The Institute of Internal Auditors has released a draft version of its Organizational Behavior Topical Requirement, now open for public comment through August 22. Insights gathered will help shape the final document and establish a clear baseline and relevant criteria for providing assurance services related to organizational behavior risks.
Developed with input from internal audit practitioners and stakeholders globally, the Organizational Behavior Topical Requirement aims to reframe culture risk as the risk of behavior misaligned with strategic objectives, said the IIA in a statement.
The Topical Requirement will establish minimum mandatory requirements that internal auditors are expected to assess whenever organizational behavior is included in the scope of an assurance engagement as a result of the risk assessment process. As with any risk, organizations can manage this by designing appropriate controls and implementing them effectively.
“In today’s complex business environment, it is critical to promote positive organizational behavior to sustain strong governance,” said Anthony Pugliese, president and CEO of the IIA. “From reputation and compliance to long-term performance, ensuring behaviors align with the organization’s values and strategic objectives is fundamental to an organization’s success. By framing organizational behavior as a risk to be actively managed, this Topical Requirement helps equip the profession with clearer expectations and stronger tools to provide assurance in an area that’s increasingly critical to sustainable success.”
What Are Topical Requirements?
The topical requirements are a central element of the IIA’s broader International Professional Practices Framework, complementing the Global Internal Audit Standards and Global Guidance. While not mandating inclusion of the risk topics in audit plans, they set a minimum baseline for auditing these areas.
Released in February, the first topical requirement focuses on Cybersecurity governance, risk management and control processes. A second, covering Third-Party, was opened for publish comment in March, and a final version is expected to be issued in September. Additional topics are currently in development. These requirements are fully compatible with the traditional risk-based audit approach and can be applied, with minimal adaptation, across all audit functions.
Stakeholders are invited to review the draft topical requirement along with the accompanying draft user guide and contribute feedback via the public comment survey between July 8 and August 22. An educational video from experts on organizational behavior is available on the IIA’s public comment page. A free webinar is scheduled for August 6 from 12-1 p.m. ET. 