After four years of struggles with the Sarbanes-Oxley Section 404 assessment process, the Institute of Internal Auditors (IIA) stepped forward last week with a blueprint to make the IT audit process more manageable and predictable. The release, called the Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT), provides guidance in the form of principles and methodology for executive management, internal audit staffs and external auditors, outlining what the IIA believes is a more efficient and less costly IT general controls assessment process.


Of course, the IIA is hardly alone in trying to rationalize resource-intensive 404 audits. The Securities and Exchange Commission and the Public Company Accounting Oversight Board have also turned their attention to providing better guidance to management and auditors, although their guidance is far broader than what the IIA has provided in GAIT.


The IIA document is designed for early-stage IT scoping assessments, helping with decisions as to which areas of technology, down to specific applications and servers, pose the greatest risk to a company and should be the focus of 404 control reviews. In that way, it is meant to complement existing frameworks such as COBIT. “GAIT is a structured reasoning process that can be tailored for an organization,” says Heriot Prentice, director of technology practices at the IIA, who led the two-year process to establish new IT audit guidelines. “The business process risks and related key controls identified by the top-down and risk-based approach are its starting point.” Prentice expects company executives that use GAIT to be able to challenge external auditor disagreements about scoping decisions for particular systems.


GAIT takes a top-down, risk-based approach built on four core principles for identifying those risks and the related controls in IT general controls processes. This is in line with the recommendations of both the PCAOB and the SEC; in fact, both agencies were given access to GAIT drafts as the guidelines were being written. A GAIT methodology and a set of scenarios are also available and can be used as training tools.


The IIA enlisted the help of an advisory board made up of the leading audit firms and 16 Fortune 500 issuers, and on a pilot basis, several large companies, including Microsoft, Intel and General Motors, have begun using GAIT. “We hope people will come back to us and say 'this part worked' or 'this part did not,'” Prentice says.


According to at least one financial management and compliance consultant, GAIT shows promise but is still a work in progress. “This is not written for IT people, but for internal auditors and SOX directors,” says James Clendenen, engagement director for the risk and consulting section at Chicago-based Parson Consulting. “How you would convert this to something IT people can use is where the big disconnect is.” GAIT is written at too high a level, he argues, and is not technical enough for use by IT staff, unless the intent is that internal audit or other compliance staff would translate its principles into a more useful framework for IT. Clendenen also points out that there is no discussion of segregation of duties issues as they arise, something that many smaller companies struggle with, and that improvements could be made in some of the IT layer categories to make them work with all areas of technology.


Some practitioners take a different view. Brad Ames, internal audit director in charge of SOX testing at Hewlett-Packard Co., believes the IIA guidance is exactly what companies should be following. HP developed its own set of general controls guidelines several years ago, and in many ways they are similar to the principles outlined in the GAIT guidance. “We're into our third year and I find that framework to be the most straightforward for persuading my external auditors that the controls we identify are key and they are operating effectively,” says Ames, whose responsibilities include oversight of IT audits. “Our approach is very similar to the GAIT process.” One strategic idea emphasized in GAIT that Ames finds especially important is benchmarking controls: monitoring automated controls in a way that allows comparisons among different applications, so that outliers or controls that may be faulty can be identified. “It's a way to compare applications and isolate those susceptible to emerging risk,” he says.
