The Institute of Internal Auditors Opens Third-Party Topical Requirement for Public Comment

Auditing | March 6, 2025

The Topical Requirements are a key element of The IIA’s broader International Professional Practices Framework, alongside the Global Internal Audit Standards and Global Guidance.

Isaac M. O'Bannon

The Institute of Internal Auditors has released a draft of the Third-Party Topical Requirement, open for public comment until April 20. Internal auditors and stakeholders are invited to participate in the public comment survey to share their feedback on the draft and help shape the criteria and requirements for providing assurance on governance, risk management, and control processes related to third parties.

The Topical Requirements are a key element of The IIA’s broader International Professional Practices Framework, alongside the Global Internal Audit Standards and Global Guidance. While they do not mandate that a specific risk area be included in audit plans, they provide practitioners with a set of baseline requirements for assessing key risk areas that impact organizations globally and are likely to be included in most audit plans. 

Developed with input from internal audit practitioners and stakeholders globally, the Third-Party Topical Requirement provides a consistent and comprehensive approach to assessing the design and implementation of third-party governance, risk management, and control processes.

“We’ve developed a Topical Requirement on third-party relationships due to the pervasiveness of third-party risks for organizations today,” said Anthony Pugliese, CIA, CPA, CGMA, CITP, President and CEO of The IIA. “Particularly in light of geopolitical shifts that are driving global trade and supply chain disruptions, third-party relationships can present a number of threats to organizations including operational, reputational and compliance risks. It’s more important than ever that organizations today have a robust and consistent approach to assessing third-party risk management and control processes.” 

The first Topical Requirement was released in February and provided requirements for internal auditors providing assurance on cybersecurity governance, risk management and control processes. Additional topics in development include business culture, business resilience, and anti-corruption and bribery.

Participants are invited to review the draft Third-Party Topical Requirement in English and submit their feedback between March 6 and April 20 via the survey. Both the draft and the survey are available in several languages. The Third-Party Topical Requirement is also accompanied by a user guide that provides supplementary considerations. All documents are available at www.theiia.org/comment.


Comments: 1

Ahmed Mohamed Hashi, March 14 2025 at 9:50 am

Key Comments and Suggestions:

Strengthening Practical Guidance: The requirement outlines key principles effectively, but additional real-world case studies or industry-specific examples would enhance usability. More practical tools (e.g., risk assessment templates) would support auditors in implementing these requirements efficiently.

Scalability for Different Organizations: The framework is well-suited for large organizations, but guidance for SMEs is needed. Many smaller entities lack extensive resources for third-party risk management but still face significant risks. A tiered approach based on organization size and complexity would make the requirement more adaptable.

Integration with Existing Risk Frameworks: Clearer alignment with global risk management standards (e.g., ISO 31000, COSO ERM, NIST Cybersecurity Framework) would facilitate better adoption. Cross-referencing these standards could help organizations integrate third-party risk assessments within existing audit and compliance frameworks.

Clarification of Internal Audit’s Role: Further distinction between assurance and advisory responsibilities in third-party risk management would improve clarity. Internal auditors play a key role in providing independent assurance, but their role in advising on third-party governance practices should be well-defined to avoid conflicts.

Conclusion: The Third-Party Topical Requirement is a strong addition to the IPPF and will help internal auditors provide valuable oversight in this critical risk area. With slight enhancements in practical guidance, scalability, and integration with existing frameworks, the requirement will be even more effective. Thank you for the opportunity to contribute feedback.
