The IIA’s Third-Party Topical Requirement

The Topical Requirements are a new component of the Institute of Internal Auditors’ (IIA) International Professional Practices Framework (IPPF), introduced to provide internal auditors with consistent methodologies for assessing governance, risk management, and control processes in specific high-risk areas. These requirements are mandatory when internal audit engagements include the specific topic, ensuring a standardized approach across organizations.

What Is the Purpose of the Third-Party Topical Requirement?

The Third-Party Topical Requirement aims to guide internal auditors in evaluating the effectiveness of an organization’s third-party governance, risk management, and control processes. This is particularly pertinent given the increasing reliance on third-party relationships and the associated risks, including operational, reputational, and compliance challenges.

What Are the Key Components of the Third-Party Topical Requirement?

  1. Governance and Oversight
    • Assess the organization’s governance structures overseeing third-party relationships.
    • Ensure clear roles and responsibilities are defined for managing third-party risks.
  2. Risk Assessment and Due Diligence
    • Evaluate the processes for identifying and assessing risks associated with third parties.
    • Review due diligence procedures to ensure third parties meet the organization’s standards.
  3. Contractual Agreement
    • Examine contracts to verify they include necessary clauses addressing risk management, compliance, and performance expectations.
  4. Performance Monitoring and Compliance
    • Monitor third-party performance against agreed-upon metrics and compliance with contractual obligations.
    • Identify and address any deviations or issues promptly.
  5. Exit Strategies and Termination Procedures
    • Ensure there are clear procedures for disengaging from third-party relationships, including data handling and transition plans.

How to Implement the Requirements

  1. Understand the IIA’s Requirements and Scope
    • Review the official IIA Global Internal Audit Standards (2024) to understand the requirements.
    • Study the user guide provided by the IIA. The guide offers detailed considerations and examples to facilitate effective implementation.
    • Understand when it is mandatory; it must be applied if third-party risks are in scope for any audit engagement.
  2. Include Third-Party Risk in Your Audit Universe
    • Update your audit universe to include significant third-party relationships, e.g., IT vendors, supply chain partners, outsourced service providers.
    • Conduct a risk assessment to identify high-risk third parties based on:
      • Criticality to operations
      • Access to sensitive data
      • Legal or compliance obligations
  3. Plan the Engagement with a Third-Party Focus
    • Develop a specific audit plan focused on third-party governance, due diligence, and monitoring.
    • Define audit objectives such as:
      • Evaluate the adequacy of third-party risk assessment processes.
      • Assess whether contractual protections are adequate and enforced.

Is Compliance Required?

Internal audit functions are required to demonstrate conformance with the Topical Requirements during quality assessments. This includes documenting adherence to the specified standards and addressing any identified gaps.

To learn more about McKonly & Asbury’s Internal Audit services, contact Elaine Nissley, Director, or Victor Kong, Senior Manager, who have been providing internal audit services for over twenty years. We would love to discuss how we can assist you with your challenges.

About the Author

Victor Kong

Victor joined McKonly & Asbury in 2023 and is currently a Senior Manager with the firm. He is a member of the firm’s Audit & Assurance Segment and leads the firm’s Internal Audit practice. Victor is a Certified Internal Auditor (CIA)…