IIA GAIT-R to Scope PCI Compliance

I attended a local chapter meeting of a combined ISACA and IIA group. The topic was The Institute of Internal Auditors' GTAG and GAIT programs, presented by Hussain Hasan of RSM McGladrey, Inc., who is also a member of the IIA's Advanced Technology Committee.

Hussain pointed me to a case study on using GAIT for Business and IT Risk (GAIT-R) to assist with scoping PCI compliance.

The GAIT-R methodology comprises eight steps:

  1. Identify the business process and objectives for which the controls are to be assessed.
  2. Identify the key business controls required to provide reasonable assurance that the business objectives will be achieved.
  3. Identify the critical IT functionality relied upon, from among the key business controls.
  4. Identify the significant applications where ITGCs need to be tested.
  5. Identify ITGC process risks and related control objectives.
  6. Identify the key ITGCs to test that address identified risk and related control objectives.
  7. Perform a reasonable person holistic review of all key controls.
  8. Determine the scope of the review and build an appropriate design and effectiveness testing program.

Here are the two Case Studies of Using GAIT-R to Scope PCI Compliance.
