Supplemental Guidance
Recommended Guidance

Supplemental Guidance provides detailed guidance for conducting internal audit activities. These include topical areas, sector-specific issues, as well as processes and procedures, tools and techniques, programs, step-by-step approaches, and examples of deliverables.

Effective with the July 2015 launch of the New IPPF, all Practice Guides, Global Technology Audit Guides (GTAGs), and Guides to the Assessment of IT Risks (GAIT) automatically become part of the Recommended Supplemental Guidance layer.

Supplemental Guidance is restricted to IIA members only.

Non-members may purchase Supplemental Guidance by clicking on the links below.

Downloads and Links

Practice Guides — General

Title Date
Assessing Organizational Governance in the Private Sector July 2012
Assessing the Adequacy of Risk Management Using ISO 31000 December 2010
Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing April 2011
NEW! Audit Reports: Communicating Assurance Results October 2016
Auditing Anti-bribery and Anti-corruption Programs June 2014
Auditing Executive Compensation and Benefits April 2010
Auditing External Business Relationships May 2009
Auditing Privacy Risks, 2nd Edition (replaces GTAG 5) July 2012
Auditing the Control Environment April 2011
Business Continuity Management August 2014
Chief Audit Executives — Appointment, Performance, Evaluation, and Termination May 2010
Coordinating Risk Management and Assurance March 2012
Developing the Internal Audit Strategic Plan July 2012
Evaluating Corporate Social Responsibility/Sustainable Development February 2010
Evaluating Ethics-related Programs and Activities June 2012
Formulating and Expressing Internal Audit Opinions April 2009
Independence and Objectivity October 2011
Integrated Auditing July 2012
Interaction with the Board August 2011
Internal Audit and the Second Line of Defense January 2016
Internal Auditing and Fraud December 2009
Measuring Internal Audit Effectiveness and Efficiency December 2010
Quality Assurance and Improvement Program March 2012
Reliance by Internal Audit on Other Assurance Providers December 2011
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements July 2012
Talent Management December 2015

Practice Guides — Public Sector

Title Date
Assessing Organizational Governance in the Public Sector October 2014
Creating an Internal Audit Competency Process for the Public Sector February 2015

Practice Guides — GTAG®

Global Technology Audit Guide (GTAG)

GTAGs are written in straightforward business language and address timely issues related to information technology (IT) management, control, and security.

Title Date
NEW! Assessing Cybersecurity Risk: Roles of the Three Lines of Defense September 2016
Auditing Application Controls (Previously GTAG 8) January 2009
Auditing IT Governance (Previously GTAG 17) July 2012
Auditing IT Projects (Previously GTAG 12) March 2009
NEW! Auditing Smart Devices: An Internal Auditor's Guide to Understanding and Auditing Smart Devices August 2016
Auditing User-developed Applications (Previously GTAG 14) June 2010
Business Continuity Management (Previously GTAG 10) January 2009
Change and Patch Management Controls: Critical for Organizational Success, 2nd Edition (Previously GTAG 2) March 2012
Continuous Auditing: Coordinating Continuous Auditing and Monitoring to Provide Continuous Assurance, 2nd Edition (Previously GTAG 3) January 2009
Data Analysis Technologies (Previously GTAG 16) August 2011
Developing the IT Audit Plan (Previously GTAG 11) January 2009
Fraud Prevention and Detection in an Automated World (Previously GTAG 13) December 2009
Identity and Access Management (Previously GTAG 9) January 2009
Information Security Governance (Previously GTAG 15) June 2010
Information Technology Outsourcing, 2nd Edition (Previously GTAG 7) June 2012
Information Technology Risk and Controls, 2nd Edition (Previously GTAG 1) March 2012
Management of IT Auditing, 2nd Edition (Previously GTAG 4) January 2013

Practice Guides — GAIT

Guide to the Assessment of IT Risk (GAIT)

The GAIT series of Practice Guides describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each guide addresses a specific aspect of IT risk and control assessment.

Title Date
GAIT Methodology January 2009
January 2009
January 2009

Case Studies of Using GAIT for Business and IT Risk to Scope PCI Compliance
Following the GAIT-R principles and methodology, this paper provides two case studies of applying GAIT-R to PCI compliance.

Other Supplemental Guidance

Title Date
NEW! Applying The IIA’s International Professional Practices Framework as a Professional Services Firm August 2016


An updated edition of the Red Book will be released 1st Quarter 2017. Visit the IIA Bookstore for more information.