August 5, 2025

The IIA's third-party topical requirement: A mandatory shift in audit accountability

Mike Miller

In March 2025, the Institute of Internal Auditors (IIA) released a draft of its Third-Party Topical Requirement for public comment. Once finalized, it will set a mandatory minimum baseline for how internal auditors evaluate the governance, risk management, and controls around third-party relationships. As organizations lean on third parties for efficiency, scale, and innovation, the requirement responds to growing exposure across global supply chains, IT ecosystems, and vendor agreements.

This article explores the full implications of the IIA’s proposal, highlighting its structure, rationale, and critical mandates. Understanding this requirement is essential for audit leaders, risk professionals, and executives, not only for compliance but also for building resilience in an interconnected business environment.

Why now? The third-party risk explosion

Third-party risks are not new, but their scope has exploded. In the wake of high-profile cybersecurity breaches, regulatory crackdowns, and geopolitical instability, organizations have learned a hard truth: you can outsource services, but you can’t outsource responsibility.

Third parties today include cloud service providers, software vendors, logistics partners, consultants, and subcontractors. If any one of these entities fails—due to insolvency, non-compliance, poor cyber hygiene, or ethical lapses—the reputational and financial consequences land squarely on the shoulders of the contracting organization.

The IIA recognizes this growing exposure and aims to equip auditors with a framework that:

  • Ensures consistent evaluation of third-party arrangements
  • Supports proactive risk management across the third-party lifecycle
  • Promotes accountability in governance structures
  • Elevates audit quality and reliability

What are topical requirements?

Topical Requirements, newly introduced under the International Professional Practices Framework (IPPF), are binding standards for assurance services. They define minimum expectations when auditing a particular topic. For third-party relationships, conformance is mandatory when:

  1. The engagement is included in the internal audit plan
  2. A third-party risk is identified during an audit
  3. Management requests an engagement on third-party risk

Audit teams must document how each requirement within the Topical Requirement was assessed and whether it applied to the engagement. Any requirement excluded as not applicable must be justified in the workpapers.

Importantly, while advisory services are not required to follow these mandates, the IIA strongly recommends their use to uphold professional quality.

What counts as a third party?

The IIA defines third parties as any external individuals or entities in a formalized business relationship with the organization. This includes:

  • Vendors and suppliers
  • Contractors and subcontractors
  • Outsourced service providers
  • Agencies and consultants
  • Downstream subcontractors

Employees, regulators, and investors fall outside the definition. When a third party subcontracts work to additional entities (fourth parties), however, auditors must evaluate how the organization's governance and controls extend to those downstream providers.

The risks at stake: More than just financial

The draft identifies key third-party risk categories that internal auditors must evaluate:

  • Operational: Service disruptions, inability to meet business objectives
  • Cybersecurity: Data breaches, loss of sensitive information
  • Financial: Insolvency, hidden liabilities, unreliable funding
  • Compliance: Breaches of regulatory frameworks, international standards
  • Legal: Contract violations, IP disputes, inadequate due diligence
  • Reputational: Environmental or social harm, unethical conduct, public fallout

When these risks materialize, it’s the primary organization—not the vendor—that answers to regulators, shareholders, and the public.

A lifecycle approach: From selection to offboarding

One of the requirement’s most significant contributions is a structured approach across the third-party lifecycle:

  1. Selection
  2. Contracting
  3. Onboarding
  4. Monitoring
  5. Offboarding

Each phase has embedded risks and demands strong governance, policies, and controls.

Governance: Oversight, structure, and communication

Internal auditors are required to assess the organization's governance practices related to third-party oversight. This includes:

  • A formal, periodically reviewed decision-making framework to determine whether to engage a third party
  • Documented policies aligned with regulatory requirements that govern third-party relationships across the lifecycle
  • Clearly defined roles, responsibilities, and required competencies for managing third-party engagements
  • Communication protocols that report third-party risk and performance to all relevant stakeholders, including the board, HR, risk, legal, compliance, and operations

These practices support transparency and enable faster, better-informed decisions when a third-party incident occurs.

Risk management: Identification, ranking, response

Risk management must follow a standardized method while remaining tailored to the organization's range of exposures. Internal auditors must verify that the organization:

  • Conducts comprehensive risk assessments that classify and rank third parties based on severity and exposure
  • Develops appropriate, monitored, and documented risk responses
  • Has mechanisms to escalate and remediate issues that arise from third-party failures
  • Periodically reviews and adjusts risk assessments in response to market shifts, business changes, or incidents

This is not a one-time activity but a dynamic, ongoing process that adjusts to real-world developments.

Controls: Evidence of execution and monitoring

Effective third-party risk governance is only as good as its operational controls. Internal auditors must evaluate whether the following are present and effective:

  • Business Case Justification: Documentation supporting the rationale for each third-party relationship
  • Due Diligence: Financial checks, cybersecurity reviews, legal vetting, bank verification
  • Contracting Procedures: Cross-functional involvement, legal approval, secure storage
  • Contract Oversight: Assigned contract owners and an updated centralized contract system
  • Onboarding Protocols: Processes to ensure third parties understand and meet expectations
  • Performance Monitoring: Systems to track compliance with contract terms and key performance indicators
  • Incident Management: Escalation rules, post-incident reviews, root cause analysis
  • Renewal Tracking: Proactive oversight of contract expirations and renewals
  • Offboarding Plans: Steps for termination, data retrieval or destruction, and access revocation

These are not merely administrative tasks; they are the safeguards that keep third-party risk from going unmanaged between the initial decision to engage and the final termination.

Implications for the profession: Raising the bar

The introduction of the Third-Party Topical Requirement is more than a compliance checklist—it's a call to elevate the internal audit function. By mandating these assessments, the IIA is signaling a shift in how the profession is expected to operate:

  • Internal auditors will need to deepen their understanding of vendor risk, cybersecurity, legal frameworks, and data privacy laws.
  • Audit teams must collaborate more extensively with procurement, compliance, IT security, and legal departments.
  • There will be greater expectations for technology adoption, especially in contract lifecycle management, automated monitoring, and risk analytics.

For many audit shops, this represents a major capacity and skills challenge. But it also opens the door for a more strategic, empowered internal audit function.

What organizations should do now

To prepare for the finalized version of this Topical Requirement, organizations should:

  1. Assess readiness: Benchmark current third-party audit practices against the draft requirements.
  2. Review and update policies: Ensure alignment with regulatory obligations and lifecycle best practices.
  3. Map roles and responsibilities: Clearly assign ownership for third-party governance, risk, and control tasks.
  4. Invest in systems: Consider centralized platforms for contract management, risk scoring, and issue escalation.
  5. Train internal auditors: Equip them with cross-functional knowledge in compliance, cybersecurity, and supplier management.
  6. Engage stakeholders: Bring executive leadership into the conversation about third-party risk accountability.

The IIA's Third-Party Topical Requirement is not just timely—it's transformative. As organizations navigate increasing regulatory pressures and interdependent ecosystems, this new standard reinforces the idea that accountability does not end where outsourcing begins.

Internal audit has a central role to play in evaluating, strengthening, and assuring third-party relationships. This requirement gives auditors the structure, authority, and clarity they need to meet that challenge.

Organizations that embrace it early will be better positioned to manage risk, preserve trust, and thrive in a complex, high-stakes business environment.

About the author

Mike Miller is a vCISO at Appalachia Technologies and has worked in technology and cybersecurity for more than 25 years.
