Guide to the Assessment of IT Risk (GAIT)
The GAIT series describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each practice guide in the series addresses a specific aspect of IT risk and control assessments.
GAIT Practice Guides include
The GAIT Methodology PG: a risk-based approach to assessing the scope of IT general controls as part of management’s assessment of internal control required by Section 404 of the Sarbanes-Oxley Act
GAIT for IT General Control Deficiency Assessment PG: an approach for evaluating whether any ITGC deficiencies identified during Section 404 assessments represent material weaknesses or significant deficiencies
- GAIT for Business and IT Risk PG: : guidance for helping identify the IT controls that are critical to achieving business goals and objectives
Case Studies of Using GAIT-R to Scope PCI Compliance: Following the GAIT-R principles and methodology, this paper provides two case studies of applying GAIT-R to PCI compliance. (PDF, 400KB)