
GAIT for IT General Control Deficiency Assessment

What is GAIT for IT General Control Deficiency Assessment?

GAIT for IT General Control Deficiency Assessment, or GAIT 2, provides an approach for evaluating IT general controls deficiencies identified during the annual assessment of internal control over financial reporting. GAIT 2 provides a platform for internal auditors to use in discussing their deficiency assessment with external auditors, management, and others.

In addition, GAIT 2 builds on the guidance provided in A Framework for Evaluating Control Exceptions and Deficiencies, a methodology developed in 2004 by nine certified public accounting firms that has guided management and internal and external auditors in assessing deficiencies in their organization's system of internal control over financial reporting. GAIT 2 incorporates three years of practical experience applying this guidance, and addresses the extensive changes to the standards and practices related to assessments of Section 404 that have occurred in that time.

Who Is It For, and How Can It Help You?

This practice guide provides an updated approach to the assessment of IT general control deficiencies, helping auditors or management assess whether those deficiencies represent material weaknesses or significant deficiencies.

GAIT 2's assessment process consists of 10 steps that are based on six principles. These principles are:

  1. To assess ITGC deficiencies, it is necessary to understand the reliance chain between the financial statements and the key ITGCs that have failed.
  2. For there to be a material weakness, two tests have to be met: a) likelihood and b) impact (i.e., the potential misstatement of the financial statements).
  3. Because an ITGC deficiency does not directly affect the financial statements, the assessment is similarly not direct. The assessment is in stages or steps, and the likelihood and impact tests are applied across a combination of the steps.
  4. All ITGC deficiencies that relate to the same ITGC objective should be assessed as a group.
  5. All ITGC objectives that are not achieved and relate to the same key automated controls, key reports, or other critical functionality should be assessed as a group.
  6. The principle of aggregation requires that control deficiencies of all types — including manual and automated control deficiencies related to the same significant account or disclosure — be considered as a group.
