Presentation on theme: "The IIA’s Authoritative Guidance"— Presentation transcript:
1 The IIA’s Authoritative Guidance PracticalImplicationsThe IPPF & the professional practice of internal auditing
2 Scope & Structural Changes PPFOrganizes all IIA guidanceIPPFOrganizes The IIA’s authoritative guidanceELEMENTSDefinitionCode of EthicsInternational StandardsPractice AdvisoriesDevelopment andPractice AidsELEMENTSDefinitionCode of EthicsInternational StandardsPractice AdvisoriesPosition PapersPractice GuidesThe new framework is the result of recommendations made by the Vision for the Future task force.In 1998, The Institute of Internal Auditors (IIA) formed a first Vision for the Future task force to assess whether gaps existed between the evolving internal audit practice and the Standards, and to identify whether the processes of standards-setting and guidance development used at that time could be improved. The new definition of internal auditing evolved from the work of this task force, along with the Professional Practices Framework (PPF), which included the “red book.” From , The IIA promulgated this guidance.In late 2005, The IIA’s Executive Committee commissioned an international steering committee and task force to review the PPF, and more specifically, The IIA’s guidance structure and related processes. This second Vision for the Future task force’s efforts focused on reviewing the scope of the framework and increasing the transparency and flexibility of IIA guidance development, review, and issuance processes. The results culminated in reengineered guidance development processes, a new International Professional Practices Framework (IPPF), and a Professional Practices Council (PPC) The PPC’s role is to set priorities for the issuance of guidance, coordinate IPPF processes and disseminate information related to its oversight activities to The IIA’s Board of Directors, various IIA international committees and staff involved with the IPPF, and internal audit stakeholders.Although the first Vision for the Future task force reviewed both content and structure, the second task force focused on enhancing the guidance structure and development processes. This process enhancement was critical for The IIA in the development of the new IPPF. It ensured simplicity and flexibility that would facilitate guidance development for internal audit practitioners for years to come, without requiring framework changes along the way. The enhancement also supports The IIA’s international stature, by demonstrating that it is following due process when developing technical guidance. This helps position The Insitute as a recognized and endorsed international standard-setting body for the internal audit profession.REMOVEDADDED
3 Contextual Changes PPF IPPF REMOVED ADDED ELEMENTS Definition Code of EthicsInternational StandardsPractice AdvisoriesDevelopment andPractice AidsELEMENTSNo changeDefinitionNo changeCode of EthicsSome changesInternational StandardsSome changesPractice AdvisoriesPosition PapersREMOVEDADDEDHowever, as the PPF was retooled into the IPPF, the opportunity was taken to make some content changes. Together with a structure changes, most of the content changes to existing PPF material are concentrated in the area of the standards and practice advisories. Position papers and Practices guides have been added.The details of those changes are developed in the rest of the presentation.Practice Guides
4 AUTHORITATIVE GUIDANCE IPPFThe International Professional Practices Framework organizes The IIA’s authoritative guidanceAUTHORITATIVE GUIDANCEMandatoryNon mandatoryStronglyrecommendedA very critical aspect of the difference between the two frameworks is the change in scope from everything published or issued by The IIA in the PPF, to AUTHORITATIVE GUIDANCE in the IPPF.Authoritative guidance has been developed following strict due process by globally composed technical committees of The IIA under the oversight of the Professional Practices Council Chair.The committees and boards reporting to the Professional Practices Council are the Internal Audit Standards Board, the Professional Issues Committee, the Advanced Technology Committee, the Board of Regents, the Committee on Quality, and the Ethics Committee.Authoritative guidance comprises:Mandatory guidance - Compliance is required and the guidance is developed following due process, including public exposure. Compliance with the principles set forth in mandatory guidance is essential for the professional practice of internal auditing.Strongly Recommended guidance - Compliance is strongly recommended and the guidance is endorsed by The IIA through formal review and approval process. It describes effective of the Code of Ethics and the Standards.
5 IPPF Definition Elements Practice Guides Practice Advisories Position PapersInternational StandardsCode of EthicsDetailed guidance for conducting internal audit activities. Includes detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, including examples of deliverables.Address approach, methodology and considerations, but NOT detailed processes and procedures.Concise and timely guidance to assist internal auditors in applying Code of Ethics and Standards and promoting good practices. Includes practices relating to: international, country, or industry specific issues; specific types of engagements; and legal or regulatory issues.IIA statement to assist a wide range of interested parties, including those not in internal auditing profession, in understanding significant governance, risk or control issues and delineating related roles and responsibilities of internal auditing.Mandatory requirements consisting of:Statements of basic requirements for professional practice of internal auditing and for evaluating the effectiveness of its performance, which are internationally applicable at organizational and individual levels. Principle-focused and provide a framework for performing and promoting internal auditing. Includes Attribute, Performance and Implementation Standards.Interpretations, which clarify terms or concepts within the Statements.Consider both Statements and Interpretations to understand and apply correctly.Statement of principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. Description of minimum requirements for conduct. Describes behavioral expectations rather than specific activities.Statement of fundamental purpose, nature, and scope of internal auditing.
6 Definition of Internal Auditing No ChangeDefinition of Internal AuditingInternal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.The definition is unchanged. It draws attention to the importance of key wordsIndependent and objective ASSURANCE: Internal auditors are primarily providing assurance on the effectiveness of Governance, risk and control processes. By doing so they already add value. The “adding value” is not limited to consulting activities.It is both ASSURANCE and CONSULTING which can add value and help improve organization’s operation (not consulting only)
7 Code of Ethics No Change Integrity Objectivity Confidentiality The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.ObjectivityInternal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.ConfidentialityInternal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.CompetencyInternal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.
8 Standards Semantic/Glossary New Standards Modifications SomeChangesStandardsSemantic/GlossaryNew StandardsModificationsInterpretations
9 Standards Terminology SemanticNew StandardsModificationsInterpretationsTerminologyPreviously, the word should was used throughout the Standards.The use of the word should represented a mandatory obligation.In the 2002 PPF Standards, the word should was used throughout. The definition in the glossary indicated that should represented a mandatory obligation.This was considered very confusing for several reasons:Why not use a word that directly depicts a mandatory requirement?Many countries translated the English should to must, because of the definition in the glossary.The word should was not necessarily understood as meaning must, by those who did not refer to the glossary.
10 StandardsSemanticNew StandardsModificationsInterpretationsThe use of should has been replaced by must, with the exception of these five Standards:Standard 1010Standard 2050Standard 2130.A2; 2130.A3Standard 2220.A2The replacement of should with must does not represent a substantial change, but removes the confusion about what is considered to be a mandatory requirement.A limited number of references to should remain in the Standards, along with a revised definition in the Glossary: Use the word “should” where conformance is expected unless, when applying professional judgment, circumstances justify deviation.Standard 1010,1010 – Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit CharterThe mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board.Standard 2050 – Coordination The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.Standard 2130.A2 – Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.Standard 2130.A3 – Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.Standard 2220.A2 – If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.Ultimately, the Internal Audit Standards Board expects to remove all references to should from the Standards.
11 Standards New terms added to the glossary SemanticNew StandardsModificationsInterpretationsNew terms added to the glossaryInformation technology controlInformation technology governanceTechnology-based audit techniquesRisk appetiteSignificanceBecause of the addition of new Standards or rewording of some existing Standards, additions have been made to the Glossary. Three of these terms refer to the world of technology.Information technology controlInformation technology governanceNew Standard 2110.A2: Assessing information technology governanceThe term, technology-based audit techniques has replaced CAATs (computer assisted audit techniques) to reflect a broader scope and evolution of technology, as well as the support technology provides to internal auditors in conducting their activity.Risk appetite - In line with the definition spelled out in COSO’s ERM, risk appetite refers to the level of risk that an organization is willing to accept.Planning InterpretationRisk Management InterpretationThe Internal Audit Standards Board wanted to clarify the meaning of the word significance as its interpretation can be widely variable; and to differentiate it from materiality.Significance: The relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors — such as magnitude, nature, effect, relevance, and impact. Professional judgment assists internal auditors when evaluating the significance of matters within the context of the relevant objectives.
12 Six New Standards ATTRIBUTE STANDARDS 1010 1111 PERFORMANCE STANDARDS SemanticNew StandardsModificationsInterpretationsATTRIBUTE STANDARDS1010Recognition of the Definition of Internal Auditing, the Code of Ethics and the Standards in the internal audit charter1111Direct interaction with the board of directorsPERFORMANCE STANDARDS2110.A2Assessing information technology governance2120.A2Evaluation of the risk of fraud2120.C3Limitation of the internal auditors’ role with the risk management scope2430Use of “conducted in conformance with the International Standards for the Professional Practice of Internal Auditing”The introduction of six new Standards is not a direct result of retooling the PPF to become the IPPF. The IASB never stops identifying gaps or revising the Standards. Some of the revisions were ready when it was time to retool the PPF. For the sake of efficiency, the IASB exposed the new Standards in conjunction with the IPPF exposure.ATTRIBUTE STANDARDSStandards 1010 and 1111 are very important additions to the Standards.1010 – Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit CharterThe mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board.This Standard is designed to elevate the awareness of IIA guidance by stating the internal audit activity’s accountability to that guidance in its charter. This helps internal auditors ensure that senior management and the audit committee are aware of their commitment to the IPPF.Standard 1010 offers a wide latitude of possibilities in terms of the reporting relationships of the internal audit activity1111 – Direct Interaction with the BoardThe chief audit executive must communicate and interact directly with the board.Regardless of the organizational configuration of an internal audit department, organizational independence requires at least the possibility of direct interaction with the board. A board is an organization’s governing body — such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee — to whom the chief audit executive may functionally report.Standard 1111 was added to clarify the minimum requirements of interaction with the oversight body of an organization.PERFORMANCE STANDARDSThree implementation Standards and one generic Standard have been added.Inclusion of a specific focus on information technology governance when considering assessing governance processes. Recognizing IT as being critical to the infrastructure and information flow of any information, the IASB wanted to draw the attention of the internal auditors specifically on IT governance.2110.A2 – The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.Fraud is another specific topic where attention is being drawn. Although the views of the IIA have notchange regarding the role of internal auditors on the topic of fraud – Internal auditors are not Fraud investigator specialists – IASB felt that it was important, in the wake of continuous scandals, around the world – to indicate more clearly the specific role of internal auditing having to evaluate the fraud risk and management fraud risk management dispositions.2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.In 2006, The IIA released a Position Paper on The Role of Internal Auditing in Enterprise Risk Management. Among the objectives for the paper was the identification of ERM activities that, if performed by the internal auditors, could impair their independence. Those limitations are now included in the Standards.2120.C3 – When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.The 1300 series provides the requirement for assessing and maintaining quality of the internal audit activity and generically states the conditions for claiming conformance with the StandardsStandard 1321– Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement.Additional guidance is provided on how to use the conformance statement when reporting on specific internal audit engagements.2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”Internal auditors may report that their engagements are “conducted in conformance with the International Standards for the Professional Practice of Internal Auditing,” only if the results of the Quality Assurance and Improvement Program support the statement.It is very important to understand the underlying ethical implications of using/claiming inappropriately conformance with the Standards.Obviously, if an audit activity is going through its Quality Assurance and Improvement Program diligently and the results are positive – there is no issue.Issues may arise if an audit activity is not conducting quality assessments or if a QA has been conducted and the results are negative. The issue is not about non-conformance per se, but in the disclosure of the information and the use of the disclaimer in that regard.The IIA would discipline members and CIAs whose report claims usage and/or conformance with the mandatory guidance of The IIA if, in fact, that claim is not supported by due evidence — in particular, a effective Quality Assurance and Improvement Program .A CAE, who states in the internal audit charter the mandatory nature of the Definition, Code of Ethics, and Standards, operates using this guidance, undergoes a QA that evidences conformance, and claims to be in conformance, behaves ethically.A CAE, who states in the internal audit charter the mandatory nature of the Definition, Code of Ethics, and Standards, operates using this guidance, undergoes a QA concluding that non-conformance exists, discloses the non-conformance to senior management and the board, and does not claim to be in conformance until conformance is reached, behaves ethically.A CAE, who state in the internal audit charter the mandatory nature of the Definition, the Code of Ethics, and the Standards, operates using this guidance, undergoes a QA concluding that non-conformance exists, but intentionally does not disclose the non- conformance to senior management and the board, and claims to be in conformance, does not behave ethically.
13 Standards Other modifications SemanticNew StandardsModificationsInterpretationsOther modificationsImproved some Standards by enhancing understanding, while preserving the original meaning. For example, the 1300 series has been reworded for enhanced clarity.Made numbering changes to the 2110, 2120, and 2130 series to reflect better logic of the relationships among the topics:2110: Governance (previously, 2130)2120: Risk (previously, 2110)2130: Control (previously, 2120)Some existing Standards have been reworded for clarity, but the original meaning or intent of those Standards has not been altered. Many of the changes are editorial in nature with better grammar and sentence structure, but no practical implications.Originally, the numbering of the Standards covering risk, control, and governance was displayed in the order as mentioned in the Definition of Internal Auditing; i.e., Risk – 2110; Control – 2120; and Governance – While the definition has not changed, the order of these three topics in the Standards was altered to better signify the actual relationships among the concepts: Governance leads to risk management, which leads to internal control.
14 StandardsSemanticNew StandardsModificationsInterpretationsInterpretations to clarify concepts within a particular statement have been added to the mandatory guidance.Nine for Attribute StandardsTen for Performance StandardsInterpretations have been added to the Standards where concept clarification — beyond glossary definitions — was needed. An integral part of the Standards, interpretations carry the same weight as the Standards.
15 Interpretation Example: 1320 – Reporting on the Quality Assurance and Improvement ProgramThe chief audit executive must communicate the results of the Quality Assurance and Improvement Program to senior management and the board.Interpretation:The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter. To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the reviewer’s or review team’s assessment with respect to the degree of conformance.This is an example of a Standard with an interpretation. The interpretation enhances the understanding of the concept, “communication of results” displayed in the Standards by clarifying:HowWhatAnd frequency
16 Practice Advisories (PAs) Significant clean-up, leading to a reduction of the number of Practice Advisories from 83 to 42.Practices Advisories have been re-written to achieve:Conciseness.Describe a method, an approach or consideration to assist internal auditors in applying a specific Standard or requirement of the Code of Ethics.The old Practice Advisories used the same language as the Standards and included the word “should.” Many practitioners viewed PAs as Standards, and considered them to be mandatory. PA style was varied, and not all PAs properly supported existing Standards. A massive clean-up was done on the Practice Advisories to remove confusion and align them with their definition.It is very important to remember that although PA’s are AUTHORITATIVE, they are strongly recommended, NOT MANDATORY.
18 PAs related to Attribute Standards 1000-1: Internal Audit Charter1110-1: Organizational Independence1111-1: Board Interaction1120-1: Individual Objectivity1130-1: Impairments to Independence or Objectivity1130.A1-1: Assessing Operations for Which Internal Auditors were Previously Responsible1130.A2-1: Internal Audit’s Responsibility for Other (Non-audit) Functions1200-1: Proficiency and Due Professional Care1210-1: Proficiency1210.A1-1: Obtaining Services to Support or Complement the Internal Audit Activity1220-1: Due Professional Care1230-1: Continuing Professional Development1300-1: Quality Assurance and Improvement Program1310-1: Requirements of the Quality Assurance and Improvement Program1311-1: Internal Assessments1312-1: External Assessments1312-2: External Assessment - Self Assessment with Independent Validation1321-1: Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”
19 PAs related to Performance Standards 2010-1: Linking the Audit Plan to Risk and Exposures2020-1: Communication and Approval2030-1: Resource Management2040-1: Policies and Procedures2050-1: Coordination2060-1: Reporting to Senior Management and the Board2120-1: Assessing the Adequacy of Risk Management Processes2130-1: Assessing the Adequacy of Control Processes2130.A1-1: Information Reliability and Integrity2130.A1-2: Evaluating An Organization's Privacy Framework2200-1: Engagement Planning2210-1: Engagement Objectives2210.A1-1: Risk Assessment in Engagement Planning2230-1: Engagement Resource Allocation2240-1: Engagement Work Program2330-1: Documenting Information2330.A1-1: Control of Engagement Records2330.A2-1: Retention of Records2340-1: Engagement Supervision2410-1: Communication CriteriaQuality of Communications2440-1: Disseminating Results2500-1: Monitoring Progress2500.A1-1: Follow-up Process
20 Position Papers Two Position Papers have been added to the IPPF: The Role of Internal Auditing in Enterprise Risk ManagementThe Role on Internal Auditing in Resourcing the Internal Audit ActivityA specific addition to The IIA’s authoritative guidance is POSITION PAPERS.Position Papers are IIA statements that delineate related roles and responsibilities of internal auditing. They assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues.An interesting feature of Position Papers is that they examine an issue impacting internal auditing in a wider context, clarify the roles and responsibilities of others, and explore the internal auditors’ relationships with those players.Position Papers are useful not just for internal auditors, but also to help others — in particular, senior management and the board others — to understand certain issues.
21 Practice Guides 11 Global Technology Audit Guides (GTAG) Guide on the assessment of IT Risk (GAIT)Additional Practice Guides will be issued regularlyPractices Guides are detailed guidance for conducting internal audit activities. It Includes detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, including examples of deliverables.At this early stage of the IPPF, all the existing GTAG and the GAIT methodology have been retooled in Practices guides. It does not mean that practice guide will be systematically technology oriented. Overtime, practice guides touching on any topics in the standards can and will be developed.The next 10 slides provides an overview of the content of the existing guides.
22 GTAG-1 Information Technology Controls Understanding IT controlsImportance of IT controlsOrganizational roles and responsibilities for ensuring IT controlsAnalyzing risksMonitoring techniquesIT control assessment
23 GTAG-2 Change and Patch Management Controls: Critical for Organizational Success Why IT change and patch management controls are foundational to a healthy IT environmentHow IT change and patch management controls help manage IT risks and costsWhat works and doesn’t work in practiceSources of change and the likely impact on business objectives
24 GTAG -3 Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment Role of continuous auditing in today’s internal audit environmentRelationships among continuous auditing, continuous monitoring, and continuous assuranceThe application and implementation of continuous auditingBenefits of a continuous, integrated approach
25 GTAG-4 Management of IT Auditing Defining ITIT-related RisksDefining IT Audit UniverseExecuting IT AuditingManaging IT AuditingEmerging Issues
26 GTAG-5 Managing and Auditing Privacy Risks What is PrivacyPrivacy Principles and FrameworksPrivacy Impacts and Risk ModelPrivacy ControlsGood and Bad PerformersInternal Auditing's RoleAuditing PrivacyCAE's Top 10 Privacy Questions
27 GTAG-6 Managing and Auditing IT Vulnerabilities Defining the vulnerability management lifecycleThe scope of a vulnerability management auditOrganizational maturityMetrics to measure vulnerability management practicesTop 10 vulnerability management questions
28 GTAG-7 Information Technology Outsourcing Choosing the right IT vendorWhat are the best ways to manage outsourcing contract agreements?What are the main outsourcing risks and how can you mitigate them?Key outsourcing control considerations from the standing points of both client operations and service provider operationsWhich is the most effective framework for establishing outsourcing controls?
29 GTAG -8 Auditing Application Controls What is application control and what is the relationship between application control and general controls?Why rely on application controls?How do you scope a risk-based application control review?What are the steps to conduct an application controls review?A list of key application controls and a sample audit program
30 GTAG-9 Identity and Access Management The process of managing who has access to what informationNot only IT, but a cross-organizational processInternal auditor has a role.Key IAM conceptsRisks associated with IAM processDetail guidance on how to audit the IAM processA sample checklist for auditors
31 GTAG-10 Business Continuity Management Restoring critical business processes after a disaster Management supportRisk assessmentBusiness Impact analysisBusiness recovery and continuity strategyDisaster recovery for ITAwareness, training, and testingBCM program maintenanceCrisis communicationCAEs have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although recent disasters around the world have motivated some corporate leaders to pay attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program as well as an executive sponsor who has the time to ensure its success. This guide will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.
32 GTAG-11 Developing the IT Audit Plan The audit plan is the weakest link…Understanding the organization and how IT supports itDefining and understanding the IT environmentUsing risk assessment to determine the IT audit universeFormalizing the annual IT audit planExecuting the steps necessary for developing the IT audit plan
33 Guide to the Assessment of IT Risk (GAIT) GAIT Methodology – top-down risk-based scoping methodologyGAIT for IT General Control Deficiency Assessment - help assess IT general controls deficiencies identifiedGAIT for Business and IT Risk – help identify critical aspects of IT processesWhat is GAIT?:Provides a methodology that both management and auditors can use in their identification of key controls within ITGC as part of and a continuation of their top-down and risk based scoping of key controls for ICFR.GAIT is a structured reasoning process that can be tailored to an organizations internal language, etc.The business process risks and related key controls identified by the top-down and risk-based approach are its starting point. Those risks to the financial statements are taken to the next level using GAIT analysis: identifying risks within IT business processes where a controls or security failure could lead to a controlsThe IIA released the GAIT Methodology, the first practice guide in its Guide to the Assessment of IT Risk (GAIT) series in January This document provides a methodology to help organizations identify the key IT general controls (ITGCs) needed for an efficient and effective scope of work for Section 404 of the U.S. Sarbanes-Oxley Act of 2002.In March 2008, the IIA followed with two new guides:GAIT for IT General Control Deficiency Assessment provides an approach for assessing any IT general controls deficiencies identified during the annual assessment of internal control over financial reporting.GAIT for Business and IT Risk focuses on identifying the critical aspects of IT processes that are essential to the management and mitigation of business risk.
34 Practice Guides In the pipeline: Fraud Detection in an Automated World (2009)Auditing IT Projects (2009)Security Management: Audit Security Governance (2009)Entity Level IT Controls (2010)Auditing User Developed Applications (2010)Thies are the GTAG whose development as already been approved. Other guides will be developed on various other topics. The working plan of the Technical area of te IIA is available and accessible under the guidance page of the web site: