On September 15th 2025, the Institute of Internal Auditors (IIA) issued new Topical Requirements aimed at strengthening the consistency and quality of internal audits of Third Party Management, a recognised high-risk area. As a new mandatory element of the IIA International Professional Practices Framework (IPPF), these requirements will reshape how third party risk management and assurance audits are carried out in Australia.

The new Topical Requirements, set to be effective September 15th 2026, will raise the bar and provide a number of benefits including:

  • Defining a consistent baseline for evaluating third party risk across all industries.
  • Increasing the confidence of leadership and key stakeholders in the assurance and audit work performed over third party risk profiles.
  • Strengthening organisational resilience against third party failures, ethical breaches, cyber incidents and more.

Third Party Challenges Organisations Will Face

Despite the benefits, the introduction of the requirements also brings new challenges, and organisations of different size, complexity and industry will each have to face them in their own way. As they say, there is more than one way to skin a cat, and it is up to each organisation to determine the right way.

1. Increases in documentation and evidence

Auditors will be expected to document evidence that a formally structured third party management framework, and the procedures supporting it, have been assessed. They will also need to show how that framework ties into the organisation's enterprise risk management, which assumes a level of maturity not commonly in place in typical Australian organisations. Even where such frameworks exist, a lack of cohesion between the different methodologies means evidence collection will be a slow process.

2. Governance gaps in oversight

The new requirements mandate clear board oversight to ensure third party relationships are well managed. In reality, most organisations in Australia delegate ownership and oversight of all third party risk activities to Procurement and/or IT. Evidencing leadership involvement will be difficult and, in some cases, will require adjusting the responsibilities of leadership roles.

3. Consistent Risk Management throughout the Third Party lifecycle

To apply a structured and repeatable method for assessing risk throughout the third party lifecycle, organisations must have a formal enterprise risk management framework that is clear, functional and communicated to all staff involved in the process. The risk assessment process must consistently address each lifecycle stage: selection, onboarding, ongoing monitoring, and offboarding.

4. Ongoing monitoring just got harder

Ongoing monitoring after onboarding is a process that the vast majority of organisations in Australia perform poorly or not at all. The old habit of "set and forget" contracts is no longer good enough. Even a multi-year contract that addresses every requirement over its lifespan will still require periodic assessment of performance, compliance and cyber controls to confirm that expectations are being met. Naturally, this also relies on the risk management framework to determine whether any failure to meet expectations creates a risk outside the organisation's appetite.

5. Aligning to increasing regulatory pressures

The requirements explicitly reference compliance with local, national, and international regulations. For Australian organisations, that means the Privacy Act at a minimum. Certain industries are also subject to the Australian Prudential Regulation Authority (APRA) Prudential Standards CPS 230 and CPS 234, and for larger critical providers the Security of Critical Infrastructure (SOCI) Act and the Modern Slavery Act are just some of the additional considerations. Achieving consistency across these overlapping regulations and standards adds complexity.

6. Strain on smaller organisations and public entities

Large corporations and enterprises, especially multinationals, will absorb these changes easily, as the requirements are not new to them. For Local Government councils, NFPs, small businesses and service providers, the requirements will demand a new focus on audit and compliance. The impact is two-fold: it not only requires additional investment and resources, it could also expose gaps that previously avoided the spotlight.

7. Cultural resistance and a lack of Third Party strategy

As with any uplift in requirements and complexity, cultural resistance is to be expected. Australian organisations will struggle unless they can move past the outdated notion that third party management is a procurement-only task. Overcoming this requires recognising that third party management is strategic as well as operational. Managing the entire process better can turn our dependency on third parties into an advantage, delivering cost savings, efficiencies, lower insurance premiums, broader coverage, new client opportunities and more.

Why These Challenges Matter

Ultimately, these challenges are worth facing. The requirements encourage stronger governance, better risk management discipline, and greater transparency across leadership into third party relationships. For Australian organisations, this means better preparedness for cyber incidents, supply chain disruptions, reputational crises, and regulatory scrutiny.

Where To Start with Third Party Management

For organisations facing a multi-year compliance program to align with the new Topical Requirements, knowing where to start can be overwhelming. As with most new disciplines, the best first step is to map the current landscape. Start by capturing the entire third party landscape in a Third Party/Vendor Management register. Enter all existing information about your third parties and begin assessing which entities pose the greatest risk. This allows you to tier the entities and plan an approach for each tier that aligns to the governance, risk management, and ongoing monitoring requirements of the IIA Topical Requirements.

This simple step will already put you ahead, providing insight into what auditors will expect, even when gaps exist.
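As an added illustration of the register and tiering step described above (this is example code, not part of the original article and not a model prescribed by the IIA Topical Requirements), the following Python script takes a constructed sample of third parties, scores their inherent risk, assigns each to a tier, and flags where ongoing monitoring has lapsed or a contract is approaching its end, which is the "set and forget" failure described under challenge 4. The scoring weights, tier thresholds, per-tier review cadences, the 90-day contract warning window and the sample vendors are all assumptions chosen for the example.

```python
"""Tier a third party register and flag lapsed monitoring.

Added example. The scoring weights, tier thresholds, review cadences and
contract warning window are assumptions for illustration, not figures taken
from the IIA Topical Requirements or any regulator.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Inherent-risk factors (assumed): highest class of data the party handles and
# the operational impact if the party fails, plus fixed uplifts for system
# access and for engagements that fall under regulatory obligations.
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "personal": 3}
SERVICE_CRITICALITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}
SYSTEM_ACCESS_UPLIFT = 2   # party holds credentials or network connectivity into our environment
REGULATED_UPLIFT = 2       # e.g. CPS 230/234, SOCI or Privacy Act obligations apply

# Assumed reassessment cadence per tier, in days. The cadence is independent of
# contract length, so a five-year tier 1 contract is still reassessed yearly.
REVIEW_INTERVAL_DAYS = {1: 365, 2: 730, 3: 1095}
CONTRACT_WARNING = timedelta(days=90)   # start renewal/offboarding review inside this window
AS_AT = date(2025, 10, 1)               # reporting date used by sample_report()


@dataclass
class ThirdParty:
    name: str
    data_sensitivity: str             # key of DATA_SENSITIVITY
    service_criticality: str          # key of SERVICE_CRITICALITY
    system_access: bool
    regulated: bool
    contract_end: date
    last_assessment: Optional[date]   # None: never assessed since onboarding


def inherent_risk_score(tp: ThirdParty) -> int:
    """Additive inherent-risk score, 0..10 under the assumed weights."""
    score = DATA_SENSITIVITY[tp.data_sensitivity] + SERVICE_CRITICALITY[tp.service_criticality]
    if tp.system_access:
        score += SYSTEM_ACCESS_UPLIFT
    if tp.regulated:
        score += REGULATED_UPLIFT
    return score


def tier_for_score(score: int) -> int:
    """Tier 1 is highest risk, tier 3 lowest (thresholds assumed)."""
    if score >= 7:
        return 1
    if score >= 4:
        return 2
    return 3


def next_assessment_due(tp: ThirdParty, tier: int) -> Optional[date]:
    """Due date of the next assessment; None means never assessed, so due now."""
    if tp.last_assessment is None:
        return None
    return tp.last_assessment + timedelta(days=REVIEW_INTERVAL_DAYS[tier])


def build_register(parties, today: date):
    """Score and tier every party; return rows sorted highest risk first with monitoring flags."""
    rows = []
    for tp in parties:
        score = inherent_risk_score(tp)
        tier = tier_for_score(score)
        due = next_assessment_due(tp, tier)
        rows.append({
            "name": tp.name,
            "tier": tier,
            "score": score,
            "assessment_due": due,
            "assessment_overdue": due is None or due < today,
            # already-expired contracts are flagged too: they are overdue for offboarding
            "contract_expiring": tp.contract_end - today <= CONTRACT_WARNING,
        })
    rows.sort(key=lambda r: (r["tier"], -r["score"], r["name"]))
    return rows


# Constructed sample register; none of these are real vendors.
SAMPLE_PARTIES = [
    ThirdParty("Cloud ERP provider", "personal", "critical", True, True, date(2027, 6, 30), date(2023, 3, 1)),
    ThirdParty("Payroll SaaS", "personal", "high", True, False, date(2025, 12, 15), date(2025, 6, 1)),
    ThirdParty("Managed print services", "confidential", "medium", True, False, date(2028, 1, 1), date(2023, 8, 1)),
    ThirdParty("Marketing agency", "internal", "medium", False, False, date(2026, 3, 31), date(2024, 1, 15)),
    ThirdParty("Office cleaning contractor", "public", "low", False, False, date(2026, 1, 31), None),
]


def sample_report():
    """The register built from the sample as at AS_AT."""
    return build_register(SAMPLE_PARTIES, AS_AT)


if __name__ == "__main__":
    for r in sample_report():
        flags = [f for f in ("assessment_overdue", "contract_expiring") if r[f]]
        due = r["assessment_due"].isoformat() if r["assessment_due"] else "never assessed"
        print(f"T{r['tier']} score={r['score']:>2} due={due:<14} {r['name']:<28} {' '.join(flags)}")
```

Run as at 1 October 2025 the sample produces two tier 1 entities, one of which (the ERP provider, last assessed in March 2023) is overdue for reassessment, a tier 2 entity that is also overdue, and a tier 3 contractor that was never assessed after onboarding, while the payroll provider is flagged because its contract ends inside the 90-day window. The scoring model is deliberately simple and should be replaced by the criteria in the organisation's own enterprise risk management framework; the point is that the register, not the contract file, drives the review cadence.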

How We Can Help You Take Better Risks

We are here to help strengthen your risk management capabilities, systems and processes. Our risk management capabilities include:

  • Providing an interim Chief Risk Officer to backfill a vacancy.
  • Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.
  • Helping organisations take their first steps towards implementing a formal and proactive enterprise-wide risk management framework.
  • Performing an independent review or health check of your existing risk management framework to identify gaps and level of maturity.
  • Conducting risk workshops covering strategic, operational and project risks.
  • Conducting risk culture assessments.
  • Risk management transformation.
  • Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, third party risk and fraud risk.

Take risk management to the next level and contact us to discuss your needs.