Random Thoughts about Random Subjects

Friday, April 03, 2009

Sarbanes Oxley 404 in Enterprise Architecture Context

Sarbanes-Oxley 404 compliance is all about adding accountability to IT governance processes. In other words, the organization needs to make sure that any change to the IT infrastructure which has a significant effect on financial reports is authentic and genuine.
Implementing section 404 of SOX is an exhaustive exercise and quite often leads to one of those endless projects.
That's why the GAIT methodology is attracting more professionals every day: it helps narrow the scope of SOX compliance efforts to what is really important to the business.
GAIT is a risk management methodology with a top-down approach, very similar to what most security architects use to create enterprise security blueprints.
In fact, GAIT is a slice of the Enterprise Architecture process in which specific types of risk (those related to financial reporting) are identified in the business layer and then translated into technology risks in the technology infrastructure.
Unfortunately, most of the time SOX 404 is driven by business units such as finance or legal, which are the wrong owners for this work, without proper engagement of the EA team.

Even though GAIT simplifies the identification and implementation of the required security controls for IT components, it has no clear method for correlating business risks to the technology landscape. EA models, on the other hand, are extremely powerful in this area: one can use them to assess the impact of a business process risk on its supporting IT infrastructure.

In my opinion, GAIT is great for IT professionals to understand what they need to address when it comes to SOX; however, without appropriate collaboration with the EA team, GAIT is a costly and, ironically, risky methodology.
