Institute proposes IT principles

The Institute of Internal Auditors’ (IIA) Advanced Technology Committee in
the US has developed an exposure draft of Generally Accepted IT Principles
(GAIT) to help internal auditors and management evaluate and manage IT risks
related to specific internal control objectives, such as those over financial

The document contains detailed guidance to help management and internal
auditors define the scope of work and support their conclusions for IT-related
internal control objectives, such as those described in the Committee of
Sponsoring Organisations of the Treadway Commission’s (COSO’s) internal control
framework. COSO is a voluntary organisation dedicated to improving the quality
of financial reporting through business ethics, effective internal controls and
corporate governance.

Although not considered a control framework, GAIT will supplement frameworks
like COSO and provide information to appropriately identify and link internal
control objectives, assertions, risks and controls for IT-related risks. It will
also add value to a company’s top-down, risk-based approach to assessing
controls over financial reporting for compliance with the US Sarbanes-Oxley Act
of 2002.

The IIA says that these IT principles are needed because the IT portions of
section 404 of the US Sarbanes-Oxley Act have frustrated both auditors and
management. Significant key controls reside inside IT and IT processes, as well
as in the business processes, the IIA says, but there is no well-established
guidance for scoping IT work, so the compliance and review process has been
inconsistent and overly subjective.

Indeed, the lack of robust IT principles has sometimes resulted in
organisations taking an overly broad scope when reviewing IT compliance and
excessive testing costs, says the IIA. It also says that an absence of such
principles and a uniform approach to IT auditing can produce significant risks
to financial assertions and a poor use of resources.

Need for guidance

The IIA says that there is no clear guidance to define how IT processes and
activities can invalidate financial application processing or financial
assertions. While COSO provides an accepted construct for defining overall
internal control objectives, assertions, risks and controls, its application to
the IT environment is ambiguous, says the IIA. The professional body adds that
COBIT, an IT audit standard developed by the Information Systems Audit and
Control Association in the US, does not provide a clear mechanism to scope IT
processes and controls to the achievement of specific internal control
objectives, such as COSO’s objective for internal control over financial

The IIA says that its GAIT principles define constructs of “IT assets” and
the three types of transactions that affect them. The IIA says that the
principles will:

• Enable auditors and management to appropriately identify and link
assertions to IT activities and processes, and then appropriately scope relevant
IT controls work;
• Provide a common context for management and auditors to support and test
management’s assessment that the necessary IT controls exist and are effective;
• Extend to evaluating operating effectiveness and complying with laws and
regulations (as defined by COSO), while primarily assessing internal control
objectives for financial reporting.

The six GAIT principles are: 

1. IT exists only to support the business;

2. IT assets are the application code and executables, interfaces,
configurations, software and hardware settings that make IT run;

3. An IT asset will continue to operate consistently until acted upon by a

4. Three types of transactions affect IT assets: change, entitlements and

5. For an overall internal controls assertion (such as financial reporting
completeness and cutoff) for a given process or business objective, an IT asset
is in scope if, and only if, a change to it could invalidate that assertion; and

6. For all IT assets in scope, management tests and makes assertions (for
example, completeness, accuracy, and so on) on the three types of IT
transactions, which management’s assessment on internal controls is reliant

Business risk analysis

Since all operational and financial reporting processes use IT assets
(applications, databases, operating systems, networks and related
infrastructure), the IIA says that it is imperative to include an IT controls
assessment in the business risk analysis.

GAIT’s principles-based approach helps an organisation determine how deep and
how wide it must go to assess the effectiveness of IT controls in a risk-based
manner. GAIT’s goal is to provide prescriptive guidance that can help
organisations create a sustainable IT controls compliance plan, considering
scope and cost by:

• Addressing how IT risk relates to business objectives;
• Facilitating a top-down, risk-based approach for scoping risk and control;
• Creating a transactional view of key IT processes and controls;
• Linking overall business control objectives to IT risks and controls;
• Defining critical controls analogous to conventional transactional business
process controls; and
• Providing a flowchart to help establish whether there is a reasonable risk
that changes to IT assets may invalidate overall control assertions, such as
financial statement assertions.

The proposal walks the reader through a set of business process scenarios
showing how GAIT can be used to determine the appropriate scope for two COSO
internal control objectives: financial reporting and operating effectiveness. It
also includes a detailed glossary of IT-related terms, as well as a series of
frequently asked questions to help clarify GAIT-related issues, such as how GAIT
can add to what is already included in COBIT.