Institute of Internal Auditors Issues Information Technology Guidance for Internal Control Audits

The IIA recently published guidance for management, internal and external auditors, regulators and others a method for determining which general controls related to information technology (IT) should be tested to insure suitable internal control (IC) for annual financial reporting purposes. GAIT (Guide for Assessment of Information Technology general controls) has four core principles: [1] identification of IT risks and controls should be determined with similar techniques used to determine key internal control risks for other facets of the organization, [2] auditors need to identify as IT process risks the processes which affect critical functionality in financially significant applications, [3] risk level needs to be assessed at various level of IT, such as program code, database, systems and network and [4] IT control risks are best mitigated through achievement of IT control objectives as opposed to individual control activities. A streaming video of the presentation is available at no charge until early May at http://www.visualwebcaster.com/event.asp?id=37575.

Bloggers such as Big 4 Guy and Tech Gap probably are better prepared than I to fully explain the ramifications of this announcement. At minimum, however, this statement appears to provide useful guidance for audits of information technology systems as part of an internal control evaluation.