Assessing Topical Requirements Conformance
What Are Topical Requirements and Why Are They Important?
Topical Requirements are a new category of mandatory guidance issued by The Institute of Internal Auditors (IIA) under the International Professional Practices Framework® (IPPF®) for assurance and advisory engagements. They are designed to ensure consistency and quality for engagements that address specific high-risk areas — such as Cybersecurity, Third-Party, Organizational Behavior, Organizational Resilience, and more. Topical Requirements are mandatory for assurance engagements and recommended for advisory services.
Unlike the Global Internal Audit Standards™, Topical Requirements are only applicable when the internal audit function chooses to provide assurance over a risk subject covered by a Topical Requirement. Once applicable, they become mandatory and serve as baseline criteria for engagement planning, execution, and documentation. Their purpose is to:
- Enhance stakeholder confidence in the internal audit function’s coverage of high-risk areas.
- Promote consistency in audit execution across industries and geographies.
- Strengthen the relevance of the IPPF by addressing emerging and pervasive risks.
Topical Requirements are not substitutes for risk assessments or professional judgment, nor do they mandate that every internal audit function must audit the covered risk topics. Instead, they guide internal audit functions on how to audit the topic when it is included in or added to the audit plan or is a risk that is identified in another audit.
How Will Quality Assessors Assess Topical Requirements Conformance?
Internal and external Quality Assessments (QAs) must incorporate Topical Requirements into their assessment methodology once a Topical Requirement is effective, given that they are mandatory for assurance engagements. According to the 2024 Quality Assessment Manual and guidance from IIA Quality Services, assessors need to adopt a structured approach and use professional judgment during their assessments.
The most effective QA approach is to start at the beginning of the audit life cycle; that is, with the annual risk assessment and audit planning process, as this is where professional judgment decisions are made on which significant risks warrant coverage by the internal audit function. Below is a high-level discussion; a more detailed QA methodology must be implemented to effectively assess conformance. The assessment approach needs to be risk-based: the fact that a risk is the subject of a Topical Requirement does not mean it is a significant risk for all organizations.
- Judgment and Flexibility: While conformance is mandatory once applicability is established, assessors will use professional judgment to consider the context, organizational size, and sector-specific nuances.
- Audit Risk Assessment and Audit Plan Process: Assessors need to start by examining the internal audit function’s audit and risk universe to determine whether it adequately addresses the organization’s businesses, locations, processes, risks, etc., and whether it includes risks covered by The IIA’s Topical Requirements. Next, the risk assessment process should be reviewed to ensure risks are assessed to determine if they warrant a separate engagement, a series of engagements over a period of years, or require coverage in other audits that are included in the annual audit plan. These steps are not new, as they have been common practice during QAs, except now there needs to be an additional focus on Topical Requirement risks. Once this is complete, the assessor must determine which audits require a deeper review to assess Topical Requirements conformance as part of the QA process for Domain V: Performing Internal Audit Services.
- Engagement Risk Assessment and Planning Phase: If an engagement covers or includes a risk covered by one or more Topical Requirements, the assessor will assess if the Topical Requirement(s) are properly implemented by verifying that the:
  - Requirements are assessed for applicability within the engagement risk assessment (Standard 13.2) and the engagement’s objectives and scope (Standard 13.3).
  - Documentation exists to support inclusion or exclusion decisions.
  - Required actions are executed in alignment with the applicable Topical Requirement(s).
- Evidence of Conformance: Assessors will look for clear evidence that the internal audit function conformed to the Topical Requirements where applicable. This includes alignment with Domain V of the Standards, which governs the performance of internal audit services. Key documents reviewed can include the annual and engagement risk assessments, planning memos/workpapers, risk and control matrices (RACMs), checklists, documentation tools (see Topical Requirement User Guide examples), Topical Requirement applicability matrices, and audit programs.
- Coordination and Reliance: When other internal and/or external assurance providers assess a risk covered by a Topical Requirement and the internal audit function has excluded the risk from its audit plan or audits, assessors will review internal audit documents (such as assurance map and reliance basis assessment memos/reports) that support their ability to rely on the work of the other assurance provider(s). This will be assessed based on Standard 9.5 Coordination and Reliance.
- Documentation of Exclusions: If a Topical Requirement is deemed not applicable, assessors will review documented rationale supporting the exclusion. Exclusion decisions may be made during the annual and/or engagement risk assessment processes. Exclusions may be warranted due to sector-specific considerations, resource constraints, or exceptional circumstances. For resource constraints, assessors will review relevant communications to the board/audit committee on capacity, budget, competencies, etc. and how they will be addressed to conform to the applicable Topical Requirement.
- Internal Quality Assurance and Improvement Program (QAIP): External quality assessors will assess if the internal audit function’s internal quality assessment under Standard 12.1 includes assessing conformance to the applicable Topical Requirement(s). QAIP workpapers need to demonstrate that this assessment was performed.
Conclusion
Topical Requirements represent a significant evolution in internal audit mandatory guidance, offering targeted criteria for high-risk areas while preserving the flexibility of risk-based planning and auditing. As they become effective, internal and external quality assessments will play a critical role in validating proper application.
For internal audit functions, this means proactively:
- Incorporating Topical Requirements into planning and engagement processes.
- Documenting applicability assessments and rationale for exclusions that are transparent and defensible.
- Ensuring engagement processes, documents, and workpapers reflect conformance.
For quality assessors, this brings several benefits:
- Enhanced clarity in evaluating engagements that address high-risk topics.
- Consistency in assessment criteria due to standardized expectations for internal audit functions.
- Greater transparency in how audit teams support professional judgment in complex decisions.
- Stronger alignment with stakeholder expectations and global best practices.