When the IIA released the 2025 Global Internal Audit Standards, it also introduced a new mandatory component to the International Professional Practices Framework: Topical Requirements. For many internal audit functions, this addition has raised more questions than answers. What exactly are they? When do they apply? And what does conformance actually look like in practice?
This article answers those questions directly.
What Topical Requirements Are
Topical Requirements are a mandatory element of the IPPF that provide a minimum baseline for how internal audit functions should approach assurance engagements in specific, high-risk subject areas. They sit alongside the Global Internal Audit Standards — not above them, not below them — as a parallel mandatory layer that applies when an audit engagement touches a defined topic.
The IIA describes their purpose clearly: Topical Requirements enhance the consistency and quality of internal audit services related to specific audit subjects. Each one provides relevant criteria for assessing the design and implementation of governance, risk management, and control processes in a particular risk area.
The key word is mandatory. When an internal audit function provides assurance services on a topic covered by a Topical Requirement, applying that requirement is not optional. It is a conformance obligation under the IPPF, the same framework that governs the Global Internal Audit Standards.
How They Fit Into the IPPF
Prior to the 2025 standards, the IPPF consisted of the Standards, the Code of Ethics, and supplemental guidance. Topical Requirements are a new category — mandatory, subject-specific, and designed to address the reality that certain risk areas require more structured audit approaches than the Standards alone can provide.
Think of it this way: the Global Internal Audit Standards tell you how to run an internal audit function. Topical Requirements tell you what a rigorous, consistent audit engagement looks like in a specific risk domain. Both are mandatory. Both are part of conformance.
Topical Requirements are recommended but not required for advisory services. The mandatory obligation applies specifically to assurance engagements on the covered topic.
What Has Been Issued and What Is Coming
As of early 2026, the IIA has issued three Topical Requirements, with a fourth on the way:
Cybersecurity Topical Requirement — Effective February 5, 2026. Provides a structured framework for auditing cybersecurity governance, risk management, and controls. Given the frequency and severity of cyber incidents across industries, this was the first Topical Requirement released and carries significant implications for any audit function that includes IT or cybersecurity in its risk-based audit plan.
Third-Party Topical Requirement — Effective September 15, 2026. Addresses the audit of third-party relationships, vendor management, and supply chain risk. As organizations have expanded their reliance on external partners, the governance and control expectations around third-party risk have grown substantially. This requirement provides the baseline for how internal audit should approach that coverage.
Organizational Behavior Topical Requirement — Effective December 15, 2026. Covers culture, conduct, and organizational behavior — areas that have historically been difficult for internal audit to address with consistency. This requirement provides a framework for bringing structure and rigor to engagements that touch ethics, tone at the top, and workforce behavior.
Organizational Resilience Topical Requirement — Coming April 30, 2026. Will address business continuity, crisis management, and the organization's ability to anticipate, withstand, and recover from disruption. This area has taken on heightened importance in the post-pandemic environment and is expected to be a priority topic for audit committees.
Additional Topical Requirements are expected to follow in future years as the IIA continues to expand the framework into other high-risk domains.
What They Mean for Your Audit Function
For most internal audit functions, Topical Requirements create two immediate obligations.
The first is awareness. Your team needs to know which Topical Requirements are in effect, when they become effective, and which engagements in your audit plan are likely to trigger applicability. This is not a passive exercise — it requires someone in the function to actively monitor IIA releases and assess the implications for your risk-based audit plan.
The second is methodology. If your function plans to provide assurance on cybersecurity, third-party risk, organizational culture, or business resilience, your engagement methodology needs to reflect the applicable Topical Requirement. That means understanding what the requirement covers, how it connects to the relevant frameworks and control criteria, and how to document your approach in a way that demonstrates conformance.
For functions that are already operating with a documented, standardized methodology, integrating Topical Requirements is a manageable extension of existing practice. For functions that are still building engagements from scratch, the arrival of mandatory subject-specific requirements adds another layer of complexity to an already underdeveloped foundation.
The Broader Implication
Topical Requirements signal something important about the direction of the profession. The IIA is raising the floor on what consistent, quality internal audit work looks like — not just in how functions are managed, but in how individual engagements are conducted. The expectation is no longer just that internal audit follows a process. It is that the process produces a defined standard of coverage in areas where the stakes are highest.
For internal audit functions that have invested in building a strong methodology and a functional QAIP, this is a natural extension of the work. For those that have not, it is one more reason to address the foundation before the next external quality assessment arrives.
LH Consulting Group works with internal audit functions to build the methodology, quality programs, and engagement frameworks that support conformance with the 2025 standards — including the emerging Topical Requirements. If your function is assessing how to integrate these requirements into your existing audit approach, that is exactly the kind of work we do.