A fact: most companies have included far too many IT General Controls (ITGC) in their scope for SOX.
Why: because they have taken an approach to scoping ITGC that is disconnected from the top-down, risk-based approach used to identify key controls within business processes. As a result, ITGC controls have been brought into scope even where their failure would not present a reasonable possibility of a material error or omission in the financial statements.
“The identification of risks and controls within IT should not be a separate evaluation. Instead, it should be an integral part of management’s top-down, risk-based approach to identifying risks and controls and in determining evidential matter necessary to support the assessment.” – SEC Interpretive Guidance
The IIA recognized that there was a need to help practitioners define the right scope of ITGC for SOX, and a team of experts (including a representative from the PCAOB) developed the GAIT Methodology.
GAIT continues the top-down and risk-based approach recommended for companies by the SEC and mandated for their auditors in the PCAOB’s Auditing Standard 2201 (formerly AS5).
“The auditor should use a top-down approach to the audit of internal control over financial reporting to select the controls to test.” – PCAOB Auditing Standard…