Resources

AAP Roundtable: Strategies for Risk Assessments, Developing Findings, and Follow-up

Blue Logo for ACUA with the text Journal Articles

By Susie Geiger and the AAP Subcommittee

On January 14, 2026, the Auditing and Accounting Principles (AAP) Subcommittee of the Association of College and University Auditors (ACUA) hosted a roundtable to help institutions strengthen conformance with Domain V of the updated Institute of Internal Auditor’s Global Internal Audit Standards. The session focused on three standards central to effective engagement execution: Standard 13.2 on engagement risk assessments, Standard 14.2 on analyses and developing potential findings, and Standard 15.2 on confirming the implementation of recommendations or action plans. Nearly 50 ACUA members participated by sharing challenges, comparing practices, and identifying strategies to improve consistency, efficiency, and quality across their audit functions.

This highly interactive roundtable was facilitated by AAP Committee members Hollie Andrus, Patty Davidson, Jennifer Dent, Erin Egan, John McDaniel, and Agnessa Vartanova. After sharing the requirements of each of the Standards, the participants met in breakout rooms to discuss how institutions conduct and document risk assessments, analyze information to identify findings, and perform follow-up activities. These discussions are summarized below.

Standard 13.2 – Engagement Risk Assessments

Standard 13.2 requires internal auditors to understand the activity under review, assess relevant risks, evaluate governance and compliance processes, and identify the significance of risks, including fraud risks. Institutions reported that meeting these expectations consistently remains a significant challenge. In the breakout rooms, participants were asked to discuss the question “How does your institution conduct and document your engagement risk assessments?”

Challenges in Risk Assessment

Several audit shops struggle with training auditors to identify and analyze risks in a consistent manner across diverse engagements. Limited subject‑matter expertise, particularly in IT and fraud, further complicates risk identification. Many offices also lack tools or data analytics capabilities to support more sophisticated assessments.

Organizational dynamics add another layer of difficulty. Risk tolerance varies widely across campus units, and leadership turnover can disrupt expectations. Smaller audit shops, in particular, often lack a centralized risk management function to help define institutional risk tolerance and appetite. Communication barriers also arise when auditors and clients use terminology differently, leading to misunderstandings that hinder risk identification.

Strategies for Improving Risk Identification and Evaluation

Despite these challenges, participants shared a range of practical strategies for effectively identifying and evaluating risks. Many offices have adopted standard templates to document risk assessments and utilize inventories of common risks, including ones specifically related to fraud. Others conduct team brainstorming sessions at the start of each engagement to determine potential risks.

Audit functions are also drawing on diverse information sources such as prior audit reports, peer institution audits, policies, strategic plans, regulatory guidance, and ACUA resources such as the Risk Dictionary. Some offices incorporate frameworks like the Association of Certified Fraud Examiner’s (ACFE) Occupational Fraud Framework to strengthen evaluation of fraud and other types of risks. Some shops work directly with their institution’s risk management office to get an understanding of the institution’s risk tolerance and appetite. A few institutions have hired a Certified Fraud Examiner or are encouraging existing auditors to pursue the designation with the support of the office.

To improve consistency, several participants described developing scoring systems for prioritizing risks and creating standard lists of client questions to guide kickoff meetings. Others emphasized the value of pre‑engagement research and the use of asking the client open‑ended questions such as “what can go wrong?” to uncover contextual risks. Another suggestion was to provide audit clients with a confidential method for communicating their concerns to internal audit.

Standard 14.2 – Analyses and Potential for Engagement Findings

Standard 14.2 requires auditors to analyze relevant, reliable, and sufficient information to develop potential findings and evaluate identified differences between the evaluation criteria and the existing state (condition) to determine which are reportable findings. In the breakout rooms, members shared several challenges they have faced in developing testing observations into reportable findings and worked together to brainstorm strategies for improving conformance with this standard. Participants were asked to discuss the questions “How does your institution conduct and document your engagement risk assessments?” and “How much testing is needed for assurance engagements to develop an issue?”

Challenges in Testing and Analysis

Higher education institutions often have multiple decentralized systems that do not interface, leading to inconsistent datasets that complicate testing.  Participants also identified inconsistent testing methodologies, lack of standard templates, and difficulty balancing over‑ and under‑documentation as common concerns which can lead to poor quality assurance.

Some offices reported experimenting with AI tools but expressed uncertainty about evaluating the reliability of AI‑generated results. Others noted that some clients may not fully understand internal controls, making it harder to validate observations or explain findings. Several participants also said that their offices have trouble performing root cause analysis, especially for newer auditors who may be tempted to rely on assumptions rather than structured analysis.

Strategies for Enhancing Finding Development

Participants shared several approaches to improve testing quality and consistency. Many offices use verification between data sources to validate accuracy. Others have adopted standard testing templates with required fields but built‑in flexibility to accommodate diverse audit areas.  Some shops have created specialized procedures and templates for conducting and documenting the testing of regularly reviewed processes like travel expenses and procurement card transactions.

Training plays a central role, and many offices are emphasizing documentation expectations during onboarding and ongoing professional development. Audit management software, such as TeamMate, helps some teams link risks, controls, and testing more effectively. To strengthen root cause analysis, participants recommended techniques such as the “five whys” and incorporating client input. AI tools may also support testing when procedures are carefully designed and validated.

Determining the Extent of Testing

Participants also discussed how much testing is needed to develop a finding. Resource constraints and inconsistent access to data prevent audit functions from effectively employing population-level analysis at a significant scale, leading many offices to rely on judgmental sampling. Some auditors also struggle to move beyond inquiry and neglect to corroborate client statements with evidence. Several participants said that their offices do not have procedures for assessing and prioritizing/ranking identified observations.

To address these issues, offices are developing standard definitions of “relevant, reliable, and sufficient” information aligned with Standard 14.1. Others use external frameworks (AICPA, FASB) to guide finding criteria. Risk decision matrices help some teams evaluate materiality and determine whether an observation warrants verbal communication or a formal finding. Some shops are making efforts to transition from testing small samples to population-level testing when feasible. Auditors are also being trained that inquiry is often not sufficient to confirm or dismiss a finding; they should corroborate management statements with observation, examination, or reperformance.

Standard 15.2 – Confirming the Implementation of Recommendations or Action Plans

Standard 15.2 requires internal audit functions to confirm whether management has implemented action plans and, when they have not, to follow the CAE’s established guidelines for management acceptance of risk. Participants were asked to discuss the question “How does your institution monitor and perform follow-up activities?” and discussed the following related challenges and strategies in the breakout rooms.

Challenges in Follow‑Up

Follow‑up processes are often less structured than planning or testing phases. Many offices rely heavily on e-mail and phone communication and lack standardized tools for tracking status updates. Some participants felt the follow‑up process is treated like an afterthought and receives much less attention and standardization than the planning and testing phases.

Delays in management action plan completion are common, and some clients do not provide explanations or updated timelines. Auditors also struggle to balance accountability with maintaining positive client relationships. Determining what constitutes sufficient verification, especially when deciding between retesting and reviewing client-provided evidence, remains a challenge.

Strategies for Effective Follow‑Up

Participants highlighted several practices that improve follow‑up effectiveness, including transitioning from “trust but don’t verify” cultures to more evidence-based follow-up procedures. Some offices include follow‑up activities directly in the audit plan to signal their importance to leadership and audit committees. Many have also developed standard templates for documenting action plan status updates.

Regular follow‑up cadences, such as every 90-120 days, help maintain momentum. Some offices conduct interim check‑ins rather than waiting for due dates, which has improved implementation rates. Prioritization methodologies also help identify high‑risk findings that require closer monitoring or escalation.

Clear communication is essential. Some offices have the client determine the specific action plan, with internal audit approval, to mitigate each finding rather than prescribing action plans they may not fully understand. During reporting, auditors define what “implemented” will look like for each action plan and explain how non‑responsiveness may be escalated. Some offices require written justifications for non‑implementation or use standard forms for documenting risk acceptance. Others report overdue action plans to leadership using dashboards and visualizations, and a few require clients to present their rationale for non‑implementation directly to the audit committee.

Conclusion

This roundtable generated discussion that was fruitful and varied, allowing participants to find comfort in shared struggles while also coming together to share creative ideas for solutions. Participants reported in a post-event survey that they found the roundtable valuable and would be interested in attending future roundtables focused on the Standards, as well as other topics.

The AAP Subcommittee will host another roundtable focused on conformance with Standards 13.2, 14.2, and 15.2, this time from the lens of conducting advisory work. This event is tentatively scheduled for Wednesday April 15, 2026, and invitations to register for the session will be e-mailed soon.

Methodology Madness: New Standards Guidance for Formalizing Audit Processes

Blue Logo for ACUA with the text Journal Articles

By Kara Hefner

It has been one year since the implementation of the Institute of Internal Auditors’ (IIA) new Global Internal Audit Standards (Standards). Everyone can agree the Standards have become more prescriptive, with more “musts” and “shoulds” than in prior guidance. Another term has come to the forefront: the word “methodology” is found 109 times throughout the 120-page document. There are 13 standards that require documented methodologies, and 17 more that recommend either implementing methodologies or having documented methodologies to provide evidence of conformance.

Gone are the days of simply relying on professional judgment, winging it, and relying on passing the smell test. This article outlines the required and recommended methodologies to aid in consistently application of audit processes.

What are Methodologies?

The term “methodologies” is defined in the Standards’ glossary as “policies, processes, and procedures established by the chief audit executive to guide the internal audit function and enhance its effectiveness.”

As described in Standard 9.3 on Methodology, the chief audit executive must establish methodologies to guide the internal audit function in a systematic and disciplined manner to implement the internal audit strategy, develop the internal audit plan, and conform with the Standards. These methodologies must be evaluated and updated as necessary to improve the internal audit function and respond to significant changes that affect the function. Internal auditors should be trained in the methodologies to ensure consistency within the department.

Documented methodologies are often found in the department’s formal procedure manual, audit charter, and board charter. Some methodologies can be built into workpaper templates, and ratings methodologies are sometimes included for transparency in the final audit reports. It is important that all auditors are familiar with the department’s methodologies, and that reviewers ensure methodologies are consistently applied.

Required Methodologies

Excluding the Methodology standard 9.3 discussed above, the following 12 standards require methodologies to be in place:

StandardMethodology Requirement (abbreviated)
2.2  Safeguarding ObjectivityThe chief audit executive must establish methodologies to address impairments to objectivity. Internal auditors must discuss impairments and take appropriate actions according to relevant methodologies.
4.1 Conformance with the Global Internal Audit StandardsThe internal audit function’s methodologies must be established, documented, and maintained in alignment with the Standards.
11.2 Effective CommunicationThe chief audit executive must establish and implement methodologies to promote accurate, objective, clear, concise, constructive, complete, and timely internal audit communications.
12.1 Internal Quality AssessmentThe chief audit executive must establish a methodology for internal assessments, as described in Standard 8.3 Quality, that includes ongoing monitoring, periodic self-assessments, and communication with the board and senior management about the results of internal assessments.
12.2 Performance MeasurementThe chief audit executive must develop a performance measurement methodology to assess progress toward achieving the function’s objectives and to promote the continuous improvement of the internal audit function.
12.3 Oversee and Improve Engagement PerformanceThe chief audit executive must establish and implement methodologies for engagement supervision, quality assurance, and the development of competencies. To assure quality, the chief audit executive must verify whether engagements are performed in conformance with the Standards and the internal audit function’s methodologies. The chief audit executive must ensure that evidence of supervision is documented and retained, according to the internal audit function’s established methodologies.
13.1 Engagement CommunicationAt the end of an engagement, if internal auditors and management do not agree on the engagement results, internal auditors must follow an established methodology to allow both parties to express their positions regarding the content of the final engagement communication and the reasons for any differences of opinion regarding the engagement results.
13.3 Engagement Objectives and ScopeIf a resolution on scope limitations cannot be achieved with management, the chief audit executive must elevate the scope limitation issue to the board according to an established methodology.
13.6 Work ProgramThe engagement work program must identify methodologies, including the analytical procedures to be used, and tools to perform the tasks.
14.3 Evaluation of FindingsInternal auditors must determine whether to report identified risks as findings, based on the circumstances and established methodologies. Internal auditors must prioritize each engagement finding based on its significance, using methodologies established by the chief audit executive.
14.4 Recommendations and Action PlansIf internal auditors and management disagree about the engagement recommendations and/ or action plans, internal auditors must follow an established methodology to allow both parties to express their positions and rationale and to determine a resolution.
15.2 Confirming the Implementation of Recommendations or Action PlansInternal auditors must confirm that management has implemented their action plans following an established methodology, which includes inquiring about progress, performing follow-up assessments, and updating tracking systems.

Recommended Methodologies

The Standards also recommend implementing methodologies for other topics under their Considerations for Implementation and Evidence of Conformance categories. These recommendations are summarized below by domain:

  • Domain II: Ethics & Professionalism – Methodologies may be created for addressing ethical issues, disclosing objectivity impairments, and handling illegal or discreditable behavior by internal auditors. Methodologies can specify actions internal auditors are expected to take in response to legal or regulatory violations of which they become aware. Memorialize the manner in which internal audit staff are properly supervised and the permissible ways auditors may  access information. (Standards 1.2, 1.3, 2.3, and 5.2)
  • Domain III: Governance – Consider documenting methodologies to be followed when an organizational impairment is suspected or identified. Formally document the board’s expectations. The external quality assessment should include a comprehensive review of methodologies and their adequacy. (Standards 7.1, 8.1, and 8.4)
  • Domain IV – Managing – Methodologies are recommended for creating and reviewing the internal audit strategy, creation of the annual audit plan, communicating with the board and senior management, handling of errors and omissions, and evaluating external providers of assurance and advisory services. To develop and retain internal auditors, have a methodology for staff training, project supervision, evaluating performance, improving competencies, and promoting professional development. Develop methodologies for communicating the acceptance of risks with collaboration from the board. (Standards 9.2, 9.4, 9.5, 10.2, 11.1, 11.4, and 11.5)
  • Domain V: Performing – Adopt methodologies for when to perform additional analysis, considering the adequacy of controls, significance, and cost benefit analysis. Implement a rating scale for determining the effectiveness of controls for the final report. For example, develop a scale to identify satisfactory, partially satisfactory, needs improvement, or unsatisfactory. (Standards14.2, 14.5, and 14.6)

Establishing and Improving Methodologies

Now that most internal audit shops have adopted the new Standards, this is a good time to check up on the required and recommended methodologies. Review the Standards against the procedure manual, charters, and workpaper templates and identify any methodologies that should be created or enhanced. Consider formalizing rating scales to aid in ranking findings and conclusions for final reports. Discuss methodology enhancements with your board to ensure alignment.

Once established, perform ongoing monitoring to ensure methodologies are in place and used consistently. Reviewers should verify workpapers follow the established methodology and help coach their team on process deviations. Periodic self-assessments and external assessments can also aid in providing feedback on the effectiveness of your methodologies.

Prioritizing Rest to Become a Better Auditor

Blue Logo for ACUA with the text Journal Articles

By Tyler Morgan

“And from that period on, I was in a wormhole. You couldn’t get me out of the room. I would come home from school, sleep for like 30 minutes, go into a room for four hours, and that was it.” 

The above quote comes from Rick Rubin’s interview of singer/songwriter John Mayer on the former’s Tetragrammaton podcast, and Mayer is describing his teenage years when he was learning how to play guitar. Practicing an instrument for four hours a day will tend to result in one becoming rather proficient. But maybe there was something else contributing to Mayer’s aptitude on the guitar. He does not dwell on it, but embedded subtly in the middle of Mayer’s quote may be a key insight into how he became such a generational talent: he took time to rest.

As it turns out, Mayer is not the only highly successful person to benefit (consciously or unconsciously) from the power of rest. There are numerous examples of highly successful people who prioritized rest as a way to achieve peak cognitive performance, including iconic politicians, inventors, business leaders, writers, artists, and musicians. Instead of viewing rest as a waste of time that could otherwise be used to get more things done, these individuals understood that adequate rest was essential to ensure their working time was used effectively and efficiently. While internal auditors are busy people, it is clear from numerous examples of prolific and impactful individuals from outside the auditing world that even the busiest among us can benefit from prioritizing rest.

Perhaps the most likely objection to using rest as a way to become a more effective internal auditor is the belief that internal auditors simply have too much to do to be able to prioritize rest, but history suggests otherwise. Take, for instance, Winston Churchill during World War II. Churchill first served as the British prime minister from 1940-1945, and there clearly was a lot riding on his performance during this time, with each day being filled with a monumental list of items for him to handle. However, Churchill had a longstanding habit of taking an afternoon nap, and he deemed the fate of the free world resting on his shoulders as no excuse for missing his afternoon slumber. The naps continued during the war. He did not consider napping to be a luxury but rather viewed an afternoon nap as an essential way to maintain his legendary daily productivity. Churchill wrote, “Nature had not intended mankind to work from eight in the morning until midnight without the refreshment of blessed oblivion which, even if it only lasts 20 minutes, is sufficient to renew all the vital forces.” Naps were not a decadent activity to be enjoyed solely when little was going on, but they instead functioned as a way for Churchill to stay in tune with immutable biological rhythms and maintain peak cognitive performance during a historical period when every decision was critical. 

Since internal auditors are knowledge workers, they tend to be judged on the quality of their work rather than quantity. And since work quality is positively correlated with cognitive performance, and cognitive performance is enhanced with adequate rest, it follows that rest is a lever internal auditors can pull to increase the quality of their work. University stakeholders likely will not be impressed that an internal auditor regularly works 60-hour weeks or that they never take breaks during the workday. Instead, internal auditors will be judged on the quality of their output and how beneficial it is to their university, especially as artificial intelligence and other technological innovations likely will reduce the amount of time needed to be spent on mundane, low-value administrative tasks. Instead of focusing on work quantity, internal auditors should prioritize producing high-quality, meaningful output that goes far beyond cookie-cutter reports and trite recommendations. In a world where ChatGPT can quickly spew elegant, professional-sounding reports with all the right buzzwords but little substance or original insight, internal auditors who are able to think critically and apply their institutional knowledge to solve tough problems will increasingly stand out from the crowd and be extremely valuable to university stakeholders.

There is strong evidence that prioritizing rest will enhance internal auditors’ critical thinking skills and problem-solving abilities. While a nap to break up the workday may not be a realistic possibility for many, the good news is that rest is not just limited to naps. There are lots of ways to rest, and the remaining paragraphs will explore a few tips, tricks, and key insights backed by science to help you get the rest you need. 

Walk

It may seem counterintuitive to list exercise as a way to rest, but there is plenty of evidence supporting the idea that physical exertion can help boost cognitive performance and improve memory. While countless forms of exercise may achieve these results, many studies have focused on walking in particular. This is great news for higher education internal auditors, as college campuses are often some of the loveliest places to take a walk. A campus walk can also be a great way to become more informed about what is going on at your university, whether by walking through unfamiliar buildings or by having informal conversations with faculty and staff you encounter. Walking outside also provides the added bonus of getting sunlight, which has been linked to better mood regulation and other cognitive benefits. The combination of physical exertion and sunlight exposure may even improve sleep. 

Sleep

Even if workday naps are not a realistic possibility for you, there are many things you can do to at least ensure the quality of your nighttime sleep. In addition to regular exercise, consistently going to bed at the same time each night ensures your sleep is aligned with your circadian rhythm. Limiting screens and other overstimulating devices near bedtime may make it easier to fall asleep, and the same can be said for caffeine consumption. Even if you can fall asleep a few hours after drinking coffee, there is strong evidence that your sleep quality will suffer even if you are unable to perceive it. This is because caffeine typically takes a long time to break down in the body. In his book Why We Sleep: The New Science of Sleep and Dreams, Matthew Walker points out that caffeine has an average half-life of five to seven hours. This means that half of the caffeine you consumed six hours ago may still be circulating in your system, though this amount could be higher or lower depending on your individual caffeine metabolism. Many of us would never drink six ounces of coffee right before bedtime, so it is worthwhile to consider the fact that having twelve ounces of coffee at four o’clock might be functionally equivalent. Therefore, it may be wise to skip that late-afternoon latte.

Play

We live in a golden age for picking up new hobbies. Given the staggering amount of content available on YouTube and similar platforms, it has never been easier to learn to, say, bake a loaf of sourdough, play the drums, or plant that vegetable garden. Maintaining meaningful pursuits outside of work can help reduce the odds of burnout and ensure that your identity is not completely tied up with your occupation. Promisingly, there is evidence that Americans are increasingly prioritizing hobbies and leisure.

Unfortunately, however, the time we spend with others appears to be declining, despite strong evidence that our relationships and a sense of community are correlated positively with numerous quality of life measures. But hobbies do not have to be solitary pursuits, and combining hobbies with socialization and a sense of community likely will augment their restorative effects. One need look no further than America’s current obsession with pickle ball, a sport often played in groups of four. Is it possible that our love of pickle ball has something to do with its ability to bring us together? If you are not into pickle ball, there are plenty of other activities that you can enjoy with others, such as book clubs, board game nights, running and walking clubs, bowling leagues, volunteering for a nonprofit, and playing in a band.

Leave

According to a 2023 Pew Research Center survey, nearly half of all U.S. workers surveyed who receive paid time off from their employer used less leave than they were offered. While this number might be skewed somewhat by the lack of a distinction between personal and sick leave, it is clear that at least some of the unused leave stems from workers being concerned about their work performance, with 49% of those with unused leave citing a fear of falling behind at work as a reason for forfeiting leave. Similarly, about one in five of those surveyed with forfeited leave were concerned about hindering their chances for advancement. However, if we again apply the logic that being a valuable internal auditor relies on peak cognitive performance, and peak cognitive performance demands adequate rest and a lack of burnout, then it does not follow that forfeiting our vacation time will necessarily make us better internal auditors, and it could be doing the opposite.

Whatever You Do, Do Not Unrest

While engaging in fulfilling and restorative rest pursuits is important, it may be even more important to actively avoid activities that keep your brain stimulated at all times. This is because there is strong evidence that our brains perform important functions when they are not busy dealing with a demanding task or trying to find a solution to a pesky problem. This brain state—characterized by introspection during times when an individual is not deeply concentrating on their external environment—is known as the default mode network (DMN), and the DMN likely assists with problem solving and planning for the future.

The DMN was discovered essentially by accident. Scientists researching which areas of the brain were activated during cognitively demanding tasks noticed that these “active” areas of the brain became deactivated in between tasks, as expected, but something else happened during these rest periods that caught them by surprise. Instead of seeing a brain with minimal activity, they noticed that other areas of the brain began to light up, indicating that though participants might have been at rest, their brains were not. This paved the way for a critical insight: just because we may be taking a mental break, our brains continue furiously working away in the background on our behalf.  As we learn more about the DMN—it was only discovered in 2001—it is appearing increasingly likely that our modern digital environments, saturated with numerous distractions that keep us in a state of perpetual stimulation, are holding the DMN back from performing its important functions. Whether it is out of an attempt to maximize productivity, or just to ward off boredom, we rarely allow our brains a moment to rest. Instead, the moments of time that used to be the domain of boredom are now filled with social media scrolling, listening to podcasts, and replying to texts and e-mails. At the time the DMN was discovered, this level of constant mental stimulation would have been almost impossible, but in just a couple of decades we have transformed into individuals who almost never have to be alone with our own thoughts. This should alarm us since it is clear our brains are doing something important during times of mental rest. Therefore, purposefully abstaining from mentally stimulating activities for at least some time each day may be worthwhile. It may seem like you are wasting time, but in reality you are taking a positive step to ensure that your brain can perform at its best, and hopefully you will quickly notice the benefits of a little rest. 

Regulation Updates: Third-Party Topical Requirement, GRC Reporting, and 529 Plan Changes

Blue Logo for ACUA with the text Journal Articles

By the ACUA Auditing & Accounting Principles Subcommittee

The ACUA Auditing and Accounting Principles Subcommittee is committed to providing members with emerging information in our field. This article features the recently released IIA Third-Party Topical Requirement, clarification on the new reporting requirements on governance, risk management, and controls, plus modifications to the 529 education savings plan that allows tax savings for professional certification expenses.

Understanding the IIA’s Topical Requirements for Third-Party Relationships

Topical Requirements are a new, mandatory component of the Institute of Internal Auditors’ (IIA) Global Internal Audit Standards. Internal auditors must apply the Topical Requirements for assurance engagements in the following situations:

  • The topic is included in your audit plan as an assurance engagement.
  • The topic is identified during the course of an audit engagement.
  • The topic is requested as a new engagement, even if it was not part of your original audit plan.

What’s New?

The Third-Party Topical requirement was finalized on September 15, 2025, and will become effective September 15, 2026. According to the IIA, a third-party is “an external individual, group, or entity with whom an organization (‘the primary organization’) has a business relationship.” In simpler terms, this means any person, group, or business your institution works with.

Importantly, the requirement does not just apply to your direct third-party relationships. It also covers any subcontracted relationships, even those several layers down, such as fourth-level subcontractors, if your contract allows them. This broad scope ensures that risks are managed throughout your entire supply chain.

What does the Third-Party Topical Requirement involve?

Internal auditors need to assess their institution’s contract management throughout the third-party life cycle, consisting of selecting, contracting, onboarding, monitoring, and offboarding. Internal auditors should consider these stages when assessing the requirements for these three key areas:

  • Governance: Internal auditors must evaluate how their institution decides with whom to contract, how these relationships are managed, and who communicates with third parties and stakeholders. This includes assessing whether the organization has clearly defined roles and responsibilities for managing third-party relationships, and whether established policies and procedures align with regulations and are updated regularly. Auditors should confirm there is a formal approach to contracting third parties and there are protocols for communicating with relevant stakeholders.
  • Risk Management: Internal auditors must review how their institution identifies, assesses, and monitors third-party risks. This begins with examining due diligence procedures for onboarding third parties. There should be ongoing monitoring and corrective action for deviations, and risk assessments should classify and rank third-party risk. Check for escalation and remediation processes in place for unresolved issues, including remediation or termination.
  • Controls: Internal auditors should assess the controls in place to manage and monitor the risks associated with third parties. Review procurement controls for appropriate sourcing and selecting of third parties and ensure there is an appropriate approval process. Determine whether there is centralized contract management and verify contracts contain risk mitigation clauses, performance expectations, compliance obligations, and are reviewed and updated periodically. Review ongoing third-party monitoring and periodic evaluation, and the monitoring of contract renewal dates and offboarding plans.

By understanding and applying these requirements, your institution can better manage third-party risks and strengthen its overall governance.

Download the Third-Party Topical Requirement and a user guide from the IIA at:

https://www.theiia.org/en/standards/2024-standards/topical-requirements/third-party/

Other topical requirements to be aware of:

Cybersecurity – effective February 5, 2026

Organization Behavior – public comment period ended, pending finalization.

Organizational Resilience – pending public comment.

https://www.theiia.org/en/standards/2024-standards/topical-requirements

New Reporting Requirements for GRC

The new IIA Global Internal Audit Standards, effective January 9, 2025, introduce more structured and rigorous reporting requirements for Governance, Risk Management, and Controls (GRC). They emphasize clarity, consistency, and alignment with stakeholder expectations.

During an engagement, the Internal Audit function must evaluate the governance processes to ensure the organization promotes ethical behavior, accountability, and transparency. Auditors must identify key risks and ensure they are managed effectively, and review the control framework to identify control deficiencies, weaknesses, and failures.

Standard 14.5 Engagement Conclusions requires internal auditors to develop an engagement conclusion that summarizes the results relative to the engagement objectives. In addition, this standard states “assurance engagement conclusions must include the internal auditor’s judgment regarding the effectiveness of the governance, risk management, and control processes of the activity under review, including an acknowledgment of when processes are effective.”

The considerations for implementation of this standard recommend having methodologies for the internal audit function in the form of a rating scale indicating whether reasonable assurance exists regarding the effectiveness of controls. An example is developing criteria for a scale that indicates “satisfactory, partially satisfactory, needs improvement, or unsatisfactory.”

The AAP Committee aggregated the ratings used by the committee members and created the following example of a rating methodology that is applicable to report ratings and GRC ratings:

Example of Report/GRC Ratings

Standard 15.1 Final Engagement Communication states the final communication for assurance engagements must include a “conclusion regarding the effectiveness of the governance, risk management, and control processes of the activity required,” in addition to the continuing requirements of objectives, scope, recommendations, and any action plans. Auditors are encouraged to use their engagement conclusions derived from their methodologies to meet this reporting standard.

529 College Savings Plans Expanded to Cover Professional Certifications

A provision in the One Big Beautiful Bill Act (OBBBA) that was signed into law in July 2025 included changes in 529 education savings plans that may benefit ACUA members. Traditionally 529 plans were reserved for undergraduate and graduate degree programs, but now certain professional certification and credentialing programs are covered as qualifying expenses. This includes several of our most sought-after certifications, including the Certified Internal Auditor (CIA), the Certified Information Systems Auditor (CISA), and the Certified Public Accountant (CPA).

This is a great opportunity to invest in your professional development, especially if your department does not cover or reimburse certification expenses. Eligible expenses can include study materials, exam fees, and even continuing education required to maintain your credential.

See Section 70414 of the OBBBA for more information. As always, everyone’s tax situation is different, so please consult with your tax advisor to confirm eligibility. Check with your financial institution for assistance setting up a 529 plan.