Regulation Updates: Third-Party Topical Requirement, GRC Reporting, and 529 Plan Changes

By the ACUA Auditing & Accounting Principles Subcommittee
The ACUA Auditing and Accounting Principles Subcommittee is committed to providing members with emerging information in our field. This article covers the recently released IIA Third-Party Topical Requirement, clarification of the new reporting requirements on governance, risk management, and controls, and modifications to 529 education savings plans that allow tax-advantaged savings to be used for professional certification expenses.
Understanding the IIA’s Topical Requirements for Third-Party Relationships
Topical Requirements are a new, mandatory component of the Institute of Internal Auditors’ (IIA) Global Internal Audit Standards. Internal auditors must apply the Topical Requirements for assurance engagements in the following situations:
- The topic is included in your audit plan as an assurance engagement.
- The topic is identified during the course of an audit engagement.
- The topic is requested as a new engagement, even if it was not part of your original audit plan.
What’s New?
The Third-Party Topical Requirement was finalized on September 15, 2025, and will become effective September 15, 2026. According to the IIA, a third party is “an external individual, group, or entity with whom an organization (‘the primary organization’) has a business relationship.” In simpler terms, this means any person, group, or business your institution works with.
Importantly, the requirement does not apply only to your direct third-party relationships. It also covers subcontracted relationships, even those several layers down (for example, a fourth party that your third party subcontracts to), if your contract allows them. This broad scope is intended to ensure that risks are managed throughout your entire supply chain, not just at the first contractual layer.
What does the Third-Party Topical Requirement involve?
Internal auditors need to assess their institution’s contract management throughout the third-party life cycle, consisting of selecting, contracting, onboarding, monitoring, and offboarding. Internal auditors should consider these stages when assessing the requirements for these three key areas:
- Governance: Internal auditors must evaluate how their institution decides with whom to contract, how these relationships are managed, and who communicates with third parties and stakeholders. This includes assessing whether the organization has clearly defined roles and responsibilities for managing third-party relationships, and whether established policies and procedures align with regulations and are updated regularly. Auditors should confirm there is a formal approach to contracting third parties and there are protocols for communicating with relevant stakeholders.
- Risk Management: Internal auditors must review how their institution identifies, assesses, and monitors third-party risks. This begins with examining due diligence procedures for onboarding third parties. There should be ongoing monitoring with corrective action for deviations, and risk assessments should classify and rank third parties by risk. Check that escalation processes exist for unresolved issues, with defined outcomes such as remediation or termination of the relationship.
- Controls: Internal auditors should assess the controls in place to manage and monitor the risks associated with third parties. Review procurement controls for appropriate sourcing and selection of third parties and confirm there is an appropriate approval process. Determine whether contract management is centralized, and verify that contracts contain risk mitigation clauses, performance expectations, and compliance obligations, and that they are reviewed and updated periodically. Review ongoing third-party monitoring and periodic evaluation, including the monitoring of contract renewal dates and offboarding plans.
By understanding and applying these requirements, your institution can better manage third-party risks and strengthen its overall governance.
Download the Third-Party Topical Requirement and a user guide from the IIA at:
https://www.theiia.org/en/standards/2024-standards/topical-requirements/third-party/
Other Topical Requirements to be aware of:
Cybersecurity – effective February 5, 2026
Organizational Behavior – public comment period ended, pending finalization.
Organizational Resilience – pending public comment.
The full list, including drafts open for comment, is available from the IIA at:
https://www.theiia.org/en/standards/2024-standards/topical-requirements
New Reporting Requirements for GRC
The new IIA Global Internal Audit Standards, effective January 9, 2025, introduce more structured and rigorous reporting requirements for Governance, Risk Management, and Controls (GRC). They emphasize clarity, consistency, and alignment with stakeholder expectations.
During an engagement, the internal audit function must evaluate governance processes to determine whether the organization promotes ethical behavior, accountability, and transparency. Auditors must identify key risks and assess whether they are managed effectively, and must review the control framework to identify control deficiencies, weaknesses, and failures.
Standard 14.5 Engagement Conclusions requires internal auditors to develop an engagement conclusion that summarizes the results relative to the engagement objectives. In addition, this standard states “assurance engagement conclusions must include the internal auditor’s judgment regarding the effectiveness of the governance, risk management, and control processes of the activity under review, including an acknowledgment of when processes are effective.”
The considerations for implementing this standard recommend that the internal audit function adopt a methodology in the form of a rating scale that indicates whether reasonable assurance exists regarding the effectiveness of controls. One example is to develop criteria for a scale with the levels “satisfactory, partially satisfactory, needs improvement, or unsatisfactory.”
The AAP Committee aggregated the ratings used by the committee members and created the following example of a rating methodology that is applicable to report ratings and GRC ratings:

Standard 15.1 Final Engagement Communication states the final communication for assurance engagements must include a “conclusion regarding the effectiveness of the governance, risk management, and control processes of the activity required,” in addition to the continuing requirements of objectives, scope, recommendations, and any action plans. Auditors are encouraged to use their engagement conclusions derived from their methodologies to meet this reporting standard.
529 College Savings Plans Expanded to Cover Professional Certifications
A provision in the One Big Beautiful Bill Act (OBBBA), signed into law in July 2025, changed 529 education savings plans in a way that may benefit ACUA members. Traditionally, 529 plans were used primarily for undergraduate and graduate degree programs, but certain professional certification and credentialing programs are now covered as qualifying expenses. This covers several of our most sought-after certifications, among them the Certified Internal Auditor (CIA), the Certified Information Systems Auditor (CISA), and the Certified Public Accountant (CPA).
This is a great opportunity to invest in your professional development, especially if your department does not cover or reimburse certification expenses. Eligible expenses can include study materials, exam fees, and even continuing education required to maintain your credential.
See Section 70414 of the OBBBA for more information. As always, everyone’s tax situation is different, so please consult with your tax advisor to confirm eligibility. Check with your financial institution for assistance setting up a 529 plan.