The GAIT Methodology

In 2007, the IIA published the GAIT Methodology to help practitioners define the right IT general controls (ITGC) to include in their organization's scope for SOX.

It has been widely accepted by companies, their external auditors, and the regulators. In fact, the SEC's SOX guidance was developed based on an understanding of the principles in GAIT.

GAIT continues the top-down and risk-based approach recommended for companies by the SEC and mandated for their auditors by the PCAOB.

You can download a copy of the 2007 version here:

However, it is 15 years since GAIT was published. Technologies have advanced and we have 15 years of experience with SOX and GAIT.

With the help of a panel of practitioners, partners with independent audit and consulting firms, and former IIA executives, GAIT has been updated.

The update is not (yet) a product of the IIA. Hopefully, they will take that on in 2023.

You can download a copy of the 2022 version here:

Following the success of the 2007 GAIT publication, the IIA moved on to publish additional GAIT products.

GAIT for Business and IT Risk

It is available at

This methodology took the ideas and principles in GAIT and modified them to address all IT-related business risks, not just SOX.

GAIT for IT General Control Deficiency Assessment

It is available at

Assessing the severity of a failure in a key ITGC is not easy, as that failure could affect multiple critical functionalities in multiple significant applications.

This assessment methodology follows the processes in GAIT for SOX back up the risk chain, from the failed ITGC to the application functionality and financial statement risks it supports, enabling an appropriate assessment of the ICFR risk to be made.
