If you are involved in SOX compliance, you should know about the IIA’s GAIT Methodology

A fact: most companies have included far too many IT General Controls (ITGC) in their scope for SOX.

Why: because they have taken an approach to scoping ITGC that is disconnected from the top-down, risk-based approach used to identify key controls within business processes. As a result, ITGC controls have been placed in scope where a failure would not present a reasonable possibility of a material error or omission in the financial statements.

“The identification of risks and controls within IT should not be a separate evaluation. Instead, it should be an integral part of management’s top-down, risk-based approach to identifying risks and controls and in determining evidential matter necessary to support the assessment.” – SEC Interpretive Guidance

The IIA recognized that there was a need to help practitioners define the right scope of ITGC for SOX, and a team of experts (including a representative from the PCAOB) developed the GAIT Methodology.

GAIT continues the top-down and risk-based approach recommended for companies by the SEC and mandated for their auditors in the PCAOB’s Auditing Standard 2201 (formerly AS5).

“The auditor should use a top-down approach to the audit of internal control over financial reporting to select the controls to test.” – PCAOB Auditing Standard 2201

“Management should identify those risks of misstatement that could, individually or in combination with others, result in a material misstatement of the financial statements (financial reporting risks).” – SEC Interpretive Guidance

“In an audit of internal control, if the auditor selects an IT-dependent control for testing, the auditor should test the IT-dependent controls and the IT controls on which the selected control relies to support a conclusion about whether those controls address the risks of material misstatement.” – PCAOB Staff Alert No. 11

“For purposes of the evaluation of ICFR, management only needs to evaluate those IT general controls that are necessary for the proper and consistent operation of other controls designed to adequately address financial reporting risks.” – SEC Interpretive Guidance

Since its publication in 2007, GAIT has been adopted with great success by hundreds of companies and accepted (even recommended) by their CPA firms.

It has helped those organizations right-size their ITGC scope for SOX. Although it is focused on getting the scope right, rather than on cutting unnecessary ITGC out of their SOX scope, companies have been able to reduce the number of ITGC key controls significantly.

15 years have passed since GAIT was published. During that time, technology has advanced and practitioners have gained far more experience in SOX compliance.

It was time to update GAIT.

That update has now been completed (with the help of an eminent review panel of practitioners and partners from independent audit and consulting firms) and the product is available for free download by visiting a dedicated page on this website.

GAIT has stood the test of time very well! This is not surprising as it continues to be used extensively.

Its principles and methods continue to apply, even as technology and its use have changed.

The updated version of GAIT, developed independently from the IIA but with their full knowledge, simplifies the text, adds real-life examples, and references relevant regulatory guidance. The IIA is focused on an update to their International Professional Practices Framework and was not able to lead or participate in the update, but it is expected they will turn to their own update in 2023.

The dedicated web page includes links to the original GAIT Methodology, as well as to the two GAIT products that followed: for general technology-related business risk (GAIT-R), and for the assessment of ITGC deficiencies for SOX.

Comments and feedback are welcome.