The GAIT Principles And Methodology For SOX-404
From 2005 to 2007, I was part of the leadership team for the GAIT task team at the Institute of Internal Auditors. We were looking at the huge cost and effort associated with the IT portions of SOX-404. Over 18 months, we developed and published the GAIT Principles and Methodology, designed to help management appropriately scope the IT portions of SOX-404.
Here's how the IIA talked about it in the press release:
2/8/2007: Yesterday, The Institute of Internal Auditors (IIA) released long-awaited guidance providing executive management, internal and external auditors, regulators, and the IT industry with a method of identifying which IT General Controls (ITGC) should be tested as a part of an annual assessment of internal controls over financial reporting.
The guidance called GAIT - the Guide to the Assessment of IT General Controls Scope Based on Risk, will help organizations and their auditors be more efficient and could possibly result in a reduction of compliance costs, such as those associated with Section 404 of the U.S. Sarbanes-Oxley Act of 2002 (SOX).
GAIT comes on the heels of recent survey results indicating that costly ITGC scoping inefficiencies still exist. Today, technology is inherent in most organizational processes, many of which are complex and not fully understood by management or auditors. Although some excellent IT control and audit frameworks have emerged from various countries, until now there was no common methodology for clearly identifying ITGC that significantly impact financial reporting. This frequently has resulted in overlooking critical ITGC, as well as testing too many controls, which can be costly. GAIT provides a universal methodology designed to efficiently scope ITGC, regardless of the internal control framework used.
The approximate timeline of the project began in July 2005 when we held our first summit, to February 2007 when the GAIT guidance was officially announced.
We held the first summit in July 2005, where we assembled internal auditors and security executives from publicly held companies (i.e., SEC registrants), external auditors from the Big Four and probably most importantly, Bill Powers from the Public Company Accounting Oversight Board (PCAOB, created by SOX-404 to audit the auditors).
Instead of showing you slides from that summit, I'm going to show you slides from the January 2006 summit, because we were much better talking about the problem by then.
When I showed the slide above to the PCI Scoping SIG team, most everyone seemed startled at how similar the SOX-404 IT problem statements are to the current PCI problem statements.
Let's talk about each one of these in turn in the SOX-404 context:
- No well-established guidance for scoping IT work results in inconsistency and the process being overly subjective
One of the problems was that auditors were often guilty of auditing anything, just because it looked important. Sure, all the applications that talk to SAP may look important, but is there anything in those apps that could result an undetected material error?
The problem is that in a risk-averse environment, management and internal auditors could rarely effectively challenge the external auditor. In other words, the external auditor could say, "Well, I can't give a clean, unqualified opinion on your 10-K unless we audit everything."
So, these were always lonely battles against the external auditor.
(It sort of feels like a Mafia protection racket. "Sure is a nice, clean 10-K financial statement you got there. Shame if something bad were to happen to it. (wink)")
- Significant key controls reside inside IT and IT processes as well as in the business processes
Incidentally, the real control where reliance is placed may not even be an IT control, instead it's some manual reconciliation process! So in that case, auditing that IT systems would be totally inappropriate.
- Sometimes result in overly broad scope and excessive testing costs
If you're auditing areas where there is little risk, you're wasting resources, time and money.
I remember vividly talking to a controller at a Fortune 20 company who was furious that his compliance costs for the IT and financial portions was the same. I think he said something like, "The Enron failure was not caused by a DBA. So, why am I paying so much for IT control compliance, when that's not where the risk is?"
So this is when scope is overly broad: we're testing stuff that doesn't matter.
- Significant risks to financial assertions may be left unaddressed
This is the case when scope is too small: we never test something that's actually really important, that could cause an undetected material error in the financial statement!
- Suboptimal use of scarce resources
This doesn't require any explanation.
The GAIT Principles were less than 200 words, while the GAIT Methodology was almost 50K words.
Some of the best presentations on GAIT and its successful use are shown below: