​​Getting Key IT General Controls for SOX Right

Comments Views

​OK, I am more than a little biased. But the IIA’s GAIT Methodology has been not only proven in practice but widely acknowledged as a valuable way to identify the right key IT General Controls (ITGC) for an effective SOX program. As a practice guide, it is strongly recommended guidance by the IIA.

You can download the entire document (it is free to IIA members), but here are the principles that form its foundation:

  1. The identification of risks and related controls in IT general control processes (e.g., in change management, deployment, access security, and operations) should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.
  2. The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
  3. The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and networks.
  4. Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.

The primary principle is the first one: that the identification of key ITGC should not be a separate exercise. Instead, it should be an integral part of the overall scoping for SOX. This way, you ensure that you identify all and only the controls relied upon to prevent/detect a material misstatement of the financial statements.

This methodology works. A survey of organizations that have adopted GAIT showed satisfaction levels in the high 90%, and everybody achieved substantial right-sizing of their SOX program.​​

Questions for you:

  1. Are you familiar with the GAIT Methodology?
  2. If not, why not?
  3. If so, are you using it? If not, why not?
  4. If you are using it, does it work for you?

​The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this article

comments powered by Disqus
  • Your-Voices-Recruitment-January-2022-Blog-1
    • IT-General-Controls-Certificate-January-2022-Blog-3