Regulation Updates: Third-Party Topical Requirement, GRC Reporting, and 529 Plan Changes

By the ACUA Auditing & Accounting Principles Subcommittee

The ACUA Auditing and Accounting Principles Subcommittee is committed to providing members with emerging information in our field. This article features the recently released IIA Third-Party Topical Requirement, clarification on the new reporting requirements on governance, risk management, and controls, plus modifications to the 529 education savings plan that allows tax savings for professional certification expenses.

Understanding the IIA’s Topical Requirements for Third-Party Relationships

Topical Requirements are a new, mandatory component of the Institute of Internal Auditors’ (IIA) Global Internal Audit Standards. Internal auditors must apply the Topical Requirements for assurance engagements in the following situations:

  • The topic is included in your audit plan as an assurance engagement.
  • The topic is identified during the course of an audit engagement.
  • The topic is requested as a new engagement, even if it was not part of your original audit plan.

What’s New?

The Third-Party Topical Requirement was finalized on September 15, 2025, and will become effective September 15, 2026. According to the IIA, a third party is “an external individual, group, or entity with whom an organization (‘the primary organization’) has a business relationship.” In simpler terms, this means any person, group, or business your institution works with.

Importantly, the requirement does not just apply to your direct third-party relationships. It also covers any subcontracted relationships, even those several layers down, such as fourth-level subcontractors, if your contract allows them. This broad scope ensures that risks are managed throughout your entire supply chain.

What does the Third-Party Topical Requirement involve?

Internal auditors need to assess their institution’s contract management throughout the third-party life cycle, consisting of selecting, contracting, onboarding, monitoring, and offboarding. Internal auditors should consider these stages when assessing the requirements for these three key areas:

  • Governance: Internal auditors must evaluate how their institution decides with whom to contract, how these relationships are managed, and who communicates with third parties and stakeholders. This includes assessing whether the organization has clearly defined roles and responsibilities for managing third-party relationships, and whether established policies and procedures align with regulations and are updated regularly. Auditors should confirm there is a formal approach to contracting third parties and there are protocols for communicating with relevant stakeholders.
  • Risk Management: Internal auditors must review how their institution identifies, assesses, and monitors third-party risks. This begins with examining due diligence procedures for onboarding third parties. There should be ongoing monitoring and corrective action for deviations, and risk assessments should classify and rank third-party risk. Check that escalation and remediation processes are in place for unresolved issues, up to and including termination of the relationship.
  • Controls: Internal auditors should assess the controls in place to manage and monitor the risks associated with third parties. Review procurement controls for appropriate sourcing and selecting of third parties and ensure there is an appropriate approval process. Determine whether there is centralized contract management and verify contracts contain risk mitigation clauses, performance expectations, compliance obligations, and are reviewed and updated periodically. Review ongoing third-party monitoring and periodic evaluation, and the monitoring of contract renewal dates and offboarding plans.

By understanding and applying these requirements, your institution can better manage third-party risks and strengthen its overall governance.

Download the Third-Party Topical Requirement and a user guide from the IIA at:

https://www.theiia.org/en/standards/2024-standards/topical-requirements/third-party/

Other topical requirements to be aware of:

Cybersecurity – effective February 5, 2026

Organization Behavior – public comment period ended, pending finalization.

Organizational Resilience – pending public comment.

https://www.theiia.org/en/standards/2024-standards/topical-requirements

New Reporting Requirements for GRC

The new IIA Global Internal Audit Standards, effective January 9, 2025, introduce more structured and rigorous reporting requirements for Governance, Risk Management, and Controls (GRC). They emphasize clarity, consistency, and alignment with stakeholder expectations.

During an engagement, the Internal Audit function must evaluate the governance processes to ensure the organization promotes ethical behavior, accountability, and transparency. Auditors must identify key risks and ensure they are managed effectively, and review the control framework to identify control deficiencies, weaknesses, and failures.

Standard 14.5 Engagement Conclusions requires internal auditors to develop an engagement conclusion that summarizes the results relative to the engagement objectives. In addition, this standard states “assurance engagement conclusions must include the internal auditor’s judgment regarding the effectiveness of the governance, risk management, and control processes of the activity under review, including an acknowledgment of when processes are effective.”

The considerations for implementation of this standard recommend having methodologies for the internal audit function in the form of a rating scale indicating whether reasonable assurance exists regarding the effectiveness of controls. An example is developing criteria for a scale that indicates “satisfactory, partially satisfactory, needs improvement, or unsatisfactory.”

The AAP Committee aggregated the ratings used by the committee members and created the following example of a rating methodology that is applicable to report ratings and GRC ratings:

Example of Report/GRC Ratings

Standard 15.1 Final Engagement Communication states the final communication for assurance engagements must include a “conclusion regarding the effectiveness of the governance, risk management, and control processes of the activity required,” in addition to the continuing requirements of objectives, scope, recommendations, and any action plans. Auditors are encouraged to use their engagement conclusions derived from their methodologies to meet this reporting standard.

529 College Savings Plans Expanded to Cover Professional Certifications

A provision in the One Big Beautiful Bill Act (OBBBA) that was signed into law in July 2025 included changes to 529 education savings plans that may benefit ACUA members. Traditionally, 529 plans were reserved for undergraduate and graduate degree programs, but now certain professional certification and credentialing programs are covered as qualifying expenses. This includes several of our most sought-after certifications, including the Certified Internal Auditor (CIA), the Certified Information Systems Auditor (CISA), and the Certified Public Accountant (CPA).

This is a great opportunity to invest in your professional development, especially if your department does not cover or reimburse certification expenses. Eligible expenses can include study materials, exam fees, and even continuing education required to maintain your credential.

See Section 70414 of the OBBBA for more information. As always, everyone’s tax situation is different, so please consult with your tax advisor to confirm eligibility. Check with your financial institution for assistance setting up a 529 plan.

Mitigating Bias in Internal Auditing: Strategies for Enhanced Objectivity

By Amaya Beck

Internal auditors are tasked with evaluating organizational processes to ensure compliance with laws and regulations, as well as identifying areas for improvement. However, like all professionals, they are prone to psychological biases that can influence their judgments and decisions. These biases can lead to inaccurate audit findings, undermine the credibility of the audit process, and ultimately affect organizational decision-making. By implementing mitigation strategies, internal auditors can enhance the credibility of their work and contribute to more effective organizational governance.

Common Biases in Internal Auditing

Several biases are particularly relevant to internal auditors:

  • Confirmation Bias: This involves favoring information that supports preconceived notions while disregarding contradictory evidence. It can lead auditors to overlook critical issues or misinterpret data.
  • Anchoring Bias: Auditors may rely too heavily on initial information, which can skew their assessment of subsequent data.
  • Overconfidence Bias: This occurs when auditors overestimate their knowledge or judgment, potentially leading to missed errors or omissions.
  • Availability Bias: Auditors may give undue weight to readily available information or recent events, rather than considering a broader range of data.

Strategies for Mitigating Bias

1. Structured Decision-Making Tools: Six Thinking Hats Technique

The Six Thinking Hats technique, developed by Edward de Bono, offers a structured approach to decision-making by encouraging diverse perspectives. This method involves assigning different colored hats to represent various thinking styles: White Hat for facts, Black Hat for risks, Green Hat for creativity, Red Hat for emotions, Yellow Hat for benefits, and Blue Hat for process management. Auditors should metaphorically don the different hats and systematically consider multiple viewpoints to reduce the impact of personal biases and ensure more comprehensive evaluations.

2. Peer Reviews and Second Opinions

Engaging in peer reviews or seeking second opinions can help challenge assumptions and identify potential biases. This collaborative approach fosters a culture of critical evaluation and enhances the reliability of audit findings.

3. Training and Awareness Programs

Educating auditors about common biases and their effects is crucial. Training programs should emphasize the importance of recognizing and mitigating biases to promote a culture of objectivity within audit teams.

4. Organizational Independence and Reporting Lines

Ensuring internal auditors report directly to the audit committee or an equivalent body helps maintain independence and reduces the influence of organizational pressures that might lead to biased judgments.

Conclusion

Mitigating bias in internal auditing is essential for maintaining the integrity and credibility of audit processes. By employing structured decision-making techniques, fostering a culture of peer review, and enhancing awareness of cognitive biases, internal auditors can significantly reduce the impact of biases on their work. These strategies not only improve the quality of audit findings but also contribute to more informed organizational decision-making. By adopting them, internal auditors can strengthen their role as guardians of organizational integrity and contribute to more effective governance and compliance practices.

Resources

  1. https://www.linkedin.com/pulse/psychological-biases-how-affect-internal-auditors-isaac-omosa
  2. https://www.accaglobal.com/content/dam/ACCA_Global/Technical/audit/pi-banishing-bias-prof-scepticism.pdf
  3. https://internalauditor.theiia.org/en/voices/2024/august/building-a-better-auditor-beating-behavioral-biases/
  4. https://abmagazine.accaglobal.com/content/abmagazine/global/articles/2022/nov/practice/the-various-biases-in-audit.html
  5. https://www.learnleansigma.com/guides/six-thinking-hats/

AAP Roundtable on Implementing the New IIA Standards

On February 11, 2025, the ACUA Auditing and Accounting Principles (AAP) Committee hosted a roundtable discussion on implementing the Institute of Internal Auditors (IIA) Global Internal Audit Standards (Standards), which became effective on January 9, 2025. This event drew 35 ACUA members, who were divided into breakout rooms to share their questions and solutions on five topics with significant changes: reporting, governance/charter, performance metrics, strategic planning, and quality assessments. The AAP committee members facilitated the discussion and contributed to the following summary.

Reporting Requirements

The IIA added reporting elements in “Standard 15.1 Final Engagement Communication.” Changes include prioritizing findings, adding an overall summary of governance, risk, and controls, and adding an owner and due date to the management response.

How are departments reporting conformance in their audit reports while working on implementing the new Standards? The internal audit departments that have already completed a gap analysis or an internal assessment and have modified their practices to agree with the new Standards continue to use the “in conformance” phrase in their reports. Departments that are still adjusting to the new Standards, or will have an external assessment soon, are temporarily omitting that phrase from their reports.

How are you prioritizing your findings? All members said they are consciously prioritizing their findings, but the methodologies varied. Some departments have defined a matrix for categorizing their findings as “high, medium, or low.” These ratings and definitions are sometimes presented in the reports for context. Other departments are relying on professional judgment in prioritizing their findings and are documenting their reasoning in the work papers. Most departments are including the phrase “findings are listed in order of priority” in the final reports.

How are departments concluding on the effectiveness of the governance, risk management, and control processes (GRC) of the activity reviewed? Most participants have not had to address this new requirement yet. Members are planning to give a conclusion on GRC as a whole, rather than addressing the three elements separately. Many plan to describe GRC from a selection of options, such as “needs improvement/adequate/good” or “satisfactory/enhancement required/significant enhancements required/ineffective.” Departments have begun developing criteria to facilitate consistent rankings of these areas.

Naming the individuals responsible for addressing the findings and the planned completion date is a new requirement, but is this a departure from your current practice? Most members said they are used to providing the estimated completion date on the final report but have not necessarily named the responsible party or division. Some departments that formerly only retained this information in the workpapers will now include this information in the management response section of the report. All agreed that providing the role or division responsible, rather than the name of the specific person, is sufficient.

Governance and Charters

“Standard 6.2 Internal Audit Charter” requires the internal audit charter to include the purpose of internal auditing, a commitment to adhering to the Standards, a mandate including the scope and types of services to be provided, and a definition of the function’s organizational position and reporting relationships.

What changes are departments making to their audit charter? Many departments have been comparing their audit charter to the new Standards to determine what, if any, modifications are necessary. A few schools are using this opportunity to develop their initial charter. Minor changes include updating definitions, such as advisory services, and incorporating language from the IIA charter template, available from the IIA website. Another school looked at the “musts” in the Standards and ensured all were met. Other changes include adding required communications, incorporating the Domain IV standards on managing the internal audit function, and adding a section on ethics and professionalism.

Has anyone received any pushback or enthusiastic buy-in on their updated charters? Most members said neither, but mostly because people outside of the Internal Audit Department do not really understand the implication of these changes. However, most felt the Board and Audit Committees have been supportive.

How is the chief audit executive (CAE) managing the changes in communication with the board? Many schools have made presentations to their board regarding the changes to the Standards. Some CAEs are creating a document to formalize the discussions that take place between the CAE and the Board or Audit Committee. All agreed it is important to document what is required to be communicated to the Board.

Performance Metrics

“Standard 12.2 Performance Measurement” is new and states the CAE must develop objectives to evaluate the internal audit function’s performance and promote continuous improvement.

Which performance metrics have you found to be the best measurements of success? The most common metrics discussed at the roundtable included:

  • Status of the audit plan
  • Implementation of corrective actions
  • Post-engagement client surveys
  • Engagement time versus administrative time
  • Continuing professional education
  • Results of internal and external assessments
  • Project timeliness, such as completing engagements within time budgets, reports issued within X days of fieldwork, and hotline reports closed within X days.

Which new performance metrics are being considered as a result of this new standard? All schools said they did not make any changes to their existing performance metrics, though some did add existing metrics to their audit manual. Some were considering adding potential metrics about increasing the automation of work and applying data analytics to more projects. One school said their Board wanted a better understanding of the financial savings achieved, though it is difficult to quantify the value of compliance audits and process improvements.

Do you have performance metrics that tie to an individual auditor or manager? Most schools said their goals are related to the entire team. One school said their managers have additional key performance indicators of timely review of reports and a percentage of their team’s engagements completed. Another said they tie annual merit increases to the number of projects completed.

Strategic Planning

“Principle 9 Plan Strategically” focuses on planning strategically, and “Standard 9.2 Internal Audit Strategy” requires the CAE to develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders.

Is strategic planning a new area for internal audit departments? If not, what are your plans for meeting this new standard? Some departments already had a strategic plan and were taking the opportunity to revisit their plan. Many smaller departments had not yet implemented a strategic plan and were preparing to do so.

What resources have you found to be most helpful for developing a strategic plan? The roundtable group discussed some webinars they have attended on the subject. Others have found peer input and online searches on organizational goals and strategies to be helpful.

What types of input did you receive when building your strategic plan? Those who have completed their strategic plan used team feedback, client survey responses, management analysis, their internal audit mission and objectives, and audit committee feedback. Completed plans were shared with the Board and senior management.

Internal and External Quality Assessments

Assessments of internal audit departments now fall under different standards. “Standard 8.3 Quality” requires the CAE to develop, implement, and maintain a quality assurance and improvement function. “Standard 12.1 Internal Quality Assessment” covers ongoing monitoring, periodic self-assessments, and communicating results to the board and senior management about adherence to the Standards. “Standard 8.4 External Quality Assessment” requires an external review to be conducted every 5 years and requires that the external review team include at least one Certified Internal Auditor (CIA).

For those who have completed an internal assessment or gap analysis, what resources did you use? All participants said they used the ACUA AAP – IIA Global Standards 2025 – Self-Assessment Tool and found it helpful in evaluating compliance with the new Standards. Members can download this workbook from the ACUA Resource Library after logging in and searching for “self-assessment tool.”

What were the biggest changes found in your gap assessment? Most felt the enhanced reporting and communication with the Board was the biggest change. Smaller changes needed to be addressed by revising audit manuals, audit charters, and strategic plans. The new ethics and professionalism domain and reporting requirements also needed to be incorporated into the audit manual. Roundtable attendees cited the need for training team members on the changes in the Standards to be able to effectively review engagement workpapers.

Which new topics have the most ambiguity for implementation? Small audit shops and those combined with other areas such as risk and compliance expressed difficulties in demonstrating conformance with the Standards due to inherent differences in organizational and operational structures. The group discussed ways to document conflict of interest disclosures and project-level independence. Others felt the requirements in “Domain III Governing the Internal Audit Function” are quite overarching and may be difficult to implement and document.

Who has plans to have an external assessment in 2025? Only one university said they were due for an external assessment in 2025. Others ensured they completed their assessment before the change in the Standards to allow for more time to conform. All acknowledged they will need to have a CIA on their next review team, though some noted that this new criterion may be a challenge because there are not many CIAs in their current pool of assessors.

Conclusion

The first AAP roundtable on the new Standards was a big success. The participants appreciated hearing how fellow members are tackling these changes. Members enjoyed the small breakout group format and the ability to share and collaborate with peer universities on these topics. In the post-event survey, the roundtable attendees unanimously found the roundtable to be helpful and would be interested in attending future roundtables related to the Standards. Please watch for future roundtable opportunities hosted by the AAP!