After four years of struggles with the Sarbanes-Oxley Section 404 assessment process, the Institute of Internal Auditors (IIA) stepped forward last week with a blueprint to make the IT audit process more manageable and predictable. The release, called the Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT), provides guidance in the form of principles and methodology for executive management, internal audit staffs and external auditors, outlining what the IIA believes is a more efficient and less costly IT general controls assessment process.

Of course, the IIA is hardly alone trying to rationalize resource-intensive 404 audits. The Securities and Exchange Commission and Public Company Accounting Oversight Board have also turned their attention to providing better guidance to management and auditors–although far more broad than what the IIA has provided in GAIT.

The IIA document is designed for early stage IT scoping assessments–helping with decisions as to which areas of technology, down to specific applications and servers, pose the greatest risk to a company and should be the focus of 404 control reviews. In that way, it is meant to complement existing, frameworks such as COBIT. “GAIT is a structured reasoning process that can be tailored for an organization,” says Heriot Prentice, director of technology practices at the IIA, who led the two-year process to establish new IT audit guidelines. “The business process risks and related key controls identified by the top-down and risk-based approach are its starting point.” Prentice expects company executives that use GAIT to be able to challenge external auditor disagreements about scoping decisions for particular systems.

GAIT is based on a top-down, risk-based approach, based on four core principles involving identifying those risks and related controls in IT general controls processes. This is in line with the recommendations of both the PCAOB and SEC; in fact, both agencies were given access to GAIT drafts as the guidelines were being written. There is also a GAIT methodology and scenarios available that can be used as training tools.

The IIA enlisted the help of an advisory board made up of the leading audit firms and 16 Fortune 500 issuers, and on a pilot basis, several large companies, including Microsoft, Intel and General Motors, have begun using GAIT. “We hope people will come back to us and say 'this part worked' or 'this part did not,'” Prentice says.

According to at least one financial management and compliance consultant, GAIT shows promise but is still a work in progress. “This is not written for IT people, but for internal auditors and SOX directors,” says James Clendenen, engagement director for the risk and consulting section at Chicago-based Parson Consulting. “How you would convert this to something IT people can use is where the big disconnect is.” GAIT is written at too high a level, he argues, and not technical enough for use by IT staff, unless the intent is that internal audit or other compliance staff would translate its principles into a more useful framework for IT. Clendenen also points out there is no discussion of segregation of duty issues as they arise, something that many smaller companies struggle with, and that improvements could be made in some of the IT layer categories to make them work with all areas of technology.

Some practitioners take a different view. Brad Ames, internal audit director in charge of SOX testing at Hewlett-Packard Co., believes the IIA guidance is exactly what companies should be following. HP developed its own set of general controls guidelines several years ago and in many ways they are similar to the principles outlined in the GAIT guidance. “We're into our third year and I find that framework to be the most straightforward for persuading my external auditors that the controls we identify are key and they are operating effectively,” says Ames, whose responsibilities include oversight of IT audits. “Our approach is very similar to the GAIT process.” One strategic idea emphasized in GAIT that Ames finds especially important involves benchmarking controls, a process of monitoring automated controls that allows comparisons among different applications as a way to identify outliers or controls that may be faulty. “It's a way to compare applications and isolate those susceptible to emerging risk,” he says.

Instant Insights /

Internal Auditors Are Taking the Initiative on 404

Related Stories

Recommended For You