CNAO pays attention to the internal controls of auditees. While using IT, organisations should also change their mechanisms and methods to maintain their internal controls. Standards of IT Governance are best practice setting out what and how to do, so auditors can use the as the criteria when checking internal controls.