Key insights on IIA’s Third-Party Topical Requirement

  • April 27, 2026

Andy Banks

Partner, PwC Ireland (Republic of)

Shane Walker

Director, PwC Ireland (Republic of)

Why IA needs to consider the IIA’s new Third-Party Topical Requirement

The Institute of Internal Auditors (IIA) has published its new Third-Party Topical Requirement – it comes into effect from 15 September 2026.

As internal audit (IA) functions in Ireland implement their 2026 plan, they should consider the new topical requirement when auditing and reviewing third-party risks.  


What are topical requirements?

  • Topical requirements are a mandatory component of the International Professional Practices Framework. They give a consistent baseline for assessing specific risk areas.
  • Internal auditors must apply topical requirements in line with the Global Internal Audit Standards when they’re delivering assurance services on the topics released, if they’re included in the IA plan. Topical requirements are recommended, but not required, when giving advisory services.
  • Each topical requirement includes baseline expectations around governance, risk management and control.

When do topical requirements apply?

  • Each topical requirement becomes effective 12 months after it is issued.
  • It applies when the topic is one of the following: 
    • the subject of an engagement in the IA plan 
    • identified while performing an engagement 
    • the subject of an engagement request that wasn’t on the original IA plan

Documentation requirements

  • IA teams must document and retain evidence that each requirement in the topical requirement was assessed for applicability. Not all individual requirements may apply in every engagement. If a requirement is excluded, IA teams must document it and retain a rationale.

Have any been issued?

What is the Third-Party Topical Requirement?

What it is: 

  • Required when giving assurance in a specific area related to third-party risk (for example, third-party risk management programme audit or third-party audit) 
  • Covers third-party governance, risk management and control processes
  • Includes a supplemental user guide with optional documentation tool
  • Subject to inclusion in an external quality assessment

What it's not: 

  • A requirement for internal audit to audit third parties.
  • A comprehensive third-party work programme (need to consider any local laws and regulations specific to third-party risks in your territory).

Overview of the IIA Third-Party Topical Requirements

The IIA Third-Party Topical Requirements include an approach for assessing the design and implementation of third-party governance, risk management and control processes.

Governance

  • Policies and procedures for defining, assessing, contracting and managing third-party risks across the lifecycle
  • Roles and responsibilities for third-party management
  • Communication protocols related to third-party management

Risk management

  • Defined processes to manage third-party risks across key categories (for example, strategic, reputational, ethical, operational, financial, compliance, IT/cyber, legal, sustainability or geopolitical risks)
  • Risk assessment process ranking/prioritising third parties
  • Monitoring and escalation process for issues related to third parties

Control processes

  • Due diligence processes for third-party sourcing, selection and so on
  • Contracting and approval process
  • Onboarding processes (including third-party inventory or listing)
  • Ongoing monitoring processes
  • Corrective action and escalation process for performance issues
  • Renewal, expiration and offboarding processes.

Key actions businesses can take today

1. Review your 2026 risk assessment and internal audit plan

Identify internal audit and advisory projects where third-party risk applies. Ensure you flag all relevant engagements to be considered under the Third-Party Topical Requirements, as they come into effect from 15 September 2026.

2. Establish and embed a process to assess if third-party requirements apply

Define and implement a process for your engagement teams to consider in detail the applicability of the third-party governance, risk management and control processes aspects described by the IIA Third-Party Topical Requirements.

3. Define documentation requirements

Ensure your engagement teams document the results of the above applicability assessment, especially why any aspects are being excluded from the Third-Party Topical Requirements. Consider using IIA resources for this, such as this IIA documentation tool (appendix B, page 19).

4. Integrate third-party risk into your risk assessment and audit planning

Actively consider third-party risk in your risk assessment and annual or periodic IA planning. Work with senior leadership to identify emerging third-party risks and ensure your audit plan is dynamic and can respond adequately to emerging risks.

5. Foster a culture of continuous learning

Encourage your engagement teams to share lessons learned from audits involving third-party risks. Ensure you incorporate those lessons into:

  • your future risk assessment and internal audit plan
  • third-party requirements applicability assessments
  • audits involving third-party risk-related processes.

We are here to help you

PwC is deeply experienced in working across sectors to help firms efficiently and effectively transform their third-party risk management (TPRM) frameworks, to reflect regulatory guidance and leading best practice.

We are ready to support:

  • IA's risk assessment and how to consider third-party risk in your IA plan
  • Your third-party requirements applicability assessment and related documentation (such as for TPRM programme audit, specific third-party audit or a process audit where third-parties are integral to the process)
  • IA by carrying out a TPRM programme maturity assessment using our TPRM Framework – it covers all three assessment areas in the Topical Requirement – to set a strong foundation for IA's viewpoint on third-party risk

Our PwC TPRM team applies innovative approaches and technologies that help our clients effectively manage their risk exposure. They can then properly identify, mitigate and monitor the third-party risks most impactful to their operations. We help our clients design, build and manage fit-for-purpose third-party risk programmes that protect their operations, brand and reputation at an optimal cost to operations.


Contact us

Andy Banks

Partner, PwC Ireland (Republic of)

Shane Walker

Director, PwC Ireland (Republic of)

Damien Carty

Director, PwC Ireland (Republic of)

Marian Barry

Director, PwC Ireland (Republic of)
