
What Internal Audit Teams Need to Know About the New Third-Party Topical Requirement

October 31, 2025

The IIA has issued another of its “Topical Requirements,” the mandatory components of its International Professional Practices Framework, this time covering third parties. It is intended to help internal audit functions identify, assess and manage third-party risk more effectively, and to establish a baseline for providing assurance services in this area.

Here's how Anthony Pugliese, President and CEO of the IIA, explained the new requirement:

“Particularly in light of geopolitical shifts that are driving global trade and supply chain disruptions, third-party relationships can present a number of threats to organizations including operational, reputational and compliance risks. It’s more important than ever that organizations today have a robust and consistent approach to assessing third-party risk management and control processes.” 

Issued on Sept. 15, 2025, the new topical requirement takes effect a year later, on Sept. 15, 2026. So now is the time to integrate it into your 2026 internal audit plan and risk assessment, so that you are prepared for any assurance engagements after the effective date.

When does the Topical Requirement apply?

The new requirement related to third parties applies when an internal audit function is performing assurance engagements on any third-party or subcontractor relationship — defined by the IIA as “an external individual, group, or entity with whom an organization establishes a business relationship to obtain products or services.” It’s not intended for employees or any indirect external relationships with the primary organization (for example, board members, regulators, agents, trustees, etc.).

The IIA recognizes that every organization may define “third party” in a different way, so it recommends that internal auditors use their best judgment to adapt the rule appropriately.

What are the key components of the new Third-Party Requirements?

The requirement states that if any significant risks involve a third party, certain components should be incorporated into the Engagement Planning Memorandum and specific steps should be taken by the team:

Governance

  • Include all third-party relationships in your strategic plan and risk assessment.
  • Periodically review all third-party policies and procedures.

Risk Management

  • Rate and prioritize third-party risks, and establish a process to manage and escalate any issues.

Controls

  • Establish a comprehensive due diligence process for third-party selection, as well as justification for the relationship and a detailed cost-benefit analysis.
  • Ensure all contracting is consistent with the company’s policies and procedures, and that all final contracts are reviewed and approved by relevant stakeholders (including compliance and legal).
  • Maintain a complete listing of all third-party contracts.
  • Create onboarding processes that communicate the terms of the contract.
  • Establish access provisioning in accordance with the company’s Access Policy (physical and logical) with expiration date, if applicable.
  • Evaluate KPIs and establish procedures when results are outside the parameters.
  • Implement a formal offboarding plan that’s consistent with contractual clauses, including revoking access and data rights and reassigning (or destroying) sensitive information.
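Several of the controls above (a complete contract listing, stakeholder approval, access with an expiration date, and revocation at offboarding) can be tested directly by reconciling the third-party access register against the contract register. The following is an added example of such a check, written for this article and not taken from the IIA guidance or its user guide; the vendor names, systems, dates and the two-register data model are constructed sample data, and the set of required approvers is an assumption you would replace with your own policy.

```python
"""Added example (not from the article or the IIA guidance): reconcile a
third-party access register against the contract register to test the
provisioning, approval and offboarding controls.

All vendors, systems and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Contract:
    vendor: str
    status: str                 # "active" or "terminated"
    end_date: Optional[date]    # contractual end date, if recorded
    approved_by: frozenset      # stakeholders who signed off on the contract


@dataclass(frozen=True)
class Grant:
    vendor: str
    system: str                 # application, network or a physical badge
    kind: str                   # "logical" or "physical"
    expires: Optional[date]     # None means no expiration date was set
    active: bool                # False once access has been revoked


@dataclass(frozen=True)
class Finding:
    vendor: str
    system: str
    reason: str


# Assumption: policy requires legal and compliance sign-off on every contract.
REQUIRED_APPROVERS = frozenset({"legal", "compliance"})


def review_access(contracts, grants, as_of):
    """Return findings where the access register disagrees with the contract register."""
    by_vendor = {c.vendor: c for c in contracts}
    findings = []
    for g in grants:
        if not g.active:
            continue                      # already revoked: nothing to test
        c = by_vendor.get(g.vendor)
        if c is None:
            findings.append(Finding(g.vendor, g.system, "active access with no contract in the register"))
            continue
        if c.status == "terminated":
            findings.append(Finding(g.vendor, g.system, "access not revoked after contract termination"))
            continue                      # strongest finding for this grant; skip the weaker ones
        if g.expires is None:
            findings.append(Finding(g.vendor, g.system, "no expiration date on access"))
        elif g.expires < as_of:
            findings.append(Finding(g.vendor, g.system, "access past its expiration date but still active"))
        elif c.end_date is not None and g.expires > c.end_date:
            findings.append(Finding(g.vendor, g.system, "access expires after the contract ends"))
    for c in contracts:
        if c.status == "active" and not REQUIRED_APPROVERS <= c.approved_by:
            missing = ", ".join(sorted(REQUIRED_APPROVERS - c.approved_by))
            findings.append(Finding(c.vendor, "(contract)", f"contract not approved by: {missing}"))
    return findings


# Constructed sample registers, reviewed as of the article's publication date.
AS_OF = date(2025, 10, 31)

CONTRACTS = [
    Contract("Acme Claims Processing", "active", date(2026, 12, 31), frozenset({"legal", "compliance", "procurement"})),
    Contract("Northwind Print", "terminated", date(2025, 6, 30), frozenset({"legal", "compliance"})),
    Contract("Contoso Analytics", "active", date(2026, 3, 31), frozenset({"procurement"})),
]

GRANTS = [
    Grant("Acme Claims Processing", "claims-db", "logical", date(2026, 12, 31), True),   # compliant
    Grant("Acme Claims Processing", "HQ badge", "physical", None, True),                 # no expiry
    Grant("Northwind Print", "print-server", "logical", date(2025, 12, 31), True),       # not offboarded
    Grant("Northwind Print", "old-vpn", "logical", date(2025, 1, 1), False),             # revoked, ignored
    Grant("Contoso Analytics", "data-lake", "logical", date(2025, 9, 30), True),         # expired, still on
    Grant("Contoso Analytics", "vpn", "logical", date(2027, 1, 1), True),                # outlives contract
    Grant("Fabrikam Transfer", "sftp-gateway", "logical", date(2026, 1, 1), True),       # no contract
]


def run_review():
    """Run the reconciliation over the constructed sample data."""
    return review_access(CONTRACTS, GRANTS, AS_OF)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.vendor:24} {f.system:14} {f.reason}")
```

Each finding maps back to one of the controls listed above, which makes the output usable as audit evidence: an active grant with no matching contract tests the completeness of the contract listing, an unrevoked grant for a terminated contract tests offboarding, a missing or overdue expiration tests access provisioning, and the approval check tests contract review. Export the real registers from the identity and contract systems in the same two shapes and the check runs unchanged.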

Where do I go from here?

The goal of the third-party topical requirement is to provide a consistent approach to third-party engagements. The key takeaway: if any significant risks involve a third party, the governance, risk management and controls components above should be incorporated into the engagement, and the documentation should state which components will be addressed in the audit (and which won't).

Thankfully, the IIA has published a user guide with more detail on each of these components and even offers optional documentation tools and real-life examples so you can see how the new requirement might apply to your day-to-day work.

Have questions? Does the new requirement add value to your engagements, or is it simply an additional administrative burden? Reach out to me or a member of the team, and we’ll be happy to help!

About the Author

Brett Hedberg specializes in working with clients in the insurance and financial services industries. His background in risk-based auditing, compliance, and information security allows him to design the right plan for clients. Additionally, Brett provides consulting services for companies needing assistance with internal auditing, compliance...
