Practice Guides
Strongly Recommended Guidance

Practice Guides provide detailed guidance for conducting internal audit activities. They include processes and procedures, tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables.

Practice Guides are restricted to IIA members only.

Non-members may purchase Practice Guides by clicking on the links below.

Downloads and Links

Practice Guides — General

Title	Date
NEW! Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements	July 2013
Assessing Organizational Governance in the Private Sector	July 2012
Developing the Internal Audit Strategic Plan	July 2012
Auditing Privacy Risks, 2nd Edition (replaces GTAG 5)	July 2012
Integrated Auditing	July 2012
Evaluating Ethics-related Programs and Activities	June 2012
Quality Assurance and Improvement Program	March 2012
Coordinating Risk Management and Assurance	March 2012
Reliance by Internal Audit on Other Assurance Providers	December 2011
Independence and Objectivity	October 2011
Interaction with the Board	August 2011
Auditing the Control Environment	April 2011
Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing	April 2011
Assessing the Adequacy of Risk Management Using ISO 31000	December 2010
Measuring Internal Audit Effectiveness and Efficiency	December 2010
Chief Audit Executives — Appointment, Performance, Evaluation, and Termination	May 2010
Auditing Executive Compensation and Benefits	April 2010
Evaluating Corporate Social Responsibility/Sustainable Development	February 2010
Formulating and Expressing Internal Audit Opinions	April 2009
Auditing External Business Relationships	May 2009
Internal Auditing and Fraud	December 2009

Practice Guides — Public Sector

Title	Date
Assessing Organizational Governance in the Public Sector	Coming Soon
How to Build a Strategic Competency Plan in the Public Sector	Coming Soon

Practice Guides — GTAG®

Global Technology Audit Guides (GTAG)

GTAGs are written in straightforward business language and address timely issues related to information technology (IT) management, control, and security.

Title	Date
GTAG 17: Auditing IT Governance	July 2012
GTAG 16: Data Analysis Technologies	August 2011
GTAG 15: Information Security Governance	June 2010
GTAG 14: Auditing User-developed Applications	June 2010
GTAG 13: Fraud Prevention and Detection in an Automated World	December 2009
GTAG 12: Auditing IT Projects	March 2009
GTAG 11: Developing the IT Audit Plan	January 2009
GTAG 10: Business Continuity Management	January 2009
GTAG 9: Identity and Access Management	January 2009
GTAG 8: Auditing Application Controls	January 2009
GTAG 7: Information Technology Outsourcing, 2nd Edition	June 2012
GTAG 6: Managing and Auditing IT Vulnerabilities PLEASE NOTE: GTAG 6 has been deleted from the IPPF. Some of its concepts are combined with the 2nd edition of GTAG 4.	DELETED January 2013
GTAG 5: Managing and Auditing Privacy Risks PLEASE NOTE: GTAG 5 has been replaced by the Auditing Privacy Risks, 2nd Edition Practice Guide.	REPLACED July 2012
GTAG 4: Management of IT Auditing, 2nd Edition	January 2013
GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment	Update Coming Soon
GTAG 2: Change and Patch Management Controls: Critical for Organizational Success, 2nd Edition	March 2012
GTAG 1: Information Technology Risk and Controls, 2nd Edition	March 2012

Practice Guides — GAIT

Guide to the Assessment of IT Risk (GAIT)

The GAIT series of Practice Guides describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each guide addresses a specific aspect of IT risk and control assessment.

Title	Date
GAIT Methodology	January 2009
GAIT for IT General Control Deficiency Assessment	January 2009
GAIT for Business and IT Risk	January 2009

Case Studies of Using GAIT for Business and IT Risk to Scope PCI Compliance
Following the GAIT-R principles and methodology, this paper provides two case studies of applying GAIT-R to PCI compliance.