New Third Party Requirements Reshaping Australia

On September 15th 2025, the Institute of Internal Auditors (IIA) issued the new Topical Requirements focused on strengthening consistency and quality of auditing the high-risk area of Third Party Management. As a new mandatory element of the IIA International Professional Practices Framework (IPPF), these new requirements will reshape the way in which third party risk management and assurance auditing is facilitated in Australia.

The new Topical Requirements, set to be effective September 15th 2026, will raise the bar and provide a number of benefits including:

  • Defining a consistent baseline for evaluating third party risk across all industries.
  • Increasing confidence in assurance and auditing for leadership and key stakeholders with respect to third party risk profiles.
  • Inherently strengthening the resilience of organisations with respect to third party failures, ethical breaches, cyber incidents and more.

Third Party Challenges Organisations Will Face

Despite the benefits, the introduction of the requirements also brings new challenges that organisations of different size, complexity and industry will each have to face in their own way. As they say, there is more than one way to skin a cat, and it is up to each organisation to determine the right way.

1. Increases in documentation and evidence

Auditors will be expected to document evidence of their assessment of formally structured frameworks and their supporting procedures. The relationship between these frameworks and how they tie into the organisation’s risk management is an additional requirement that expects a level of maturity not commonly in place in typical Australian organisations. Even where these frameworks exist, a lack of cohesion across the different methodologies means evidence collection will be a slow process. In the AICD 2024-25 NFP Governance & Performance Study, 53% of directors said they spent more time on their duties than in the prior year, reflecting a rise in the compliance and assurance demands typical of director roles.

The quality of evidence also plays a key role. ASA 530 for Attribute Testing requires auditors to document a confidence of 90-95% or higher when ensuring controls are adequate. For key controls, i.e. anything relating to key vendors and processes, any deviation from the requirements must be as low as 0-5%. This leaves very little room for exceptions and drives the outcome of any review.

2. Governance gaps in oversight

The new requirements mandate clear board oversight to ensure third party relationships are well managed. In reality, most organisations in Australia delegate the ownership and oversight of all third party risk activities to Procurement and/or IT. Being able to prove involvement by leadership will be difficult, and in some cases, require adjustment to the responsibilities of leadership roles.

Consistently, we have observed either a lack of resources dedicated to third party management or delegation to IT roles such as a Cyber Security Lead. The latter introduces implementation concerns, as Cyber Security Lead roles tend to lack the Risk Management knowledge required to undertake third party management.

3. Consistent Risk Management throughout the Third Party lifecycle

To successfully apply a structured and repeatable method to assessing risk throughout the third party lifecycle, organisations must have a formal enterprise risk management framework that is clear, functional and communicated to all staff involved in the process. The risk assessment process must consistently address selection, onboarding, monitoring and offboarding.

Private and unlisted companies such as IT service providers, SMEs, NFPs and charities have no legal obligation to implement a risk management framework, with the only exception being an ad-hoc approach for Work Health and Safety. Many third parties used for IT services, marketing, legal services, etc. have no obligation to do so, increasing the risk of poor or no risk management across third party management. The Vero Insurance SME Insurance Index 2024/2025 reported that ~90% of Australian businesses lack a formal risk management process, with 81–82% never or rarely conducting risk analyses when required.

4. Ongoing monitoring just got harder

Ongoing monitoring following onboarding is a process that is often not performed successfully, or at all, by the vast majority of organisations in Australia. The old habit of “set and forget” contracts is no longer good enough. Even multi-year contracts that address all requirements over the lifespan of the contract will require performance, compliance and cyber control assessment to ensure expectations are being met. Naturally, this will also lean on the risk management framework to determine whether any such failures to meet expectations result in risks outside the organisation’s appetite.

The McGrathNicol/YouGov study from August 2024 concluded that 82% of Australian companies do not extend risk assessments beyond Tier-1 suppliers, and that 71% of companies that do assess third parties do not include security practices in their assessment.

5. Aligning to increasing regulatory pressures

The requirements explicitly reference compliance with local, national and international regulations. For Australian organisations, that could mean at minimum the Privacy Act. However, certain industries are also affected by the Australian Prudential Regulation Authority (APRA) Prudential Standards CPS 230 Operational Risk Management and CPS 234 Information Security. For larger critical providers, the Security of Critical Infrastructure (SOCI) Act and Modern Slavery are just some additional considerations. Achieving consistency across the various regulations and standards increases complexity.

With the delay of the requirements under APRA CPS 230 relating to pre-existing contracts to July 2026 for non-Significant Financial Institutions (SFIs), we can expect a natural increase in pressure as the date approaches. If APRA’s activities around CPS 234 from 2019 are an example of what is to come, we can expect at the very least a thematic review. APRA has already committed to conducting targeted reviews of SFIs as part of its 2025-2026 Corporate Plan.

6. Strain on smaller organisations and public entities

Large corporations and enterprises will easily absorb these changes, especially multinationals, as these requirements are not new to them. For Local Government councils, NFPs, small businesses and providers, these new requirements will demand a new focus on audit and compliance. This new focus will be two-fold: it not only requires additional investment and resources, it could also expose gaps that previously avoided the spotlight.

7. Cultural resistance and a lack of Third Party strategy

As with any uplift of requirements and increase in complexity, cultural resistance is an expected reality. Australian organisations will fail unless they can overcome the outdated concept that third party management is a procurement-only task. Overcoming this requires the understanding that third party management is not only operational but also strategic. Our dependency on third parties can be improved by better managing the entire process, resulting in cost savings, efficiencies, lower insurance premiums, greater coverage, new client opportunities and much more.

In May 2024, the Australian Privacy Commissioner highlighted third-party providers as a “weak spot” in privacy and security postures of organisations, reinforcing the need for enterprise-level third party management strategy beyond only procurement or IT.

Why These Challenges Matter

Ultimately, these challenges are worth facing. The requirements encourage stronger governance, better risk management discipline, and greater transparency across leadership into third party relationships. For Australian organisations, this means better preparedness for cyber incidents, supply chain disruptions, reputational crises, and regulatory scrutiny.

Third parties are already the bread and butter of many critical functions within Australian organisations. We cannot expect adequate operations, security and assurance from them without expecting a level of quality that matches that of our own internal processes.

Where To Start with Third Party Management

In Part 2 of our Third Party Management publication we will go over some key steps to consider and to help you succeed in third party management.

How We Can Help You Build Organisational Resilience

We are here to help strengthen your organisational resilience, systems and processes. Our third party risk management capabilities include:

  • In-house developed comprehensive vulnerability scanning of third parties.
  • Comprehensive third party risk management assessments to provide independent assurance.
  • Helping organisations take their first steps towards implementing a formal and proactive third party management framework.
  • Performing an independent review or health check of your existing third party management framework to identify gaps and level of maturity.
  • Conducting third party risk and cyber risk awareness workshops covering strategic, operational and project risks.
  • Conducting third party penetration tests and comprehensive audits.
  • Supporting you across a range of third party services including governance, business continuity, crisis management, cyber risk, third party monitoring and more.

Take risk management to the next level and contact us to discuss your needs.