From Guidance to Ground Rules: Pragmatic Compliance with the IIA's New Topical Requirements
- aarongreenman3
- Sep 11
Updated: Sep 15

Author: Aaron Greenman, Managing Director
The latest Institute of Internal Auditors (IIA) Global Standards change the equation. What was once “good practice” is now “non-negotiable.” Audit Committees and Boards should ask their CAEs one simple question in 2025: “Where, in your strategy and plan, are you covering each Topical Requirement and how will you evidence that coverage?”
The new Global Internal Audit Standards took effect on 9 January 2025, after a one-year transition period. For boards, management, and Chief Audit Executives, the honeymoon period is over: from this date, all functions are expected to conform. External Quality Assessments (EQAs) will assess against the new Standards from 2025 onward.
Two aspects are strikingly different in practice:
- Evidence and accountability: the Standards now emphasise clear requirements and documented conformance across planning, fieldwork, and reporting. “Trust me” is no longer enough; internal audit must show its working.
- Consistency on high-risk topics: the introduction of Topical Requirements (TRs) sets a foundation, namely the minimum criteria that must be assessed whenever a relevant topic is in scope. The IIA’s own words are blunt: TRs “establish a baseline ... to enable a consistent, reliable assessment of the topic.”
This shift will challenge internal audit functions. It will also, if handled badly, create risk of duplication, wasted effort, and scope creep.
What is Mandatory, and Where Judgement Applies
The IIA has been explicit: “Conformance with Topical Requirements is mandatory for assurance services” (and recommended for advisory). Equally important: TRs are not applied to every audit by default. They are only triggered when:
- The topic is included in your plan;
- The topic emerges during the engagement; or
- The topic is the subject of a requested engagement.
When a TR does apply, the function must evidence that each requirement has been assessed for applicability. Exclusions are permitted, but only where a clear rationale is documented, and quality assessments will test this.
IIA-Australia reinforces the same point and adds a dose of pragmatism:
- TRs are not substitutes for risk assessment or professional judgement.
- Coverage can be documented either in the plan or in the workpapers, whichever best suits the engagement.
- But in all cases, applicability decisions and rationales must be visible and defendable.
The result: audit leaders have choice, but not discretion. You cannot ignore TRs, but you can be deliberate about where and how you meet them.
Pragmatic Compliance: Plan Once, Apply Consistently
The risk is obvious: if every audit team treats TRs as “bolt-ons” to individual audits, scope creep will explode. To minimise duplication, audit leaders should make TR coverage explicit in the plan and strategy, deciding up front how and where each requirement will be covered.
We suggest a two-tier approach:
- Overarching topical audits on a rolling cycle
  - For each TR, nominate requirements to be tested in a dedicated audit (e.g. cybersecurity, third-party risk, organisational culture).
  - Set a cycle (e.g. three years) to ensure full coverage across TRs without overwhelming any one year.
  - Note that the Cyber TR requires completion by early 2026, so planning cannot be deferred.
- Residual or cross-cutting requirements in routine audits
  - Define a smaller subset of TR requirements that will be considered in most audits (e.g. identity and access, change-driven cyber risks, handling of sensitive data).
  - Standardise processes and coverage using planning checklists / criteria and modular test steps.
  - Where a requirement is excluded, record a short rationale that will stand up to EQA scrutiny.
This approach creates clarity for boards and auditees, confidence for regulators, and efficiency for audit teams.
Benefits of a Structured Approach
- Reduces duplication by distinguishing between one-off topical audits and residual requirements.
- Minimises SME burden by standardising guidance and checklists.
- Strengthens audit credibility with documented, defendable rationale for every decision.
- Future-proofs the methodology as new TRs emerge, without needing wholesale redesign.
Considerations and Challenges
- TRs are deliberately broad. Dedicated audits may become large-scale exercises, especially where controls exist at multiple organisational layers.
- Planning discipline will be essential. Audit leaders must sequence topical audits and residual coverage carefully to avoid unrealistic workloads.
- Functions will need to resist the temptation to over-apply TRs. More is not better; defensible judgement is.
Practical Steps to Embed This Approach
To turn the Standards from theory into practice, audit leaders need a structured but flexible way of embedding TR coverage across their plans and engagements. The following steps provide a pragmatic roadmap that balances compliance with efficiency:
- Map TR coverage in the strategy and annual plan
  - Table a simple matrix to the Audit Committee showing where each TR will be covered through topical audits, rolling cycles, or embedded into business-as-usual audits.
  - This sets expectations early and avoids audit-by-audit scope battles.
- Create standard applicability checklists
  - For residual requirements, develop a short checklist for use in all audits.
  - Base it on the three IIA scenarios (planned, emerging, requested) to trigger TR consideration.
  - Make exclusions the exception and document them clearly.
- Leverage modular test steps
  - Build common procedures into the audit methodology so teams don’t reinvent them each time.
  - Provide tailored guidance to managers to reduce reliance on scarce SMEs.
- Phase delivery of large TRs
  - For broad topics like Cyber, phase the work across global, regional, and site levels over multiple years.
  - Use a programmatic approach to ensure all minimum requirements are assessed without overloading a single engagement.
How Spherion Can Help
At Spherion, we work with Chief Audit Executives and Boards to turn mandatory requirements into practical, sustainable frameworks. Our approach focuses on minimising duplication, embedding compliance into the plan, and building confidence with stakeholders.
We help by:
- Mapping TR coverage across your strategy and plan so you can demonstrate clear accountability to your Audit Committee and regulators.
- Developing modular checklists and test steps that allow teams to apply residual TR requirements consistently and efficiently.
- Designing rolling topical audit cycles that balance breadth of coverage with delivery capacity, avoiding overload while meeting the Standards.
- Equipping audit managers with practical guidance and tools to reduce dependence on scarce subject matter experts.
- Preparing for EQAs by ensuring documentation and rationales meet both the letter and spirit of the Standards.



