GAIT - PowerPoint PPT Presentation

Provided by: DavidC231
Slides: 34

Transcript and Presenter's Notes
1
GAIT
  • Guide to the Assessment of IT General Controls Scope
    Based on Risk
  • A Top-Down, Risk-Based Approach to the Scoping of
    Key ITGC

2
GAIT
  • Topics covered:
    • Problems with IT SOX compliance
    • Overview / advantages
    • Four principles
    • The methodology's five phases
    • Implementation
    • Examples

3
The Problem
  • The challenge of defining an effective and efficient
    scope for the annual assessment of ICFR (internal
    control over financial reporting)
  • Internal control assessments and testing by
    management and external auditors were not focused
    on the risk of material errors (i.e., they did not
    follow a risk-based approach)
  • Lack of established guidance (inconsistency,
    subjectivity, reliance on checklists, etc.)
  • CobiT and ITGI guidance cover more scope than SOX
    expects, causing companies to do too much
  • Significant cost overruns
  • Difficulty defining the key IT general controls
    required to address the risk of material errors in
    the financial reports

4
What is GAIT?
  • GAIT provides a set of principles and a methodology
    that facilitate the cost-effective scoping of IT
    general control assessments
  • GAIT is a reasoned thinking process that extends the
    top-down, risk-based approach to the assessment of
    risk in ITGCs
  • GAIT focuses on identifying risk in IT processes
    that could affect the critical functionality needed
    to prevent or detect material errors
  • GAIT identifies control objectives, not specific
    key controls

5
Why was GAIT formed?
  • Based on the problems described earlier, the IIA
    recognized the need to help companies identify the
    key IT general controls whose failure could
    indirectly result in a material error in the
    financial statements

6
Who helped with GAIT?
  • A core team of 7 people wrote and edited the
    documents:
    • Christine Bellino, Jefferson Wells
    • Ed Hill, Protiviti
    • Fawn Weaver, Intel
    • Gene Kim, Tripwire
    • Heriot Prentice, The IIA
    • Norman Marks, Business Objects
    • Steve Mar, Microsoft (team leader)
  • Advisory board:
    • CPA firms (Big Four and mid-sized firms)
    • SEC registrants
    • Regulators

7
Who is a part of GAIT?
  • The Institute of Internal Auditors
    • IIA support staff
    • Advanced Technology Committee
  • Others
    • American Institute of Certified Public
      Accountants (AICPA)
    • International Federation of Accountants (IFAC)

8
How does GAIT work?
  • The GAIT document has two main parts: principles
    and methodology
  • Four core principles
    • Define the relationship between business risk, IT
      general control risk, and the IT general controls
      that can mitigate those risks as they pertain to
      financial reporting objectives
  • Methodology (how to apply the principles)
    • Helps organizations examine each financially
      significant application and determine whether
      failures in the IT general control processes at
      each layer of the IT infrastructure represent a
      likely threat to the consistent operation of the
      application's critical functionality

9
Advantages of Applying GAIT
  • Two Primary Advantages
  • Improves cost effectiveness of IT General
    Controls auditing by including within audit scope
    only the elements or layers of infrastructure and
    IT general control processes that are relevant to
    financial control risks.
  • Aids in the documentation of scoping decisions.

10
Overall GAIT Scoping
The RISK of material misstatement or fraud in the
financial statements and disclosures drives scope at
each level, top down:
  • Significant accounts
  • Business processes
  • Business controls
  • Applications
  • General controls

Scope SOX according to the RISK of material
misstatement or fraud.
11
IT Risk Assessment and Scoping
  • Significant accounts
  • Business processes
  • Business controls
  • Applications
  • IT process controls
    • IT processes: change management, operations,
      security
    • Layers: application, database, operating system,
      network

STEP 1: validate understanding.
STEP 2: perform a risk assessment at each layer.
STEP 3: conclude: is it REASONABLY LIKELY that a
failure in this IT process area could impact the
application controls and result in a material
misstatement?
Risk is not eliminated; it is reduced to a
REASONABLE level.
12
Risk of not using GAIT
By not applying a top-down, risk-based approach that
starts at the financial statement and significant
account level, there is a risk that:
  • Controls may be assessed and tested that are not
    critical, resulting in unnecessary cost and
    diversion of resources
  • Controls that are key may not be tested, or may
    be tested late in the process, presenting a risk
    to the assessment or audit

13
GAIT's Four Principles
  • The identification of risks and related controls
    in IT business processes should be a continuation
    of the top-down, risk-based approach used to
    identify significant accounts, risks to those
    accounts, and key controls in the business
    processes.
  • The IT general control process risks that need to
    be identified are those that affect critical IT
    functionality in financially significant
    applications and related data.
  • The IT general control process risks that need to
    be identified exist in processes and at various
    IT layers: application program code, databases,
    operating systems, and network.
  • Risks in IT general control processes are
    mitigated by the achievement of IT control
    objectives, not by individual controls.

14
Financially Significant: Definition
  • Application: contains functionality relied upon
    to assure the integrity of the financial
    reporting process. Should that functionality not
    operate consistently and correctly, there is at
    least a reasonable likelihood of a material
    misstatement that would not be prevented or
    detected.
  • Data: data that, if affected by an unauthorized
    change that bypasses normal application controls
    (i.e., as a result of an ITGC failure), is at
    least reasonably likely to result in a material
    misstatement that would not be prevented or
    detected.

15
The GAIT Methodology
  • . . . guides you by asking three questions:
  • What IT functionality in the financially
    significant applications is critical to the
    proper operation of the business-process key
    controls that prevent or detect material
    misstatement?
  • For each IT process at each layer in the stack,
    is there a reasonable likelihood that a process
    failure would cause the critical functionality to
    fail, indirectly representing a risk of material
    misstatement?
  • If such IT process risks exist, what are the
    relevant IT control objectives?

16
Phases of GAIT Methodology
AS5: Identify controls over financial reporting that
provide reasonable assurance as to its reliability
Phase 1: Identify and validate critical IT
functionality
Phase 2: Identify significant applications where
ITGCs need to be tested
Phase 3: Identify ITGC process risks and related
control objectives
Phase 4: Identify the ITGCs to test that meet the
control objectives
Phase 5: Perform a reasonable person review
17
AS5
  • Top-down approach
    • Effective internal control over financial
      reporting provides reasonable assurance regarding
      the reliability of financial reporting and the
      preparation of financial statements.
    • The auditor should use a top-down approach to
      the audit of internal control over financial
      reporting to select the controls to test. A
      top-down approach begins at the financial
      statement level and with the auditor's
      understanding of the overall risks to internal
      control over financial reporting.
  • Role of IT
    • The auditor should assess the extent of
      information technology ("IT") involvement in the
      period-end financial reporting process.
    • The identification of risks and controls within
      IT should not be a separate evaluation but,
      rather, an integral part of the auditor's
      top-down risk assessment, including
      identification of significant accounts and
      disclosures and their relevant assertions, as
      well as the controls to test.

18
Methodology Phase 1
Identify and validate critical IT functionality
  • Review key controls, reports, and other
    functionality in the company's business processes
    and determine which are manual and which are
    automated.
  • Develop a list of critical IT functionality.
  • Confirm key automated controls.
  • Determine whether there is additional critical IT
    functionality not identified as a key control.

19
Methodology Phase 2
Identify significant applications where ITGCs
need to be tested
  • Sort the critical IT functionality by
    application.
  • Identify the financially significant applications
    that are in scope for ITGC.

20
Methodology Phase 2 (continued)
  • Continue only with financially significant
    applications.

21
Methodology Phase 3
Identify ITGC process risks and related control
objectives
Risk of IT Process Failures
  • What is the likelihood of an IT process failure
    occurring and what is the potential impact?
  • What is the likelihood of the IT process failing
    in such a way that it would cause the critical IT
    functionality to fail?
  • Is it at least reasonably likely that the
    critical functionality would fail without prompt
    detection and result in a material error in the
    financial statements?

22
Methodology Phase 4
Identify the ITGCs to test that meet the control
objectives
  • Consider the pervasiveness of ITGCs . . .
  • Are there risks that may affect multiple
    applications and their critical IT functionality?
  • Select the key IT general controls to test.
  • Link each key IT general control to the control
    objectives identified through GAIT.

23
Methodology Phase 5
Perform a reasonable person review
  • Confirm that the risks and key controls represent
    a reasonable view of the risk to financial
    reporting.
  • Ensure that the selection of risks is reasonable,
    given the organization's risk tolerance for its
    Section 404 scope.

24
Implementing GAIT
  • Prior to implementing GAIT, companies should
    perform a top-down, risk-based assessment of
    their business processes and identify the key
    controls in those processes.
  • GAIT uses the information gathered in that
    assessment to define which functionality within
    the IT applications is critical and to determine
    which IT applications provide that functionality.

25
Sample GAIT Matrix
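The matrix itself did not survive extraction, so the following is an added worked example (not IIA material and not the presenter's own code) of the scoping chain Phases 1 to 4 describe: key business controls, then critical IT functionality, then financially significant applications, then a "reasonably likely" assessment for each IT process at each layer of the stack, then control objectives with pervasive (shared) ones flagged. The application names, key controls, risk ratings, the three-valued likelihood scale, the decision rule in `cell_in_scope` and the wording of the control objectives are all constructed assumptions for illustration; a real assessment substitutes its own.

```python
"""GAIT-style ITGC scoping walk-through (added illustration, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# The IT processes and infrastructure layers named on the scoping slide.
IT_PROCESSES = ("Change Management", "Operations", "Security")
LAYERS = ("Application", "Database", "Operating System", "Network")


@dataclass(frozen=True)
class KeyControl:
    """A key control taken from the prior top-down business-process assessment."""
    name: str
    application: Optional[str]  # None for a purely manual control
    automated: bool             # automated control or system report relied on


@dataclass(frozen=True)
class CellAssessment:
    """Phase 3 answers for one (application, IT process, layer) cell."""
    likelihood: str            # assumed scale: "remote", "reasonably_possible", "probable"
    breaks_functionality: bool  # would a process failure break the critical functionality?
    promptly_detected: bool     # would a business control catch the resulting error in time?


# Illustrative control-objective wording (GAIT names objectives, not specific controls).
CONTROL_OBJECTIVES = {
    "Change Management": "Only authorized, tested changes are made to the {layer} layer of {app}",
    "Operations": "Processing on the {layer} layer of {app} completes and failures are resolved",
    "Security": "Access to the {layer} layer of {app} is restricted to authorized individuals",
}


def phase1_critical_functionality(controls):
    """Phase 1: automated key controls (and system reports relied on) are critical IT functionality."""
    return [c for c in controls if c.automated and c.application]


def phase2_significant_applications(critical):
    """Phase 2: sort critical functionality by application; every such application is in scope."""
    by_app = defaultdict(list)
    for c in critical:
        by_app[c.application].append(c.name)
    return dict(by_app)


def cell_in_scope(a: CellAssessment) -> bool:
    """Phase 3 decision rule (an assumption): in scope only when a failure is more than remote,
    would break the critical functionality, and would not be promptly detected downstream."""
    return a.likelihood != "remote" and a.breaks_functionality and not a.promptly_detected


def phase3_matrix(apps, assessments):
    """Build the GAIT matrix {app: {(process, layer): in_scope}}; unassessed cells default to out."""
    matrix = {}
    for app in apps:
        matrix[app] = {}
        for proc in IT_PROCESSES:
            for layer in LAYERS:
                a = assessments.get((app, proc, layer))
                matrix[app][(proc, layer)] = cell_in_scope(a) if a else False
    return matrix


def phase4_control_objectives(matrix):
    """Phase 4: turn in-scope cells into control objectives; cells shared by several apps are pervasive."""
    hits = {}
    for app, cells in matrix.items():
        for key, in_scope in cells.items():
            if in_scope:
                hits.setdefault(key, []).append(app)
    objectives = [CONTROL_OBJECTIVES[proc].format(layer=layer, app=app)
                  for (proc, layer), apps in sorted(hits.items()) for app in apps]
    pervasive = {k: v for k, v in hits.items() if len(v) > 1}
    return objectives, pervasive


def run_example():
    """Run all four phases over constructed sample data and return every intermediate result."""
    controls = [  # constructed key controls from a hypothetical business-process assessment
        KeyControl("Three-way match of PO, receipt and invoice", "ERP", True),
        KeyControl("Automated revenue recognition schedule", "Billing", True),
        KeyControl("Billing exception report review", "Billing", True),
        KeyControl("Manual review of journal entries over $1M", None, False),
        KeyControl("Manual approval of payroll run", "Payroll", False),  # manual: Payroll drops out
    ]
    assessments = {  # constructed Phase 3 ratings; cells not listed are treated as out of scope
        ("ERP", "Change Management", "Application"): CellAssessment("probable", True, False),
        ("ERP", "Security", "Database"): CellAssessment("reasonably_possible", True, False),
        ("ERP", "Operations", "Operating System"): CellAssessment("reasonably_possible", True, True),
        ("ERP", "Security", "Network"): CellAssessment("remote", True, False),
        ("Billing", "Change Management", "Application"): CellAssessment("probable", True, False),
        ("Billing", "Security", "Application"): CellAssessment("probable", True, False),
        ("Billing", "Security", "Database"): CellAssessment("reasonably_possible", False, False),
    }
    critical = phase1_critical_functionality(controls)
    apps = phase2_significant_applications(critical)
    matrix = phase3_matrix(apps, assessments)
    objectives, pervasive = phase4_control_objectives(matrix)
    return critical, apps, matrix, objectives, pervasive


if __name__ == "__main__":
    _, apps, matrix, objectives, pervasive = run_example()
    for app, cells in matrix.items():  # print the matrix one row per application
        row = " ".join("Y" if cells[(p, l)] else "." for p in IT_PROCESSES for l in LAYERS)
        print(f"{app:8} {row}")
    print("\n".join(objectives))
    print("pervasive:", pervasive)
```

Two things the toy run makes visible that the bullet lists do not: Payroll never reaches the matrix because none of its key controls is automated (Phase 2 filters it), and the ERP operating-system cell stays out of scope even with a plausible failure because a downstream business control would promptly detect the error, which is exactly the Phase 3 question. The shared change-management objective at the application layer is flagged as pervasive so Phase 4 can test it once against a common change process rather than per application.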
26
Risk Factors
  • Factors that affect the risk associated with a
    control include
  • The degree to which the control relies on the
    effectiveness of other controls (e.g., the
    control environment or information technology
    general controls)
  • Whether the control relies on performance by an
    individual or is automated (i.e., an automated
    control would generally be expected to be lower
    risk if relevant information technology general
    controls are effective)

27
Case Study 1
  • Energy Trading Company
  • Key IT general controls reduced from 48 to 20
  • Able to consolidate many of the controls
  • Added 2 applications because financial controls
    relied on them
  • Identified other risk areas related to a key
    application

28
Case Study 2
  • Financial Institution
  • Eliminated 3 systems from scope (no controls
    depended upon those systems)
  • Able to eliminate all network-related controls
    except those for access
  • Some controls were added back at management's
    request due to the immaturity of the processes

29
Case Study 3
  • Utility Company
  • Reduced key IT general controls from 49 to 18
  • Reduction had significant potential for reducing
    administrative overhead
  • Paved the way for a self-assessment program
  • Able to provide good rationale for in-scope
    applications

30
Maximizing GAIT's Implementation
  • Tips and Techniques
  • Start with a top-down, risk-based assessment of
    each risk and key control in the business process
    being evaluated
  • Build a team of internal controls experts with
    both business and IT knowledge to complete or
    review GAIT results
  • Engage the external auditor
  • Perform GAIT assessment early in the process
  • Focus on getting scope right, not just on
    reductions
  • Document results carefully and be sure to explain
    what is and is not in scope

31
More Information . . .
  • GAIT resources: www.theiia.org
  • Questions? Ask Dr. GAIT: drgait_at_theiia.org

32
  • Questions

33
  • Feel free to contact me with questions
  • Bill McSpadden, CISA
  • Protiviti
  • 913-685-6200 or 913-661-7403
  • Bill.mcspadden_at_protiviti.com