-Member Price : $25.00
This GAIT is provided as a service to members of The IIA.
Learn more about the value of an IIA Membership.
What is it?
The GAIT Methodology is a guide to assessing the scope of IT general controls using a top-down and risk-based approach.
Who is it for?
Management and external auditors can use this guide in their identification of key controls within IT general controls as part of and a continuation of their top-down and risk-based scoping of key controls for internal control over financial reporting.
How can it help you?
The IIA developed this guidance to help organizations identify key IT general controls where a failure might indirectly result in a material error in a financial statement. More specifically, this methodology enables management and auditors to identify key IT general controls as part of and as a continuation of the company's top-down, risk-based scoping efforts for Section 404 compliance.
If a failure is likely, the methodology identifies the IT general control process risks in detail and the related IT general control objectives that, when achieved, mitigate these risks. CobiT and other methodologies then can be used to identify the key controls that address these IT general control objectives.
The four principles that form the basis for the methodology are consistent with the methodology described in the Public Company Accounting Oversight Board's Auditing Standard No. 5. They are:
1. The identification of risks and related controls in IT general control processes (e.g., in change management, deployment, access security, and operations) should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.
2. The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
3. The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and networks.