Third-party topical requirement

Kim Garcia
Kee Tse
March 6, 2026

The IIA issued the Third-Party Topical Requirement (“Requirement”), establishing a mandatory baseline for Internal Auditors to evaluate third-party governance, risk management, and control processes.  

The Requirement formalizes how Internal Audit addresses risks arising from third-party relationships, promoting consistency and quality in evaluating one of the most significant and expanding risk areas across industries.

Below is a summary of the Third-Party Topical Requirement. The full text of the Requirement is available here: Third_Party_Topical_Requirement_English

The Third-Party Topical Requirement was published in September 2025, becomes effective in September 2026, and must be applied in conjunction with the Global Internal Audit Standards. Organizations should review internal audit plans, third-party risk management frameworks, and contract management processes to align with the Requirement. Application of the Requirement should be risk-based and proportionate, with professional judgment guiding scope and depth based on the organization's size, complexity, and risk profile.

Third parties

A third party is an external individual or entity engaged by an organization to provide products or services, typically through a contract or formal agreement. This includes vendors, suppliers, contractors, consultants, outsourced providers, and their subcontractors. Although third parties perform services on the organization's behalf, the organization remains accountable for the risks tied to its objectives, even when relying on third parties. These relationships may introduce strategic, reputational, ethical, operational, financial, compliance, cybersecurity, legal, sustainability, and geopolitical risks.

Conformance with the Topical Requirement is mandatory for assurance engagements and recommended for advisory services. The Requirement applies at both the organization-wide third-party governance level and the level of individual third-party relationships. Internal Auditors must assess each requirement for applicability, document evidence of that assessment together with the rationale for any exclusions, and demonstrate conformance, which is subject to quality assessment. The accompanying User Guide emphasizes that risk assessment and professional judgment determine scope and documentation.

Governance

Evaluating third-party governance involves determining whether a formal, risk-based approach exists and whether there is appropriate board and senior management oversight.

Internal Auditors should assess whether policies and procedures address the full third-party life cycle, whether roles and accountabilities are clearly defined with appropriate competencies, and whether performance, risk, and compliance matters are communicated in a timely manner, particularly for prioritized third parties. The User Guide emphasizes alignment with The IIA’s Three Lines Model and the importance of board oversight.

Risk Management

The Requirement calls for standardized processes to identify, assess, prioritize, and manage third-party risks throughout the life cycle. Third parties, including downstream subcontractors, must be ranked and prioritized based on risk, and risk responses must be aligned with that ranking.

Internal Auditors should evaluate whether risk assessments address key categories such as strategic, operational, financial, compliance, cybersecurity, legal, sustainability, and geopolitical risks, and whether third parties, including downstream relationships, are ranked with responses aligned to their risk level. Processes should support ongoing monitoring, corrective action, and escalation, with management evaluating the risks of ongoing business relationships and pursuing remediation or termination where warranted. The User Guide emphasizes that risk assessment should begin at selection and be updated throughout the relationship, with documentation retained to demonstrate conformance.

Controls

The Control Processes section sets baseline expectations for managing third-party relationships through due diligence, contracting, monitoring, and offboarding. Contracts and monitoring processes should enable appropriate assurance over third-party controls, including rights to audit or reliance on independent assurance reports where applicable.

Internal Auditors should assess whether due diligence supports sourcing decisions, contracts are properly reviewed and managed, and an accurate inventory of third parties is maintained. Onboarding and monitoring processes should establish clear expectations and evaluate performance and risk throughout the life cycle. Corrective action and escalation protocols must address underperformance, while renewal and offboarding processes should ensure proper termination, data return or destruction, and revocation of access. The User Guide offers practical considerations and an optional tool to support consistent application and documentation of conformance.

How we can help

Socorro Partners supports Internal Audit and management in strengthening third-party governance, risk management, and controls in alignment with the Third-Party Topical Requirement.

We help organizations assess third-party frameworks, enhance risk assessments, evaluate contract management and monitoring, and design documentation to demonstrate conformance. Our team integrates internal audit, risk, compliance, and operational expertise to support effective third-party risk oversight and adherence to professional standards.

Kim Garcia
Partner, Advisory & IT Risk Leader
kgarcia@socorropartners.com
+1.954.729.5680
Kee Tse
Director
ktse@socorropartners.com
+1.954.610.4925

Glossary of terms


IIA: Institute of Internal Auditors