Auditing Business Applications, 2nd Edition
Global Technology Audit Guide (GTAG) | Global Guidance | October 21, 2025

Given the critical role of applications as enablers of business processes, a risk-based internal audit plan should include engagements that evaluate standardized and system-specific controls to determine whether significant risks are adequately managed.
Common examples of business applications include enterprise resource planning, point-of-sale, industrial control, customer relationship management, and billing systems.
This guide draws from three widely used frameworks to help auditors work with IT-IS to develop an assessment plan and tests to evaluate the design and implementation of relevant controls.
The guidance replaces the previous edition published in 2021.