The GAIT Methodology
In 2007, the IIA published the GAIT Methodology to help practitioners define the right ITGC controls to include in their organization’s scope for SOX.
It has been widely accepted, both by companies and their external auditors, as well as by the regulators. In fact, the SEC’s SOX guidance was developed based on an understanding of the principles in GAIT.
GAIT continues the top-down and risk-based approach recommended for companies by the SEC and mandated for their auditors by the PCAOB.
You can download a copy of the 2007 version here: https://app.box.com/s/h6xjyg5wb3dtcecrxzzux1mx5fklfhfq
However, it is 15 years since GAIT was published. Technologies have advanced and we have 15 years of experience with SOX and GAIT.
With the help of a panel of practitioners, partners with independent audit and consulting firms, and former IIA executives, GAIT has been updated.
The update is not (yet) a product of the IIA. Hopefully, they will take that on in 2023.
You can download a copy of the 2022 version here: https://app.box.com/s/iqma2m9t4b9vc5lpgs2391evonyapb5l
Following the success of the 2007 GAIT publication, the IIA moved on to publish additional GAIT products.
It is available at https://app.box.com/s/cy0ly7envfx9acuodrhcnbm6lho0qubh.
This methodology took the ideas and principles in GAIT and modified it to address all IT-related business risks, not just SOX.
GAIT for IT General Control Deficiency Assessment
It is available at https://app.box.com/s/gz6313q44f16d4a8k2is7sq7kjuckkip.
Assessing the severity of an ITGC key controls failure is not easy, as that failure could affect multiple critical functionalities in multiple significant applications.
This assessment methodology follows the processes in GAIT for SOX back up the risk chain, enabling an appropriate assessment of the ICFR risk to be made.
Norman Marks on Governance, Risk Management, and Audit 