An IIA survey of 895 auditors and corporate managers taken in 2007 indicates that internal audit departments are short on guidance and methods for evaluating IT controls. Almost 80% of respondents indicated that assessing IT general controls is difficult, and 98% said that more detailed guidance consistent with PCAOB AS-5 would be helpful in assessing deficiencies in IT general controls. More than half said that their methodology is not effective or only somewhat effective in identifying and assessing IT risks.
Based on the survey results, the IIA developed two new documents in its Guide to the Assessment of IT Risk (GAIT) series: GAIT for IT General Control Deficiency Assessment and GAIT for Business and IT Risk. The first guide is intended to help managers understand what constitutes a material weakness in IT general controls. Its simple decision-chart format and 6-step assessment methodology are designed to make IT general controls audits more meaningful and better linked to overall internal control objectives.
GAIT for Business and IT Risk ties together the concepts of business risk and IT risk. The idea is to provide a model for identifying key IT controls that contribute to mitigating business risk. The methodology takes a top-down approach that first identifies business objectives, then the risks to completing those objectives, and finally the IT applications and general controls that support the business objectives.
Both guides have linkages to generally accepted standards—COSO's Enterprise Risk Management Integrated Framework and PCAOB's Auditing Standard 5.
Monday, May 26, 2008