Supplemental Guidance

Recommended Guidance

Supplemental Guidance provides detailed guidance for conducting internal audit activities.
These include topical areas, sector-specific issues, as well as processes and procedures, tools
and techniques, programs, step-by-step approaches, and examples of deliverables.

Effective with the July 2015 launch of the New IPPF, all Practice Guides, Global Technology
Audit Guides (GTAGs), and Guides to the Assessment of IT Risks (GAIT) automatically
become part of the Recommended Supplemental Guidance layer.

Supplemental Guidance is restricted to IIA members only.

Non-members may purchase Supplemental Guidance by clicking on the links below.

Downloads and Links

Practice Guides General
Title Date
Audit Reports: Communicating Assurance Engagement Results (NEW!) October 2016
Internal Audit and the Second Line of Defense January 2016
Talent Management
Business Continuity Management August 2014
Auditing Anti-bribery and Anti-corruption Programs June 2014
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements July 2013
Assessing Organizational Governance in the Private Sector July 2012
Developing the Internal Audit Strategic Plan July 2012
Auditing Privacy Risks, 2nd Edition (replaces GTAG 5) July 2012
Integrated Auditing July 2012
Evaluating Ethics-related Programs and Activities June 2012
Quality Assurance and Improvement Program March 2012
Coordinating Risk Management and Assurance March 2012
Reliance by Internal Audit on Other Assurance Providers
Independence and Objectivity October 2011
Interaction with the Board August 2011
Auditing the Control Environment April 2011
Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing April 2011
Assessing the Adequacy of Risk Management Using ISO 31000
Measuring Internal Audit Effectiveness and Efficiency
Chief Audit Executives Appointment, Performance, Evaluation, and
May 2010
Auditing Executive Compensation and Benefits April 2010
Evaluating Corporate Social Responsibility/Sustainable Development
Formulating and Expressing Internal Audit Opinions April 2009
Auditing External Business Relationships May 2009
Internal Auditing and Fraud

Practice Guides Public Sector

Title Date
Creating an Internal Audit Competency Process for the Public Sector
Assessing Organizational Governance in the Public Sector October 2014

Practice Guides GTAG

Global Technology Audit Guide (GTAG)

GTAGs are written in straightforward business language and address timely issues related to
information technology (IT) management, control, and security.

Title Date
NEW GTAG! Assessing Cybersecurity Risk: Roles of the Three Lines of Defense September 2016
NEW GTAG! Auditing Smart Devices: An Internal Auditor's Guide to Understanding and Auditing Smart Devices August 2016
GTAG 17: Auditing IT Governance July 2012
GTAG 16: Data Analysis Technologies August 2011
GTAG 15: Information Security Governance June 2010
GTAG 14: Auditing User-developed Applications June 2010
GTAG 13: Fraud Prevention and Detection in an Automated World
GTAG 12: Auditing IT Projects March 2009
GTAG 11: Developing the IT Audit Plan January 2009
GTAG 10: Business Continuity Management January 2009
GTAG 9: Identity and Access Management January 2009
GTAG 8: Auditing Application Controls January 2009
GTAG 7: Information Technology Outsourcing, 2nd Edition June 2012
GTAG 6: Managing and Auditing IT Vulnerabilities January 2013
PLEASE NOTE: GTAG 6 has been deleted from the IPPF. Some of its concepts are combined with the 2nd edition of GTAG 4.
GTAG 5: Managing and Auditing Privacy Risks July 2012
PLEASE NOTE: GTAG 5 has been replaced by the Auditing Privacy Risks, 2nd Edition Practice Guide.
GTAG 4: Management of IT Auditing, 2nd Edition January 2013
GTAG 3: Continuous Auditing: Coordinating Continuous Auditing and Monitoring to Provide Continuous Assurance, 2nd Edition March 2015
GTAG 2: Change and Patch Management Controls: Critical for Organizational Success, 2nd Edition March 2012
GTAG 1: Information Technology Risk and Controls, 2nd Edition March 2012

Practice Guides GAIT

Guide to the Assessment of IT Risk (GAIT)

The GAIT series of Practice Guides describes the relationships among business risk, key controls within business processes,
automated controls and other critical IT functionality, and key controls within IT general controls. Each guide addresses a
specific aspect of IT risk and control assessment.

Title Date
GAIT Methodology January 2009
GAIT for IT General Control Deficiency Assessment January 2009
GAIT for Business and IT Risk January 2009

Case Studies of Using GAIT for Business and IT Risk to Scope PCI Compliance

Following the GAIT-R principles and methodology, this paper provides two case studies of
applying GAIT-R to PCI compliance.

Other Supplemental Guidance

Title Date
NEW! Applying The IIA's International Professional Practices Framework as a Professional Services Firm