IIA Technology Updates
The IIA Technology Updates section features information about the latest technology guidance, conferences and IT seminars of interest to internal auditors, and other news from The Institute's Technology Practices Department.
Here is the latest technology news from The Institute of Internal Auditors (The IIA):
Survey Finds GAIT Methodology Is Valuable to Users
In early 2007, The IIA released its Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT) to help organizations identify IT general controls that need to be included in their annual assessment of internal controls over financial reporting. Designed as a set of principles and related methodology, GAIT provides a framework that can help management and auditors scope key IT general controls where a failure might result in a material error in financial reporting. A year into the guidance, The Institute's professional practices department recently surveyed internal auditors in various industries to determine to what extent GAIT is being used and whether they found value in using the methodology within their organization.
According to the survey, which was performed using The IIA's Global Audit Information Network (GAIN) benchmarking program, 97 percent of respondents who use GAIT said that they found the methodology useful and found significant to moderate value added either through a reduction in key controls or in an improved understanding of risk. When asked to what extent GAIT has helped to reduce the number of key IT controls tested, respondents answered as follows:
- 13.7 percent stated that they were able to reduce controls by 41 percent to 60 percent.
- 30.5 percent reduced controls by 21 percent to 40 percent.
- Nearly 31 percent experienced an 11 percent to 20 percent reduction.
- Approximately 20 percent reduced controls by 10 percent or less.
While some survey respondents indicated that they are not using the GAIT methodology and plan to stay with the IT controls framework they are currently using ― primarily the IT Governance Institute's Control Objectives for Information and related Technology (COBIT) ― others indicated that they are assessing or have plans to review the advantages of GAIT with regard to:
- Implementing internal standards.
- Ensuring their scope is in general alignment.
- Comparing existing procedures.
- Integrating the methodology into their enterprise risk management process.
Respondents to the GAIT survey also offered suggestions to improve the guidance, requesting more robust templates and controls examples and additional tools to document rationale for external audit use. Others suggested that it would be useful to have a comparison of GAIT to other frameworks, such as COBIT, the IT Infrastructure Library, and standards from the International Organization for Standardization. To this end, The IIA plans to release additional GAIT guidance in March ― GAIT for IT General Control Deficiency Assessment, and GAIT for Business and IT Risk. The latter focuses on identifying the critical aspects of IT processes that are essential to the management and mitigation of business risk, including all key controls that are critical to achieving business goals and objectives.
For a summary of responses to the GAIT survey, visit The IIA's GAIT Web site (PDF, 658 KB).
New GTAG Schedule Is Now Available
The IIA recently released its upcoming Global Technology Audit Guide (GTAG) production schedule, signaling its commitment to continue providing free, relevant, and useful guidance on the latest technology topics that are of interest to the internal audit community. Since March 2005, The Institute's GTAG series has served as a resource for chief audit executives, audit managers, and internal auditors who wish to learn more about a specific technology-associated risk and recommended best practices. To date, more than 164,000 guides have been downloaded from The IIA Web site.
The next GTAG will be published in July 2008 and will focus on business continuity management, while a guide on IT fraud detection and defining the IT audit universe will be available later in the year. In 2009 and beyond, GTAGs will discuss topics such as security management and auditing IT projects, entity-level controls, and user-developed applications. In addition, The IIA has started to translate GTAGs into Spanish and French. For more information about GTAG or to download a copy of volumes one through nine free of charge, visit The IIA GTAG Web page.

