Position your audit team for 2026 compliance with the IIA’s Third-Party Topical Requirement—clear standards for governance, risk, and controls that turn third-party risk into strategic advantage.
Report objectives
- A new global baseline for third-party risk oversight
The IIA’s Third-Party Topical Requirement establishes a minimum, standardized
framework for how internal audit evaluates third-party governance, risk management,
and controls. - Compliance is needed by September 15, 2026
Organizations have a defined preparation window to assess gaps, remediate
weaknesses, and train audit teams before the requirement officially takes effect. - Focus is on highest-risk third parties, not all vendors
The requirement does not qualify auditing every external relationship—rather focus on
those with the greatest risk impact—while still prioritizing existing regulatory
obligations. - Strong programs integrate governance, risk, and lifecycle controls
Effective third-party risk management spans decision-making governance, standardized
risk processes, and lifecycle controls from due diligence through offboarding.