Topical Requirements for internal auditing

Topical Requirements enhance the consistency and quality of internal audit services, increasing the professionalism of internal auditors’ performance.

They help strengthen the relevance of internal auditing to address pervasive and evolving risks.

They provide minimum baseline and relevant criteria for a consistent, comprehensive approach to assessing the design and implementation of governance, risk management, and control processes in particular risk areas (the topics).

The 2024 IPPF includes Global Internal Audit Standards and Topical Requirements, which are mandatory, and Global Guidance, which is recommended but not mandatory.

Internal auditors must apply Topical Requirements in conformance with the Global Internal Audit Standards for assurance engagements when applicable.

Topical Requirements are applicable when a risk assessment leads to the topic being one of the following:

1. The subject of an assurance engagement in the internal audit plan.
2. Identified while performing an engagement.
3. The subject of an engagement request not on the original internal audit plan.

Evidence that each requirement in the Topical Requirement was assessed for applicability must be documented and retained.

Not all individual requirements may apply in every engagement; if requirements are excluded, a rationale must be documented and retained.

Learn more by downloading the Topical Requirement Application Guidance.

The IIA recognizes that organizations globally use various governance, risk management, and control frameworks and adhere to specific laws and regulations. Internal audit functions may apply these frameworks.

To demonstrate conformance with a Topical Requirement, internal audit functions must be able to demonstrate the framework covers the applicable requirements. The IIA’s Topical Requirements may provide mapping between the requirements and globally recognized frameworks.

For example, the Cybersecurity Topical Requirement User Guide maps the NIST and COBIT cybersecurity frameworks.

Referencing these specific frameworks does not mean that The IIA requires their application.

Topical Requirements are effective 12 months after issuance, meaning that the relevant requirements must be implemented by this time. Additionally, quality assessments conducted after the effective date will assess conformance with effective Topical Requirements. The quality assessor will review the documentation for relevant engagements to determine conformance. Early adoption of the Topical Requirement is encouraged.

For more information about external quality assessments, please visit IIA Quality Services.

The Quality Assessment Manual’s methodology already indicates how to verify conformance with Topical Requirements in the testing of Standards 13.2 Engagement Risk Assessment and 13.3 Engagement Objectives and Scope using the D5 and D6 templates.

In accordance with our current policy, scored exam questions on new Topical Requirements will not appear on the CIA exam until at least six months after the Topical Requirement's effective date.

Please check CIA Updates, CIA FAQs, and Certification FAQs frequently for additional information.

Topical Requirements Development Process

Inventory of Topics

• Global Guidance Council (GGC) and IIA staff research topics, and set agenda, priority, and timing.
• International Internal Audit Standards Board (IIASB) reviews.

Project Initiation

• Assignment of IIA staff.
• Appointment of GGC Working Group and Task Force.
• Appointment of two IIASB representatives.

Rough Draft

• Development of rough draft (Task Force and IIA staff).
• Technical editing.

Draft for Public Consultation

• Content review (GGC and IIASB representatives).
• Revisions based on comments (Task Force and IIA staff).
• Approval of exposure draft (full GGC and IIASB representatives).

Public Consultation Period

• Public consultation for 45 days.
• Comments and revisions (GGC Working Group, two IIASB representatives, and IIA staff).

Final Draft

• Revision to create the final draft.
• Approvals by simple majority plus one by: GGC. IIASB for Standards consistency check.
• Determine whether to re-expose (full GGC and two IIASB representatives).
• Due process review by International Professional Practices Framework Oversight Council (IPPFOC).

Issuance

• Proofreading.
• Translations.
• Marketing.
• Uploading to the web.

The IIA receives many questions concerning downloading, copying, and distributing the Global Internal Audit Standards, Topical Requirements, and related materials available. Find answers to the most common questions.