Supplemental Guidance
Recommended Guidance

Supplemental Guidance provides detailed guidance for conducting internal audit activities. These include topical areas, sector-specific issues, as well as processes and procedures, tools and techniques, programs, step-by-step approaches, and examples of deliverables.

Effective with the July 2015 launch of the New IPPF, all Practice Guides, Global Technology Audit Guides (GTAGs), and Guides to the Assessment of IT Risks (GAIT) automatically become part of the Recommended Supplemental Guidance layer.

Supplemental Guidance is restricted to IIA members only.

Non-members may purchase Supplemental Guidance by clicking on the links below.

Downloads and Links

Practice Guides — General

Title	Date
Assessing Organizational Governance in the Private Sector	July 2012
Assessing the Adequacy of Risk Management Using ISO 31000	December 2010
Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing	April 2011
Audit Reports: Communicating Assurance Results	October 2016
Auditing Anti-bribery and Anti-corruption Programs	June 2014
Auditing Executive Compensation and Benefits	April 2010
Auditing External Business Relationships	May 2009
Auditing Privacy Risks, 2nd Edition (replaces GTAG 5)	July 2012
Auditing the Control Environment	April 2011
Business Continuity Management	August 2014
Chief Audit Executives — Appointment, Performance, Evaluation, and Termination	May 2010
Coordinating Risk Management and Assurance	March 2012
NEW! Coordination and Reliance: Developing an Assurance Map	February 2018
Developing the Internal Audit Strategic Plan	July 2012
NEW! Engagement Planning: Assessing Fraud Risks	October 2017
NEW! Engagement Planning: Establishing Objectives and Scope	August 2017
Evaluating Corporate Social Responsibility/Sustainable Development	February 2010
Evaluating Ethics-related Programs and Activities	June 2012
Formulating and Expressing Internal Audit Opinions	April 2009
Independence and Objectivity	October 2011
Integrated Auditing	July 2012
Interaction with the Board	August 2011
Internal Audit and the Second Line of Defense	January 2016
Internal Auditing and Fraud	December 2009
Measuring Internal Audit Effectiveness and Efficiency	December 2010
Quality Assurance and Improvement Program	March 2012
Reliance by Internal Audit on Other Assurance Providers	December 2011
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements	July 2012
Talent Management	December 2015

Practice Guides — Financial Services

Title	Date
NEW! Auditing Model Risk Management	March 2018
NEW! Auditing Liquidity Risk: An Overview	December 2017

Practice Guides — Public Sector

Title	Date
Assessing Organizational Governance in the Public Sector	October 2014
NEW! Auditing Grants in the Public Sector	April 2018
Creating an Internal Audit Competency Process for the Public Sector	February 2015

Practice Guides — GTAG^®

Global Technology Audit Guide (GTAG)

GTAGs are written in straightforward business language and address timely issues related to information technology (IT) management, control, and security.

Title	Date
Assessing Cybersecurity Risk: Roles of the Three Lines of Defense	September 2016
Auditing Application Controls (Previously GTAG 8)	January 2009
UPDATED! Auditing IT Governance (Previously GTAG 17)	January 2018
Auditing IT Projects (Previously GTAG 12)	March 2009
Auditing Smart Devices: An Internal Auditor's Guide to Understanding and Auditing Smart Devices	August 2016
Auditing User-developed Applications (Previously GTAG 14)	June 2010
Business Continuity Management (Previously GTAG 10)	January 2009
Change and Patch Management Controls: Critical for Organizational Success, 2nd Edition (Previously GTAG 2)	March 2012
Continuous Auditing: Coordinating Continuous Auditing and Monitoring to Provide Continuous Assurance, 2nd Edition (Previously GTAG 3)	January 2009
Data Analysis Technologies (Previously GTAG 16)	August 2011
Developing the IT Audit Plan (Previously GTAG 11)	January 2009
Fraud Prevention and Detection in an Automated World (Previously GTAG 13)	December 2009
Identity and Access Management (Previously GTAG 9)	January 2009
Information Security Governance (Previously GTAG 15)	June 2010
Information Technology Outsourcing, 2nd Edition (Previously GTAG 7)	June 2012
Information Technology Risk and Controls, 2nd Edition (Previously GTAG 1)	March 2012
Management of IT Auditing, 2nd Edition (Previously GTAG 4)	January 2013
Understanding and Auditing Big Data	May 2017

Practice Guides — GAIT

Guide to the Assessment of IT Risk (GAIT)

The GAIT series of Practice Guides describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each guide addresses a specific aspect of IT risk and control assessment.

Title	Date
GAIT Methodology	January 2009
GAIT for IT General Control Deficiency Assessment	January 2009
GAIT for Business and IT Risk	January 2009

Case Studies of Using GAIT for Business and IT Risk to Scope PCI Compliance
Following the GAIT-R principles and methodology, this paper provides two case studies of applying GAIT-R to PCI compliance.

Other Supplemental Guidance

Title	Date
Applying The IIA’s International Professional Practices Framework as a Professional Services Firm	August 2016
NEW! Model Internal Audit Activity Charter	March 2017

New Guidance

Standards

Code of Ethics

Become a Global Guidance Contributor

An updated edition of the International Professional Practices Framework (IPPF) guide, more commonly known as the Red Book, is now available. Visit the IIA Bookstore for more information.