Supplemental Guidance
Recommended Guidance

Supplemental Guidance provides detailed guidance for conducting internal audit activities. These include topical areas, sector-specific issues, as well as processes and procedures, tools and techniques, programs, step-by-step approaches, and examples of deliverables.

Effective with the July 2015 launch of the New IPPF, all Practice Guides, Global Technology Audit Guides (GTAGs), and Guides to the Assessment of IT Risks (GAIT) automatically become part of the Recommended Supplemental Guidance layer.

Supplemental Guidance is restricted to IIA members only.

Non-members may purchase Supplemental Guidance by clicking on the links below.

Downloads and Links

Practice Guides — General

Title	Date
NEW! Internal Audit and the Second Line of Defense	January 2016
Talent Management	December 2015
Business Continuity Management	August 2014
Auditing Anti-bribery and Anti-corruption Programs	June 2014
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements	July 2013
Assessing Organizational Governance in the Private Sector	July 2012
Developing the Internal Audit Strategic Plan	July 2012
Auditing Privacy Risks, 2nd Edition (replaces GTAG 5)	July 2012
Integrated Auditing	July 2012
Evaluating Ethics-related Programs and Activities	June 2012
Quality Assurance and Improvement Program	March 2012
Coordinating Risk Management and Assurance	March 2012
Reliance by Internal Audit on Other Assurance Providers	December 2011
Independence and Objectivity	October 2011
Interaction with the Board	August 2011
Auditing the Control Environment	April 2011
Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing	April 2011
Assessing the Adequacy of Risk Management Using ISO 31000	December 2010
Measuring Internal Audit Effectiveness and Efficiency	December 2010
Chief Audit Executives — Appointment, Performance, Evaluation, and Termination	May 2010
Auditing Executive Compensation and Benefits	April 2010
Evaluating Corporate Social Responsibility/Sustainable Development	February 2010
Formulating and Expressing Internal Audit Opinions	April 2009
Auditing External Business Relationships	May 2009
Internal Auditing and Fraud	December 2009

Practice Guides — Public Sector

Title	Date
Creating an Internal Audit Competency Process for the Public Sector	February 2015
Assessing Organizational Governance in the Public Sector	October 2014

Practice Guides — GTAG®

Global Technology Audit Guide (GTAG)

GTAGs are written in straightforward business language and address timely issues related to information technology (IT) management, control, and security.

Title	Date
NEW GTAG! Assessing Cybersecurity Risk: Roles of the Three Lines of Defense	September 2016
NEW GTAG! Auditing Smart Devices: An Internal Auditor's Guide to Understanding and Auditing Smart Devices	August 2016
GTAG 17: Auditing IT Governance	July 2012
GTAG 16: Data Analysis Technologies	August 2011
GTAG 15: Information Security Governance	June 2010
GTAG 14: Auditing User-developed Applications	June 2010
GTAG 13: Fraud Prevention and Detection in an Automated World	December 2009
GTAG 12: Auditing IT Projects	March 2009
GTAG 11: Developing the IT Audit Plan	January 2009
GTAG 10: Business Continuity Management	January 2009
GTAG 9: Identity and Access Management	January 2009
GTAG 8: Auditing Application Controls	January 2009
GTAG 7: Information Technology Outsourcing, 2nd Edition	June 2012
GTAG 6: Managing and Auditing IT Vulnerabilities PLEASE NOTE: GTAG 6 has been deleted from the IPPF. Some of its concepts are combined with the 2nd edition of GTAG 4.	DELETED January 2013
GTAG 5: Managing and Auditing Privacy Risks PLEASE NOTE: GTAG 5 has been replaced by the Auditing Privacy Risks, 2nd Edition Practice Guide.	REPLACED July 2012
GTAG 4: Management of IT Auditing, 2nd Edition	January 2013
GTAG 3: Continuous Auditing: Coordinating Continuous Auditing and Monitoring to Provide Continuous Assurance, 2nd Edition	March 2015
GTAG 2: Change and Patch Management Controls: Critical for Organizational Success, 2nd Edition	March 2012
GTAG 1: Information Technology Risk and Controls, 2nd Edition	March 2012

Practice Guides — GAIT

Guide to the Assessment of IT Risk (GAIT)

The GAIT series of Practice Guides describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each guide addresses a specific aspect of IT risk and control assessment.

Title	Date
GAIT Methodology	January 2009
GAIT for IT General Control Deficiency Assessment	January 2009
GAIT for Business and IT Risk	January 2009

Case Studies of Using GAIT for Business and IT Risk to Scope PCI Compliance
Following the GAIT-R principles and methodology, this paper provides two case studies of applying GAIT-R to PCI compliance.

Other Supplemental Guidance

Title	Date
NEW! Applying The IIA’s International Professional Practices Framework as a Professional Services Firm	August 2016

New Guidance

Due Process

COSO Resources

Regulator Responses

New IPPF Resources
Educate staff, colleagues, and stakeholders on these changes by utilizing these tools:

The 2013 Red Book is still a useful and binding reference source as a majority of the content has not changed and remains valid. The IIA Bookstore (powered by the Internal Audit Foundation) is exploring an online tool with searchable, on-demand access to all IPPF content. Learn more in the FAQs.