The second guide, GAIT for IT General Control Deficiency Assessments, gives auditors and management an approach to assess whether IT general control deficiencies identified during their Sarbanes-Oxley Section 404 assessment represent significant deficiencies or material weaknesses in the system of internal control over financial reporting. It builds on guidance provided in 2004 by nine CPA firms, A Framework for Evaluating Control Exceptions and Deficiencies, and reflects recent changes in the definitions of material weakness and significant deficiency.

The third guide in the series, GAIT for Business and IT Risk, helps managers and auditors identify all the key controls that are critical to achieving business goals and objectives. It identifies the critical aspects of information technology that are essential to the management and mitigation of organizational risk. These critical IT functionalities and their corresponding risks can then be considered when planning audit work.

Both sets of guidance can be downloaded free of charge from The IIA Web site at www.theiia.org/guidance/technology.