Skip Ribbon Commands
Skip to main content

​Supplemental Guidance
Recommended Guidance

Supplemental Guidance provides detailed guidance for conducting internal audit activities. These include topical areas, sector-specific issues, as well as processes and procedures, tools and techniques, programs, step-by-step approaches, and examples of deliverables.

Effective with the July 2015 launch of the New IPPF, all Practice Guides, Global Technology Audit Guides (GTAGs), and Guides to the Assessment of IT Risks (GAIT) automatically become part of the Recommended Supplemental Guidance layer.​

Supplemental Guidance is restricted to IIA members only.

Non-members may purchase Supplemental Guidance by clicking on the links below.

Downloads and Links

Practice Guides — General

Title​ Date
Assessing Organizational Governance in the Private Sector ​July 2012
Assessing the Adequacy of Risk Management Using ISO 31000 ​December 2010
NEW! Assessing the Risk Management Process March 2019​
Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing ​April 2011
Audit Reports: Communicating Assurance Results ​October 2016
Auditing Anti-bribery and Anti-corruption Programs ​June 2014
Auditing Executive Compensation and Benefits ​April 2010
Auditing External Business Relationships ​May 2009
Auditing Privacy Risks, 2nd Edition (replaces GTAG 5)​ ​July 2012
Auditing the Control Environment ​April 2011
NEW! Auditing Third-party Risk Management ​October 2018
Business Continuity Management ​August 2014
Chief Audit Executives — Appointment, Performance, Evaluation, and Termination ​May 2010
Coordinating Risk Management and Assurance ​March 2012
​​Coordination and Reliance: Developing an Assurance Map February ​2018​
Developing the Internal Audit Strategic Plan ​July 2012
Engagement Planning: Assessing Fraud Risks October 2017​
Engagement Planning: Establishing Objectives and Scope August 2017​
Evaluating Corporate Social Responsibility/Sustainable Development ​February 2010
Evaluating Ethics-related Programs and Activities ​June 2012
Formulating and Expressing Internal Audit Opinions ​April 2009
Independence and Objectivity ​October 2011
Integrated Auditing July 2012​
Interaction with the Board ​August 2011
Internal Audit and the Second Line of Defense ​January 2016
Internal Auditing and Fraud ​December 2009
Measuring Internal Audit Effectiveness and Efficiency ​December 2010
Quality Assurance and Improvement Program ​March 2012
Reliance by Internal Audit on Other Assurance Providers ​December 2011
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements ​July 2012
Talent Management ​December 2015

Practice Guides — Financial Services

Title Date​
Auditing Capital Adequacy and Stress Testing for Banks ​May 2018
Auditing Model Risk Management March 2018​
Auditing Liquidity Risk: An Overview December 2017

Practice Guides — Public Sector

Title Date​
Assessing Organizational Governance in the Public Sector ​October 2014
Auditing Grants in the Public Sector ​April 2018
Creating an Internal Audit Competency Process for the Public Sector February 2015

Practice Guides — GTAG®

Global Technology Audit Guide (GTAG)

GTAGs are written in straightforward business language and address timely issues related to information technology (IT) management, control, and security.

Title Date​
Assessing Cybersecurity Risk: Roles of the Three Lines of Defense September 2016
Auditing Application Controls (Previously GTAG 8) January 2009
NEW!Auditing Insider Threat Programs August 2018​
Auditing IT Governance (Previously GTAG 17) January 2018
Auditing IT Projects (Previously GTAG 12) March 2009​
Auditing Smart Devices: An Internal Auditor's Guide to Understanding and Auditing Smart Devices August 2016
Auditing User-developed Applications (Previously GTAG 14) June 2010
Business Continuity Management (Previously GTAG 10) January 2009​
Change and Patch Management Controls: Critical for Organizational Success, 2nd Edition (Previously GTAG 2) March 2012
Continuous Auditing: Coordinating Continuous Auditing and Monitoring to Provide Continuous Assurance, 2nd Edition (Previously GTAG 3) January 2009
Data Analysis Technologies (Previously GTAG 16)​ ​August 2011
Developing the IT Audit Plan (Previously GTAG 11) January 2009
Fraud Prevention and Detection in an Automated World (Previously GTAG 13) December 2009
Identity and Access Management (Previously GTAG 9) January 2009
Information Technology Outsourcing, 2nd Edition (Previously GTAG 7) June 2012
Information Technology Risk and Controls, 2nd Edition (Previously GTAG 1) March 2012
Management of IT Auditing, 2nd Edition (Previously GTAG 4) January 2013
Understanding and Auditing Big Data May 2017​​

Practice Guides — GAIT

Guide to the Assessment of IT Risk (GAIT)

The GAIT series of Practice Guides describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each guide addresses a specific aspect of IT risk and control assessment.

Title Date​
GAIT Methodology​ ​January 2009​
January 2009​​​
January 2009
  

Case Studies of Using GAIT for Business and IT Risk to Scope PCI Compliance
Following the GAIT-R principles and methodology, this paper provides two case studies of applying GAIT-R to PCI compliance.​

Other Supplemental Guidance

​Title ​Date
Applying The IIA’s International Professional Practices Framework as a Professional Services Firm ​August 2016
Model Internal Audit Activity Charter March 2017​


An updated edition of the International Professional Practices Framework (IPPF) guide, more commonly known as the Red Book, is now available. Visit the IIA Bookstore for more information.

CIA Your Roadmap to Success 
Copyright © The Institute of Internal Auditors. All Rights Reserved.