Topical Requirements
Topical Requirements are a new, mandatory component of the International Professional Practices Framework. Internal auditors must apply Topical Requirements in conformance with the Global Internal Audit Standards when a risk assessment identifies the subject of a Topical Requirement for further review by one or more assurance engagements.
Topical Requirements are designed to strengthen the ongoing relevance of internal auditing to address pervasive and evolving risks. They provide a consistent baseline and relevant criteria for assessing the effectiveness of governance, risk management, and control processes in particular risk areas. Topical Requirements enhance the consistency and quality of internal audit services across industries and sectors. They are recommended but not required for advisory services.
The IIA to Release its First Topical Requirement
The Cybersecurity Topical Requirement, the first in the series, will be released in multiple languages on February 5, 2025, and becomes effective 12 months later. Register for the free February 6 webinar.
The Global Guidance Council reviewed the comments received during the 90-day public comment period, which closed July 3, 2024. The final Cybersecurity Topical Requirement is accompanied by a user guide to help internal audit functions implement the requirements.
Upcoming Topical Requirements
Additional Topical Requirements will be issued soon, with drafts available for public consultation before finalization. The Topical Requirements expected for public consultation in 2025/26 include:
- Third-party
- Culture
- Business Resiliency
The 2024 IPPF includes Global Internal Audit Standards and Topical Requirements, which are mandatory, and Global Guidance, which is recommended but not mandatory.
Internal auditors must apply Topical Requirements in conformance with the Global Internal Audit Standards for assurance engagements when applicable. Topical Requirements are applicable when a risk assessment leads to the topic being one of the following:
- The subject of an assurance engagement in the internal audit plan.
- Identified while performing an engagement.
- The subject of an engagement request not on the original internal audit plan.
Evidence that each requirement in the Topical Requirement was assessed for applicability must be documented and retained. Not all individual requirements may apply in every engagement; if requirements are excluded, a rationale must be documented and retained.
The IIA recognizes that organizations globally use various risk, control, and governance frameworks and adhere to specific laws and regulations. Internal audit functions may apply these frameworks. To demonstrate conformance with a Topical Requirement, functions must be able to demonstrate that the framework covers the applicable requirements.
The IIA’s Topical Requirements may provide mapping between the requirements and globally recognized frameworks. For example, the Cybersecurity Topical Requirement User Guide maps the NIST and COBIT cybersecurity frameworks. Referencing these specific frameworks does not mean that The IIA requires their application.
Topical Requirements are effective 12 months after issuance, meaning that the relevant requirements must be implemented by this time. Additionally, quality assessments conducted after the effective date will assess conformance with effective Topical Requirements. The quality assessor will review the documentation for relevant engagements to determine conformance. Early adoption of the Topical Requirement is encouraged.
For more information about external quality assessments, please visit Quality Services.
The Quality Assessment Manual’s methodology already indicates how to verify conformance with Topical Requirements in the testing of Standards 13.2 Engagement Risk Assessment and 13.3 Engagement Objectives and Scope using the D5 and D6 templates.
In accordance with our current policy, scored exam questions on new Topical Requirements will not appear on the CIA exam until at least 6 months after the effective date. The Cybersecurity Topical Requirement effective date is February 5, 2026. Please check CIA Updates/General FAQs frequently for additional information.
The chart below shows the stages of developing Topical Requirements.
Details about the most recent processes also appear in the Report on the Standard-setting and Public Comment Processes for the Cybersecurity Topical Requirement.
The IIA receives many questions concerning downloading, copying, and distributing the Global Internal Audit Standards, Topical Requirements, and related materials. Find answers to the most common questions.