To apply GAIT most efficiently across all subsidiaries of a group, it is necessary to select the systems with the highest potential for savings on the one hand and the best chances of success on the other. Typically, these are the systems in which only little critical IT functionality is used in PLCs.
The following system classification provides input on how to prioritize systems when applying GAIT in the course of the GAIT roll-out to all subsidiaries:
- Priority 1 systems
  Systems that show the following characteristics should be prioritized when applying GAIT:
  - No financial data is processed, directly or indirectly, by this system
  - No postings or other accounting records in financial data, the general ledger or any side ledgers are made by this system or with data from this system
  - The system is not directly involved in the financial reporting process
  - Critical PLCs are performed neither directly in the system nor based on data from this system
  - Only a low number of PLC key controls is performed by this system or with data from this system
  Examples of such systems are SIEM systems, or systems providing Single Sign-On (SSO) functionality (e.g. Active Directory) to other ICS-relevant systems.
- Priority 2 systems
  Systems that have the following characteristics may be considered second:
  - Systems that are involved in the financial reporting process but do not directly process or manipulate financial data
  - Systems that are used, either directly or through data derived from them, in the execution of critical PLCs
  - Systems that do not have highly complex IT processes (e.g. only a low number of changes is performed, only administrators have write access, etc.)
  Examples of such systems are report writers, fixed asset feeder systems, logistics systems, CRM systems, or data warehouses.
- Priority 3 systems
  Systems that have the following characteristics may be considered last:
  - Systems that are critical to Internal Control over Financial Reporting (ICFR)
  - Systems that are directly involved in the financial reporting process
  - Systems through which postings are made in the general ledger or side ledgers
  Examples of such systems are ERP systems (e.g. SAP), or billing systems with accounting functionality.
Please refer to the official “GAIT Methodology” document released by the IIA for detailed information about the execution phases and the GAIT methodology itself.
For further information on internal control systems, we recommend our classroom training courses on the following topics: