Guide to the assessment of IT General Controls Scope Based on ... - PowerPoint PPT Presentation
Presentation Transcript
GAIT

Guide to the Assessment of IT General Controls Scope Based on Risk

A Top-Down, Risk-Based Approach to the Scoping of Key ITGC


GAIT

Topics Covered:

  • Problems with IT SOX Compliance

  • Overview / Advantages

  • Four Principles

  • Methodologies – Five Phases

  • Implementation

  • Examples


The Problem

  • Challenge defining an effective and efficient scope for the annual assessments of ICFR

  • Internal control assessments and testing by management and external auditors were not focused on the risk of material errors (i.e., they did not follow a risk-based approach)

  • Lack of established guidance (i.e., inconsistency and subjectivity, reliance on checklists, etc.)

  • CobiT and ITGI provide more scope than SOX expects, causing companies to do too much

  • Significant cost overruns

  • Difficulty defining the key IT general controls required to address risks of material errors to financial reports


What is GAIT?

  • GAIT provides a set of principles and a methodology that facilitate the cost-effective scoping of IT general control assessments

  • GAIT is a reasoned thinking process that continues the top-down and risk-based approach to assess risk in ITGCs

  • GAIT focuses on identifying risk in IT processes that could affect critical functionality needed to prevent/detect material errors

  • Control objectives are identified in GAIT, but not specific key controls


Why was GAIT formed?

Based on the problems described earlier, the IIA recognized the need to help companies identify the key IT general controls whose failure could indirectly result in a material error in the financial statements.


Who helped with GAIT?

Core team of 7 people wrote and edited the documents:

  • Christine Bellino, Jefferson Wells

  • Ed Hill, Protiviti

  • Fawn Weaver, Intel

  • Gene Kim, Tripwire

  • Heriot Prentice, The IIA

  • Norman Marks, Business Objects

  • Steve Mar, Microsoft – Team Leader

Advisory Board:

  • CPA Firms – Big Four, Mid-sized Firms

  • SEC Registrants

  • Regulators


Who is a part of GAIT?

  • The Institute of Internal Auditors

    • IIA Support Staff

    • Advanced Technology Committee

  • Others

    • American Institute of Certified Public Accountants (AICPA)

    • International Federation of Accountants (IFAC)


How does GAIT work?

  • The GAIT document has two main parts:

    • Principles

    • Methodology

  • Four Core Principles

    • Define the relationship between business risk, IT general controls risk, and the IT general controls that can mitigate these threats as they pertain to financial reporting objectives

  • Methodology

    • Helps organizations to examine each financially significant application and determine whether failures in the IT general control processes at each layer of the IT infrastructure represent a likely threat to the consistent operation of the application's critical functionality – HOW TO APPLY THE PRINCIPLES


Advantages of Applying GAIT

  • Two Primary Advantages

    • Improves cost effectiveness of IT General Controls auditing by including within audit scope only the elements or layers of infrastructure and IT general control processes that are relevant to financial control risks.

    • Aids in the documentation of scoping decisions.


Overall GAIT Scoping

[Diagram: the scoping chain runs top-down from Significant accounts → Business processes → Business controls → Applications → General Controls, driven at every level by the RISK of material misstatement/fraud to financial statements & disclosures.]

Scope SOX according to RISK of material misstatement/fraud.


IT Risk Assessment and Scoping

[Diagram: Significant accounts → Business processes → Business controls → Applications → IT Process Controls (Change Mgt, Operations, Security), assessed at each layer of the stack:]

  • Application

  • Database

  • Operating System

  • Network

STEP 1: validate understanding

STEP 2: perform risk assessment at each layer

STEP 3: Conclude: is it REASONABLY LIKELY that a failure in this IT Process area could impact application controls & result in a material misstatement?

Risk is not eliminated; it is reduced to a REASONABLE level.


Risk of not using GAIT

By not applying a top-down and risk based approach starting at the financial statements and significant account level, there is a risk that:

  • Controls may be assessed and tested that are not critical, resulting in unnecessary cost and diversion of resources

  • Controls that are key may not be tested, or may be tested late in the process, presenting a risk to the assessment or audit


GAIT’s Four Principles

  • The identification of risks and related controls in IT business processes should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.

  • The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.

  • The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and network.

  • Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.


Financially Significant – Definition

  • Application: contains functionality relied upon to assure the integrity of the financial reporting process.

    • Should that functionality not function consistently and correctly, there is at least a reasonable likelihood of a material misstatement that would not be prevented or detected.

  • Data: data that, if affected by an unauthorized change that bypasses normal application controls (i.e., as a result of an ITGC failure), is at least reasonably likely to result in a material misstatement that would not be prevented or detected.


The GAIT Methodology

. . . guides you by asking three questions:

  • What IT functionality in the financially significant applications is critical to the proper operation of the business process key controls that prevent/detect material misstatement?

  • For each IT process at each layer in the stack, is there a reasonable likelihood that a process failure would cause the critical functionality to fail, indirectly representing a risk of material misstatement?

  • If such IT business process risks exist, what are the relevant IT control objectives?


Phases of GAIT Methodology

AS5: Identify controls over financial reporting to provide reasonable assurance as to their reliability

Phase 1: Identify and validate critical IT functionality

Phase 2: Identify significant applications where ITGCs need to be tested

Phase 3: Identify ITGC process risks and related control objectives

Phase 4: Identify ITGC to test that meet control objectives

Phase 5: Perform a reasonable person review


AS5

Top Down Approach

  • Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements.

  • The auditor should use a top-down approach to the audit of internal control over financial reporting to select the controls to test. A top-down approach begins at the financial statement level and with the auditor's understanding of the overall risks to internal control over financial reporting.

Role of IT

  • The auditor should assess the extent of information technology ("IT") involvement in the period-end financial reporting process;

  • The identification of risks and controls within IT should not be a separate evaluation but, rather, an integral part of the auditor's top down risk assessment, including identification of significant accounts and disclosures and their relevant assertions, as well as the controls to test.


Methodology – Phase 1

Identify and validate critical IT functionality

  • Review key controls, reports, and other functionality in the company’s business processes and determine which are manual and which are automated.

  • Develop a list of critical IT functionality.

  • Confirm key automated controls.

  • Determine whether there is additional critical IT functionality not identified as a key control.


Methodology – Phase 2

Identify significant applications where ITGCs need to be tested

  • Sort the critical IT functionality by application.

  • Identify the financially significant applications that are in scope for ITGC.


Methodology – Phase 2 (continued)

Continue only with financially significant applications.


Methodology – Phase 3

Identify ITGC process risks and related control objectives

Risk of IT Process Failures

  • What is the likelihood of an IT process failure occurring and what is the potential impact?

  • What is the likelihood of the IT process failing in such a way that it would cause the critical IT functionality to fail?

  • Is it at least reasonably likely that the critical functionality would fail without prompt detection and result in a material error in the financial statements?


Methodology – Phase 4

Identify ITGC to test that meet control objectives

Consider the pervasiveness of ITGC . . .

  • Are there risks that may affect multiple applications and their critical IT functionality?

  • Select Key IT general controls to test.

  • Link each key IT general control to the control objectives identified through GAIT.


Methodology – Phase 5

Perform a reasonable person review

  • Confirm that the risks and key controls represent a reasonable view of risk to financial reporting.

  • Ensure that the selection of risks is reasonable, given the organization’s risk tolerance in their 404 scope.


Implementation of GAIT

Prior to implementing GAIT, companies should perform a top-down, risk-based assessment of their business processes and identify the key controls in those processes.

GAIT uses the information gathered in this assessment to define which functionality within the IT applications is critical and to identify which IT applications provide that functionality.


Sample GAIT Matrix


Risk Factors

Factors that affect the risk associated with a control include:

  • The degree to which the control relies on the effectiveness of other controls (e.g., the control environment or information technology general controls).

  • Whether the control relies on performance by an individual or is automated (i.e., an automated control would generally be expected to be lower risk if relevant information technology general controls are effective).


Case Study 1

Energy Trading Company

  • Key IT general controls reduced from 48 to 20

  • Able to consolidate many of the controls

  • Added 2 applications because financial controls relied on them

  • Identified other risk areas related to a key application


Case Study 2

Financial Institution

  • Eliminated 3 systems from scope – no controls dependent upon the systems

  • Able to eliminate all Network related controls except for access

  • Some controls were added back at management’s request due to the immaturity of the processes


Case Study 3

Utility Company

  • Reduced key IT general controls from 49 to 18

  • Reduction had significant potential for reducing administrative overhead

  • Paved the way for self assessment program

  • Able to provide good rationale for in-scope applications


Maximizing GAIT’s Implementation

Tips and Techniques

  • Start with a top-down, risk-based assessment of each risk and key control in the business process being evaluated

  • Build a team of internal controls experts with both business and IT knowledge to complete or review GAIT results

  • Engage external auditor

  • Perform GAIT assessment early in the process

  • Focus on getting scope right, not just on reductions

  • Document results carefully and be sure to explain what is and is not in scope


More Information . . .

GAIT Resources: www.theiia.org

Questions? Ask Dr. [email protected]

