A major challenge facing both management of organizations and their independent auditors was defining an effective and efficient scope for the annual assessments of internal control over financial reporting (ICFR) required by Section 404 of the U.S. Sarbanes-Oxley Act of 2002.
The U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) recommended a top-down and risk-based approach to defining §404 scope and related key controls. That recommendation was made and accepted, and it enabled an efficient assessment focused on the more likely and significant risks to financial reporting.
The GAIT series, or Guide to the Assessment of IT General Controls Scope based on Risk, was developed in 2007–08 and provided a methodology that both management and external auditors could use to identify key controls within IT general controls (ITGC) as a continuation of their top-down and risk-based scoping of key controls for ICFR. It was consistent with the methodology described in the PCAOB’s Auditing Standard Number 5 (AS/5), the SEC’s proposed interpretive guidance (published in June 2007), and The IIA’s “Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners” (§404 Guide).
Though The IIA has retired the GAIT series and technology has since advanced incalculably, there is still value in the concepts of these guides for those whose jurisdictions are proposing or have already passed legislation similar to Sarbanes-Oxley.