January 2007

New Scoping Methodology May Ease Section 404 Audits

The IIA will release a new methodology to help organizations scope key IT general controls as part of their Sarbanes-Oxley compliance work.

Raquel Filipek
Editor, ITAudit

Since the advent of Section 404 of the U.S. Sarbanes-Oxley Act of 2002 — which requires companies to assess the effectiveness of a company's internal controls and procedures for financial reporting — management and internal auditors have had a difficult time ensuring that the scope of work performed around IT general controls is appropriate. This is because there has been little guidance on how to scope or identify the necessary IT general controls for Section 404 compliance. To aid public companies in this effort, The Institute of Internal Auditors (The IIA) developed a set of IT Principles and a Methodology that can be used to scope the IT general controls that need to be included in annual assessments of internal controls over financial reporting. Known as the Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT), the recently released Principles and upcoming Methodology can help organizations prepare compliance programs that are in line with the internal control objectives established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

THE PROBLEM

When it comes to defining the scope of work for Section 404 compliance, the Public Company Accounting Oversight Board (PCAOB) and U.S. Securities and Exchange Commission (SEC) advocate the use of a top-down, risk-based approach. This approach enables management and internal auditors to ensure their work focuses on the key controls necessary to complete their assessments. As the SEC states, "the overall focus of internal control reporting should be on those items that could result in material errors in the financial statements." However, the PCAOB and SEC have found that internal control assessments and testing by management and external auditors were not always efficient or focused on the risk of material errors, because a top-down and risk-based approach was not followed every time.

At the same time, internal auditors and management have realized that a substantial portion of their overall Section 404 costs pertain to IT general controls — controls that assure the proper operation of IT applications and automated controls, as well as controls that help to protect data and programs from unauthorized change. The assessment of key IT general controls is critical to organizations because failures can lead to significant business disruption, an inability to deliver functionality to support the business, and errors in information used to report financial results.

IT general controls and processes do not impact financial statements directly. Instead, they provide assurance that key application functions and automated controls — sometimes referred to as application controls — operate consistently. These automated controls also are needed to prevent or detect material errors and changes to data that could impact financial statements. However, the relationship between the risk of material errors in financial reports to specific IT general controls or processes needed to ensure the effectiveness of key automated controls and protect data is not always clear. The main problem with IT general controls then becomes one of defining the key controls that are required to address risks of material errors in financial reports because only these controls need to be included in annual Section 404 compliance activities.

Noticing this need for guidance, The IIA developed GAIT to help organizations identify key IT general controls where a failure might indirectly result in a material error in a financial statement. More specifically, GAIT enables management and internal auditors to identify key IT general controls as part of and as a continuation of the company's top-down, risk-based scoping efforts for Section 404 compliance.

"GAIT was developed in response to perceptions that too much time, effort, and resources are spent on IT general control reviews without commensurate benefit to internal auditors, regulators, and management," says Thomas Ellis, Grant Thornton's national director of quality assurance for business advisory services and co-chair of the GAIT Project Advisory Board. "The more expansive, complex, and dynamic the IT infrastructures that enable financial reporting, the more benefit GAIT is likely to yield."

WHAT IS GAIT?

Simply stated, GAIT is a set of Principles and a Methodology that facilitates the cost-effective scoping of IT general control assessments. The Principles were released to the public on December 2006 and a final version of the Methodology will be available after Jan. 18, 2007.

"The application of GAIT helps improve the cost-effectiveness of IT general controls auditing by including within audit scope all and only those elements or layers of IT infrastructure and IT general control processes that are relevant to financial reporting risks," Ellis adds. "Hence, GAIT not only helps to improve the scoping of IT general controls and risk assessments, but also assists in the documentation of scoping decisions."

In addition, GAIT presents a granular approach to determine specific IT general control objectives and key controls by assessing risks at each level of the IT infrastructure and by considering risks within each IT general control process, as well as helps to assess potential risks that are introduced other than as part of a top-down, risk-based assessment. "GAIT is based on the principle that IT general controls provide assurance over the continued functionality of key controls that are automated within business processes, which in turn provides assurance that data used in the preparation of financial reports is protected from unauthorized change," says IIA Director of Technology Practices Heriot Prentice and the central organizer behind the GAIT project.

Finally, GAIT discusses the issue of pervasiveness: The perception that IT general controls are pervasive in nature and apply across the organization and its computer systems. GAIT equates this with the PCAOB's principle of "aggregation" in Auditing Standard No. 2 (AS2). This principle states that failures in key IT general controls (e.g., controls related to the security of data in a common database) are unlikely to be material when only one application is considered. But, if failures are reasonably likely to occur and affect multiple applications at the same time, the risks to these applications should be aggregated and included as part of the IT general controls' scope.

HOW DOES GAIT WORK?

As stated earlier, GAIT consists of two parts, a set of Principles and a Methodology. Below is a description of each.

The GAIT Principles
GAIT is comprised of four core Principles. "These Principles define the relationship between business risk, IT general controls risk, and the IT general controls that can mitigate these threats as they pertain to financial reporting objectives," explains Gene Kim, chief technology officer of Tripwire Inc. and a member of the GAIT Core Team. The purpose of the Principles, which are consistent with the methodology described in the PCAOB's AS2, is to help organizations identify key IT general controls that are part of their top-down, risk-based scoping of key internal controls over financial reporting.

"The Principles were originally developed to help IIA members who are concerned about scoping Section 404 IT risks that are related to IT general controls," says Steve Mar, Microsoft's senior director of IT audit and team leader of the GAIT Core Team. "However, we soon realized that GAIT allows key stakeholders, such as registrants with the SEC, certified public accounting firms, and other participants, a forum where they can discuss issues concerning their Section 404 annual assertions."

GAIT's four Principles address one of the most significant issues identified by the PCAOB in public companies trying to comply with Section 404 — the issue of scope. In the past, management and auditors worked hard to assess controls that ultimately weren't worth the effort. "Firms had a tendency to document everything with equal detail, rather than prioritizing and focusing on those areas that posed the greatest risk, for fear that they would be viewed unfavorably by regulators," explains Prentice. "Companies were applying different frameworks without the benefit of using a scoping tool upfront." The end result was a lot of duplication effort by internal and external auditors around the work on IT general controls.

The four GAIT Principles are:

1. The identification of risks and related controls in IT general control processes (e.g., in change management, deployment, access security, and operations) should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes. GAIT continues the top-down approach in AS2, using the results to help users identify potential failures in IT general controls processes that could lead to errors or fraud and result in material errors in financial statements, as well as identify key IT general controls over those risks.
2. The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data. The scope of Section 404 works needs only to address risks in IT general controls processes that, indirectly through their impact on critical IT functionality, represent a reasonably likely risk of material error in financial statements. AS2's top-down approach includes identifying potential failure points in business processes and related key controls. Where IT functionality is relied upon (e.g., where there is financially significant data), the application is considered financially significant and risks to the functionality from defects in IT general controls processes need to be addressed.
3. The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and networks. IT activities, such as performing network scans and testing changes to applications, belong to IT general control processes. GAIT assumes the activities that relate to IT general controls exist in change management, operations, and security business processes.
4. Each IT general control process contains controls that help achieve IT control objectives. Failure to achieve these objectives might imply that critical IT functionality fails to perform appropriately and consistently. GAIT helps companies identify the IT control objectives required for financially significant applications.

Although the Principles do not constitute a controls framework and do not include control objectives, they are a tool that can help management and internal auditors determine relevant IT general controls on a consistent basis. It is important to note that the GAIT Principles can be used with other frameworks, such as COSO and ISACA's Controls Objectives for Information and related Technology (CobiT). As Kim notes, "COSO provides tools for defining internal control objectives, risks, and controls, but how this framework applies to IT is ambiguous. And, while CobiT provides an exhaustive catalog of IT controls, it often is difficult to link CobiT to internal control objectives. GAIT bridges the two by showing how to continue the risk-based approach defined by COSO and the PCAOB's AS2 into IT processes and general controls."

The GAIT Methodology
In addition to GAIT's four principles, the Core Team created a Methodology that enables organizations to implement the
Principles. This Methodology gives management and auditors guidance around scoping IT general controls and the tools to defend these decisions. "The four core Principles are not meant to stand totally alone. The GAIT methodology enables organizations to apply the Principles in practice," explains Ellis.

The Methodology helps organizations to examine each financially significant application and determine whether failures in the IT general control processes at each layer of the IT infrastructure represent a likely threat to the consistent operation of the application's critical functionality. If a failure is likely, GAIT identifies the IT general control process risks in detail and the related IT general control objectives that, when achieved, mitigate these risks. CobiT and other methodologies then can be used to identify the key controls that address these IT general control objectives.

The GAIT Methodology consists of an extended discussion of the Principles, a detailed process and documentation for applying the Principles, and a section with implementation examples and a glossary of terms. The Methodology also explains how to document GAIT results and customize GAIT based on the organization's needs, and provides a description of the implementation team and a step-by-step process for applying GAIT. Management and auditors are guided through the GAIT implementation process by a series of three questions:

1. What IT functionality in financially significant applications is critical to the proper operation of the key controls that prevent or detect material misstatements (i.e., What is the critical IT functionality)?
2. For each IT process at each layer of the IT infrastructure, also called the stack, is there a reasonable likelihood that a process failure would cause the critical functionality to fail indirectly, thus representing a risk of material misstatement (i.e., If an IT process failed at a specific layer, what effect would there be on the application's critical functionality? Would it cause the functionality to fail in such a way that there would be a reasonably likely risk of material error)?
3. If such IT general controls process risks exist, what are the relevant IT control objectives (i.e., What IT control objectives need to be achieved to provide assurance over the application's critical functionality)?

For example:

1. Risk: Untested application changes could lead to a failure of critical functionality. This risk was found within the change management process at the application layer of the IT infrastructure.
2. Control Objective: All program changes are tested appropriately and the results reviewed and approved prior to implementation.

3. Key Controls:

   • Program changes are tested in a separate test environment.
   • All test results are reviewed and approved by a manager.
   • User testing is performed for all major changes and the results approved by a manager.
   • Emergency changes are reviewed and approved by senior IT management.

Implementation of the GAIT Methodology is divided in five phases. Phase 1 reviews the key manual and automated controls that need to be in scope for Section 404 compliance and the critical functionality of each application. Phase 2 extends this discussion by providing information to help organizations understand whether their financially significant applications and IT infrastructure are in scope. Phase 3 then identifies and assesses the risk of IT process failures at each layer of the IT infrastructure and identifies related control objectives, while Phase 4 identifies the key IT general controls necessary to achieve each control objective. Finally, Phase 5 discusses how to conduct a reasonable person review.

Finally, the Appendix section provides a sample of a partially completed GAIT matrix with explanations that can help management and auditors see how the Methodology works, as well as a template for documenting the results of the GAIT assessment.

When implementing GAIT, it is important to remember that GAIT only helps to determine if a control is within scope. "GAIT does not take anything out of scope or put it in scope," emphasizes Norman Marks, vice president of internal audit for Business Objects S.A. and a member of the GAIT Core Team. "Instead, it provides a thinking process that continues the top-down, risk-based approach used to understand risks in IT business processes and identifies key controls in those processes." As Marks explains, this enables users to obtain a better understanding of how potential control failures within IT general controls could affect the risk of error in financial statements. "Once management and internal auditors understand the potential effect of control failures in financial reports, they can make informed decisions regarding the scope of IT general controls."

RECOMMENDATIONS FOR IMPLEMENTING GAIT

To make the best use of GAIT, organizations should perform a top-down, risk-based assessment of their business processes and identify the key controls in those processes prior to implementing GAIT. "Performing a top-down and risk-based assessment is necessary because GAIT takes that information and uses it to define what functionality within the IT applications is critical and to see what IT applications provide this functionality," Marks says. "If this scoping is not done correctly, GAIT does not make the IT general control portions any more correct," adds Kim.

When it comes to implementing GAIT's methodology, management and internal auditors should take into consideration the organization's use of IT processes and applications. "Each organization uses IT differently and configures their infrastructure in unique ways to meet their business objectives," comments Mar. "Adopters should use GAIT as a guide that can help them make decisions about whether to scope in or out certain IT general controls. GAIT also helps organizations to document why an IT general control was or was not selected."

To maximize GAIT's implementation, Marks recommends that management and internal auditors:

1. Understand that using GAIT is not easy. "Some of the conclusions, especially those related to security, may be difficult to accept," Marks cautions. "I know a very experienced IT auditor who used GAIT and concluded some IT security risks should be out of scope because the risks were operational and not to the financial statement. She felt uncomfortable about taking these risks out of scope, although she agreed that the risk of a material impact in the financial statement was low."
2. Start with a top-down, risk-based assessment of each risk and key control in the business process being evaluated.
3. Get the external auditor on board early and make sure the GAIT assessment is completed in a way that the external auditor can understand.
4. Do the GAIT assessment early in the review process.
5. Use a team of internal control experts with both business and IT knowledge to complete or review GAIT results.
6. Make sure enough time is allocated to understand each automated control. "A lot of organizations do not have a good understanding of their automated controls," notes Marks. "Internal auditors need to understand how each automated control operates before determining its scope."
7. Realize it is not just important to get the scope down; it is just as important to get it right.
8. Follow the methodology carefully and in full, paying special attention to the reasonable-person review and the issue of pervasiveness.
9. Contact the GAIT team if you have any questions.

MOVING FORWARD

Currently, GAIT provides guidance for the scoping of IT general controls related to Section 404. In the future, GAIT will be tailored to provide guidance for other purposes, such as the assessment of controls that assure compliance with other applicable laws and regulations. As Kim adds, "The anecdotal evidence so far is that organizations can identify phenomenal areas for reducing scoping activities and are finding some incredibly subtle areas that have been overlooked in the last two to three years of Sarbanes-Oxley work. Our hope is that GAIT will be used to make all kinds of IT general control scoping decisions and provide organizations with far more effective and efficient answers."

One of the good aspects of GAIT is that organizations of all sizes can use the Principles and Methodology. "GAIT can help small and mid-size organizations take advantage of the lessons learned by large organizations that have gone through the Section 404 compliance process," says Mar. "The GAIT Principles and Methodology can be used by those without prior experience or level of resources to get a solid start."

In addition, GAIT is a flexible concept to implement. "GAIT's Principles and Methodology can be tailored to the company's circumstances. Although GAIT is not intended to be a mechanical process, it does facilitate the application of informed auditing, technology, and sound business judgment," Ellis concludes.

To learn more about GAIT, internal auditors can visit the following resources available on The IIA Web site:

• GAIT Web page.
• GAIT starter kit (PDF, 3.57 KB).
• GAIT Principles document (PDF, 723 KB).
• GAIT Methodology document draft (PDF, 724 KB). The final Methodology will be released to the public after Jan. 18, 2007.

In addition, the GAIT Core Team is available to answer questions by contacting Dr. GAIT at drgait@theiia.org. Answers to questions will be posted on upcoming GAIT status reports. To read the most recent GAIT Status Report, visit www.theiia.org/download.cfm?file=39892 (PDF, 1.52 MB).

Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

---

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

---