
Why Conforming With The IIA’s Topical Requirements Won’t Be as Hard as You May Think (+ How to Do It)
When The Institute of Internal Auditors (IIA) announced the mandatory, supplemental “Topical Requirements” in 2024, most Internal Auditors weren’t exactly excited. They worried the guidance would be too prescriptive to apply to all organizations.
They feared it would be less about value, and more about “homework.”
There was a lot of sighing and hand-wringing.
Now, the first Topical Requirement (Cybersecurity) is in effect, and three others will go into effect in 2026 or 2027. Teams are rolling up their sleeves and figuring out what implementation really looks like.
That’s why the Internal Audit Collective held a recent webinar to get perspectives from both sides of the fence:
- Quality Services Provider: The discussion was led by Mike Levy, CEO of Cherry Hill Advisory, where his work includes EQAs related to the Topical Requirements. He’s also a member of The IIA Standards Board and past chair of The IIA’s North American Board.
- Practitioners: Mike was joined by three awesome professional practice leaders who’ve been adopting the new requirements: Tracey Cadieux, Marcus Wong, and Patrick Moore.
Fortunately, these practitioners found that their teams quickly moved past the sighing and hand-wringing. They also found that the Topical Requirements (1) align pretty well with what they’re already doing, and (2) add value by helping to ensure consistent and effective risk coverage.
Everyone is learning as they go. But several recommendations came through loud and clear.
1. Don’t Over-Engineer It
Every one of our panelists echoed one simple message: Instead of creating bolt-on processes, make Topical Requirements conformance part of your existing methodology.
“Bake it into what you already do. Don’t over-engineer it. Just put a game plan together, and then train people and execute,” advised Patrick. “I look at this as not really any different than considering fraud, or the skills assessment of the team. You’re doing that on every audit as you plan — taking those things into account. I look at this as an extension of that.”
Accordingly, when all our panelists’ teams implemented the Cybersecurity Topical Requirement, they assessed their processes to understand what they were already doing that they could leverage to demonstrate conformance (e.g., risk assessments for annual planning, audit mapping, documenting a cybersecurity focus in scoping, existing frameworks with applicable coverage).
In particular, existing frameworks can be key enablers:
- Tracey’s team mapped the Topical Requirement to the organization’s internal technology framework to help demonstrate conformance.
- Marcus’s and Patrick’s organizations both use the NIST Cybersecurity Framework, so they leveraged that to help analyze and demonstrate conformance. (The IIA’s Cybersecurity Topical Requirement User Guide maps the requirements to COBIT and NIST frameworks.)
As Marcus explained, “If you’re a ‘mature’ organization and cybersecurity is part of your mandate, you’ve probably already mapped to a framework, to the risks you're considering when you're doing your annual audit plan, and to the GRC requirements you think about when you're scoping each of the projects.” As he sees it, the Topical Requirement just helps ensure consistent coverage and documentation of key GRC elements over time in cybersecurity-related audits.
Tracey’s team was initially hesitant about how the requirements would work in their audits. But as she shared, “The feedback so far has been that it's been pretty seamless. Because it really is already built into our methodology.”
2. Document at the Planning Level
These requirements often apply holistically, spanning multiple audits. Accordingly, teams want to avoid comprehensively documenting conformance in every single engagement.
That’s why our panelists’ teams have primarily documented Topical Requirements in two places:
- Annual planning — As Tracey pointed out, teams already map audits to their annual planning. So the new need is adding relevant language regarding applicable Topical Requirements to scoping documents, just as you’d add language about any regulations you’re considering.
- Engagement planning memos — Tracey’s team also added a section to the workpapers indicating applicable Topical Requirements. The approach helps demonstrate conformance at the engagement level while enabling behind-the-scenes reporting.
Indeed, when Mike does EQAs, he primarily wants to see that teams have been thoughtful about implementation and documentation, including documenting conformance in some form in the workpapers.
Said Mike, “I don’t need seven checkboxes for every one of the control elements on every single audit step that you do.” So, if you can demonstrate coverage of Topical Requirements holistically across your organization, you don’t have to address it in each and every audit.
3. Conduct Self-Assessments Before EQAs
Panelists also suggested proactively looking for gaps prior to a formal EQA. Advised Patrick, “Start early, and give yourself time to implement improvements before the EQA. That way, they’re likely to give you a pat on the back for identifying issues and fixing them before they got there.”
“It’s next on my list to figure out how we'll prepare for our EQA,” said Tracey. “We are going to use the guidance by The IIA and some of the tools they have around QA to map out where we meet all of the standards and where it’s documented. After we perform that exercise, I think it's just doing a gap analysis and saying, okay, do we have any gaps? How do we want to address them?”
Mike suggested using The IIA’s Quality Assessment Manual’s template to perform an internal readiness self-assessment — and then having an independent third party review your self-assessment to identify potential gaps. “It helps you avoid as many surprises as possible during the EQA.”
Addressing questions about how some of the more prescriptive requirements may not fit every company, Mike said, “If there’s a scenario where you feel a requirement doesn’t fit your organization or you’re taking a different approach, yes, that could technically create a conformance issue. But I would encourage you to document why it’s not applicable.” Then, your assessor can review that documentation and have a conversation with you to assess how that impacts conformance. He added, “Just because something didn’t take place doesn’t mean it automatically does not conform or partially conforms. It just becomes a part of the conversation and approach.”
4. Use Topical Requirements as Leverage
For teams who face resistance when auditing covered topics, the requirements give CAEs the ability to say, “This isn’t just our preference or professional opinion — this is now part of professional standards.” That may help you gain buy-in on audit planning and resource allocation.
For example, if smaller teams lack bandwidth or expertise to address Topical Requirements, “I think it drives the conversation with your audit committee and executives about where the risks lie,” said Marcus. “And that drives questions about, are there gaps? Do we need to dedicate more resources or do more work in certain areas?”
5. Use Technology to Enable Conformance and QA
All the panelists have leveraged technology to support implementation (e.g., mapping requirements to standards/frameworks, self-assessments, audit and QAIP scoping). For example:
- Marcus and Tracey’s teams experimented with AI tools (e.g., Microsoft Copilot, Claude, ChatGPT) to assess potential gaps.
- Patrick’s team used Optro’s self-assessment tool to identify focus areas and potential blind spots.
- Marcus’s team — which has an embedded software engineer — is creating a risk module/sandbox they’re loading with relevant documents. By using multiple AI agents to interrogate the company knowledge, the team can have back-and-forth conversations with the agents to brainstorm risks and ensure effective scoping.
“That doesn’t let us off the hook in terms of understanding the business and talking to our stakeholders to make sure our understanding is correct,” said Marcus. “And it obviously doesn’t reduce my responsibility to make sure we’re conforming with our methodology and the Standards. But it’s like having an extra person on the team to help point us to where we may not be consistent between projects or could be more fully compliant with the Standards.”
6. Scale Your Approach to Your Size and Maturity
The panelists readily acknowledged that implementation will look different for teams of varying sizes and maturity levels. So they offered a few tailored recommendations.
Leading Practices for Small Internal Audit Functions
- Keep documentation simple. Consider planning-level assessments and short narrative-style documentation that references existing workpapers. Avoid the temptation to create overly complex control matrices or elaborate requirement-by-requirement testing documentation.
- Focus on risk coverage. Your approach should make sense for your risks and priorities. Don’t waste resources mimicking enterprise-grade practices used by huge audit teams — just aim for a thoughtful, risk-based approach offering reasonable documentation of conformance.
- Consider relying on second-line assurance. Are there opportunities to rely on work already being done by second-line functions? If yes, explore your options and document any reliance. (Though large teams obviously have opportunities here too.)
Leading Practices for Larger or More Mature Internal Audit Functions
- Reduce/streamline efforts by aligning Topical Requirements with existing frameworks. While this is a leading practice for any size organization, it’s particularly important for large organizations where risk and assurance work occurs across different silos. These companies may already be conforming operationally, making implementation largely about mapping requirements to frameworks and linking documentation.
- Develop a scalable implementation model. Topical Requirements will keep coming. Consider developing repeatable frameworks covering assessment, mapping, documentation, and QA.
- Make strategic use of audit technology platforms. Most large organizations have audit management systems; these systems’ workflows and templates can often be adapted in small ways to accommodate the new requirements (e.g., embedding prompts in planning memos).
7. Understand When Topical Requirements Apply
Application Scope
Short version: Topical Requirements are only mandatory for assurance engagements that include the topic. They are, however, recommended for advisory engagements including the topic.
The IIA’s Topical Requirements FAQ offers additional guidance.
Implementation Timeline
The IIA issues Topical Requirements with one-year implementation periods before they become effective. Here’s the landscape as of 5/21/2026, including links to The IIA’s User Guides. Mike’s firm (an IIA Authorized Licensee) also offers IIA-guide-aligned practitioner’s workbooks teams can use to develop reasonable evidence of conformance. NOTE: The blog version of this article has active links for the standards, user guides, and templates.
ISSUED:
- Cybersecurity Topical Requirement
  - Effective Date: 2/5/2026
  - IIA User Guide
- Third-Party Topical Requirement
  - Effective Date: 9/15/2026
  - IIA User Guide
- Organizational Behavior Topical Requirement
  - Effective Date: 12/15/2026
  - IIA User Guide
- Organizational Resilience Topical Requirement
  - Effective Date: 4/30/2027
  - IIA User Guide
UPCOMING:
- Anti-Corruption Topical Requirement: Expected release for public consultation, June 2026
- Talent Management Topical Requirement: Expected release for public consultation, October 2026
The IIA typically releases draft requirements for public review/comment for 30 to 60 days. We encourage every Internal Auditor to review and offer feedback.
After all, your feedback genuinely matters. “The amount of public exposure that happens, and the feedback that is provided, are what drives these documents,” said Mike. “Cybersecurity, as an example — I think it was a 17-page document to start. And much of that ended up being moved into a user guide, so the final requirement is only about 3 pages.”
THE LAST WORD: Specificity + Candor = Real Answers
The Topical Requirements webinar was another great example of what sets the Collective apart.
We regularly convene top-quality Internal Audit professionals in real time.
Our webinars, roundtables, and classes (1) focus on specific topics Internal Auditors actually care about and (2) provide healthy discussion spaces enabling transparency and candor.
Quality people + specificity + candor = a real opportunity to get your questions answered while making meaningful connections.
If you focus on professional practice development or audit operations, you may be interested in:
- Our May 28, 2026, roundtable on “Successfully Preparing for an EQA,” led by the wonderful Christine Hovious. Christine previously worked for The IIA and led the IPPF/Standards Transformation initiative. She also recently guided her organization through a successful EQA, receiving the highest rating. Sign up today and come ready with your questions on QAIPs and quality management — or better yet, submit your questions in advance!
- The Internal Audit Collective’s PPD roundtable, a monthly series in which all three of our awesome panelists participate. This dedicated group sets its own agenda based on what PPD and audit operations teams are talking about.
- The Internal Audit Collective’s Connect program, which helps members match and meet 1:1 with new peers (filtered by team size, industry, etc.) based on their unique interests — like someone who’s in your same role. The next session kicks off at the beginning of June; keep an eye out for your invitation to register.
When you are ready, here are three more ways I can help you.
1. The Enabling Positive Change Weekly Newsletter: I share practical guidance to uplevel the practice of Internal Audit and SOX Compliance.
2. The SOX Accelerator Program: A 16-week, expert-led CPE learning program on how to build or manage a modern & contemporary SOX program.
3. The Internal Audit Collective Community: An online, managed community to gain perspectives, share templates, expand your network, and keep a pulse on what’s happening in Internal Audit and SOX compliance.