The GAIT Methodology
Download this guide (PDF, 2MB)
Rate this guide

What is it?
The GAIT Methodology is a guide to assessing the scope of IT general controls using a top-down and risk-based approach.

Who is it for?
Management and external auditors can use this guide in their identification of key controls within IT general controls as part of and a continuation of their top-down and risk-based scoping of key controls for internal control over financial reporting.

How can it help you?
The IIA developed this guidance to help organizations identify key IT general controls where a failure might indirectly result in a material error in a financial statement. More specifically, this methodology enables management and auditors to identify key IT general controls as part of and as a continuation of the company's top-down, risk-based scoping efforts for Section 404 compliance.

If a failure is likely, the methodology identifies the IT general control process risks in detail and the related IT general control objectives that, when achieved, mitigate these risks. CobiT and other methodologies then can be used to identify the key controls that address these IT general control objectives.

The Principles
The four principles that form the basis for the methodology are consistent with the methodology described in the Public Company Accounting Oversight Board's Auditing Standard No. 5. They are:

1. The identification of risks and related controls in IT general control processes (e.g., in change management, deployment, access security, and operations) should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.
2. The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
3. The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and networks.
4. Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.

The GAIT Methodology enables organizations to implement the principles and gives management and auditors guidance around scoping IT general controls and the tools to defend these decisions.

Other Resources Related to the Methodology

• Q&A About GAIT (20KB, PDF)
• Dr. GAIT Answers Questions (126KB, PDF)
• Less Complex GAIT Scenario (PDF)
• More Complex GAIT Scenario (PDF)
• Case Study in the application of the methodology from a Year 2 perspective (PPT)
• "New Scoping Methodology May Ease Section 404 Audits," ITAudit, January 2007. Click "Previous Issues" to search for that issue, and find the article under "Features".
• GAIT Survey executive summary. The IIA conducted a Global Audit Information Network (GAIN) survey in February 2008 to seek your thoughts on the application of this guidance. Our goal was to determine the use of the methodology and whether or not you found value in using the methodology within your organization.

Additional Information
The IIA is available to answer questions regarding the GAIT series by contacting drgait@theiia.org.

GAIT Core Team
Steve Mar (team chairman) - Microsoft Corp.
Christine Bellino - Jefferson Wells International, Inc.
Ed Hill - Protiviti, Inc.
Gene Kim - Tripwire, Inc. and IT Process Institute
Norman Marks - Business Objects
Heriot Prentice - The Institute of Internal Auditors
Fawn Weaver - Intel Corporation