After four years of struggles with the Sarbanes-Oxley Section 404 assessment process, the Institute of Internal Auditors (IIA) stepped forward last week with a blueprint to make the IT audit process more manageable and predictable. The release, called the Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT), provides guidance in the form of principles and methodology for executive management, internal audit staffs and external auditors, outlining what the IIA believes is a more efficient and less costly IT general controls assessment process.

Of course, the IIA is hardly alone in trying to rationalize resource-intensive 404 audits. The Securities and Exchange Commission and Public Company Accounting Oversight Board have also turned their attention to providing better guidance to management and auditors–although far more broad than what the IIA has provided in GAIT.

The IIA document is designed for early stage IT scoping assessments–helping with decisions as to which areas of technology, down to specific applications and servers, pose the greatest risk to a company and should be the focus of 404 control reviews. In that way, it is meant to complement existing frameworks such as COBIT. “GAIT is a structured reasoning process that can be tailored for an organization,” says Heriot Prentice, director of technology practices at the IIA, who led the two-year process to establish new IT audit guidelines. “The business process risks and related key controls identified by the top-down and risk-based approach are its starting point.” Prentice expects company executives that use GAIT to be able to challenge external auditor disagreements about scoping decisions for particular systems.
