Help Available for IT Risk Assessment

Institute of Internal Auditors issues two new guides

Organizations looking for guidance in assessing IT controls will welcome The Institute of Internal Auditors’ (IIA) two new documents in its Guide to the Assessment of IT Risk (GAIT) series. The guides reflect updates and revisions to regulations and link IT controls to critical business risks.

Following on the philosophies discussed in GAIT’s first guide, the second guide in the series -- GAIT for IT General Control Deficiency Assessments -- helps auditors and managers assess whether IT general control (ITGC) deficiencies identified during a Sarbanes-Oxley Section 404 assessment are significant deficiencies or material weaknesses in their internal control over financial reporting. The guide builds on guidance that nine CPA firms issued in 2004.

“GAIT for IT General Control Deficiency Assessment provides a platform for internal auditors to use in discussing their deficiency assessment with external auditors, management, and others,” said IIA director of standards and practices Heriot Prentice, the central organizer behind the GAIT series, in a statement. “It’s based on the experiences of organizations over the last several years, and expands on management guidance from the U.S. Securities and Exchange Commission as well as guidance provided in the nine-firm framework by referencing the U.S. Public Company Accounting Oversight Board’s Auditing Standard No. 5.”

The third guide, GAIT for Business and IT Risk, helps managers and auditors identify the key controls critical to reaching an organization’s business goals and objectives. It identifies the critical aspects of IT that are needed to manage and mitigate organizational risk.

“GAIT for Business and IT Risk provides an approach for developing the scope for a business risk audit that looks at the appropriate IT controls,” said Norman Marks, a member of the GAIT development team and vice president of internal audit for Business Objectives, an SAP company. “It addresses the misconception that IT and business risk need to be assessed independently and it enables chief audit executives to provide assurance on business risk with the comfort that IT-related issues are given the appropriate level of consideration.”

Both guides can be downloaded free from
