IIA Global Technology Audit Guides

The Institute of Internal Auditors (IIA) is producing a series of publications with guidance on information technology. Each guide is written in straightforward business language to address timely issues related to information technology management, control, or security.

Click on the links below to download the free Global Technology Audit Guides (GTAGs) in PDF format.

Guide 1: Information Technology Controls
This guide covers technology topics, issues, and audit concerns, as well as issues surrounding management, security, control, assurance, and risk management.

Download Information Technology Controls (PDF, 2MB)

Guide 2: Change and Patch Management Controls: Critical for Organizational Success
This guide is about managing risks that are a growing concern to those involved in the governance process. Like information security, the management of IT changes is a fundamental process; performed poorly, it can easily disrupt operations and damage the entire enterprise. This enterprise-wide impact makes change management of interest to many audit committees and, as a result, to top management.

The objective of the guide is to convey how effective and efficient IT change and patch management contribute to organizational success. Because the role of audit is to assess risks and provide assurance to the organization, auditors cannot ignore the potential impact that changes to information systems and other IT assets can have on business operations. More importantly, the guide gives readers the knowledge they need to counsel their boards about change-management risks and controls and to help their organizations comply with constantly changing regulatory requirements.

Download Change and Patch Management Controls: Critical for Organizational Success (PDF, 1037KB)

Guide 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
Organizations are continually exposed to significant errors, frauds, or inefficiencies that can lead to financial loss and increased levels of risk. An evolving regulatory environment, increased globalization of businesses, market pressure to improve operations, and rapidly changing business conditions are creating the need for more timely and ongoing assurance that controls are working effectively and risk is being mitigated. These demands have put increased pressure on chief audit executives and their staff.

Continuous auditing is a method for performing control and risk assessments automatically and on a more frequent basis. Technology is the key to enabling such an approach. Continuous auditing changes the audit paradigm from periodic reviews of a sample of transactions to ongoing, automated testing of 100 percent of transactions. It becomes an integral part of modern auditing at many levels.

This guide focuses on helping chief audit executives to identify what must be done to make effective use of technology in support of continuous auditing and highlights areas that require further attention. It provides continuous audit guidance that will benefit the organization by significantly reducing instances of error and fraud, increasing operational efficiency, and improving bottom-line results through a combination of cost savings and a reduction in overpayments and revenue leakage.

Download Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment (PDF, 956KB)

Guide 4: Management of IT Auditing
There is no question that IT is changing the nature of the internal audit functions. The risks companies face, the types of audits that should be performed, how to prioritize the audit universe, and how to deliver insightful findings are all issues with which chief audit executives must grapple. This guide is designed for chief audit executives and internal audit management personnel who are responsible for overseeing IT audits. Its purpose is to help sort through the strategic issues regarding planning, performing, and reporting on IT audits.

Download Management of IT Auditing (PDF, 377KB)

Guide 5: Managing and Auditing Privacy Risks
One of the many challenging and formidable risk management issues faced by organizations today is protecting the privacy of customers’ and employees’ personal information. The cost from privacy breaches is increasing every day. The organization’s customers, suppliers, and business partners want assurances that the personal information collected from them is protected and used only for the purposes for which it was originally collected.

This guide is intended to provide the chief audit executive, internal auditors, and management with insight into the privacy risks that the organization should address when it collects, uses, retains, or discloses personal information. The guide provides an overview of key privacy frameworks, which helps the reader understand the basic concepts and find the right sources for further guidance on expectations and on what works well in a variety of environments. It also covers in detail how internal auditors complete privacy assessments.

Download Managing and Auditing Privacy Risks (PDF, 752KB)

Guide 6: Managing and Auditing IT Vulnerabilities
This guide was developed to help chief audit executives and internal auditors ask the right questions of IT security staff when assessing the effectiveness of their vulnerability management processes. The guide recommends specific management practices to help an organization achieve and sustain higher levels of effectiveness and efficiency and illustrates the differences between high- and low-performing vulnerability management efforts.

Download Managing and Auditing IT Vulnerabilities (PDF, 574KB)

Guide 7: IT Outsourcing
Information technology (IT) outsourcing has grown in popularity as an efficient, cost-effective, and expert solution designed to meet the demands of systems implementation, maintenance, security, and operations.

The benefits of IT outsourcing are accompanied by the need to manage the complexities, risks, and challenges that come with it. It is important that internal auditors understand the outsourcing context and help the organization with a comprehensive review of its outsourcing operations and an evaluation of its compliance with applicable laws and regulations.

This guide provides the chief audit executive, internal auditors, and management with information on the types of IT outsourcing activities, the IT outsourcing lifecycle, and how outsourcing activities should be managed by implementing well-defined plans that are supported by a company-wide risk, control, compliance, and governance framework.