GAIT for IT General Controls Deficiency Assessment
Download this guide (PDF, 1MB)
Rate this guide

What is it?
GAIT for IT General Controls Deficiency Assessment, or GAIT 2, provides an approach for evaluating IT general controls deficiencies identified during the annual assessment of internal control over financial reporting. GAIT 2 provides a platform for internal auditors to use in discussing their deficiency assessment with external auditors, management, and others.

In addition, GAIT 2 builds on the guidance provided in A Framework for Evaluating Control Exceptions and Deficiencies, a methodology developed in 2004 by nine certified public accounting firms that has guided management and internal and external auditors in assessing deficiencies in their organization's system of internal control over financial reporting. GAIT 2 incorporates three years of practical experience applying this guidance, and addresses the extensive changes to the standards and practices related to assessments of Section 404 that have occured in that time.

Who is it for, and how can it help you?
This practice guide provides an updated approach to the assessment of IT general control deficiencies, helping auditors or management assess whether they represent material weaknesses or significant deficiencies.

GAIT 2's assessment process consists of 10 steps that are based on six principles, which are:

  1. To assess ITGC deficiencies, it is necessary to understand the reliance chain between the financial statements and the key ITGCs that have failed.
  2. For there to be a material weakness, two tests have to be met: a) likelihood and b) impact (i.e., the potential misstatement of the financial statements).
  3. Because an ITGC deficiency does not directly affect the financial statements, the assessment is similarly not direct. The assessment is in stages or steps, and the likelihood and impact tests are applied across a combination of the steps.
  4. All ITGC deficiencies that relate to the same ITGC objective should be assessed as a group.
  5. All ITGC objectives that are not achieved and relate to the same key automated controls, key reports, or other critical functionality should be assessed as a group.
  6. The principle of aggregation requires that control deficiencies of all types - including manual and automated control deficiencies related to the same significant account or disclosure - be considered as a group.

Additional Information
The IIA is available to answer questions regarding the GAIT series by contacting guidance@theiia.org.

GAIT Team
Steve Mar (team chairman) - Microsoft Corp.
Norman Marks (author) - Business Objects
Tom Ellis - Grant Thornton LLP
Ed Hill - Protiviti, Inc.
Hussain Hasan - RSM McGladrey, Inc.
Heriot Prentice - The Institute of Internal Auditors

 
© 2012 The Institute of Internal Auditors / 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA / +1-407-937-1100 / FAX +1-407-937-1101 • www.theiia.org