Third party Topical Requirement – prioritising assurance over third party risk

As operational supply chains and business networks become more complex, organisations are increasingly dependent upon contracts with a wide range of third parties to support their activities. This can be highly beneficial, providing cost-effective specialist solutions without the need for these to be provided in-house or even in the same country. 

However, this model comes with challenges. Third parties need to be managed very carefully - a significant failure to perform could result in major disruption to the contracting organisation’s activities, and potentially expose it to data breaches and regulatory sanctions. As operations and services become ever more digitised, the impact can be rapid and cause considerable damage.

Third party Topical Requirement

In February 2025, the IIA published its draft Topical Requirement document on third parties. Conforming with the Topical Requirement will be mandatory once it comes into force. This applies to specific third party reviews within your internal audit plan, reviews in your plan with a third party component, and additional reviews not in your original plan.

The Topical Requirement for third parties is focused around three key areas:

Governance

Outsourcing decision making, policies and procedures, third party management roles, responsibilities, skills, stakeholder engagement, performance assessment and reporting.

Risk management

Processes to identify, analyse, mitigate and monitor third party risks through the lifecycle, accountability for achieving contractual terms, reporting and escalation of issues, management responses to issues including remediation and termination. 

Control processes

Business cases, due diligence, contracting and approval, contract review by legal and compliance, record keeping, contract ownership, contract register, onboarding, contract/ performance monitoring, escalation/ issue protocols, contract renewal/ review date monitoring, offboarding, exit strategy.


Heads of Internal Audit must assess all three areas, and any departures from this must be documented. A draft user guide has also been published, including non-mandatory “considerations” for each of the three areas; internal auditors are required to rely on their own judgement to determine what to include in their assessments.

Third party risk management

There are a number of important risks associated with third parties that need to be managed. These include:

  • The objectives of the relationship not being achieved from the perspective of the contractor
  • Reputational damage by association with the third party
  • Over-reliance or dependence for critical services impacting the resilience of the contracting organisation
  • Performance and quality issues
  • Cost overruns or poor financial control, fraud
  • Business continuity, IT and cyber security issues
  • Legal/ regulatory breaches e.g. bribery, corruption, fraud, modern slavery.

Although these matters can be managed and controlled, third party risk has been one of the highest rated risks in the Institute of Internal Auditors (“IIA”) annual Risk In Focus document for several years.

The concept of third party risk management (TPRM) is not new, and various TPRM framework models have been published. They focus on the six key phases of the contracting lifecycle, with governance, risk management and control procedures applied at each of these phases.

THIRD PARTY CONTRACTING LIFECYCLE

1. Sourcing

Sourcing solution e.g. outsource, in-house, hybrid, sole/ multi-provider.

2. Due diligence

Validation of potential providers, information gathering, third party risk assessment.

3. Contracting

Contractual protections, clarity of responsibilities, performance measures, penalties and damages, termination clauses, commercial/ legal review.

4. Monitoring

Relationship/ contract ownership, accountability, SLA, Key Performance Indicators, reporting protocols, service auditor (SOC) reports.

5. Issue resolution

Performance management and reporting, escalation, dispute resolution, mediation.

6. Exit/ termination

Exit/ replacement strategy, contractual termination clauses, handover transition requirements.


In practice, the approaches you can adopt for the management and oversight of third parties vary considerably. The largest organisations may have an established TPRM framework to exercise collective control over their most significant third parties. In many organisations, however, third party risk management remains siloed, with procurement, legal, IT and operational management functions engaging with their third parties separately.

Guidance for Heads of Internal Audit

This is a complex and important area for internal audit, requiring careful thought and specialist skills. The IIA published a comprehensive Practice Guide in 2018, which includes: 

  • The main elements of a TPRM program
  • The role of internal audit
  • Performing the engagement, including information gathering, risk assessment, engagement scope, resource allocation, testing and evaluation, reporting results.

There are also various appendices covering key areas such as right to audit, contract review considerations, due diligence and audit of small organisations.

What does this mean for Heads of Internal Audit?

Heads of Internal Audit will already have considerable experience in providing assurance over the various aspects of third party risk management – especially if your organisation has a high dependence on third parties. The challenge is the increasing breadth and complexity of the services that are now provided by third parties, ranging from IT or utility service providers to sector specific contractors in manufacturing or construction. Each different type of service brings with it a distinct set of third party risks that need to be identified, evaluated and mitigated by the organisation. Providing assurance for what may be a wide range of third parties requires careful planning to make sure that your highest risk relationships are covered sufficiently and that your internal audit team has the skills to assess the risk management in respect of what may be specialised/ technical services.

The Topical Requirement is helpful in that it sets out the governance, risk management and controls that must be considered. However, it does not remove the need for Heads of Internal Audit to fully understand the third parties engaged by their organisation, their importance to its operations, the related risk exposure and how this is managed. Using the Requirement as the basis, Heads of Internal Audit can prioritise the highest risk third parties to review and determine the most appropriate team to undertake the assurance work. In some cases, external expertise (e.g. IT auditors, contract/ legal specialists) may need to be brought in to support the Internal Audit team.

The Topical Requirement does not provide much additional audit guidance, but by mandating that it is followed, the IIA obliges Heads of Internal Audit to adopt a more methodical audit approach to third parties and to document their rationale for deciding whether the various components of the Topical Requirement are applicable or not. You will need to update your documentation around annual planning to reflect this. This can only enhance your Internal Audit team’s understanding of what may be a complex supply chain, and improve the communication of audit priorities and assurance to management and the Audit Committee.

If you would like to discuss further or want more information, please contact Jon Dee.