www.theiia.org
What is GTAG?
GTAG - Global Technology Audit Guide
To provide easy-to-understand information technology audit guides to Chief Audit Executives, Audit Committees, and Executive Management
To provide a mechanism to quickly address new IT issues
To produce technical audit guides on a global scale
15 GTAGs published
GTAG-1
Information Technology Controls
It covers:
Understanding of IT controls
Importance of IT controls
Organizational roles and responsibilities for ensuring IT controls
Analyzing risks
Monitoring and techniques
IT control assessment
GTAG-2
Change and Patch Management Controls
It covers:
Why IT change and patch management controls are foundational to a healthy IT environment
How IT change and patch management controls help manage IT risks and costs
What works and doesn't work in practice
Sources of change and their likely impact on business objectives
GTAG-3
Continuous Auditing
It covers:
Role of continuous auditing in today's internal audit environment
Relationship of continuous auditing, continuous monitoring, and continuous assurance
The application and implementation of continuous auditing
Benefits of a continuous, integrated approach
GTAG-4
Management of IT Auditing
It covers:
Defining IT
IT-related Risks
Defining IT Audit Universe
Executing IT Auditing
Managing IT Auditing
Emerging Issues
GTAG-5
GTAG-6
GTAG-7
GTAG-8
Auditing Application Controls
It covers:
What is an application control?
What is the relationship between application controls and general controls?
Why rely on application controls?
How to scope a risk-based application control review
What are the steps to conduct an application controls review?
A list of key application controls
A sample audit program
GTAG-10
Business Continuity Management
It covers:
Helping communicate business continuity risk awareness and supporting management in its development and maintenance of a BCM program
Disaster recovery planning for continuity of critical information technology infrastructure and business application systems
Business Impact Analysis
Business Recovery and Continuity Strategy
Disaster Recovery for IT
Crisis Communications
GTAG-11
Developing the IT Audit Plan
It covers:
Understanding the organization and how IT supports it
Defining and understanding the IT environment
Identifying the role of risk assessments in determining the IT audit universe
Formalizing the annual IT audit plan
GTAG-12
Auditing IT Projects
It covers:
Key project management risks
How the internal audit activity can actively participate in the review of projects while maintaining independence
Five key components of IT projects for internal auditors to consider when building an audit approach
Types of project audits
A suggested list of questions for use in the IT project assessment
GTAG-14
Auditing User-developed Applications
It covers:
Direction on how to scope an internal audit of user-developed applications (UDAs)
Guidance on how the internal auditor's role as a consultant can be leveraged to assist management with developing an effective UDA control framework
Considerations that internal auditors should address when performing UDA audits
A sample UDA process flow as well as a UDA internal audit program and supporting worksheets to help internal auditors organize and execute an audit
GTAG-15
Information Security Governance
It covers:
Defining ISG
Helping internal auditors understand the right questions to ask and know what documentation is required
Describing the internal audit activity's (IAA) role in ISG
Steps to plan, test, and analyze an audit of ISG
GAIT
The Guide to the Assessment of IT Risk (GAIT) series describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each practice guide in the series addresses a specific aspect of IT risk and control assessments.
GAIT
The GAIT Methodology PG: a risk-based approach to assessing the scope of IT general controls as part of management's assessment of internal control required by Section 404 of SOX
GAIT for IT General Control Deficiency Assessment PG: an approach for evaluating whether any ITGC deficiencies identified during Section 404 assessments represent material weaknesses or significant deficiencies
GAIT
GAIT for Business and IT Risk PG: guidance for helping identify the IT controls that are critical to achieving business goals and objectives
Case Studies of Using GAIT-R to Scope PCI Compliance: following the GAIT-R principles and methodology, this paper provides two case studies of applying GAIT-R to PCI compliance