Rightsizing your IT ICS with GAIT
The IT Scoping Problem
Internal Control Systems (ICS) are all about controlling risk. Enterprise Risk Management decides how to treat a given risk primarily on the basis of its risk exposure, the product of the probability of an incident occurring (also called "likelihood of occurrence": how likely a specific risk is to materialize within a defined timeframe) and the incident magnitude (sometimes called "impact"), i.e. the potential loss.
Some compliance regulations now require that business processes (e.g. financial reporting processes in the case of SOX) be controlled so that the aggregate risk exposure across all business processes affected by the requirement is reduced (not eliminated) to a level at which the continued operation of the business is not endangered. This entails a detailed risk assessment of all business processes involved and of the IT systems that support them.
While this risk assessment is complicated but manageable from a business process perspective, it is much harder from an IT systems perspective. For example, when it comes to assessing the risk exposure that a weak admin password on a network switch poses to the financial closing process in SAP, traditional risk assessment strategies fail from both the business process and the IT systems perspective: the link between the technical weakness and a misstatement runs through several IT layers and a chain of business controls, and neither perspective alone can follow it.
Rightscoping IT controls using GAIT
The GAIT risk-based scoping approach provides a more precise and targeted method for deriving IT risks, control objectives and, finally, IT general controls than traditional IT scoping approaches. It builds on the existing ICS framework of process-level controls (PLCs) to identify the IT functionality those controls rely on, determine its criticality, and derive the applications and systems that are in SOX scope.
The Guide to the Assessment of IT General Controls (GAIT) has been developed by the Institute of Internal Auditors (IIA) together with audit firms to respond to the challenges when defining the systems scope and IT General Controls (ITGCs) scope for the annual assessment of Internal Control over Financial Reporting (ICFR). Recently it has been included in the International Professional Practices Framework (IPPF) that defines the professional standards for internal auditors when conducting an internal audit.
GAIT extends the risk-based, top-down approach recommended by PCAOB AS 2201 to ITGCs, which ensures adequate risk coverage for PLCs and ITGCs alike. Using this approach to identify relevant systems and IT control objectives within ITGC processes gives reasonable assurance that
- only relevant controls are in scope, and
- controls that are not relevant are left out of scope, avoiding unnecessary cost.
This risk-based ITGC scoping approach yields both a system scope and an ITGC scope, and tailors the IT control framework so that its risk coverage matches the actual risk: it avoids both insufficient coverage and the implementation and execution of excess controls in the IT part of the ICS.
The following core principles are applied when implementing the risk-based scoping approach:
1. The identification of risks and related controls in IT general control processes (e.g. change management, deployment, access security, operations) should be a continuation of the top-down, risk-based approach used to identify significant accounts, the risks to those accounts, and the key controls in the business processes.
2. The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
3. The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and network.
4. Risks in IT general control processes are mitigated by the achievement of IT control objectives, not by individual controls.
The GAIT Methodology
The risk-based scoping methodology continues where the identification of (process-level) controls according to PCAOB AS 2201 (colored light-blue in the picture on the right) leaves off. It starts by identifying the critical IT functionality used in those PLCs, whether as a report or other information produced by the entity (IPE), directly, or even indirectly ("other critical IT functionality").
After the critical IT functionality has been grouped by application/system, the list of systems used by the PLCs is the first outcome of risk-based scoping: the systems scope.
For each system in SOX scope, the ITGC process risks and the related control objectives are then determined by applying the risk-based scoping approach, i.e. by assessing the risk at each ITGC layer and in each control domain.
Controls in ITGC processes do not relate directly to the risk of material errors in the financial statements. Individual ITGCs provide assurance that the relevant IT control objectives are achieved; those control objectives provide assurance that critical IT functionality operates consistently; that critical IT functionality is required for the SOX key controls in the business processes (the PLCs) to operate consistently; and those key controls are required to prevent or detect material errors in the financial statements. The key question to ask is therefore: "Will a failure of this IT functionality indirectly (by affecting PLCs) result in an undetected material error in the financial statements?"
Once all required control objectives have been identified, the IT general controls that address them are defined.
Finally, a "reasonable person review" is conducted to assure the quality and consistency of the final set of ITGCs to be implemented.
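Modelled as code, the steps above become a walk from key controls down to control objectives. The following is an added illustration, not the IIA's methodology document or any GAIT tooling: the accounts, systems, key controls, the 1 to 3 likelihood and magnitude scales, the exposure threshold, the domain names and the `independently_verified` flag (marking functionality whose output an independent manual control re-performs, so its failure would not go undetected) are all constructed assumptions for the example. Only the four IT layers follow principle 3 above.

```python
"""Top-down ITGC scoping in the spirit of GAIT (added illustration).

The inventory, risk ratings, threshold and domain names are constructed
assumptions; only the four IT layers follow the page (principle 3).
"""
from collections import defaultdict
from dataclasses import dataclass

LAYERS = ("application", "database", "operating_system", "network")


@dataclass(frozen=True)
class ITFunctionality:
    name: str
    system: str
    kind: str                              # "report_ipe", "direct" or "indirect"
    independently_verified: bool = False   # an independent manual PLC would catch its failure


@dataclass(frozen=True)
class KeyControl:
    name: str
    account: str
    depends_on: tuple                      # ITFunctionality the control relies on


@dataclass(frozen=True)
class LayerRisk:
    system: str
    layer: str
    domain: str
    likelihood: int                        # 1 (remote) .. 3 (likely), assumed scale
    magnitude: int                         # 1 (minor) .. 3 (material), assumed scale

    @property
    def exposure(self) -> int:
        return self.likelihood * self.magnitude


def critical_functionality(key_controls):
    """Step 1: functionality whose failure could leave a material error
    undetected. Output that an independent manual control re-performs or
    reconciles is not critical and does not pull its system into scope."""
    return {f for kc in key_controls for f in kc.depends_on
            if not f.independently_verified}


def systems_in_scope(key_controls):
    """Step 2: group critical functionality by system (the systems scope)."""
    by_system = defaultdict(set)
    for f in critical_functionality(key_controls):
        by_system[f.system].add(f.name)
    return {s: sorted(n) for s, n in sorted(by_system.items())}


def control_objectives(in_scope, layer_risks, threshold=4):
    """Step 3: per in-scope system, the (layer, domain) pairs whose exposure
    meets the threshold become control objectives (principle 4: objectives,
    not individual controls). Out-of-scope systems are skipped even when
    their own exposure is high."""
    objectives = defaultdict(list)
    for r in layer_risks:
        if r.system in in_scope and r.exposure >= threshold:
            objectives[r.system].append((r.layer, r.domain, r.exposure))
    return {s: sorted(v, key=lambda t: -t[2]) for s, v in objectives.items()}


def reasonable_person_review(in_scope, layer_risks, objectives):
    """Step 4: consistency findings a reviewer would raise."""
    findings = []
    assessed = {(r.system, r.layer) for r in layer_risks}
    for s in in_scope:
        if s not in objectives:
            findings.append(f"{s}: in scope but no ITGC objective derived")
        findings += [f"{s}: {layer} layer not risk-assessed"
                     for layer in LAYERS if (s, layer) not in assessed]
    return findings


# Constructed sample inventory for a revenue close (not real data).
GL_POSTING = ITFunctionality("automated GL posting", "ERP", "direct")
AGING = ITFunctionality("AR aging report", "ERP", "report_ipe", True)
FX_FEED = ITFunctionality("FX rate import job", "TREASURY", "indirect")
WORKBOOK = ITFunctionality("accrual workbook", "SHAREDRIVE", "report_ipe", True)
KEY_CONTROLS = (
    KeyControl("Journal entry approval", "Revenue", (GL_POSTING,)),
    KeyControl("AR reserve review", "Receivables", (AGING,)),
    KeyControl("FX revaluation review", "Revenue", (FX_FEED, WORKBOOK)),
)
LAYER_RISKS = (
    LayerRisk("ERP", "application", "change_management", 3, 3),
    LayerRisk("ERP", "application", "access_security", 2, 3),
    LayerRisk("ERP", "database", "access_security", 2, 3),
    LayerRisk("ERP", "operating_system", "operations", 1, 2),
    LayerRisk("ERP", "network", "access_security", 1, 1),
    LayerRisk("TREASURY", "application", "change_management", 2, 2),
    LayerRisk("TREASURY", "database", "access_security", 1, 2),
    LayerRisk("SHAREDRIVE", "operating_system", "access_security", 3, 3),
)


def run_scoping(key_controls=KEY_CONTROLS, layer_risks=LAYER_RISKS):
    in_scope = systems_in_scope(key_controls)
    objectives = control_objectives(in_scope, layer_risks)
    return in_scope, objectives, reasonable_person_review(in_scope, layer_risks, objectives)


if __name__ == "__main__":
    scope, objectives, findings = run_scoping()
    print("systems in scope:", scope)
    print("control objectives:", objectives)
    print("review findings:", findings)
```

Two things the run shows that the prose only states: the SHAREDRIVE host carries the highest layer exposure in the inventory yet stays out of scope, because the only key control that touches it re-performs the workbook manually (the "weak password on a switch" situation from the opening section), and the review step flags that TREASURY was never assessed at the operating-system and network layers, which is exactly the kind of gap a reasonable-person review is meant to catch before controls are finalized.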
Please refer to the official “GAIT Methodology” document released by the IIA for detailed information about the execution phases and the GAIT methodology itself.
Applying GAIT to scope and implement the IT part of an Internal Control System keeps both the implementation and the operating effort for the ICS at a reasonable level: the targeted, risk-based scoping methodology allows control effort to be reduced in low-risk IT areas while maintaining adequate risk coverage for IT systems with high risk exposure.