Global Technology Audit Guides (GTAG^®)
Prepared by The Institute of Internal Auditors (The IIA), each Global Technology Audit Guide(GTAG) is written in straightforward business language to address a timely issue related to information technology (IT) management, control, and security. The GTAG series serves as a ready resource for chief audit executives on different technology-associated risks and recommended practices.

Practice Guides are restricted to IIA members only. Learn more about becoming a member.

PG GTAG-15: Information Security Governance
PG GTAG-14: Auditing User-developed Applications
PG GTAG-13: Fraud Prevention and Detection in an Automated World
PG GTAG-12: Auditing IT Projects
PG GTAG-11: Developing the IT Audit Plan
PG GTAG-10: Business Continuity Management
PG GTAG-9:   Identity and Access Management
PG GTAG-8:   Auditing Application Controls
PG GTAG-7:   Information Technology Outsourcing
PG GTAG-6:   Managing and Auditing IT Vulnerabilities
PG GTAG-5:   Managing and Auditing Privacy Risks
PG GTAG-4:   Management of IT Auditing
PG GTAG-3:   Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
PG GTAG-2:   Change and Patch Management Controls: Critical for Organizational Success
PG GTAG-1:   Information Technology Controls

Guide to the Assessment of IT Risk (GAIT)
The GAIT series describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each practice guide in the series addresses a specific aspect of IT risk and control assessments. 

GAIT Practice Guides include

• The GAIT Methodology PG: a risk-based approach to assessing the scope of IT general controls as part of management’s assessment of internal control required by Section 404 of the Sarbanes-Oxley Act

• GAIT for IT General Control Deficiency Assessment PG: an approach for evaluating whether any ITGC deficiencies identified during Section 404 assessments represent material weaknesses or significant deficiencies

• GAIT for Business and IT Risk PG: : guidance for helping identify the IT controls that are critical to achieving business goals and objectives   

  • Case Studies of Using GAIT-R to Scope PCI Compliance: Following the GAIT-R principles and methodology, this paper provides two case studies of applying GAIT-R to PCI compliance. (PDF, 400KB)