The Institute of Internal Auditors released a draft of its Third-Party “Topical Requirement.” The document provides a consistent and comprehensive approach to assessing the design and implementation of third-party governance, risk management, and control processes. It was developed with input from internal audit practitioners and stakeholders globally, says the IIA.
Topical requirements are a set of guidance reports on specific areas that are intended to add to the IIA’s recently enacted Global Internal Audit Standards. They provide a consistent baseline for assessing specific risk areas.
The IIA is asking for public comments on the draft, open until April 20. Internal auditors and stakeholders are invited to participate in the public comment survey to share their feedback on the draft and help shape the criteria and requirements for providing assurance on governance, risk management, and control processes related to third parties.
The Topical Requirements are a key element of The IIA’s broader International Professional Practices Framework, alongside the Global Internal Audit Standards. While they do not mandate that a specific risk area be included in audit plans, they provide practitioners with a set of baseline requirements for assessing key risk areas that impact organizations globally and are likely to be included in most audit plans.
“We’ve developed a Topical Requirement on third-party relationships due to the pervasiveness of third-party risks for organizations today,” said Anthony Pugliese, President and CEO of The IIA. “Particularly in light of geopolitical shifts that are driving global trade and supply chain disruptions, third-party relationships can present a number of threats to organizations including operational, reputational and compliance risks. It’s more important than ever that organizations today have a robust and consistent approach to assessing third-party risk management and control processes.”
The first Topical Requirement was released in February and provided requirements for internal auditors providing assurance on Cybersecurity governance, risk management and control processes. Additional topics in development include business culture, business resilience, and anti-corruption and bribery.
Participants are invited to review the draft Third-Party Topical Requirement and submit their feedback by April 20 via the survey. Both the draft and the survey are available in several languages. The Third-Party Topical Requirement is also accompanied by user guide that provides supplementary considerations. 