Skip Ribbon Commands
Skip to main content

GAIT for Business and IT Risk

What is GAIT for Business and IT Risk?

GAIT for Business and IT Risk, or GAIT-R, focuses on identifying the key controls that are essential to achieving business goals and objectives.

Who is it for?

GAIT-R was developed primarily for internal audit practitioners. It also can be used by IT governance and security managers or those who are charged with designing and managing IT risks within their organizations.

How Can it Help You?

GAIT-R improves the efficiency and effectiveness of internal audit functions by enabling a focus on business risk and minimizing attention to IT risks that are not critical to the organization. It enables chief audit executives (CAEs) to provide assurance on business risk with the comfort that IT-related issues are given the appropriate level of consideration.

Similarly to the other practice guides in the GAIT series, the GAIT-R methodology is built around a set of principles:

  1. The failure of technology is only a risk that needs to be assessed, managed, and audited if it represents a risk to the business.
  2. Key controls should be identified as the result of a top-down assessment of business risks, risk tolerance, and the controls — including automated controls and IT general controls (ITGCs) — required to manage or mitigate business risk.
  3. Business risks are mitigated by a combination of manual and automated key controls.
  4. To assess the system of internal control to manage or mitigate business risks, key automated controls need to be assessed.
  5. ITGCs may be relied upon to provide assurance of the continued and proper operation of automated key controls.

This methodology also delivers a scope that is based on the risks to each identified business objective, which includes manual key controls within each business process; automated and hybrid key controls within each business process; key controls within ITGC processes; and controls at the entity level, including activities in the control environment, information and communication, and other layers of COSO's internal control model.

Downloads and Links

GAIT for Business and IT Risk
GAIT for Business and IT Risk (Turkish/Türkçe)
Case Studies of Using GAIT for Business and IT Risk to Scope PCI Compliance
Following the GAIT-R principles and methodology, this paper provides two case studies of applying GAIT-R to PCI compliance.


An updated edition of the International Professional Practices Framework (IPPF) guide, more commonly known as the Red Book, is now available. Visit the IIA Bookstore for more information.