This week, the IIA has published their first Topical Requirements (TR) and related Users Guide. The Users Guide (which provides optional information for consideration, while the content of the TR is mandatory) says:
When the subject of a Topical Requirement is identified during the risk-based internal audit planning process and is included in the audit plan, then the requirements outlined in the Topical Requirement must be used to assess the topic within the applicable engagements. In addition, when internal auditors perform an engagement (either included or not included in the plan) and elements of a Topical Requirement emerge, the Topical Requirement must be assessed for applicability as part of the engagement. Lastly, if an engagement is requested that was not originally in the plan and includes the topic, the Topical Requirement must be assessed for applicability.
Professional judgment plays a key role in the application of the Topical Requirement. Risk assessments drive chief audit executives’ decisions about which engagements to include in the internal audit plan (Standard 9.4 Internal Audit Plan). Additionally, internal auditors use professional judgment to determine what aspects will be covered within each engagement (Standards 13.3 Engagement Objectives and Scope, 13.4 Evaluation Criteria, and 13.6…
