The IIA’s Third-Party Topical Requirement: Is Your Vendor Risk Program Audit-Ready Before September 2026?
The regulatory pressure on third-party risk management is not slowing down. From DORA to NIS2, from SEC Regulation S-P to the EU AI Act, organizations have been scrambling to keep their vendor governance programs compliant with an ever-expanding web of rules. And now, a new mandate is joining that list — one that strikes right at the heart of how organizations internally audit and assess their vendor relationships.
In March 2025, the Institute of Internal Auditors (IIA) released the draft of its Third-Party Topical Requirement — a mandatory new standard under the Global Internal Audit Standards (GIAS) that fundamentally changes how internal audit functions are expected to evaluate third-party governance, risk management, and controls. The final requirement takes effect on September 15, 2026, and organizations that have not yet started preparing are already behind.

For enterprises managing dozens, hundreds, or even thousands of vendor relationships, this is not a soft advisory. It is a compliance deadline — and how well your vendor risk program holds up to structured audit scrutiny will depend heavily on the maturity of your TPRM infrastructure today.
What Is the IIA’s Third-Party Topical Requirement?
The IIA’s Third-Party Topical Requirement is part of a broader set of “Topical Requirements” introduced as a new element of the International Professional Practices Framework (IPPF). Unlike general guidance, Topical Requirements are mandatory — when a third-party topic is included in an internal audit plan, internal auditors must apply the standard’s methodology without exception.
At its core, the requirement establishes a minimum, standardized baseline for how internal audit evaluates an organization’s third-party governance, risk management, and control processes. It is built around three key pillars:
- Governance — Does the organization have clear ownership, policies, and executive accountability for third-party risk?
- Risk Management — Are third parties systematically identified, tiered, assessed, and monitored throughout the engagement lifecycle?
- Controls — Are due diligence processes, contractual safeguards, and ongoing compliance monitoring robust and auditable?
The requirement covers a wide range of third-party risk categories that internal auditors must now formally evaluate, including operational risk (service disruptions, failure to meet business objectives), cybersecurity risk (data breaches, system vulnerabilities), financial risk (vendor insolvency, hidden liabilities), compliance risk (regulatory breaches, international standard violations), and legal risk (contract violations, IP disputes, inadequate due diligence).
This is a significant expansion of what internal audit teams are expected to cover — and it demands a level of documentation, process maturity, and cross-functional collaboration that many organizations simply do not have in place yet.
Why This Regulation Matters Now
Third-party risk has ranked among the highest-rated enterprise risks in the IIA’s annual Risk in Focus report for several consecutive years. The reasons are not hard to understand. More than one in three data breaches in 2024 originated through a third-party vendor — a figure that increased by over six percentage points from the prior year. Supply chains are longer and more interconnected than ever, and the rise of AI-powered attacks and vendor impersonation schemes has made the threat landscape even more unpredictable.
Yet, despite the awareness, TPRM programs at many organizations remain fragmented — spread across procurement, legal, IT security, and operational management functions that each engage vendors separately without a unified view of risk. The IIA’s new requirement is a direct response to this reality. By mandating a structured, consistent audit methodology, it pushes organizations to break down those silos and build a coherent, enterprise-wide approach to vendor governance.
For organizations using Enlighta’s TPRM platform, this shift is less disruptive than it might be for others. Enlighta is designed precisely for this kind of structured, lifecycle-based vendor oversight — unifying risk assessments, due diligence workflows, contract compliance monitoring, and performance scorecards into a single platform. When an internal audit team comes knocking, the evidence trail is already organized, auditable, and accessible.
The Three Areas Auditors Will Scrutinize
Understanding what internal auditors will actually examine under the new requirement helps organizations know exactly where to focus their preparation efforts.
1. Governance and Accountability
Auditors will assess whether your organization has a clearly defined third-party governance framework with executive sponsorship and assigned ownership. This means documented policies, a defined vendor classification methodology, and a clear chain of accountability from the front-line vendor manager all the way up to the board.
Many organizations struggle here because governance tends to live in policy documents rather than in operational reality. Enlighta’s platform makes governance tangible and visible. Its role-based dashboards give executives real-time insight into vendor performance, risk posture, contract compliance, and spend — while vendor managers work within structured workflows that enforce the governance policy at every step of the engagement. When an auditor asks, “Who is accountable for this vendor and what oversight exists?” — Enlighta’s system provides a clear, documented answer.
2. Risk Assessment and Vendor Tiering
The requirement demands that organizations systematically identify and tier their third parties based on risk. Not all vendors carry equal exposure. A cloud infrastructure provider with access to sensitive customer data is a fundamentally different risk profile from an office supplies vendor. Auditors will look for evidence that this differentiation is happening in a structured, repeatable, and documented way.
This is where ad-hoc spreadsheet-based TPRM programs fall apart. Without a centralized, automated approach to vendor tiering and risk assessment, it becomes almost impossible to demonstrate to an auditor that your methodology is consistent and scalable. Enlighta addresses this directly. Its out-of-the-box risk assessments span anti-money laundering, cybersecurity, financial viability, technology and operations risk, anti-bribery, sub-contractor risk, geopolitical risk, and business continuity — giving organizations both the breadth and the structure that regulators and auditors now expect. Tiering becomes data-driven rather than judgment-based, and the audit trail is built into the process.
3. Ongoing Monitoring and Controls
Perhaps the most demanding aspect of the requirement is the expectation of continuous monitoring — not just point-in-time assessments conducted at onboarding or contract renewal. Auditors will look for evidence that your organization maintains an active, current picture of vendor risk throughout the relationship lifecycle, including when circumstances change (a vendor’s financial health deteriorates, a cybersecurity incident is disclosed, or a subcontractor relationship changes).
This is where the gap between intent and execution tends to be widest. Many organizations conduct thorough due diligence at onboarding and then effectively stop watching until renewal. The IIA’s requirement makes clear that this is no longer sufficient.
Enlighta’s continuous monitoring capabilities are built for exactly this gap. The platform integrates external data feeds for company health, market data, ESG signals, and compliance updates — automatically surfacing changes that affect vendor risk scores without waiting for a scheduled review. Remediation workflows ensure that identified issues are tracked through to resolution, not just logged and forgotten. When an auditor asks for evidence of ongoing monitoring, Enlighta’s timestamped activity logs, automated alerts, and remediation histories provide exactly that.
What Organizations Need to Do Before September 15, 2026
With the deadline now fewer than four months away, the preparation window is tight. Here is a practical roadmap for organizations that need to get audit-ready:
Step 1 — Conduct a TPRM Program Maturity Assessment
Before you can close gaps, you need to understand where they are. Map your current TPRM program against the three pillars of the IIA requirement — governance, risk management, and controls — and identify where documentation, process, or technology is insufficient.
Step 2 — Update Your Audit Universe
Internal audit teams need to formally update their audit universe to include significant third-party relationships — IT vendors, supply chain partners, outsourced service providers, and any party with access to sensitive data or critical operations.
Step 3 — Standardize Risk Assessments
Develop or adopt uniform third-party risk assessment methodologies that are consistent, documented, and repeatable. If your current assessments vary by team or by vendor category, that inconsistency will be visible to an auditor. Platforms like Enlighta that provide standardized, configurable assessment templates give organizations a significant head start here.
Step 4 — Build Cross-Functional Collaboration
The IIA requirement is not just an internal audit concern — it requires genuine collaboration between procurement, legal, IT security, compliance, and vendor management. Establish clear communication channels and shared visibility so that when an audit engagement begins, the relevant stakeholders can contribute efficiently without scrambling for data.
Step 5 — Ensure Your Evidence Trail Is Auditable
Every assessment, every risk score, every remediation action, every contract obligation — all of it needs to be documented in a way that can be retrieved and reviewed. This is fundamentally a technology problem for organizations that manage vendor risk manually. Enlighta’s centralized, role-based platform ensures that every action is logged, every document is stored, and every workflow is traceable — giving audit teams the evidence they need without requiring weeks of manual data collection.
The Bigger Picture: A Converging Regulatory Landscape
The IIA’s Third-Party Topical Requirement does not exist in isolation. It arrives alongside DORA’s operational resilience mandates for financial entities, NIS2’s supply chain security requirements across EU critical sectors, SEC Regulation S-P’s vendor data protection obligations, and the EU AI Act’s requirements for AI system governance — including AI embedded in vendor products.
For organizations operating across multiple regulatory jurisdictions, this convergence creates an imperative for a unified vendor risk platform rather than a collection of point solutions or manual processes. The organizations that will navigate this landscape most effectively are those that have invested in a structured, technology-driven TPRM infrastructure that produces defensible, auditable evidence across all of these overlapping requirements.
Enlighta is built for exactly this complexity. Used across tens of thousands of suppliers and over $50 billion of spend by several Fortune 500 enterprises, the platform gives risk and compliance officers, supply chain managers, sourcing teams, and VMOs a unified view of their vendor ecosystem — combining risk, performance, contract compliance, spend, and ESG data into integrated scorecards that tell the full story of each vendor relationship. As regulatory requirements converge, so does Enlighta’s ability to serve as the single source of truth for the entire vendor lifecycle.
The Bottom Line
The IIA’s Third-Party Topical Requirement is not just another compliance checkbox. It represents a fundamental shift in how the internal audit profession expects third-party risk to be governed, assessed, and monitored. By mandating a structured, consistent methodology, it is raising the bar for every organization that relies on external vendors — which, in today’s business environment, means virtually everyone.
September 15, 2026 is closer than it looks. Organizations that use that time well — by assessing their current program maturity, closing governance gaps, standardizing their risk methodologies, and ensuring their evidence trails are auditable — will emerge from IIA audits with confidence. Those that don’t will find themselves exposed not just to audit findings, but to the broader regulatory and reputational risks that come with inadequate vendor oversight.
Enlighta helps organizations get there. With a purpose-built platform that automates the full vendor lifecycle — from initial risk assessment and due diligence through contract compliance, performance monitoring, and continuous risk scoring — Enlighta gives enterprises the infrastructure to turn third-party risk management from a compliance burden into a genuine competitive advantage. When the auditors arrive, your program will be ready.
Interested in assessing your current TPRM program against the IIA’s new requirements? Request a demo of Enlighta and see how the platform can help you build an audit-ready vendor governance program before the September 2026 deadline.
