Supplemental Guidance
Recommended Guidance

Supplemental Guidance provides detailed guidance for conducting internal audit activities. These include topical areas, sector-specific issues, as well as processes and procedures, tools and techniques, programs, step-by-step approaches, and examples of deliverables.

Effective with the July 2015 launch of the New IPPF, all Practice Guides, Global Technology Audit Guides (GTAGs), and Guides to the Assessment of IT Risks (GAIT) automatically become part of the Recommended Supplemental Guidance layer.

Supplemental Guidance is restricted to IIA members only. 

Non-members may purchase Supplemental Guidance by clicking on the links below.

Downloads and Links

Practice Guides — General

Title | Date
NEW! Audit Reports: Communicating Assurance Engagement | October 2016
Internal Audit and the Second Line of Defense | January 2016
Talent Management | December 2015
Business Continuity Management | August 2014
Auditing Anti-bribery and Anti-corruption Programs | June 2014
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements | July 2013
Assessing Organizational Governance in the Private Sector | July 2012
Developing the Internal Audit Strategic Plan | July 2012
Auditing Privacy Risks, 2nd Edition (replaces GTAG 5) | July 2012
Integrated Auditing | July 2012
Evaluating Ethics-related Programs and Activities | June 2012
Quality Assurance and Improvement Program | March 2012
Coordinating Risk Management and Assurance | March 2012
Reliance by Internal Audit on Other Assurance Providers | December 2011
Independence and Objectivity | October 2011
Interaction with the Board | August 2011
Auditing the Control Environment | April 2011
Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing | April 2011
Assessing the Adequacy of Risk Management Using ISO 31000 | December 2010
Measuring Internal Audit Effectiveness and Efficiency | December 2010
Chief Audit Executives — Appointment, Performance, Evaluation, and Termination | May 2010
Auditing Executive Compensation and Benefits | April 2010
Evaluating Corporate Social Responsibility/Sustainable Development | February 2010
Formulating and Expressing Internal Audit Opinions | April 2009
Auditing External Business Relationships | May 2009
Internal Auditing and Fraud | December 2009

Practice Guides — Public Sector

Practice Guides — GTAG®

Global Technology Audit Guide (GTAG)

GTAGs are written in straightforward business language and address timely issues related to information technology (IT) management, control, and security.

Title | Date
NEW GTAG! Assessing Cybersecurity Risk: Roles of the Three Lines of Defense | September 2016
NEW GTAG! Auditing Smart Devices: An Internal Auditor's Guide to Understanding and Auditing Smart Devices | August 2016
GTAG 17: Auditing IT Governance | July 2012
GTAG 16: Data Analysis Technologies | August 2011
GTAG 15: Information Security Governance | June 2010
GTAG 14: Auditing User-developed Applications | June 2010
GTAG 13: Fraud Prevention and Detection in an Automated World | December 2009
GTAG 12: Auditing IT Projects | March 2009
GTAG 11: Developing the IT Audit Plan | January 2009
GTAG 10: Business Continuity Management | January 2009
 | January 2009
 | January 2009
GTAG 7: Information Technology Outsourcing, 2nd Edition | June 2012
GTAG 6: Managing and Auditing IT Vulnerabilities (PLEASE NOTE: GTAG 6 has been deleted from the IPPF. Some of its concepts are combined with the 2nd edition of GTAG 4.) | January 2013
GTAG 5: Managing and Auditing Privacy Risks (PLEASE NOTE: GTAG 5 has been replaced by the Auditing Privacy Risks, 2nd Edition Practice Guide.) | July 2012
GTAG 4: Management of IT Auditing, 2nd Edition | January 2013
GTAG 3: Continuous Auditing: Coordinating Continuous Auditing and Monitoring to Provide Continuous Assurance, 2nd Edition | March 2015
GTAG 2: Change and Patch Management Controls: Critical for Organizational Success, 2nd Edition | March 2012
GTAG 1: Information Technology Risk and Controls, 2nd Edition | March 2012

Practice Guides — GAIT

Guide to the Assessment of IT Risk (GAIT)

The GAIT series of Practice Guides describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each guide addresses a specific aspect of IT risk and control assessment.

Title | Date
GAIT Methodology | January 2009
 | January 2009
 | January 2009

Case Studies of Using GAIT for Business and IT Risk to Scope PCI Compliance
Following the GAIT-R principles and methodology, this paper provides two case studies of applying GAIT-R to PCI compliance.

Other Supplemental Guidance

Title | Date
NEW! Applying The IIA’s International Professional Practices Framework as a Professional Services Firm | August 2016

New IPPF Resources
Educate staff, colleagues, and stakeholders on these changes by utilizing these tools:

The 2013 Red Book is still a useful and binding reference source as a majority of the content has not changed and remains valid. The IIA Bookstore is exploring an online tool with searchable, on-demand access to all IPPF content. Learn more in the FAQs.