GAIT-R framework, extending beyond SOX-404 to any COSO objective
Presented by Jay Taylor and Ed Hill at 2008 Institute of Internal Auditors Internal Conference
1. GAIT Approach to Regulatory Compliance
Edward L. Hill, Managing Director, Protiviti
Jay R. Taylor, CIA, CFE, CISA, General Director of Audit, General Motors Corporation
35. GAIT for IT and Business Risk
Edward Hill, CIA, Managing Director, Protiviti
45. Step 7: Perform a “reasonable person,” holistic review of all the key controls identified
49. Case Study: Audit of Environmental Compliance Management Process Using GAIT
Jay R. Taylor
53. So … we only have a certain number of audit hours … What is critical to review? Why??
54. 2. Key Controls in the Business Process to Achieve Business Objectives
Objectives: A = Timeliness, B = Completeness, C = Accuracy
Key Controls (objective marks against columns A B C):
1. Calendar-based reminders to users prompting input of critical data (automated): X X
2. Entry and edit of chemical purchases, usages, losses, releases, etc. (hybrid): X
3. Comparison of current results (post-calculation) to previous results (automated): X X
4. Final review of reports including support data (hybrid, heavy dependence; note: “precision”): X X
5. e-Filing of regulatory reports: X
55. 3. Critical IT Functionality Relied Upon from Among the Key Business Controls
Key Control / Related IT Functionality:
1. Calendar reminders to users (automated) / Programmed routine including user notification
2. Entry and edit of chemical purchases (hybrid) / Programmed edits against tables (range check; chemical types; etc.)
3. Comparison of current results to previous results (automated) / Calculate quantities not accounted for, and compare to thresholds and priors
4. Final review of report including support (hybrid) / Select transactions, format, and print user reports
5. e-Filing of regulatory reports / Select, format, and transmit
Steve: During today’s presentation, we will discuss:
- What GAIT is
- Why GAIT was established
- Who developed GAIT
- GAIT Principles & Methodology
- Tips & Practical Techniques
- Getting started with GAIT
And now, to kick off today’s presentation, I’d like to begin with an overview of what GAIT is and the problems that GAIT is designed to alleviate . . .
Steve: A January 2007 survey* indicated that inefficiencies exist in scoping ITGC, costs are too high for many organizations, and guidance would be highly valuable.
* 533 respondents, primarily internal auditors and IT audit managers.
Steve: More than three-quarters felt guidance would be of high value. And now, Steve, please tell our viewers about the GAIT team.
Steve: In early 2005, the IIA Technology Committee created the GAIT task force, which has held five GAIT Summits since July 2005. The GAIT Summits assembled key stakeholders from internal auditing, management, external auditing, and federal regulators.
GAIT Team’s Vision and Goals:
- To develop in 2006 a set of widely used and widely accepted guiding principles, tools, methodologies and scenarios that can be used by management and auditors to properly scope IT general controls work for financial reporting and SOX-404.
- To develop a short- and medium-term roadmap that moves the GAIT Principles from new guidance to great advice to generally accepted.
- To develop a long-term roadmap that expands the GAIT Principles from internal control objectives for just financial reporting to one that encompasses compliance with laws and regulations, operating effectiveness, etc.
The GAIT methodology examines each financially significant application and determines whether failures in the IT business processes at each layer in the stack represent a likely threat to the consistent operation of the application’s critical functionality. If a failure is likely, GAIT identifies the IT business process risks in detail and the related ITGC control objectives that, when achieved, mitigate the risks. COBIT and other methodologies can identify the key controls to address the ITGC control objectives.
In short, the GAIT methodology guides you through asking three questions in sequence:
1. What IT functionality in the financially significant applications is critical to the proper operation of the business process key controls that prevent/detect material misstatement (i.e., what is the critical IT functionality)?
2. For each IT process at each layer in the stack, is there a reasonable likelihood that a process failure would cause the critical functionality to fail, indirectly representing a risk of material misstatement (i.e., if that process failed at that layer, what effect would there be on the critical functionality? Would it cause the functionality to fail such that there would be a reasonably likely risk of material misstatement)?
3. If such IT business process risks exist, what are the relevant IT control objectives (i.e., what IT control objectives need to be achieved to provide assurance over the critical functionality)?