IIA drafts guidance on third-party relationships

Institute of Internal Auditors president and CEO Anthony Pugliese

The Institute of Internal Auditors has released a draft version of proposed requirements on third-party governance, risk management and control processes to include in audit plans.

The IIA is asking for feedback on the document, Third-Party Topical Requirement, which will be open for public comment until April 20. Internal auditors and stakeholders can participate in the public comment survey to share their input on the draft and help shape the criteria and requirements for providing assurance on governance, risk management, and control processes related to third parties.

The Topical Requirements are part of the IIA's broader International Professional Practices Framework alongside its Global Internal Audit Standards and Global Guidance. They do not mandate that a specific risk area be included in audit plans, but provide practitioners with a set of baseline requirements for assessing key risk areas that impact organizations globally and are likely to be included in most audit plans. 

The document was developed with input from internal audit practitioners and stakeholders globally, and offers a consistent and comprehensive approach to assessing the design and implementation of third-party governance, risk management, and control processes.

"We've developed a Topical Requirement on third-party relationships due to the pervasiveness of third-party risks for organizations today," said IIA CEO Anthony Pugliese in a statement Thursday. "Particularly in light of geopolitical shifts that are driving global trade and supply chain disruptions, third-party relationships can present a number of threats to organizations including operational, reputational and compliance risks. It's more important than ever that organizations today have a robust and consistent approach to assessing third-party risk management and control processes." 

The first Topical Requirement was released in February and provided requirements for internal auditors providing assurance on cybersecurity governance, risk management and control processes. More topics are under development, including business culture, business resilience, and anti-corruption and bribery.

Participants can review the draft Third-Party Topical Requirement in English and submit their feedback from March 6 to April 20 through the survey. Both the draft and the survey are available in different languages. The Third-Party Topical Requirement is also accompanied by a user guide that offers supplementary considerations. All the documents are available at www.theiia.org/comment.
