Gait for Business and Information Technology Risk

Abstract

Notes

1. GAIT-R is also known as GAIT ― Business and IT Risk. It is part of the family of IIA guidance products derived from the initial GAIT Methodology, which is a methodology for defining the IT general controls that should be included in an organization's assessment of internal control over financial reporting under Section 404 of the U.S. Sarbanes-Oxley Act.

2. A business impact analysis may also be called a critical systems analysis, IT risk assessment, or similar term.

3. ISACA's IT Control Objectives for Sarbanes-Oxley describes these as “IT-dependent manual controls” or “hybrid” controls.

4. GAIT-R uses a stack with four layers. This can be customized for each organization. For example, a user of this Methodology may identify a different set of four layers or use a model with a different number of layers in the stack. The number of layers and the choice of descriptions do not affect the operation of the GAIT-R Methodology.

5. To enable readers to use the Methodology section of this document without the need to reference back to the Principles, parts of the text used to explain the Principles have been repeated.

6. The GAIT-R Methodology can also be used by non-auditors to identify and assess risks, especially those related to information technology. This Methodology's reference to auditors from this point forward is intended to include other users of the Methodology.

7. ISACA's IT Control Objectives for Sarbanes-Oxley describes these as “IT-dependent manual controls” or “hybrid” controls.

8. Some IT auditors use the terms programmed procedures or programmed accounting procedures for these calculations, updating of ledger accounts, and so on.

9. Go to www.coso.org for information about the COSO ERM framework.