IIA Technology Updates
The IIA Technology Updates section features information about the latest technology guidance, conferences and IT seminars of interest to internal auditors, and other news from The Institute's Technology Practices Department.
Here is the latest technology news from The Institute of Internal Auditors (The IIA):
The Institute Releases New GAIT Guidance
A year after The IIA released the first practice guide in its Guide to the Assessment of IT Risk (GAIT) series, The GAIT Methodology, managers and internal auditors around the world have requested additional information to help them determine whether any IT general control (ITGC) deficiencies identified during assessments of Section 404 of the U.S. Sarbanes-Oxley Act of 2002 represent material weaknesses or significant deficiencies. They also have asked for guidance to help them identify the IT controls that are critical to achieving business goals and objectives. To address these two needs, The IIA recently released GAIT for IT General Control Deficiency Assessment and GAIT for Business and IT Risk, respectively.
GAIT for IT General Control Deficiency Assessment
Although part of the GAIT series, each new practice guide addresses a specific aspect of IT risk and control assessments. "GAIT for IT General Control Deficiency Assessment provides a platform for internal auditors to use in discussing their deficiency assessment with external auditors, management, and others," says Heriot Prentice, IIA director of standards and practices and the central organizer behind the GAIT project.
In addition, the practice guide builds on the guidance provided in A Framework for Evaluating Control Exceptions and Deficiencies, a methodology developed in 2004 by nine certified public accounting firms that has guided management and internal and external auditors in assessing deficiencies in their organization's system of internal control over financial reporting.
"This document expands the guidance provided in the nine-firm framework by referencing the U.S. Public Company Accounting Oversight Board's Auditing Standard No. 5, related management guidance from the U.S. Securities and Exchange Commission, and the experience obtained by management, external auditors, and audit practitioners over the last several years," Prentice comments.
The assessment process in GAIT for IT General Control Deficiency Assessment consists of 10 steps that are based on six principles:
- To assess ITGC deficiencies, it is necessary to understand the reliance chain between the financial statements and the key ITGCs that have failed.
- For there to be a material weakness, two tests have to be met: a) likelihood and b) impact (i.e., the potential misstatement of the financial statements).
- Because an ITGC deficiency does not directly affect the financial statements, the assessment is similarly not direct. The assessment is in stages or steps, and the likelihood and impact tests are applied across a combination of the steps.
- All ITGC deficiencies that relate to the same ITGC objective should be assessed as a group.
- All ITGC objectives that are not achieved and relate to the same key automated controls, key reports, or other critical functionality should be assessed as a group.
- The principle of aggregation requires that control deficiencies of all types — including manual and automated control deficiencies related to the same significant account or disclosure — be considered as a group.
GAIT for Business and IT Risk
On the other hand, the purpose of GAIT for Business and IT Risk is to help practitioners understand and apply the relationship between IT and business risk, according to Norman Marks, vice president of internal audit for Business Objects, an SAP company, and a member of the GAIT Core Team. "GAIT for Business and IT Risk provides a methodology for developing the scope for an audit of business risk that looks at the necessary IT controls."
Furthermore, the practice guide improves the efficiency and effectiveness of internal audit functions by enabling a focus on business risk and minimizing attention to IT risks that are not critical to the organization. "The guide also addresses the misconception that IT and business risk need to be assessed and audited independently. It enables CAEs to provide assurance on business risk with the comfort that IT-related issues are given the appropriate level of consideration," adds Marks.
As with GAIT for IT General Control Deficiency Assessment, GAIT for Business and IT Risk is built around a set of principles. These four principles are as follows:
- The failure of technology is only a risk that needs to be assessed, managed, and audited if it represents a risk to the business.
- Key controls should be identified as the result of a top-down assessment of business risks, risk tolerance, and the controls — including automated controls and ITGCs — required to manage or mitigate business risk.
- Business risks are mitigated by a combination of manual and automated key controls. To assess the system of internal control to manage or mitigate business risks, key automated controls need to be assessed.
- ITGCs may be relied upon to provide assurance of the continued and proper operation of automated key controls.
This methodology also delivers a scope that is based on the risks to each identified business objective, which includes manual key controls within each business process; automated and hybrid key controls within each business process; key controls within ITGC processes; and controls at the entity level, including activities in the control environment, information and communication, and other layers of COSO's internal control model.
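The two sets of principles above describe one reliance chain read in two directions: bottom-up from a failed ITGC to the financial statements when assessing a deficiency, and top-down from a business risk to the key controls and ITGCs that mitigate it when scoping an audit. The following Python model is an added example, not code from The IIA or from either GAIT practice guide, and it does not reproduce the guide's 10 steps. Every ITGC objective, control name, account, likelihood, exposure figure and threshold in it is a constructed assumption chosen to exercise the principles: grouping deficiencies by ITGC objective, aggregating by significant account, applying the likelihood and impact tests, and walking the same chain backwards to produce a scope of key automated controls and ITGC objectives (manual key controls and entity-level controls are left out of the model).

```python
"""Illustrative model of the GAIT principles quoted above (added example, not the
guides' own procedure). All names, thresholds, likelihoods and exposure figures are
constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class ITGCDeficiency:
    """A failed ITGC, tagged with the ITGC objective it undermines."""
    ident: str
    objective: str        # ITGC objective, e.g. "change management" (constructed)
    likelihood: float     # chance this failure lets a dependent key control fail (assumed)


# Reliance chain (constructed): ITGC objective -> key automated controls / key reports
# that depend on it, and those controls -> significant accounts they protect.
OBJECTIVE_TO_CONTROLS = {
    "change management": {"three-way match", "revenue recognition report"},
    "access management": {"three-way match"},
    "computer operations": {"inventory costing job"},
}
CONTROL_TO_ACCOUNTS = {
    "three-way match": {"accounts payable"},
    "revenue recognition report": {"revenue"},
    "inventory costing job": {"inventory"},
}
# Potential misstatement if an account's key controls fail (constructed figures).
ACCOUNT_EXPOSURE = {"accounts payable": 1_500_000, "revenue": 8_000_000, "inventory": 400_000}

MATERIALITY = 5_000_000        # assumed planning materiality
SIGNIFICANT_FRACTION = 0.20    # assumed: 20% of materiality marks a significant deficiency
LIKELIHOOD_THRESHOLD = 0.5     # assumed cutoff for the likelihood test


def group_by_objective(deficiencies):
    """Deficiencies relating to the same ITGC objective are assessed as a group; the
    group's likelihood is the chance at least one of them causes a failure, treating
    the individual failures as independent (an assumption)."""
    groups = defaultdict(list)
    for d in deficiencies:
        groups[d.objective].append(d)
    return {obj: 1 - prod(1 - d.likelihood for d in ds) for obj, ds in groups.items()}


def aggregate_by_account(objective_likelihood):
    """Walk the reliance chain from each failed objective to the significant accounts it
    can misstate, and aggregate every failed objective reaching the same account."""
    per_account = defaultdict(list)
    for obj, p in objective_likelihood.items():
        for control in OBJECTIVE_TO_CONTROLS.get(obj, ()):
            for account in CONTROL_TO_ACCOUNTS.get(control, ()):
                per_account[account].append(p)
    return {acct: 1 - prod(1 - p for p in ps) for acct, ps in per_account.items()}


def classify(likelihood, potential_misstatement):
    """Both tests must be met for a material weakness; likelihood met with a smaller
    impact is a significant deficiency; anything else stays a control deficiency."""
    if likelihood < LIKELIHOOD_THRESHOLD:
        return "deficiency"
    if potential_misstatement >= MATERIALITY:
        return "material weakness"
    if potential_misstatement >= SIGNIFICANT_FRACTION * MATERIALITY:
        return "significant deficiency"
    return "deficiency"


def assess(deficiencies):
    """Staged assessment: group, aggregate, then rate each affected account."""
    by_account = aggregate_by_account(group_by_objective(deficiencies))
    return {acct: classify(p, ACCOUNT_EXPOSURE[acct]) for acct, p in by_account.items()}


def scope_for_account(account):
    """Top-down scoping: from a significant account, collect the key automated controls
    it relies on, then the ITGC objectives those controls rely on."""
    controls = {c for c, accts in CONTROL_TO_ACCOUNTS.items() if account in accts}
    objectives = {o for o, ctrls in OBJECTIVE_TO_CONTROLS.items() if controls & ctrls}
    return {"key automated controls": controls, "itgc objectives": objectives}


# Constructed findings: two change-management failures and one access failure. Each
# alone falls below the likelihood threshold; grouped and aggregated, they do not.
SAMPLE_FINDINGS = [
    ITGCDeficiency("D1", "change management", 0.3),
    ITGCDeficiency("D2", "change management", 0.3),
    ITGCDeficiency("D3", "access management", 0.2),
]

if __name__ == "__main__":
    for account, rating in sorted(assess(SAMPLE_FINDINGS).items()):
        print(f"{account}: {rating}")
    print(scope_for_account("accounts payable"))
```

Run as-is, the model rates revenue a material weakness and accounts payable a significant deficiency, even though no single finding meets the likelihood test on its own; inventory does not appear because no failed objective reaches it. The reverse walk for accounts payable returns the three-way match control and the two ITGC objectives it depends on, which is the scope the second guide's principles call for once manual and entity-level controls are added.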
"By using GAIT for Business and IT Risk, internal auditors can define the scope of work to be performed with a more complete understanding of the controls that provide reasonable assurance of the achievement of business objectives," says Marks. "The end product of using this methodology is a list of the key controls needed to provide reasonable assurance that selected business risks and objectives will be adequately managed or mitigated."
GAIT for IT General Control Deficiency Assessment and GAIT for Business and IT Risk can be downloaded from the IIA Web site. For more information about the GAIT series or The GAIT Methodology, visit The IIA's Information Technology Web page or read "New Scoping Methodology May Ease Section 404 Audits," available in the Jan. 10, 2007 issue of ITAudit.