Professional Guidance
The IIA is the standard- and guidance-setting body for the internal audit profession globally and promotes guidance following rigorous due process. By providing authoritative guidance, the IIA sets the bar for internal audit efficiency, effectiveness, and professionalism.
International Professional Practices Framework (IPPF)
The IIA's International Professional Practices Framework (IPPF) forms the cornerstone of internal audit practice.
It consists of three mandatory components:
- Definition of Internal Auditing
- Code of Ethics
- International Standards for the Professional Practice of Internal Auditing (Standards)
These mandatory components are principles-based and are relevant for any internal audit activity, whether in-house, outsourced or a combination. Mandatory components are available as a free download as part of the IIA's global efforts to define minimum standards for internal audit practice.
The IPPF also comprises three strongly recommended components:
- Position Papers
- Practice Advisories
- Practice Guides
Recommended guidance has been developed to provide a wide range of applicable solutions to meet the requirements of the IIA’s mandatory guidance. Recommended components are available as a free download resource for members only.
Demonstrated compliance with the IIA’s Standards is a key way for organisations to ensure they are getting an appropriate level of assurance from their internal audit activity. Anyone with a strong interest in internal audit is encouraged to download and read these Standards, and ensure their internal audit activity is in compliance with these Standards.
You can purchase the full IPPF, including a book and interactive CD-ROM, from our Australian Bookstore.
Recent Updates to the IPPF
The IIA undertakes a periodic refresh of its professional practices frameworks to ensure that guidance is up to date, and that the internal audit profession is operating at the highest standard.
Updates since 1 January 2009 are listed below:
Practice Advisories
Practice Advisory 1000-1: Internal Audit Charter (9 KB)
| 01-Jan-2009 | Practice Advisory | IIA Global | Access: All Members |
Practice advisory supporting standard 1000 - the purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.
Practice Advisory 1110-1: Organisational Independence (9 KB)
| 01-Jan-2009 | Practice Advisory | IIA Global | Access: All Members |
Practice advisory supporting standard 1110 - the chief audit executive must report to a level within the organisation that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organisational independence of the internal audit activity.
Practice Advisory 1111-1: Board Interaction (5 KB)
| 01-Jan-2009 | Practice Advisory | IIA Global | Access: All Members |
Practice advisory supporting standard 1111 - the chief audit executive must communicate and interact directly with the board.
Practice Advisory 1120-1: Individual Objectivity (11 KB)
| 01-Jan-2009 | Practice Advisory | IIA Global | Access: All Members |
Practice advisory supporting standard 1120 - internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.
Practice Advisory 1130-1: Impairment to Independence or Objectivity (14 KB)
| 01-Jan-2009 | Practice Advisory | IIA Global | Access: All Members |
Practice advisory supporting standard 1130 - if independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.
Practice Advisory 1210-1: Proficiency (16 KB)
| 01-Jan-2009 | Practice Advisory | IIA Global | Access: All Members |
Practice advisory supporting standard 1210 - internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
Practice Guides
Global Technology Audit Guide (GTAG®) 04: Management of IT Auditing (336 KB)
| 01-Jan-2009 | Practice Guide | IIA Global | Access: All Members |
IT is changing the nature of the internal audit function. As new risks emerge, new audit procedures are required to manage these risks adequately. This global technology audit guide aims to help CAEs plan and manage the IT audit function more effectively and efficiently and covers areas such as evaluating IT-related risks, defining the IT audit universe, executing IT audits, and managing the IT audit function.
Global Technology Audit Guide (GTAG®) 05: Managing and Auditing Privacy Risks (1.23 MB)
| 01-Jan-2009 | Practice Guide | IIA Global | Access: All Members |
This global technology audit guide is intended to provide the CAE, internal auditors, and management with insight into privacy risks that the organisation should address when it collects, uses, retains, or discloses personal information. This guide provides an overview of key privacy frameworks to help readers understand the basic concepts and find the right sources for more guidance regarding expectations and what works well in a variety of environments. It also covers how internal auditors complete privacy assessments.
Global Technology Audit Guide (GTAG®) 06: Managing and Auditing IT Vulnerabilities (631 KB)
| 01-Jan-2009 | Practice Guide | IIA Global | Access: All Members |
This global technology audit guide aims to help CAEs pose the correct questions to their IT security staff when assessing the effectiveness of their vulnerability management processes. The guide recommends specific management practices to help an organisation achieve and sustain higher levels of effectiveness and efficiency and illustrates the differences between high- and low-performing vulnerability management efforts.
Global Technology Audit Guide (GTAG®) 07: Information Technology Outsourcing (909 KB)
| 01-Jan-2009 | Practice Guide | IIA Global | Access: All Members |
This global technology audit guide provides the CAE, internal auditors, and management with information on the types of IT outsourcing activities, the IT outsourcing lifecycle, and how outsourcing activities should be managed by implementing well-defined plans that are supported by a companywide risk, control, compliance, and governance framework.
Global Technology Audit Guide (GTAG®) 08: Auditing Application Controls (1.65 MB)
| 01-Jan-2009 | Practice Guide | IIA Global | Access: All Members |
This global technology audit guide provides CAEs with information about application controls and their benefits, application control review scoping and approaches, and other considerations. The guide also includes a list of common application controls and a sample audit plan.
Global Technology Audit Guide (GTAG®) 09: Identity and Access Management (1 MB)
| 01-Jan-2009 | Practice Guide | IIA Global | Access: All Members |
This global technology audit guide aims to provide insight into what identity and access management (IAM) means to an organisation and to suggest internal audit areas for investigation. It can assist CAEs and other internal auditors to understand, analyze, and monitor their organisation's IAM processes. A checklist for IAM review is also included in this guide.
Global Technology Audit Guide (GTAG®) 10: Business Continuity Management (1.6 MB)
| 01-Jan-2009 | Practice Guide | IIA Global | Access: All Members |
This global technology audit guide focuses on how business continuity management (BCM), as a program or framework, is designed to enable business leaders to manage the level of risk the organisation could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organisation were to occur. The guide includes disaster recovery planning (DRP) for continuity of critical information technology infrastructure and business application systems, because many business functions are predominately automated. This will help the CAE establish the basis for exercising an effective assessment and reporting key information to stakeholders.