OK, I am more than a little biased. But the IIA's GAIT Methodology has not only been proven in practice but is widely acknowledged as a valuable way to identify the right key IT General Controls (ITGC) for an effective SOX program. As an IIA Practice Guide, it is strongly recommended guidance.
You can download the entire document (it is free to IIA members), but here are the principles that form its foundation:
- The identification of risks and related controls in IT general control processes (e.g., in change management, deployment, access security, and operations) should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.
- The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
- The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and networks.
- Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.
The primary principle is the first one: the identification of key ITGC should not be a separate exercise. Instead, it should be an integral part of the overall scoping for SOX. This way, you ensure that you identify all, and only, the controls relied upon to prevent or detect a material misstatement of the financial statements.
This methodology works. A survey of organizations that have adopted GAIT showed satisfaction levels in the high 90 percent range, and every respondent reported substantial right-sizing of their SOX program.
Questions for you:
- Are you familiar with the GAIT Methodology?
- If not, why not?
- If so, are you using it? If not, why not?
- If you are using it, does it work for you?