New baseline requirements can bring risk-based discipline to public sector audits.
Public sector internal audit functions’ unique challenges should not stop them from applying the Topical Requirements.
Online Exclusive:
Topical Requirements Raise the Standard
Articles Katleen Seeuws, CIA, CGAP, CRMA, CFE, Pam Stroebel Powers, CIA, CGAP, CRMA, CPA Dec 19, 2025
Public sector internal audit functions face constantly changing risks, from cybersecurity and third-party relationship management to organizational behavior and culture. To help audit functions provide consistent and credible assurance in these areas, The IIA developed Topical Requirements, which set a minimum baseline for audit coverage in specific risk areas. Following these requirements helps ensure that internal audits focus on the most important risks, conform with the Global Internal Audit Standards, and use practices that are consistent across different organizations.
Topical Requirements are mandatory for assurance engagements when they cover a risk that internal audit’s risk assessment has identified as critical. For advisory work, they are recommended but are not required. Although Topical Requirements provide a baseline, auditors should go beyond those requirements when the organization’s context or regulatory environment requires more detailed work.
While the concept of Topical Requirements seems clear in principle, public sector internal auditors may still have questions, such as:
- How are topics chosen?
- Why aren’t topics such as artificial intelligence included yet?
- What parts of the requirements are mandatory and which are optional?
- How should small audit functions with limited resources apply the requirements and how will external quality reviewers judge those choices?
Public sector internal audit functions already must deal with resource constraints and complex legal requirements, so adding Topical Requirements to existing resource constraints and complex legal requirements may seem daunting. However, these requirements can help auditors perform their jobs better, while strengthening the profession overall.
Selecting Topics
Only a limited number of subjects qualify as Topical Requirements. To determine which topics to cover, The IIA uses a structured process that begins with gathering insights about global risks from research, stakeholders, and regulatory developments. The Institute’s Global Guidance Council reviews this information, prioritizing potential topics and determining which ones meet the criteria for development.
The maturity of the risk area is a key factor in choosing topics for Topical Requirements. Mature risk areas such as cybersecurity and third-party management have well-established practices that justify a mandatory framework. Newer areas like artificial intelligence (AI) are still developing, so there is not yet agreement on how they should be governed and controlled. For now, it is more appropriate to address AI with guidance and educational resources instead of requirements.
Applying Requirements
Internal auditors should apply Topical Requirements using a risk-based approach. When auditors identify a significant risk during planning, they must use the requirement, either by performing an audit dedicated to that risk or by including the requirement across several audits. If auditors discover the risk during audit work or stakeholders flag it, they must determine whether the requirement is applicable.
After identifying a major risk, auditors should match it to the relevant Topical Requirement and determine which governance, risk management, and control requirements apply. Auditors don’t have to apply all parts of a requirement in every case. Instead, they should use their professional judgment to choose the elements that fit the audit’s scope and goals. If they choose to apply only part of a requirement, they must explain that decision clearly, which builds accountability and credibility.
External Quality Assessments
One of the most pressing concerns of internal auditors is how external quality reviewers will assess the use of Topical Requirements. During these reviews, assessors will not expect internal audit to fully apply all requirements in every engagement. Instead, they will look at whether the function applied a risk-based approach, exercised professional judgment, and documented its decisions.
If internal audit excluded or only partially applied a requirement, assessors will consider whether the rationale was sound and aligned with the organization’s risk appetite and resource capacity.
For example, if the risk comes from a breakdown in control, auditors only need to focus on the control-related requirements. What matters is making a well-reasoned decision that fits the level of risk and is clearly documented.
Documentation is key to using Topical Requirements effectively. Auditors should clearly document which requirements they applied, which they did not, and why. This transparency makes audit conclusions more credible and helps external quality reviewers confirm that auditors used the requirements consistently and thoughtfully.
Of course, many public sector audit functions must balance the Topical Requirements with government-mandated standards. When more than one standard applies, auditors should follow the stricter requirement.
For example, if an internal audit function uses the U.S. Generally Accepted Government Auditing Standards, it does not have to follow the Topical Requirements. However, the requirements can still offer helpful guidance.
Small Functions
Small internal audit functions are common in the public sector, with many having only three or fewer staff members. That can make it difficult for them to fully apply the Topical Requirements. However, the Standards, Topical Requirements, and accompanying user guides acknowledge these challenges and provide flexibility.
For example, when limited resources and expertise make it difficult to follow the requirements fully, the CAE must inform the governing body, explain the constraints, and suggest mitigating actions. These solutions might include outsourcing or cosourcing some audits, developing internal expertise, or narrowing the scope of work. Moreover, the Topical Requirements and associated materials can help small public sector functions develop a roadmap to implement these solutions.
Small public sector audit teams also face additional challenges such as the need to cover a broad range of areas and report to governing bodies, management, and the public. In these settings, Topical Requirements help show that internal audits meet global standards.
However, public sector CAEs must ensure internal audit conforms with the Topical Requirements, even when resources are limited. Where outsourcing isn’t feasible, CAEs should consult with the governing body and senior management about how risks that are not fully covered may impact the organization.
Delivering Trusted Assurance
The Topical Requirements were created with input from leading internal audit experts. When used appropriately, they can strengthen internal audits in a way that is risk-based, flexible, and guided by professional judgment. As government auditing grows more complex, applying the Topical Requirements carefully and transparently can help public sector functions deliver assurance that their stakeholders can trust.