As of 2026, Internal Audit functions must consider Institute of Internal Auditors (hereafter “IIA”) Topical Requirements when performing assurance engagements in specific risk areas. The first Topical Requirement, Cybersecurity, became effective on 5 February 2026, while the Third-Party and Organizational Behavior Topical Requirements have also now been issued and will become effective later in 2026. Further requirements are already on the horizon, including the Organizational Resilience Topical Requirement expected later this year. As a result, the IIA Topical Requirements framework is becoming significantly more tangible and impactful for Internal Audit functions in 2026.
What are Topical Requirements?
Topical Requirements are a mandatory part of the IIA’s International Professional Practices Framework and sit alongside the Global Internal Audit Standards and Global Guidance. Their purpose is to provide a minimum baseline for auditing specific risk topics so that internal audit work on those areas is more consistent, more credible, and easier for stakeholders to rely on. They are not intended to replace existing frameworks or turn audits into a checklist exercise. Rather, they help ensure that when internal audit addresses a topic such as cybersecurity, third-party risk, or organizational behavior, certain essential elements are considered in a structured and defensible way. This is no longer a forward-looking discussion: in 2026, Topical Requirements move from concept to implementation, with internal audit functions increasingly needing to show how they are reflected in audit methodology and engagement files. For many internal audit functions, 2026 will be the first year in which this needs to be translated into concrete planning decisions, scoping choices, and engagement documentation rather than remaining a purely conceptual requirement.
KPMG Insight: Topical Requirements are best viewed as a practical baseline rather than an additional audit layer. For most internal audit functions, the real challenge is not redesigning the methodology from scratch, but making existing risk assessment, scoping, and work programs more explicit and easier to evidence.
When do Topical Requirements apply?
Topical Requirements apply when the topic is relevant to an audit engagement. In practice, that means the topic has been identified through the internal audit function’s risk-based planning or emerges during an engagement, or it becomes the subject of a newly requested engagement outside the original plan. Their application is therefore not automatic or universal; it remains driven by risk and scope. For assurance work, application is mandatory. For advisory work, it is recommended rather than required. Not every requirement within a Topical Requirement will apply in every case, but internal auditors are expected to assess relevance and document any exclusions with a clear rationale.
KPMG Insight: The practical impact of Topical Requirements starts upstream, at the level of risk assessment and scope definition. Internal audit functions will need to show not only why a topic was included, but also why certain elements were not. It is also important to consider the Topical Requirement beyond a single, dedicated topical audit, as these broad risk areas are often addressed across multiple audits over time.
How do Topical Requirements fit into the audit lifecycle?
Topical Requirements should be considered throughout the audit lifecycle, starting with the periodic internal audit planning process. During audit planning, they help determine whether a specific topic warrants dedicated coverage or whether the relevant requirements can be addressed across multiple engagements over time. During scoping, they help internal auditors decide which aspects of governance, risk management, and control are most relevant to the risk being assessed. During execution, they provide a structured baseline for procedures and evaluation criteria. During reporting, they support clearer communication on what was covered, what was excluded, and why. In that sense, they reinforce a disciplined risk-based approach rather than adding a separate layer of methodology.
KPMG Insight: Internal audit teams now need to show that Topical Requirements are considered from planning through reporting, rather than treated as a late-stage documentation exercise. Topical Requirements create the most value when they are embedded early in the engagement lifecycle. If they are considered only during reporting or file completion, they are more likely to feel administrative than risk-driven.
How to demonstrate compliance with Topical Requirements?
Demonstrating compliance starts with clear documentation. Internal audit should be able to show that the Topical Requirement was considered, that applicability was assessed, and that any exclusions were intentional and justified. This can be documented at audit plan level and/or in engagement workpapers, depending on how the topic is covered. Where organizations already use more detailed regulatory or industry frameworks, internal audit does not need to duplicate work, but it should be able to show how work performed maps to the relevant Topical Requirement. This makes conformance more transparent and also matters from a quality assessment perspective, as Topical Requirements will form part of future quality reviews.
KPMG Insight: For many audit functions, demonstrating compliance should not require a large volume of new documentation. More often, it will require a clearer audit trail linking risk assessment, scope decisions, work programs, and the rationale for exclusions. Integrating these specific checkpoints into existing documentation for risk assessments, scoping documents, and audit methodology can help ensure sufficient coverage and make it easier to produce a sufficient level of documentation.
Why do Topical Requirements matter for Internal Audit teams and Audit Committees?
For internal audit teams, Topical Requirements create a clearer and more consistent baseline for addressing major risk areas, while still leaving room for professional judgment. They make it easier to explain why a topic was included in the plan, how it was scoped, and whether coverage is sufficient. For Audit Committees, this can support better conversations about risk prioritization, assurance coverage, and the rationale for audit choices. That is particularly relevant for topics that are widely recognized as important but not always addressed with the same depth or consistency in practice.
KPMG Insight: Topical Requirements can strengthen the dialogue between Internal Audit and the Audit Committee by making assurance coverage on critical risks more transparent. That is particularly valuable for topics that are widely acknowledged as important but not always addressed with the same depth or consistency in practice. Cybersecurity audits were already widely present in audit plans; however, topics such as organizational behavior, third-party risk, and operational resilience are more widely scattered and often less addressed.
How KPMG can help
KPMG can support internal audit functions in translating Topical Requirements into practical, workable methodology that aligns with existing ways of working. This may include supporting you with:
- updating templates and working papers, and ensuring and documenting conformance and alignment with existing frameworks and regulatory expectations,
- demonstrating conformance without creating unnecessary administrative burden. The real value lies in embedding the requirements pragmatically so that audit quality is strengthened while the approach remains proportionate and workable in day-to-day practice, and
- performing readiness assessments or quality assessments on your conformance with the Global Internal Audit Standards, including Topical Requirements.