
Topical Requirements
Topical Requirements are a new, mandatory component of the International Professional Practices Framework. Depending on the results of the internal audit function’s risk assessment, internal auditors must apply Topical Requirements in conformance with the Global Internal Audit Standards when providing assurance services on the topic. Topical Requirements are recommended but not required for advisory services. Each Topical Requirement becomes effective 12 months after it is issued. Download available Topical Requirements now.
Each Topical Requirement is accompanied by a user guide to help internal audit functions implement the requirements. Both documents are available in multiple languages. The final publication results from the diligent work of the Global Guidance Council and IIA staff to follow a due process that includes public consultation and revision based on the feedback received. To read the details, download Report on the Development and Public Consultation Processes for the Cybersecurity Topical Requirement.
Issued: February 5, 2025 Effective: February 5, 2026
Download Report on the Development and Public Consultation Processes for the Cybersecurity Topical Requirement.
Topical Requirements expected for public consultation in 2025/26 include:
- Third-party
- Culture
- Business Resiliency
Topical Requirements enhance the consistency and quality of internal audit services, increasing the professionalism of internal auditors’ performance. They help strengthen the relevance of internal auditing to address pervasive and evolving risks. They provide minimum baseline and relevant criteria for a consistent, comprehensive approach to assessing the design and implementation of governance, risk management, and control processes in particular risk areas (the topics).
The 2024 IPPF includes Global Internal Audit Standards and Topical Requirements, which are mandatory, and Global Guidance, which is recommended but not mandatory.
Internal auditors must apply Topical Requirements in conformance with the Global Internal Audit Standards for assurance engagements when applicable. Topical Requirements are applicable when a risk assessment leads to the topic being one of the following:
- The subject of an assurance engagement in the internal audit plan.
- Identified while performing an engagement.
- The subject of an engagement request not on the original internal audit plan.
Evidence that each requirement in the Topical Requirement was assessed for applicability must be documented and retained. Not all individual requirements may apply in every engagement; if requirements are excluded, a rationale must be documented and retained.
The IIA recognizes that organizations globally use various risk, control, and governance frameworks and adhere to specific laws and regulations. Internal audit functions may apply these frameworks. To demonstrate conformance with a Topical Requirement, functions must be able to demonstrate the framework covers the applicable requirements.
The IIA’s Topical Requirements may provide mapping between the requirements and globally recognized frameworks. For example, the Cybersecurity Topical Requirement User Guide maps the NIST and COBIT cybersecurity frameworks. Referencing these specific frameworks does not mean that The IIA requires their application.
Topical Requirements are effective 12 months after issuance, meaning that the relevant requirements must be implemented by this time. Additionally, quality assessments conducted after the effective date will assess conformance with effective Topical Requirements. The quality assessor will review the documentation for relevant engagements to determine conformance. Early adoption of the Topical Requirement is encouraged.
For more information about external quality assessments, please visit Quality Services.
The Quality Assessment Manual’s methodology already indicates how to verify conformance with Topical Requirements in the testing of Standards 13.2 Engagement Risk Assessment and 13.3 Engagement Objectives and Scope using the D5 and D6 templates.
In accordance with our current policy, scored exam questions on new Topical Requirements will not appear on the CIA exam until at least 6 months after the effective date. The Cybersecurity Topical Requirement effective date is February 5, 2026. Please check CIA Updates/General FAQs frequently for additional information.
The chart below shows the stages of developing Topical Requirements.
Details about the most recent processes also appear in the Report on the Standard-setting and Public Comment Processes for the Cybersecurity Topical Requirement.
The IIA receives many questions concerning downloading, copying, and distributing the Global Internal Audit Standards, Topical Requirements, and related materials available. Find answers to the most common questions.