The Institute of Internal Auditors has unveiled new guidance intended to help companies and auditors scope the IT general controls that should be included in their annual assessments of internal controls over financial reporting under Sarbanes-Oxley.

IT general controls—the controls that assure the proper operation of IT applications and automated controls and help protect data and programs from unauthorized change—account for a substantial portion of internal and external auditors’ overall costs of complying with Section 404. IIA leaders say assessing key IT general controls is critical, because failures can lead to material errors in financial statements, among other things.

But, IIA officials say, management and internal auditors have struggled to make sure the scope of their work performed around IT general controls is appropriate, since so little guidance has been issued on how to scope or identify only those controls necessary for Section 404 compliance. Last week’s announcement aims to remedy that lack of information.


“SEC registrants have been hesitant to reduce the scope of their testing for fear of increased risk and scrutiny,” IIA president and chief executive Dave Richards said during a recent Webcast announcing the guidance.

The “Guide to the Assessment of IT General Controls Scope Based on Risk”—known as GAIT—is intended to help users identify those key IT general controls where a failure might indirectly result in a material error in a financial statement. An example would be an automated control that requires an authorized person to approve expenses.

The guidance is based on a set of four IT principles that the IIA says are consistent with the top-down, risk-based approach advocated by both the Public Company Accounting Oversight Board and the Securities and Exchange Commission. Those principles are:

That the identification of risks and related controls in IT general control processes (for example, change management, deployment, access security, and operations) should be a continuation of the top-down, risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes;

That IT general control process risks that need to be identified are those that affect critical IT functions in financially significant applications and related data;

That IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and networks; and

That risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.

The guidance also includes a methodology to implement those principles. In addition to providing guidance around scoping IT general controls and the tools to defend those decisions, the methodology includes a section with implementation examples.

METHODOLOGY

An excerpt from GAIT’s methodology report follows.

The GAIT methodology examines each financially significant application and determines whether failures in the ITGC processes at each layer in the stack represent a likely threat to the consistent operation of the application’s critical functionality. If a failure is likely, GAIT identifies the ITGC process risks in detail and the related ITGC control objectives that, when achieved, mitigate the risks. COBIT and other methodologies can identify the key controls to address the ITGC control objectives.

In short, the GAIT methodology guides you through asking three questions in sequence:

What IT functionality in the financially significant applications is critical to the proper operation of the business process key controls that prevent/detect material misstatement (i.e., what is the critical IT functionality)?

For each IT process at each layer in the stack, is there a reasonable likelihood that a process failure would cause the critical functionality to fail—indirectly representing a risk of material misstatement (i.e., if that process failed at that layer, what effect would there be on the critical functionality? Would it cause the functionality to fail such that there would be a reasonably likely risk of material misstatement)?

If such ITGC process risks exist, what are the relevant IT control objectives (i.e., what IT control objectives need to be achieved to provide assurance over the critical functionality)?

Source: The GAIT Methodology (Institute of Internal Auditors; January 2007)

Heriot Prentice, director of technology practices at the IIA, says GAIT should help companies meet their compliance obligations under Auditing Standard No. 2, which auditors use to gauge compliance with Sarbanes-Oxley, more effectively than other IT control frameworks such as the COBIT standard used alone.

COBIT is one of the most commonly used IT control frameworks, Prentice says, but it also has 360 control objectives. “When they’re doing their IT controls work, most companies have been looking at all 360 objectives of COBIT or applying too many, because there’s been no way to define what’s in scope and out of scope,” he says.

Prentice likens the COSO internal controls framework to a recipe book for creating effective internal controls over financial reporting, and COBIT to the supermarket aisle for IT controls specifically. A company would never want to use all of the control objectives offered in the COBIT aisle, he says. “You would only use those items that are relevant to your menu.”


GAIT only helps to determine whether a control is within scope, not which IT general controls should be used. “GAIT is strictly a scoping document for IT general control purposes,” says Ed Hill, a managing director at consulting firm Protiviti and a member of the team that developed the guidance. Hill says the guidance works “hand in hand” with frameworks such as COBIT (Control Objectives for Information and related Technology).

Hill says GAIT is bringing formality into the scoping process for IT controls “that hasn’t been there in the past.”