Scoping ITGCs for SOx 404 audits: Combining frameworks and/or methodologies to achieve efficiencies and effectiveness

  • Author(s) / Creator(s)
  • Scoping IT general controls (ITGCs) for the purpose of complying with legislation such as Section 404 of the Sarbanes-Oxley Act has been no simple feat. Management and auditors alike have faced challenges in scoping the work to be performed around ITGCs. The Public Company Accounting Oversight Board (PCAOB) and the U.S. Securities and Exchange Commission (SEC) advocate the use of a top-down, risk-based approach to define the scope of work for Section 404 compliance. However, this approach is not yet fully understood and is not being completely followed. Methodologies have been created to assist with scoping and assessing ITGCs, as described in this paper; however, extensive resources are still being utilized to comply with Section 404. This paper reviews current industry practices by analyzing methods and approaches to ITGC scoping for a sample of three companies in differing industries. This review is followed by an analysis of a newer methodology, the GAIT methodology, and how it can create efficiencies in the scoping of ITGC work relative to current practices.

  • Date created
  • Subjects / Keywords
  • Type of Item
    Research Material
  • DOI
  • License
    Attribution-NonCommercial 4.0 International