I was at my local chapter meeting of a combined ISACA and IIA group. The topic of the meeting was The Institute of Internal Auditors' GTAG and GAIT programs, presented by Hussain Hasan of RSM McGladrey, Inc., who is also a member of the IIA's Advanced Technology Committee.
Hussain pointed me to a case study on using GAIT for Business and IT Risk (GAIT-R) to assist with scoping PCI compliance.
The GAIT-R methodology comprises eight steps:
- Identify the business process and objectives for which the controls are to be assessed.
- Identify the key business controls required to provide reasonable assurance that the business objectives will be achieved.
- Identify the critical IT functionality relied upon, from among the key business controls.
- Identify the significant applications where ITGCs need to be tested.
- Identify ITGC process risks and related control objectives.
- Identify the key ITGCs to test that address identified risk and related control objectives.
- Perform a reasonable person holistic review of all key controls.
- Determine the scope of the review and build an appropriate design and effectiveness testing program.
Here are the two Case Studies of Using GAIT-R to Scope PCI Compliance.