Audit & Best Practice Guides 

Updated: Thursday October 02, 2008


Alberta - Auditor General

Austria - Auditor General

Australia - Australian National Audit Office

Delaware - Office of Auditor of Accounts

Denmark - Rigsrevisionen

Germany - Bundesrechnungshof

India - Office of the Comptroller and Auditor General

Kentucky - The Auditor of Public Accounts

Minnesota - Office of the Legislative Auditor

New South Wales - Audit Office of New South Wales

Northern Territory - Northern Territory Auditor General's Office

Puerto Rico - Oficina del Contralor

Queensland - Queensland Audit Office

United Kingdom - Audit Commission

United Kingdom - UK National Audit Office

United States of America - Government Accountability Office

Virginia - Auditor of Public Accounts


Auditor General of Alberta



Auditing for the Public (.pdf, 2MB)

The authority and value of the legislative audit derive entirely from the fact that the auditor in expressing an opinion does so independently: "Since the time of Aristotle it has been accepted principle that state auditors should be free from direction, influence and intimidation by, and income or reward from, the authorities and persons whose affairs they are called upon to audit. No state auditor, or at any rate no chief state auditor, can afford to be without independence; he needs it as a judge needs it, in order to be impartial and fearless in criticism. He also needs it in order to be able to publicise his criticism in an open report." The title of this short volume says it all.

Surviving the Annual Audit (.pdf, 23KB)

Practical advice for a successful and stress-free financial statement and performance measures audit.

Improving Communication Between You and the Auditors (.pdf, 21KB)

Tips for ministries on audits of performance measures and on Section 7500* reviews of annual reports

Best Practices in Preparing an Integrated Results Analysis (.pdf, 26KB)

Good annual reports communicate reliable and relevant information about an organization’s performance. They allow readers to relate and compare financial and non-financial performance over time and assess whether an organization has met its goals. Guidelines for Government Organizations

Client Satisfaction Surveys (.pdf, 2MB)

If client satisfaction surveys are to provide accurate and useful information they must be properly conducted. Surveys must meet several key criteria if government organizations are to realize the maximum benefit from the investment in gathering survey information.


Austrian Court of Audit



Success in Information Technology Projects (.pdf, 388KB)

This paper outlines the Austrian Court of Audit's experience in IT audit, resulting in brief guidance for running better IT projects.



Australian National Audit Office



Internet Delivery Decisions (.pdf, 630 KB)


This Better Practice Guide contains various components to help managers make decisions about how best to use the Internet.

Business Continuity Management - Keeping the wheels in motion (.pdf, 2MB)

This Guide presents a structured approach to business continuity management. The approach involves identifying preventative treatments for continuity risks that can be routinely managed, and developing an organisation-wide business continuity plan to deal with the consequences should the preventative treatments fail.

Denmark

Rigsrevisionen

Use of IT-tools for statistic analysis and sampling (.htm)

This paper briefly outlines how the National Audit Office of Denmark has integrated the use of IT-tools in the audit products. The following subjects are considered in the paper: the IT products and their use (IDEA, NT auditor etc), statistical sampling, analysis of accounting information, audit of general IT-controls, IT-tools for benchmarking, access to data, process audit and lessons learned.

Planning of choice of methods for performance audit (.htm)

This article deals with the problems associated with that part of the planning phase in which the audit approach and audit methodology are decided. This part of the planning is crucial in relation to the selected subjects. The identification of an area or a subject as material and/or risky is insufficient in itself if the subsequent planning phase does not result in the choice of a relevant audit approach that generates the information that is of importance to the decision-maker. To generate this information, it is crucial to choose the correct methods and techniques.

Measuring results of performance audit (.htm)

The NAO has documented the results of its performance audit examinations during the past 4 years. This paper describes the methodology used and discusses the problems in relation to this documentation.

Governance as part of performance audit examinations (.htm)

This article summarises the lessons the NAO has learned in applying good governance as part of performance audit. It also presents perspectives for this kind of examination in future years.


Office of Auditor of Accounts



Internal Control Guide (.pdf, 223KB) March 2000

More than ever, taxpayers are demanding that government resources be used efficiently, economically and effectively. Government employees entrusted with public resources are responsible for safeguarding assets, complying with laws and regulations, and meeting goals and objectives. An adequate system of internal controls can assist government employees to carry out these responsibilities.

Traditionally, internal control applied only to accounting activities. Today, internal control affects virtually every aspect of an organization's operations.

Internal Control Examples (.pdf, 172KB) March 2000

Examples of control objectives, potential errors and control activities for related agency cycles.


The Bundesrechnungshof



Guidelines for Outsourcing Information & Communications Technology

These guidelines for auditing the outsourcing of ICT functions are published by Germany’s 16 state courts of audit in response to recent developments in government operations.

The critical importance of ICT in the delivery of quality government services prompts a uniform approach by external audit bodies to the complex field of outsourcing. Outsourcing ICT is not without risk, and is still to some extent a new field of government activity.

These guidelines aim to provide practical suggestions for adopting a new approach to designing and implementing ICT audits.


Office of the Comptroller and Auditor General



Information Technology Audit: General Principles. (IT Audit Monograph Series # 1)    


Controls in a computer information system reflect the policies, procedures, practices and organisational structures designed to provide reasonable assurance that objectives will be achieved. The controls in a computer system ensure effectiveness and efficiency of operations, reliability of financial reporting and compliance with the rules and regulations...

Survey Questionnaire for IT Applications

Planning questionnaire to be completed prior to an IT Application audit.


The Auditor of Public Accounts



Vulnerability Study Checklist

(See also IT Resource page)

This checklist provides an authorized information technology auditor with information and tools helpful in performing a basic study of a host computer in order to identify enticements (conditions that would entice a potential intruder to probe further) and vulnerabilities (anything which could provide an unauthorized intruder access). This information is also intended for network administrators who want to better secure the hosts and networks for which they are responsible.


Office of The Legislative Auditor



Local E-Government - April, 2002

Summary (.pdf, 186KB)

Full Report (.pdf, 3.5MB)

E-government is information or services provided on-line by local governments to individuals using the Internet and Web sites. It ranges from simple Web sites conveying only basic information to very complex sites that transform the customary ways of delivering local services. Because successful e-government requires ongoing resources, local governments need to weigh the potential costs against likely benefits before implementing it.

This report identifies best practices for local governments, including cities, counties, and school districts, that deliver e-government services to citizens via the Internet.

Managing Local Government Computer Systems - April, 2002

Summary (.pdf, 350 KB)

Full Report (.pdf, 2.4 MB)

Local governments may manage their computer systems in-house, by outside vendors, by an intergovernmental computer collaboration, or by a combination of these three approaches. This report recommends that counties, cities, and school districts adopt certain best practices as they consider how they want to manage their computer systems. It discusses best practices for managing computer systems for local governments, including reliance on vendors, intergovernmental collaborations, and/or in-house staff.

New South Wales

Audit Office of New South Wales



Intellectual Property - Better Practice Guide

(Oct 2001 .pdf, 1600KB)

See also Better Practice Guide


The guide contains checklists for better practice. It aims to assist agencies developing policies and procedures to manage Intellectual Property more efficiently and effectively.

E-government readiness assessment guide (Sept 2001)

This guide draws from the research assembled in the performance audit, "e-government - Use of the Internet and related technologies to improve public sector performance" (above). It addresses issues at the agency level, in a self-help guide format.

Puerto Rico

Oficina del Contralor



Las Mejores Prácticas para la Adquisición y Utilización de la Tecnología de la Información

(Best Practices for the Acquisition and Utilisation of Information Technology)

  1. Proceso de Adquisición (Acquisition Process)

  2. Proceso de Pre-Implantación (Pre-Implementation Process)

  3. Proceso de Implantación (Implementation Process)

  4. Proceso de Post-Implantación (Post-Implementation Process)

  5. Proceso de Utilización y Seguridad (Usage and Security Process)

  6. Hallazgos más comunes según las auditorías realizadas por la Oficina del Contralor de Puerto Rico (Most common findings following audits carried out by the Office of the Controller of Puerto Rico)

Diez Principios Para Lograr Una Administración Pública De Excelencia

(Ten Principles To Achieve Excellence In Public Administration)

Responsabilidad de la gerencia

(Management responsibility)

United Kingdom

Audit Commission



Project Survival Toolkit (.pdf, 84KB)

We sought views on why some projects are sustained and others close. These projects can be grouped under four headings: operating environment, partnerships, communities and project management. In this article we draw on these views to develop a "project survival tool kit" aimed at helping those projects that require public money if they are to continue to meet local needs.

United Kingdom

National Audit Office



Audit Briefing - Electronic Records Management (.doc, 376KB)

A short paper designed to raise auditors' awareness of the "authenticity" issues surrounding the use of electronic audit evidence.

Audit Briefing - Firewalls (.doc, 265KB)

A short paper designed to raise auditors' awareness of the purpose and operation of firewalls.

Audit Briefing - WLANs (.pdf, 295KB)

A short paper designed to raise auditors' awareness of WLAN technology.

Review of Information Systems - Workbook (.pdf, 300KB)

Explanation to accompany the following checklist.

Review of Information Systems - Checklist (.pdf, 98KB)

Checklist covering system operation activities in the following areas: change & configuration management; operation and maintenance; information security management.

Summary of control objectives - Change & Configuration Management (.pdf, 114KB)

Analysis of common risks, control strategies, and suggested topics for discussion with the audit client.

Summary of control objectives - Computer Operations (.pdf, 122KB)

Analysis of common risks, control strategies, and suggested topics for discussion with the audit client.

Summary of control objectives - Information Security Management (.pdf, 128KB)

Analysis of common risks, control strategies, and suggested topics for discussion with the audit client.

Review of System Development - Overview (.pdf, 150KB)

A brief overview for external auditors of the system development process.

Review of System Development - Checklist (.pdf, 170KB)

A checklist for external auditors on system development.

IT audit training course material

AP4 course notes (.zip, 2.7MB)

Misc. course notes (.zip, 1.9MB)

Training notes and support material on various IT-related topics, including programme and project management, e-business, quality management and business continuity management. Although no longer in use, this material may provide a useful basis for further development.

Software available for 'value for money' examinations (.pdf, 1.8MB)

This leaflet provides summary information on the software that we currently hold together with key points on its value to vfm work. The software is divided into six main groups: Planning, Surveys, Data Analysis and Modelling, Text Analysis, Charting, and Presentation.

Collecting, analysing, and presenting data: how software can help (.pdf, 340KB)

A key feature of good quality value for money reports is a comprehensive analysis of data. Software can assist in a number of ways.

United States of America

Government Accountability Office



Assessing The Reliability of Computer Processed Data (.pdf 181KB, Oct 2002)


This guidance is intended to demystify the assessment of computer processed data. It supplements GAO’s "Yellow Book" (Government Auditing Standards, 1994 Revision), which defines the generally accepted government auditing standards (GAGAS), and replaces the earlier GAO guidance, Assessing the Reliability of Computer-Processed Data (GAO/OP-8.1.3, Sept. 1990).

Federal Information System Controls Audit Manual: Volume I Financial Statement Audits. AIMD-12.19.6, (.pdf, 2.3MB) June 2001.

Download appendices 1-4, 10 that allow users to enter data to support the gathering and analysis of audit evidence. (.zip, 75KB)


Federal agencies, the Congress, and the public rely on computer-based information systems to carry out agency programs, manage federal resources, and report program costs and benefits. The methodology outlined in this manual provides guidance to auditors in evaluating internal controls over the integrity, confidentiality, and availability of data maintained in these systems. The manual is primarily designed for evaluations of general and application controls over financial information systems that support agency business operations. However, it could also be used when evaluating the general and application controls over computer-processed data from agency program information systems, as called for in Government Auditing Standards.

Electronic Law Enforcement: Introduction to Investigations in an Electronic Environment

GAO-01-121G (.html), February 2001.

The Office of Special Investigations (OSI) is a specialized unit within GAO created to meet the Congress' need for quick, focused responses to questions and issues of criminal activity, fraud, and abuse. Staffed with senior criminal investigators, its primary mission is to identify and investigate potential fraud, criminal misconduct, and serious wrongdoing involving federal funds, programs, and activities.

OSI has two special publications created as a service to the investigative and law enforcement communities: Investigators' Guide to Sources of Information (GAO/OSI-97-2) and Electronic Law Enforcement: Introduction to Investigations in an Electronic Environment (GAO-01-121G).

Executive Guide: Maximizing the Success of Chief Information Officers: Learning from Leading Organizations

GAO-01-376G, February 2001

This guide is intended to assist federal agencies in maximizing the success of chief information officers (CIO). Principles and practices gleaned from the case studies presented in this guide offer concrete suggestions on what agency executives can do to ensure the effectiveness of their CIO organizations.

Executive Guide: Creating Value Through World-Class Financial Management. GAO/AIMD-00-134. April 2000.

This executive guide is intended to assist federal agencies in achieving the objectives of the Chief Financial Officers (CFO) Act of 1990 and subsequent related legislation by providing case studies of 11 practices critical for establishing and maintaining sound financial operations.

Core Financial System Checklist: Checklist for Reviewing Systems Under the Federal Financial Management Improvement Act

This checklist assists agencies in implementing and monitoring their core systems, and management and auditors in reviewing agency core systems to determine if they substantially comply with the Federal Financial Management Improvement Act. AIMD-00-21.2.2, February 2000.

Information Security Risk Assessment: Practices of Leading Organizations. GAO/AIMD-00-33 November, 1999

This guide is intended to help federal managers implement an ongoing information security risk assessment process by providing examples, or case studies, of practical risk assessment procedures that have been successfully adopted by four organizations known for their efforts to implement good risk assessment practices. 

Executive Guide: Leading Practices in Capital Decision-Making. GAO/AIMD-99-32. December 1998.

This executive guide summarizes 12 fundamental practices that have been successfully implemented by organizations recognized for their outstanding capital decision-making practices. It also provides examples of leading practices from which the federal government may be able to draw lessons and ideas. 

Executive Guide: Measuring Performance and Demonstrating Results of Information Technology Investments. GAO/AIMD-98-89. March 1998.

By using comprehensive performance information, more informed decisions can be made about IT investments at a time when resources are limited and public demands for better government service are high.

Executive Guide: Information Security Management: Learning From Leading Organizations

GAO/AIMD-98-68. (.pdf, 239KB) May, 1998.

Increased computer interconnectivity and the popularity of the Internet are offering organizations of all types unprecedented opportunities to improve operations by reducing paper processing, cutting costs, and sharing information. However, the success of many of these efforts depends, in part, on an organization's ability to protect the integrity, confidentiality, and availability of the data and systems it relies on.

Business Process Re-engineering Guide.

AIMD-10.1.15 April 1997.

This guide is designed to help auditors review business process re-engineering projects in a federal setting, determine the soundness of these efforts, and identify actions needed to improve the prospects for their success.

Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity (Exposure Draft). AIMD-10.1.23

Guidance that provides a method for evaluating and assessing how well a federal agency is selecting and managing its IT resources and identifies specific areas where improvements can be made.

Executive Guide: Improving Mission Performance Through Strategic Information Management and Technology. AIMD-94-115. May 1, 1994. 48 pp.

Federal agencies have not kept pace with evolving management practices and skills necessary to define critical information needs, and select, apply and control changing information technologies. This report focuses on what agencies can do now to improve performance by using new approaches to managing information and related technologies. It summarizes 11 fundamental practices that led to performance improvements, both short- and long-term, in leading private and public organizations. 


Auditor of Public Accounts



Information Security

This section of the Auditor of Public Accounts website provides guidance on what constitutes strong information security policy development, implementation, and maintenance:

Frequently Asked Questions

Security Framework

Sample Policies & Procedures

