This guide is the second edition of the first installment in the GTAG series — GTAG 1: Information Technology Controls — which was published in March 2005. Its goal was, and is, to provide an overview of the topic of IT-related risks and controls.
This GTAG is provided as a service to members of The IIA.
Learn more about the value of an IIA Membership.
This GTAG helps chief audit executives (CAEs) and their teams keep pace with the ever-changing and sometimes complex world of information technology (IT). It provides an overview of IT related risks and controls written in a reader-friendly style for business executives, rather than the highly technical language that can often alienate those outside of IT management.
Both senior management and the audit committee have an expectation that the internal audit activity will provide assurance around all important risks, including those introduced or enabled by the implementation of IT. The GTAG series helps the CAE and internal auditors become more knowledgeable of the risk, control, and governance issues surrounding technology.
The goal of the first GTAG is to help internal auditors become more comfortable with general IT controls so they can confidently communicate with their audit committee and exchange risk and control ideas with the chief information officer (CIO) and IT management. This GTAG describes how members of governing bodies, executives, IT professionals, and internal auditors address significant IT related risk and control issues and presents relevant frameworks for assessing IT risk and controls. Moreover, it sets the stage for subsequent GTAG’s that cover specific IT topics and associated business roles and responsibilities in greater detail
Prepared by The Institute of Internal Auditors (The IIA), each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology (IT) management, control, and security. The GTAG series serves as a ready resource for chief audit executives on different technology-associated risks and recommended practices.