Some years ago, the IIA developed a methodology that helps people apply the top-down, risk-based approach required by the regulators (required by the PCAOB for the audit firms and recommended by the SEC for companies) when determining which IT General Controls (ITGC) to include for SOX.
The GAIT Methodology (download it here) has been used by hundreds of companies (if not more) and accepted by the external auditors. In fact, I know of one company that hired an IT auditor from EY to lead their IT audit team, and he brought GAIT with him.
However, in their infinite wisdom, the IIA has removed GAIT (and its related versions, including a methodology for assessing ITGC deficiencies) from their Global and Americas IIA web sites.
You can help determine whether this was a wise move by the IIA by answering a VERY short survey here.
Thanks
Norman
POSTSCRIPT:
For those who are not familiar with GAIT, it addresses the need described by the SEC in the SOX Guidance:
d. Role of Information Technology General Controls
Controls that management identifies as addressing financial reporting risks may be automated, dependent upon IT functionality, or a combination of both manual and automated procedures. In these situations, management’s evaluation process generally considers the design…