Help Available to Assess IT Risks
The IIA releases the second and third guides in the GAIT series; survey identifies need to address PCAOB/SEC revisions and business/IT risk linkage

LAS VEGAS - Responding to organizations' need for guidance on assessing IT controls, The Institute of Internal Auditors (IIA) has issued two new documents in its Guide to the Assessment of IT Risk (GAIT) series. The guides address updates and revisions to regulations as well as the needs of organizations to link IT controls to critical business risks. A recent survey* of 895 auditors and corporate managers indicated that a majority of respondents would find the guidance helpful.

Leveraging the philosophies discussed in GAIT's first guide, the second guide - GAIT for IT General Control Deficiency Assessments - gives auditors and management an approach to assess whether IT general control (ITGC)** deficiencies identified during their Sarbanes-Oxley Section 404 assessment represent significant deficiencies or material weaknesses in the system of internal control over financial reporting. It builds on guidance provided in 2004 by nine certified public accounting firms, A Framework for Evaluating Control Exceptions and Deficiencies, and reflects recent changes in the definitions of material weakness and significant deficiency.

"GAIT for IT General Control Deficiency Assessment provides a platform for internal auditors to use in discussing their deficiency assessment with external auditors, management, and others," says IIA Director of Standards and Practices Heriot Prentice, the central organizer behind the GAIT series. "It's based on the experiences of organizations over the last several years, and expands on management guidance from the U.S. Securities and Exchange Commission as well as guidance provided in the nine-firm framework by referencing the U.S. Public Company Accounting Oversight Board's Auditing Standard No. 5."

The IIA also released its third guide in the series - GAIT for Business and IT Risk.
This practice guide helps managers and auditors identify all the key controls that are critical to achieving business goals and objectives. It identifies the critical aspects of information technology that are essential to the management and mitigation of organizational risk. These critical IT functionalities and their corresponding risks can then be considered when planning audit work.

"GAIT for Business and IT Risk provides an approach for developing the scope for a business risk audit that looks at the appropriate IT controls," said Norman Marks, a member of the GAIT development team and vice president of internal audit for Business Objects, an SAP company. "It addresses the misconception that IT and business risk need to be assessed independently, and it enables chief audit executives to provide assurance on business risk with the comfort that IT-related issues are given the appropriate level of consideration."

"This helps organizations identify the key IT controls necessary for reasonable assurance that selected business risks are adequately mitigated," Marks added.

GAIT for IT General Control Deficiency Assessment and GAIT for Business and IT Risk were unveiled this week at The IIA's General Audit Management Conference, being held March 17-19 in Las Vegas. Both sets of guidance can be downloaded free of charge from The IIA Web site at www.theiia.org/guidance/technology.
###

* IIA survey: "GAIT - IT Assessment," March 14, 2007. Key findings include:

- 78.7 percent of respondents indicated that assessing control deficiencies in ITGCs is difficult.
- 98.3 percent of respondents would find guidance (consistent with the PCAOB's Auditing Standard #5 and SEC revisions) helpful in assessing deficiencies in ITGCs.
- More than half of the respondents (56.7 percent) indicated that their methodology was not effective or only somewhat effective in identifying and assessing IT risks as a part of an overall audit of organizational risk.
- 99.4 percent of respondents would find guidance helpful in identifying and assessing IT risks as a part of an overall audit of business risk.

** IT general controls are those controls that assure the proper operation of IT applications and automated controls, as well as controls that help to protect data and programs from unauthorized change.

Contact: Scott McCallum
Office: 407-937-1247
Cell: 321-246-7649
Scott.McCallum@TheIIA.org