New Guidance Released by IIA to Help Auditors Conduct More Efficient Annual Assessments. Survey Results Indicate Need; Guidance to Possibly Reduce Compliance Costs

ALTAMONTE SPRINGS, Fla. -- Yesterday, The Institute of Internal Auditors (IIA) released long-awaited guidance providing executive management, internal and external auditors, regulators, and the IT industry with a method of identifying which IT General Controls (ITGC)(a) should be tested as a part of an annual assessment of internal controls over financial reporting. The guidance, called GAIT - the Guide to the Assessment of IT General Controls Scope Based on Risk, will help organizations and their auditors be more efficient and could possibly result in a reduction of compliance costs, such as those associated with Section 404 of the U.S. Sarbanes-Oxley Act of 2002 (SOX). GAIT comes on the heels of recent survey results (b) indicating that costly ITGC scoping inefficiencies still exist.
Today, technology is inherent in most organizational processes, many of which are complex and not fully understood by management or auditors. Although some excellent IT control and audit frameworks have emerged from various countries, until now there was no common methodology for clearly identifying ITGC that significantly impact financial reporting. This frequently has resulted in overlooking critical ITGC, as well as testing too many controls, which can be costly. GAIT provides a universal methodology designed to efficiently scope ITGC, regardless of the internal control framework used. Although GAIT is the result of 18 months of work by 30 IT audit experts, chief audit executives, and others from a broad cross-section of industries and companies, feedback from a survey taken just this past month demonstrates the need for this guidance. Of more than 500 respondents, primarily IT and internal audit management, less than three percent said their organizations and their external auditors are "extremely efficient" in their scoping of ITGC for annual assessments. Additionally, almost half felt costs related to their organization's scoping of ITGC for audit work required by SOX are too high. And a large majority (more than three-quarters of the respondents) indicated that guidance on scoping ITGC would be of high value. Several Fortune 100 companies already have adopted the guidance as a pilot program, including General Motors, Intel, and Microsoft. "Microsoft spent a lot of time and energy on its first year of SOX 404 implementation, especially for scoping ITGC," said Steve Mar, senior director of IT Audit at Microsoft Corp.
"We learned a great deal internally and from other organizations, CPA firms, and regulators. We have shared our lessons learned with others over the years and see GAIT as a means to allow others to benefit. Each organization will need to determine what is in or out of scope for its own ITGC. Using a methodology such as GAIT provides a starting point."

GAIT's four core principles are:

* Principle 1: The identification of risks and related controls in ITGC processes should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes. (What does this mean? GAIT continues the top-down approach in AS2 (PCAOB Auditing Standard No. 2), to help users identify potential failures in ITGC processes that could lead to mistakes or fraud, resulting in material errors in financial statements. GAIT also helps users identify key ITGC over those risks.)

* Principle 2: The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data. (What does this mean? Scoping ITGC for annual assessment of internal controls over financial reporting needs to address only the potential failures in ITGC processes that represent a reasonably likely risk of material error (indirectly through the controls' impact on critical IT functionality) in financial statements.)

* Principle 3: The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, database, operating systems, and network. (What does this mean? Risks must be assessed in IT activities at all levels of the infrastructure of each financially significant application.)

* Principle 4: Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls. (What does this mean? The failure of individual ITGC needs to be assessed for its impact on IT control objectives to determine whether there is a risk to critical IT functionality.)

The GAIT principles and methodology were released yesterday through a one-hour streaming video Web event attended by more than 1,600 viewers and moderated by IIA President David A. Richards, CIA. "The beauty of GAIT is that it is applicable to any environment," says Richards. "Its universal value is that it brings 'framework-neutral' options to the end-users."
GAIT's four principles and methodology are available for free download on The IIA's homepage at www.theiia.org. The presenters discussed GAIT's top-down, risk-based approach, the principles and methodology, practical tips and techniques for using the guidance (including lessons learned by Microsoft), and effective GAIT implementation. Presenters (c) included: Edward Hill
The presentation will be available for free viewing until May 4, 2007 at http://www.visualwebcaster.com/event.asp?id=37575.

Established in 1941, The Institute of Internal Auditors is a world-wide professional association for internal auditing and has more than 130,000 members in 160 countries. It serves as the internal audit profession's global voice, recognized authority, acknowledged leader, principal educator, and chief advocate. The IIA monitors legislation, regulations and pronouncements of other professional organizations throughout the world on matters that directly or indirectly impact the practice of internal auditing. It stewards and promulgates the International Standards for the Professional Practice of Internal Auditing, and issues other official guidance and comment on issues affecting the internal audit profession. The Institute also offers a variety of leading-edge professional development opportunities, a comprehensive certification program, thorough quality assessment services, benchmarking surveys, and valuable research reports and educational products through The IIA Research Foundation.

(a) IT General Controls are those controls that assure the proper operation of IT applications and automated controls, as well as controls that help to protect data and programs from unauthorized change.

(b) IIA survey: "Scoping Information Technology General Controls (ITGC)," January 25, 2007

(c) All presenters are available for interviews with the media.