
Assessing Topical Requirements Conformance

What Are Topical Requirements and Why Are They Important?

Topical Requirements are a mandatory component of The Institute of Internal Auditors’ (IIA) International Professional Practices Framework® (IPPF®). They provide a minimum baseline and relevant criteria for a consistent, comprehensive approach when assessing the design of governance, risk management and control processes covering specific high-risk areas — such as Cybersecurity, Third-Party, Organizational Behavior, Organizational Resilience, and more. Topical Requirements are mandatory for assurance services and recommended for advisory services. Topical Requirements do not add conformance requirements on top of what is already required in the Global Internal Audit Standards (Standards) for risk assessments and for planning and performing engagements, nor do they mandate that internal audit functions audit the covered risk topics or dictate the frequency of coverage. Topical Requirements are not substitutes for risk assessments or professional judgment.

Unlike the Global Internal Audit Standards™, Topical Requirements apply only when the internal audit function chooses to provide assurance over a risk covered by a Topical Requirement that is applicable and significant to the organization. In practice, risk-based internal audit functions are likely already covering Topical Requirement risks that are applicable and significant to their organization.

Topical Requirements serve as baseline criteria for engagement planning, execution, and documentation, and are intended to:

  • Enhance stakeholder confidence in the internal audit function’s coverage of high-risk areas.
  • Strengthen the relevance of the IPPF by addressing evolving and pervasive risks.

How Will Quality Assessors Assess Topical Requirements Conformance?

Internal and external Quality Assessments (QAs) must incorporate Topical Requirement risks into their assessment methodology once a Topical Requirement is effective, given that Topical Requirements are mandatory for assurance engagements. According to the 2024 Quality Assessment Manual and guidance from IIA Quality Services, assessors need to adopt a structured approach that uses professional judgment. When performing quality assessments, assessors are not looking for additional work or documentation beyond what is already required in the Standards, only that Topical Requirement risks are covered in assurance engagements like any other applicable, significant risk to the organization.

The most effective risk assessment approach is to start with internal audit’s annual risk assessment and audit planning process, as this is where professional judgment decisions are made on which significant risks warrant coverage by the internal audit function. The assessment approach should be risk-based, as the inclusion of a risk in a Topical Requirement does not automatically mean it represents a significant or applicable risk for all organizations.

  • Judgment and Flexibility: While conformance is mandatory once applicability is established, assessors will use professional judgment to consider the context, organizational size, and sector-specific nuances.
  • Audit Risk Assessment and Audit Plan Process: Assessors should begin by reviewing the internal audit function’s audit and risk universe to determine whether it adequately addresses the organization’s business activities, locations, processes, and risks. This includes confirming that risks associated with Topical Requirements are incorporated when they have been identified as key organizational risks. Next, the risk assessment process should be reviewed to ensure risks are assessed to determine if they warrant a separate engagement, a series of engagements over a period of years, or require coverage in other audits that are included in the annual audit plan. These steps are not new, as they have been common practice for internal audit functions and QAs, except now there needs to be a focus on Topical Requirement risks deemed applicable and significant by the internal audit function. Once this is complete, the assessor must determine which audits require a deeper review to assess Topical Requirements conformance as part of the QA process for Domain V: Performing Internal Audit Services. Assessors do not need to review all engagements covering topical risks or engagements covering all topical requirements risks, just a sample of engagements. In most cases, the sample size may not need to be expanded.
  • Engagement Risk Assessment and Planning Phase: If an engagement covers or includes a risk covered by one or more Topical Requirements that are in effect, the assessor will assess whether the Topical Requirement risk(s) are properly covered by verifying that the:
    • Topical Requirement risks, like all other applicable risks, are assessed for significance and applicability within the engagement risk assessment, prioritized for review (Standard 13.2), and reflected in the engagement’s objectives and scope (Standard 13.3), all of which must be documented.
    • Documentation exists to support inclusion and/or exclusion decisions. The assessor does not need to reperform risk assessment and planning work to assess if decisions/conclusions reached are accurate given professional judgment is used to reach such decisions/conclusions.
  • Evidence of Conformance: Assessors will look for clear evidence that the internal audit function conformed to the requirements of applicable Standards when assessing and making decisions on the inclusion and exclusion of Topical Requirement risks that are applicable and significant, just as they currently assess for any applicable, significant risk. This includes alignment with Domain V of the Standards, which governs the performance of internal audit services. Key documents reviewed will likely include the annual and engagement risk assessments, planning memos/work papers, risk and control matrices (RACMs), checklists, Topical Requirement applicability matrices, audit programs, or other audit tools. These key documents/tools are typical internal audit methodologies already used by internal auditors to conform with Standard 9.3 (Methodologies), which requires systematic and disciplined methodologies to guide the internal audit function.
  • Coordination and Reliance: When other internal and/or external assurance providers assess a risk covered by a Topical Requirement and the internal audit function has excluded the risk from its audit plan or audits based on coordination and reliance (Standard 9.5), assessors will review internal audit documents (such as assurance map and reliance basis assessment memos/reports) that support their ability to rely on the work of the other assurance provider(s). Conformance to Standard 9.5 is already covered by quality assessments.
  • Documentation of Exclusions: If a Topical Requirement risk, like any other risk, is deemed not applicable and/or not significant, assessors will review documented rationale supporting exclusion decisions made during the annual and/or engagement risk assessment processes. Exclusions may be warranted due to sector-specific considerations or exceptional circumstances which make conformance not feasible. In these cases, the CAE should implement alternative actions to achieve the intent of the Standards and document the actions. This follows the “conform or explain” approach that aligns with the principles outlined in the Standards.
  • Resource Constraints: When resource constraints (capacity, competencies, etc.) make conformance not feasible, whether for a Topical Requirement risk or for another reason, the CAE first needs to determine whether coordination and reliance, co-sourcing, training, and/or recruiting qualified resources can be used to conform. When the CAE concludes that resource constraints cannot be overcome, assessors will review the relevant communications to the board/audit committee on resource sufficiency and on how the constraints will be addressed, to conform to the requirements in Standard 8.2 (Resources) and the Standards under Principle 10 (Manage Resources).
  • Internal Quality Assurance and Improvement Program (QAIP): External quality assessors will assess if the internal audit function’s internal quality assessment process under Standard 12.1 includes assessing conformance to the applicable Topical Requirement(s) by reviewing internal QAIP workpapers.

Conclusion

Topical Requirements represent a significant evolution in internal audit mandatory guidance, offering targeted criteria for high-risk areas while preserving the flexibility of risk-based planning and auditing. They are not meant to add steps to an internal audit function’s processes beyond what is already required in the Standards, only that significant, applicable risks are considered and assessed for inclusion/exclusion in assurance engagements. As Topical Requirements become effective, internal and external quality assessments will play a critical role in validating Standards conformance. If your internal audit function is focused on achieving the Purpose of Internal Auditing and Standards conformance, then you are likely already conforming to Topical Requirements!

For additional information, please access the Topical Requirements Application Guidance.