Getting Started with GAIT
By Jack Bess, KnowledgeLeader contributing writer
May 28, 2007
On a February 7, 2007 Institute of Internal Auditors (IIA) webcast, panelists offered practical tips and techniques for using GAIT to scope IT controls for SOX compliance and for implementing GAIT effectively. The Sarbanes-Oxley Act (SOX) of 2002 is clear in its mandate that companies annually assess their internal controls over financial reporting. Companies have found that the precise scope of that assessment is less clear. “You would be surprised how many times this question comes up in audiences: ‘Where can I get a list of the key controls I need to have for IT general controls?’” says Norman Marks, vice president of internal audit at Business Objects, S.A., a software developer based in San Jose, Calif. “But if you follow the approach of ‘Where is the standard list?’ you are not necessarily going to get the right ones.” Marks is part of a core team at The Institute of Internal Auditors (IIA) that has helped develop a methodology and set of principles to help organizations define the scope of the control assessments mandated by Section 404 of SOX. That methodology, the Guide to the Assessment of IT General Controls Scope (GAIT), aims to provide a structured reasoning process companies can use to scope the controls that ensure the accuracy of their financial statements.

Making the business case for GAIT

GAIT offers much-needed guidance through the confusing web of financial, IT, fraud, operational and other types of controls, says David Richards, IIA president. Explaining how that guidance can result in a cost-effective and efficient scoping process is a key case to be made when seeking executive buy-in and reporting to the audit committee. It is relatively easy for a company to focus on application controls while ignoring the general controls that “sit in the background” but “cut across” the application controls, Richards says.
For example, an accounts payable application might have specific automated controls, but those automated controls “might rely on some general controls in the IT area to make them effective,” Richards adds. If you are going to rely on automated controls, then you have to test the general controls if you want a proper assessment, he says. Under the structured reasoning of GAIT, a company takes a top-down, risk-based approach that identifies key financial accounts, looking at the risks around those accounts and the controls mitigating those risks, and determining the controls to be tested. “Many organizations have been struggling over the last three years with the process of trying to get that list of key controls down to a manageable amount,” Richards says. “It is an ominous task when you look at the amount of work that needs to be done to satisfy yourself that those key controls you are relying on for financial accuracy are in place, working and accomplishing their objectives.” Streamlining the scoping process will save companies the time, effort and cost of identifying and testing controls that do not need to be tested. Spending an undue amount of resources on a control assessment is a problem for many companies, according to IIA officials.
“Many organizations are diverting a lot of their resources to look at this area, to the detriment of others,” says Heriot Prentice, The IIA’s director of technology practices. “We want to see GAIT being used to allow people to scope their work properly, to work more efficiently and effectively, and allow them to do their other duties they may be ignoring.” Based on what he called “very informal research at my own company,” Marks says he estimated that $5,000 to $10,000 could be spent on testing a single key control. “So if a company is able to drive 20 key controls out-of-scope by using GAIT, that is a fair amount of money,” he says. The significant benefits associated with GAIT result from the methodology and four core principles that fine-tune the organization’s scoping process. The four GAIT principles are:

1. Identification of risks and related controls in IT general control processes (e.g. in change management, development, security, or operations) should be a continuation of the top-down and risk-based approach used to identify significant accounts and key controls in the business processes.
2. The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
3. The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems and network.
4. Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.

These are not radically new ideas, says Ed Hill, a Protiviti managing director and member of The IIA team that developed GAIT. What is new is organizing them into a 40-page conceptual framework accompanied by a template and matrix that can be used to document the thought process that results in the project scope, Hill says.
“One of the things people lacked before GAIT was a way to explain (to upper management and the audit committee) what the scope was around IT efforts,” Hill says. “That is something important that GAIT brings to the table – documentation of the rationale on what is and what is not in scope around the IT areas.” Being able to document and clearly communicate the rationale helps the audit committee review the results, Hill says. How deeply involved the committee will want to be in the details of the scoping process will vary from company to company, but, at the very least, the GAIT documentation promotes a higher level of understanding and assurance that management has carefully identified, tested, and verified the key controls, Richards says. “That is really the business case: to rationalize and understand that you are doing only the work and applying the resources you need to sign-off on your 404 assessment,” Hill says.

Microsoft sharpens focus

The formal GAIT methodology was not available in 2005, which was Year One of the SOX Section 404 compliance process at the Microsoft Corp. However, the computer-technology giant scoped and assessed its IT general controls using the Control Objectives for Information and Related Technology (COBIT) framework along with a reasoning process analogous to GAIT, says Steve Mar, Senior Director of IT Audit at Microsoft. Some of the principles and components of the process Microsoft went through are now in the GAIT document, says Mar, who is team leader of The IIA’s GAIT Core Team. The process began with deciding to take a top-down, risk-assessment approach, he says. “As you do a top-down, risk assessment, it is key that you understand what the residual risk is,” says Mar. “That will help give you guidance as to whether you want to scope something in or out. It will also provide you some level of detail as you document your rationale about something being in or out-of-scope for SOX 404 purposes.
The question is: If there is a control failure, will it create a failure at the application or the infrastructure level that will cause a material misstatement of the financial statements?” Mar outlined some of the steps that Microsoft took in Year One:

· Gather the team: To ensure that the right skill sets and competencies were engaged in the SOX 404 process, personnel with the appropriate financial, operational and IT skills were assigned to the Financial Compliance Group (FCG) Project Management Office.

· Ensure tone-at-the-top: “SOX mandates that a company's CEO and CFO be involved in SOX 404 compliance, but at Microsoft, Chief Information Officer Stuart Scott was also deeply involved and brought enormous value to the process,” Mar says. “Scott helped set a tone that communicated managing controls and IT governance are vital components of doing business.” “Having Stuart make that message clear to the folks in IT meant it was very clear and straightforward on what everyone needed to do to support the 404 process,” Mar says. “Some people see the 404 process as something you have to do, that it is a lot of work for nothing and that there is no value. We looked at it as an opportunity. The principles behind having good systems and good controls are really just smart business. If you are smart doing business, you will be smart in satisfying your external customers’ requirements and needs.”

· Set up communications: “The FCG put together a plan to facilitate communication internally and externally. Internally, the group periodically met with the CEO, CFO, the audit committee, and other executives and managers to inform them about 404 progress and provide them with statistics and other data,” Mar says. The meetings were “a good, solid explanation of our process, how we were getting there, the metrics we were using to measure what we were doing and determining our endpoint,” Mar says.
“Communication between Microsoft and the external auditors was also fundamental to the 404 process. Those discussions help ensure that the scoping process is built on a solid, well-reasoned foundation.” “A good, trusted relationship with your external auditor will make your scoping process that much better, that much easier to understand, and you will be able to work together to figure out some challenging things and document your rationale,” Mar says. “You create ITGC objectives, making sure those are all clear. You deal with some of the more difficult, challenging applications and infrastructure (issues); and because you have a good working relationship, you can talk about these things. For example, one of the big conversations in Year One was whether we should include certain applications like the budgeting and forecasting component we use at Microsoft, and whether that was in scope or out-of-scope.”

· Inventory business applications: “It was not unusual for companies in Year One to spend a great deal of time and effort in identifying and scoping business applications. The task was much easier at Microsoft, where Microsoft Applications (MS Apps) software was used to list the company’s 2,000 to 3,000 business applications,” Mar says. “That inventory also collected information on each application, such as whether it had ever been updated or given a security review,” he adds. “It was very handy for us to have all that information in one place. It is a real time-saver because it allows you to decide which applications are in scope or out-of-scope.” Working with the list, the team initially reduced it to around a hundred applications and processes key to SOX 404 compliance. Over the years, the number of in-scope applications has been reduced to fewer than seventy.
A key step here was to identify the business areas with the most significant accounts – i.e., which have the most revenue, the most expenses, and so on – then determine which applications are associated with those accounts, he says. “Once you have that link, you can determine the infrastructure that supports that application,” Mar says. “We looked at where those applications were housed; what servers they were on; and which data centers they were functioning in. We looked at the inherent and residual risk of the IT general controls at the OS level, the network, the database and the data centers. By doing that, it allowed us to link everything from the business process down to the IT infrastructure.”

· Training the testers: “After scoping the controls, the FCG held training sessions for personnel who would be performing the tests. The training on 404 compliance was carried out not only in the U.S. but also at Microsoft subsidiaries in Europe and Asia,” says Mar. “The 404 process spanned several continents, which made it all the more important that the FCG have a strong communications capability to track any events that might impact the compliance effort. For example, a turnover in staff might mean that personnel assigned to the testing might be only partially trained.”

“Ultimately, using a GAIT-like reasoning process at Microsoft brought a heightened understanding of the business itself,” Mar says. “Apart from helping the team identify the applications and infrastructure systems that are critical to Microsoft’s operations, the initiative contributed to IT process maturity.” “The process allowed us to know where our critical business processes and critical applications are and based on that, IT management can do a number of things,” according to Mar. “They can make better and smarter decisions about their strategy.
They can better know the processes that support what they have now, therefore make better judgments about how they would improve the process.”

A living document

Of course, Sarbanes-Oxley is only one among a host of regulatory mandates that an organization might have to respond to, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, and various stock-exchange requirements. With its focus on IT general controls and financial reporting, GAIT has been developed and promoted for SOX 404 efforts, but IIA officials say the structured reasoning of its methodology and its core principles might be adapted to serve other regulatory mandates. “GAIT can work with many frameworks, like COBIT; and as we go forward, we will develop GAIT for various other business areas and applications,” Prentice says. “You would be able to apply GAIT to HIPAA and different regulations, but not in its current form. We would need to devise a separate methodology, but certainly the four principles could apply in those other areas. We have just not looked at that as yet.” In the meantime, The IIA is very interested in learning about organizations’ experiences in applying GAIT. Its website (www.theiia.org), where the methodology and supporting documents can be downloaded, has a feature called Dr. GAIT, where people can post questions and receive replies from The IIA. Richards and Prentice say the question-and-answer function and the request for feedback reflect The IIA’s goal of making GAIT a practitioner guide that is as clearly understandable and useful as possible. “We see the methodology as a living document,” Prentice says. “As we progress and people use GAIT, they will come back to us and say, ‘This worked’ or ‘This did not work,’ and we will use that feedback to tweak it and provide the best guidance we can.”
Article from Protiviti KnowledgeLeader – www.knowledgeleader.com.
KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk, and add value. Free 30-day trials available.
Protiviti is a leading provider of truly independent internal audit and business and technology risk consulting services. We help clients identify, measure and manage operational and technology-related risks they face within their industries and throughout their systems and processes. And we offer a full spectrum of audit services, technologies and skills for business risk management and the continual transformation of internal audit functions.
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.