The Institute of Internal Auditors Opens Organizational Behavior Topical Requirement for Public Comment
Press Release | July 08, 2025
Lake Mary, FL – (July 8, 2025) – The Institute of Internal Auditors® (The IIA®) today released the draft Organizational Behavior Topical Requirement, now open for public comment through August 22. Insights gathered will help shape the final document and establish a clear baseline and relevant criteria for providing assurance services related to organizational behavior risks.
Developed with input from internal audit practitioners and stakeholders globally, the Organizational Behavior Topical Requirement aims to reframe culture risk as the risk of behavior misaligned with strategic objectives. This reframing of culture as organizational behavior provides a clearer and more practical basis for evaluation. The Topical Requirement will establish minimum mandatory requirements that internal auditors are expected to assess whenever organizational behavior is included in the scope of an assurance engagement as a result of the risk assessment process. As with any risk, organizations can manage this by designing appropriate controls and implementing them effectively.
"In today’s complex business environment, it is critical to promote positive organizational behavior to sustain strong governance,” said Anthony Pugliese, CIA, CPA, CGMA, CITP, President and CEO of The IIA. “From reputation and compliance to long-term performance, ensuring behaviors align with the organization's values and strategic objectives is fundamental to an organization’s success. By framing organizational behavior as a risk to be actively managed, this Topical Requirement helps equip the profession with clearer expectations and stronger tools to provide assurance in an area that’s increasingly critical to sustainable success.”
The Topical Requirements are a key element of The IIA’s broader International Professional Practices Framework® (IPPF®), complementing the Global Internal Audit Standards™ and Global Guidance. While not mandating inclusion of the risk topics in audit plans, they set a minimum baseline for auditing these areas.
Released in February, the first Topical Requirement focuses on Cybersecurity governance, risk management and control processes. A second, covering Third-Party, will be issued in September with additional topics in development. These requirements are fully compatible with the traditional risk-based audit approach and can be applied, with minimal adaptation, across all audit functions.
Participants are invited to review the draft Topical Requirement along with the accompanying draft user guide and contribute feedback via the public comment survey between July 8 – August 22. An educational video from experts on organizational behavior is available on the public comment page. A free webinar is scheduled for August 6 from 12-1 p.m. ET.
About The Institute of Internal Auditors
The Institute of Internal Auditors (The IIA) is an international professional association that serves more than 265,000 global members and has awarded more than 200,000 Certified Internal Auditor (CIA) certifications worldwide. Established in 1941, The IIA is recognized throughout the world as the internal audit profession's leader in standards, certifications, education, research, and technical guidance. For more information, visit theiia.org.