I need your help with the IIA’s SOX Methodology for ITGC scoping

Some years ago, the IIA developed a methodology that helps people use the top-down and risk-based methodology required by the regulators (required by the PCAOB for the audit firms and recommended by the SEC for companies) when it comes to determining which IT General Controls (ITGC) to include for SOX.

The GAIT Methodology (download it here) has been used by hundreds of companies (if not more) and accepted by the external auditors. In fact, I know of one company that hired an IT auditor from EY to lead their IT audit team, and he brought GAIT with him.

However, in their infinite wisdom, the IIA has removed GAIT (and its related versions, including a methodology for assessing ITGC deficiencies) from their Global and Americas IIA web sites.

You can help determine whether this was a wise move by the IIA by answering a VERY short survey here.

Thanks

Norman

POSTSCRIPT:

For those who are not familiar with GAIT, it addresses the need described by the SEC in the SOX Guidance:

d. Role of Information Technology General Controls

Controls that management identifies as addressing financial reporting risks may be automated, dependent upon IT functionality, or a combination of both manual and automated procedures. In these situations, management’s evaluation process generally considers the design and operation of the automated or IT dependent application controls and the relevant IT general controls over the applications providing the IT functionality. While IT general controls alone ordinarily do not adequately address financial reporting risks, the proper and consistent operation of automated controls or IT functionality often depends upon effective IT general controls. The identification of risks and controls within IT should not be a separate evaluation. Instead, it should be an integral part of management’s top-down, risk-based approach to identifying risks and controls and in determining evidential matter necessary to support the assessment.

Aspects of IT general controls that may be relevant to the evaluation of ICFR will vary depending upon a company’s facts and circumstances. For purposes of the evaluation of ICFR, management only needs to evaluate those IT general controls that are necessary for the proper and consistent operation of other controls designed to adequately address financial reporting risks. For example, management might consider whether certain aspects of IT general control areas, such as program development, program changes, computer operations, and access to programs and data, apply to its facts and circumstances. Specifically, it is unnecessary to evaluate IT general controls that primarily pertain to efficiency or effectiveness of a company’s operations, but which are not relevant to addressing financial reporting risks.

  1. John Fraser
    May 27, 2022 at 2:18 PM

    What are they replacing it with? Is it better?
    What problem were they hoping to solve (the basis for making any decision)?

  2. John Fraser
    May 27, 2022 at 2:20 PM

    What are they replacing it with?

    Is it better?

    What problem are they trying to solve (the basis for making any decision)?

    • Norman Marks
      May 27, 2022 at 2:23 PM

      They said the number of downloads was few and technology has moved on. I told them the downloads were sparse because it was buried and hard to find, plus they didn’t tell anybody about it.

      • John Fraser
        May 27, 2022 at 2:40 PM

        Sounds typical. Terrible website. Hate to use it.

  3. Norman Marks
    May 28, 2022 at 9:08 AM

    Please see POSTSCRIPT in the updated post.
