GAIT - A guide to evaluating the scope of IT general controls through a top-down and risk-based approach (05.03.07)
GAIT Methodology

The IIA has now launched the GAIT methodology, a guide to evaluating the scope of IT general controls through a top-down and risk-based approach. The GAIT methodology is based on the IIA's GAIT principles (included in the document).
Download the GAIT methodology here.

More about GAIT from the IIA can be found here.

EXECUTIVE SUMMARY
A major challenge facing both management of organizations and their independent auditors is defining an effective and efficient scope for the annual assessments of internal control over financial reporting (ICFR) required by Section 404 (“§404”) of the Sarbanes-Oxley Act of 2002.
The U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) have recommended a top-down and risk-based approach to defining §404 scope and related key controls. That recommendation has been made, and generally accepted, as it enables an efficient assessment that is focused on the more likely and significant risks to financial reporting.
Guidance has been provided by organizations such as the Institute of Internal Auditors (IIA) and the PCAOB relative to the identification of key controls at the business level. Additional guidance has also been published by organizations including the Information Systems Audit and Control Association (ISACA) relative to the assessment of controls within IT organizations. However, there remains less certainty about how the scope of work related to controls within IT organizations (IT general controls or ITGC) should be determined using the recommended top-down and risk-based approach.
If ITGC key controls (which exist within ITGC processes) are not identified as part of a top-down and risk-based approach that starts at the financial statement and significant account level and flows down to ITGC, there is a risk that:
• Controls may be assessed and tested that are not critical, resulting in unnecessary cost and diversion of resources
• Controls that are key may not be tested, or may be tested late in the process, presenting a risk to the assessment or audit
This Guide to the Assessment of IT General Controls Scope based on Risk (GAIT) provides a methodology that both management and external auditors can use in their identification of key controls within ITGC as part of and a continuation of their top-down and risk-based scoping of key controls for ICFR. It is consistent with the methodology described in the PCAOB’s Auditing Standard Number 2 (AS/2), the SEC’s proposed interpretive guidance (published in December 2006), and the IIA’s “Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners” (§404 Guide).
GAIT is a structured reasoning process that can be tailored for an organization. The business process risks and related key controls identified by the top-down and risk-based approach are its starting point. Those risks to the financial statements are taken to the next level using GAIT analysis: identifying risks within ITGC processes where a controls or security failure could lead to a controls failure of material significance within the business process—in turn leading potentially to a material misstatement of the financial statements.
GAIT does not identify specific key controls. Rather, it identifies the ITGC processes and related IT control objectives for which key controls need to be identified. Users of GAIT will employ other tools, such as COBIT, to identify and then assess specific ITGC key controls.
Because the identification of risks within ITGC processes is a continuation of the top-down approach that starts with significant accounts and the related business processes, it should be performed by an integrated team of business and IT experts. Business experts alone will not appreciate the technical IT aspects and IT experts alone may not have a sufficient understanding of the extent of reliance on IT functionality.
At this time, GAIT focuses on ITGC risk assessment and scoping for the §404 assessment, but the principles can also be applied to the identification of controls for other assessment purposes (e.g., as part of an assessment of controls over compliance with applicable laws and regulations). Future editions are planned to provide guidance in some of those other areas.

Chapter headlines of the GAIT document:
Part 1. Understanding GAIT
- Executive Summary
- Understanding GAIT’s four core principles
- A word about entity-level controls

Part 2. Applying the GAIT methodology
- GAIT: concisely
- Documenting GAIT results
- Customizing GAIT
- Gathering the GAIT assessment team
- GAIT methodology phases
  Phase 1: Identify (and validate if necessary) the critical IT functionality
  Phase 2: Identify the [significant] applications where ITGC need to be tested
  Phase 3: Identify ITGC process risks and related control objectives
  Phase 4: Identify the key ITGCs to test that meet the control objective
  Phase 5: Perform a reasonable person review

