Skip Ribbon Commands
Skip to main content

​Supplemental Guidance
Recommended Guidance

Supplemental Guidance provides detailed guidance for conducting internal audit activities. These include topical areas, sector-specific issues, as well as processes and procedures, tools and techniques, programs, step-by-step approaches, and examples of deliverables.

Supplemental Guidance is restricted to IIA members only.

Non-members may purchase Supplemental Guidance by clicking on the links below.

Downloads and Links

Internal Audit Strategy and Best Practices
Business Continuity Management
Chief Audit Executives — Appointment, Performance, Evaluation, and Termination
Coordinating Risk Management and Assurance
​​Coordination and Reliance: Developing an Assurance Map
Demonstrating the Core Principles for the Professional Practice of Internal Auditing
​​NEW! Developing a Risk-based Internal Audit Plan
Developing the Internal Audit Strategic Plan
Engagement Planning: Assessing Fraud Risks
Engagement Planning: Establishing Objectives and Scope
Formulating and Expressing Internal Audit Opinions
Independence and Objectivity
Integrated Auditing
Interaction with the Board
Measuring Internal Audit Effectiveness and Efficiency
Quality Assurance and Improvement Program
Reliance by Internal Audit on Other Assurance Providers
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
Talent Management
General Best Practices
Assessing Organizational Governance in the Private Sector
Assessing the Risk Management Process
Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing
Audit Reports: Communicating Assurance Results
Auditing Anti-bribery and Anti-corruption Programs
Auditing Culture
Auditing Executive Compensation and Benefits
Auditing Privacy Risks, 2nd Edition (replaces GTAG 5)​
Auditing Third-party Risk Management
Evaluating Ethics-related Programs and Activities
Internal Auditing and Fraud

GTAGs are written in straightforward business language and address timely issues related to information technology (IT) management, control, and security.

Global Technology Audit Guides (GTAGs)
Assessing Cybersecurity Risk: The Three Lines Model
Auditing Application Controls (Previously GTAG 8)
Auditing Insider Threat Programs
Auditing IT Governance (Previously GTAG 17)
Auditing IT Projects (Previously GTAG 12)
Auditing Smart Devices: An Internal Auditor's Guide to Understanding and Auditing Smart Devices
Auditing User-developed Applications (Previously GTAG 14)
Business Continuity Management (Previously GTAG 10)
Continuous Auditing: Coordinating Continuous Auditing and Monitoring to Provide Continuous Assurance, 2nd Edition (Previously GTAG 3)
Data Analysis Technologies (Previously GTAG 16)​
Fraud Prevention and Detection in an Automated World (Previously GTAG 13)
Identity and Access Management (Previously GTAG 9)
Information Technology Outsourcing, 2nd Edition (Previously GTAG 7)
Information Technology Risk and Controls, 2nd Edition (Previously GTAG 1)
NEW! IT Change Management: Critical for Organizational Success, 3rd Edition (Previously GTAG 2)
NEW! IT Essentials for Internal Auditors​
Management of IT Auditing, 2nd Edition (Previously GTAG 4)
Understanding and Auditing Big Data
Financial Services Practice Guides
Auditing Capital Adequacy and Stress Testing for Banks
​​NEW! Auditing Conduct Risk
Auditing Credit Risk Management
Auditing Model Risk Management
Auditing Liquidity Risk: An Overview
Foundations of Internal Auditing in Financial Services Firms
Public Sector Practice Guides
Assessing Organizational Governance in the Public Sector
Auditing Grants in the Public Sector
Creating an Internal Audit Competency Process for the Public Sector
​​Unique Aspects of Internal Auditing in the Public Sector
Other Supplemental Guidance
Applying The IIA’s International Professional Practices Framework as a Professional Services Firm
Model Internal Audit Activity Charter


An updated edition of the International Professional Practices Framework (IPPF) guide, more commonly known as the Red Book, is now available. Visit the IIA Bookstore for more information.