Recent case studies published by The IIA outlines how internal auditors can use the Guide to the Assessment of IT (GAIT) for Business and IT Risk methodology to enhance PCI compliance efforts. The case studies demonstrate how to document the thought process for scoping and substantiating the IT controls that are included as part of PCI compliance audits. It is recommended that internal auditors follow eight steps to determine the scope for PCI compliance audits:

• Identify the business process and objectives for which the controls are to be assessed.
• Identify the key business controls required to provide reasonable assurance that the business objectives will be achieved.
• Identify the critical IT functionality relied upon from among key business controls.
• Identify the significant applications in which IT General Controls (ITGCs) need to be tested.
• Identify IT general control process risks and related control objectives.
• Identify the key IT general controls to test risks and related control objectives.
• Conduct a holistic review of all key controls.
• Determine the scope of the review and build an appropriate design and effectiveness testing program.

The IIA is internationally recognized as a trustworthy guidance-setting body. Serving members in 165 countries, The IIA is the internal audit profession's global voice, chief advocate, recognized authority, acknowledged leader, and principal educator.