Guidance and Resources

​Standards & Guidance — International Professional Practices Framework (IPPF)®

International Professional Practices Framework (IPPF) The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance promulgated by The Institute of Internal Auditors. A trustworthy, global, guidance-setting body, The IIA provides internal audit professionals worldwide with authoritative guidance organized in the IPPF as mandatory guidance and ​recommended guidance.


NEW! Global Technology Audit Guide: Auditing Identity and Access Management

Recommended Guidance

Practice Guide: Auditing Market Risk in Financial Institutions

Identity and access management covers the policies, processes, and tools for ensuring users have appropriate access to IT resources.
The “Auditing Identity and Access Management” GTAG will help internal auditors understand key terms and how to approach an audit to ensure their organization’s IAM protocols help mitigate potential security and regulatory risks. This knowledge will help internal auditors provide assurance that controls for managing access to IT resources are well designed and effectively implemented.
This guidance will enable internal auditors to understand:

  • IAM and develop a working knowledge of relevant processes, including related governance and security controls.
  • Risks and opportunities associated with IAM.
  • Components of the IAM process, including provisioning IDs, administering and authorizing access rights, and maintaining enforcement through authentication, reauthorization reviews, and automated account deactivation processes.
  • Some of the considerations and strategies for implementing IAM controls.
  • The basics of auditing IAM, including specific controls that should be evaluated.

Member download.

Nonmembers may purchase Supplemental Guidance by visiting the IIA Bookstore.

Standards for auditing establish the general specifications that define the essential attributes required for a quality audit. They include the characteristics that should be met in planning, conducting, and reporting an audit, providing a basis for ensuring audit quality.

The IIA and the Government Accountability Office (GAO) are both recognized nationally and internationally as leaders in promoting high-quality audit work.  Respectively, these organizations have promulgated the International Professional Practices Framework (IPPF) and Generally Accepted Government Auditing Standards, the two most commonly used sets of standards for public sector auditing in the United States. References to these standards are available below.

The PSAC is committed to providing members with the latest, most relevant guidance and resources for auditors in the public sector and many other resources are consolidated for quick access below.

International Professional Practices Framework (IPPF)

The IPPF is the conceptual framework that organizes authoritative guidance promulgated by The IIA. A trustworthy, global, guidance-setting body, The IIA provides internal audit professionals worldwide with authoritative guidance organized in the IPPF as mandatory guidance and recommended guidance.

​Public Sector Practice Guides
​Assessing Organizational Governance in the Public Sector
​Auditing Grants in the Public Sector
​Creating an Internal Audit Competency Process for the Public Sector
​Unique Aspects of Internal Auditing in the Public Sector

Generally Accepted Government Auditing Standards (GAGAS)

From the GAO, GAGAS — often referred to as Yellow Book — provides a framework for conducting high-quality audits with competence, integrity, objectivity, and independence.

IPPF/GAGAS Comparison

The IIA has developed a guide that compares and contrasts these two guiding documents: IIA International Standards for the Professional Practice of Internal Auditing / Government Accountability Office / Government Audit Standards (GAGAS), A Comparison, 2nd Edition). ​Called the Red/Yellow book, it identifies the  differences between the two and offers suggestions for organizations that follow both.

Other Standards That May Apply to Government Audit Organizations

There are other sets of standards set by internationally-based organizations that may apply to public sector auditors in the United States. These include the International Standards of Supreme Audit Institutions (ISSAIs) set by the International Organisation of Supreme Audit Institutions (INTOSAI) and the International Standards on Auditing (ISA) set by the International Auditing and Assurance Standards Board (IAASB) under the authority of the International Federation of Accountants (IFAC).

Tools
NEW! Governance Toolkit
NEW! Internal Audit Assessment Tool
NEW! Cybersecurity Toolkit
NEW! Audit Report Toolkit
NEW! Considerations for Reliance
NEW! Determining Risk Owners
NEW! Establishing Objectives and Scope
NEW! Execute a Risk Assessment
NEW! Impact and Likelihood Scales
NEW! Mapping Process Flows

Signature Studies
NEW! OnRisk 2021: A Guide to Understanding, Aligning and Optimizing Risk
NEW! 2020 American Corporate Governance Index
NEW! 2021 Pulse of Internal Audit and Public Sector Pulse Fact Sheet

 

 

The IIA COSO Resource Exchangehttps://na.theiia.org/standards-guidance/topics/Pages/COSO-Resource-Center.aspxhttps://dl.theiia.org/instrep/PublishingImages/The-IIA-COSO-Resource-Exchange.pngThe IIA COSO Resource Exchangehttps://dl.theiia.org/instrep/Lists/CenterResourceExchange/DispForm.aspx?ID=9The IIA COSO Resource Exchange
CBOK Resource Exchangehttps://na.theiia.org/iiarf/Pages/Common-Body-of-Knowledge-CBOK.aspxhttps://dl.theiia.org/instrep/PublishingImages/CBOK-Resource-Exchange.jpgCBOK Resource Exchangehttps://dl.theiia.org/instrep/Lists/CenterResourceExchange/DispForm.aspx?ID=11CBOK Resource Exchange
The IIA Risk Resource Exchangehttps://na.theiia.org/standards-guidance/topics/Pages/Risk-Resource-Exchange.aspxhttps://dl.theiia.org/instrep/PublishingImages/The-IIA-Risk-Resource-Exchange.jpgThe IIA Risk Resource Exchangehttps://dl.theiia.org/instrep/Lists/CenterResourceExchange/DispForm.aspx?ID=12The IIA Risk Resource Exchange