After four years of struggles with the Sarbanes-Oxley Section 404 assessment process, the Institute of Internal Auditors (IIA) stepped forward last week with a blueprint to make the IT audit process more manageable and predictable. The release, called the Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT), provides guidance in the form of principles and methodology for executive management, internal audit staffs and external auditors, outlining what the IIA believes is a more efficient and less costly IT general controls assessment process.

Of course, the IIA is hardly alone in trying to rationalize resource-intensive 404 audits. The Securities and Exchange Commission and Public Company Accounting Oversight Board have also turned their attention to providing better guidance to management and auditors, although theirs is far broader than what the IIA has provided in GAIT.

The IIA document is designed for early-stage IT scoping assessments, helping with decisions as to which areas of technology, down to specific applications and servers, pose the greatest risk to a company and should be the focus of 404 control reviews. In that way, it is meant to complement existing frameworks such as COBIT. "GAIT is a structured reasoning process that can be tailored for an organization," says Heriot Prentice, director of technology practices at the IIA, who led the two-year process to establish new IT audit guidelines. "The business process risks and related key controls identified by the top-down and risk-based approach are its starting point." Prentice expects company executives who use GAIT to be able to challenge external auditor disagreements about scoping decisions for particular systems.

