
Exploring IPPF Topical Requirements

Jun 03, 2024 | 19 min | Season 1, Ep. 9

Episode description

All Things Internal Audit: Exploring IPPF Topical Requirements 

In this episode, George Barham, director of Standards and Professional Guidance for Technology at The IIA, discusses the Topical Requirements component of the International Professional Practices Framework.

This conversation covers:

- Purpose and importance of Topical Requirements in the IPPF
- Background and development of Topical Requirements
- Explanation of Topical Requirements' structure and components
- Quality assessment of Topical Requirements
- Focus on draft Cybersecurity Topical Requirement
- Public comment period and practitioner feedback opportunity
- Enhancing relevance and value of internal audit services


Get the full episode wherever you get your podcasts or on YouTube.

Transcript

The Institute of Internal Auditors presents All Things Internal Audit. In this episode, George Barham, director of Standards and Professional Guidance at the IIA, discusses the topical requirements component of the International Professional Practices Framework.

Robert: Good to have you back on the podcast, George.

George: Hey, Robert, it's great to be with you today, and I look forward to the discussion. Thanks for having me.

Robert: So let's begin by getting a quick overview of just what topical requirements are.

George: The IPPF has three components, and two of those three are mandatory. The first is the Global Internal Audit Standards, which we recently issued an update to earlier this year in January. And then the second mandatory component of the IPPF is topical requirements, which is what we're gonna go into today in more detail.

The third component is global guidance, which is what we consider supplemental. So those are not mandatory, but those include things like practice guides, GTAGs, which are Global Technology Audit Guides, those sorts of things. So I thought it's important to make that distinction at first. So, a little bit of history: during 2021, 2022, our global board approved the concept of topical requirements.

And really the thinking on that was to strengthen the ongoing relevance of the IPPF by addressing areas that are, like you said, pervasive, evolving risks that organizations across the globe need to consider. And we really wanna try to promote consistent, high-quality engagement performance.

Robert: So, as you've explained, under the revised IPPF, internal auditors are going to be expected to know topical requirements and be ready to apply them when risk areas that are a focus of a topical requirement are part of an engagement. Is that correct?

George: That's correct, Robert. Yeah, I mean, I guess, you know, the topics, or maybe subjects of the topical requirements, maybe that's a little more clear.

We can say the subjects of the topical requirements, like we've said, those are higher risk in nature. These are gonna be applicable across industry sectors, countries around the world. So no matter where you're an internal audit practitioner, these topical requirements are gonna be things that should be considered, should be part of the discussion when you're framing risk and thinking about what's gonna be involved in your internal audit plan.

And also, I think before we go any further, Robert, let's talk about just briefly what a topical requirement is not. I think that's something that it would be good just to clarify a little bit. They're not a requirement mandating that you have to perform an engagement on the topic.

The topical requirement is basically us outlining that if a topical requirement is part of your internal audit plan, it's intended to frame up those risks, those things that you should be looking at. It's not a comprehensive work program. We know that there's gonna be judgment involved. We know that every organization is unique in how they look at and assess a risk and how they perform their audits.

So, just from the beginning, I just wanna state that we know that there's gonna be some level of judgment that goes into this.

Robert: That's a great clarification. We're not telling people how to develop an audit plan. We're just saying if your audit plan includes these particular subject areas where there are topical requirements, you need to make sure that you comply with the topical requirements.

Robert: And those go down to the level of assessing specific aspects of each engagement, correct? Is that correct?

George: Yes, that's correct. Yeah. The topics, or I guess we could say the subject of the topical requirements, they clarify some of the higher risk areas that an internal auditor should be aware of. They are meant to be applicable across different industries, sectors, countries around the world.

And yes, the goal is to really provide a consistent approach, a baseline of looking at these mandatory requirements within the topical requirement. And I think it's important, Robert, before we go any further, let's talk about what topical requirements are not. They are not a requirement mandating that you look at the topic to perform an engagement on it.

We're not saying that you have to go out and perform an engagement just because we have a topical requirement. What we're saying is, if the topical requirement is included in your audit plan, you're gonna look at it. What we're saying is then, once you've made that decision that it's gonna be part of your audit plan, then these are the mandatory requirements that you need to consider as you go through that topic.

So we have requirements within the topical requirements, and then we have considerations. The requirements basically say what you have to consider, that you've looked through, you've assessed, and you've analyzed each one of those. And then the considerations, they're not necessarily requirements; it's just providing examples of what you could do to get comfortable with assessing and auditing those requirements. So that's basically how they're organized.

Again, we covered the governance, risk management, and control processes. So with each one of those, you would have the requirements and the considerations piece.

Robert: And I do want to get into that aspect of it, the idea of looking at governance, risk management, and control processes. But I did wanna ask one question.

You know, topical requirements are somewhat more directive than what internal auditors may be used to coming from the IPPF. Why is that necessary? Why is that important?

George: Yeah, that's a good question. I mean, the thought is, or the idea is, that they're designed to strengthen the ongoing relevance of the IPPF, to enhance the value of internal audit services that are provided by, you know, practitioners.

And again, no matter the industry sector, wherever it is in the world. So, you know, they're really designed to address relevant topics for a wide global internal audit audience. And they're meant to just provide a little bit more detail and then reconcile that back to the IPPF as we provide a little bit more tailored direction on different topics.

Robert: Yeah, that's a great choice of words, tailored direction.

So let's turn to how the topical requirements are structured. Each one will approach a particular risk or subject matter area on those three levels that you mentioned before: governance, risk management, and control processes. Tell me a little bit more, again, about the requirements and the considerations.

George: Yeah, that's, again, that's a very important piece of this.

The requirements are what we've identified as the different aspects of the topical requirement that need to be analyzed, assessed, and planned. And so as a practitioner looks at cybersecurity, as an example, that's our first topical requirement.

This is really, you know, where we've gone through and identified these are the main things that you need to think about, consider, and really what your review should center around, versus the considerations, which would help a practitioner analyze those requirements. So if you're looking at a certain requirement, the consideration would give you examples of how you might analyze it.

So I guess another way to say that is the requirements are the what, and the considerations would be the how.

Robert: Great way to put it. So I do want to get into the specific sort of unboxing of the cybersecurity topical requirement. But before I go there, I did want to mention that another consideration for topical requirements is that they will be evaluated in quality assessments. But why is that important?

George: Yeah, great point. Glad you highlighted that.

Yeah, it's certainly gonna be, just as any other area of a quality assurance review happened, you know, to look at different standards and that sort of thing, it's gonna be the same thing. The quality assessment would include a topical requirements section of that. So you would need to, as a practitioner, document, be able to provide support, just like you would in going through any other aspect of your quality assurance review.

So, how you went through and you looked at this topical requirement, how you made the decisions to pull evidence on it, what was relevant to your organization, anything that would help that reviewer understand your thought process and help you explain, you know, how you executed this review of topical requirements.

So yes, that's a very important piece, that organizations who, you know, want to have conformance with the standards, want to have a favorable review from a quality assurance standpoint, they'll need to also consider the topical requirements, 'cause that will be part of the assessment process.

Robert: Great. I'm glad we were able to sort of elaborate on that a little bit.

So let's unbox a little bit the cybersecurity topical requirement, which is the first one outta the gate. What should practitioners reviewing that draft, which is currently out right now, what should they be taking from it?

George: Yeah, I would say, Robert, the goal is, you know, to look through it from the standpoint of it's providing a consistent, comprehensive approach to assessing cybersecurity, if you will.

Again, the focus on governance, risk management, and control processes. So if I'm a reviewer, I'm looking at it, I'm trying to make sure that it's clear, you know, what's expected, understanding those requirements, looking through the considerations to be sure that it's very clear. There's some examples of what I can do to use that. But just making sure that it makes sense, I guess, is a good way to say it as you review it.

So we understand this is a new concept. This is our first one. This is definitely our pilot. So we'll take the same approach with others, but, you know, we reserve the right to learn a little bit more on these as well. So I would encourage our members, practitioners, to look through that, make sure that it makes sense.

And then leave any comments, questions that you have, and we'll be looking through those. And we want to, you know, improve this as much as we can, and make sure that it's very clear what's expected of everyone.

Robert: And you've mentioned, obviously, those considerations and requirements under each of those three areas. Can you gimme an example of what that current draft has, for example, considerations, or rather requirements, for cybersecurity?

George: You know, an example on the governance piece under the requirements: you know, we talk about making sure that the board and/or audit committee, depending on your organization, that they're aware of cybersecurity as a topic, as a risk topic, as an audit topic.

And so we definitely want to be sure that there is clear communication, that there's reporting up to the board level, that they are engaged, that the management team is engaging the board or the audit committee.

Same with internal audit as well, making sure that there's a clear, you know, line of communicating audit results, advisory projects, you know, anything like that, that would help the board provide governance and oversight, that would help them provide, you know, strategic considerations and strategic guidance to the organization from a cyber standpoint. So that would be an example of a governance piece. I guess an example of a risk management piece:

Just making sure that cybersecurity has a seat at the table from a risk management standpoint.

So making sure that cybersecurity and the risks related to that are part of an organization's plan to identify, manage, monitor risks, just making sure that cybersecurity has, you know, a way to be discussed and that results are analyzed, and if, you know, any kind of threats are determined or anything like that, that risk management is involved in making sure that there's ongoing monitoring and that any changes that are needed are provided.

So, you know, risk management is gonna be that second line that we talked about earlier, the Three Lines Model. So making sure that they're, you know, aware of and managing those risks.

Robert: And in the current sort of template of the topical requirement, an appendix is where they're gonna find the considerations in each of those three areas. Correct?

George: That's correct, yes.

And as we stated, you know, the considerations will help you get started, will help you hit the ground running as you start to do this. It's not intended to be an all-encompassing list, or, you know, there may be some other ways that you use your judgment as an internal auditor that you're able to satisfy those requirements.

But again, it's about providing the profession with a way to get started and, you know, give you a little bit of, you know, some examples, some things to help you along your way.

Robert: Yeah. And I'm glad you mentioned that, 'cause I mean, I was gonna say, you know, a lot of this sounds like, you know, sort of fundamental internal auditing, and this sort of begs the question, you know, why the need to spell this out as a mandatory topical requirement?

George: Yeah, that's a good question. I think it does go back to fundamentals. So I mean, I think the approach that we have taken on cybersecurity would be a similar approach we would take on other topics in the future. So, you know, again, we're very comfortable with the governance, the risk management, the control processes. We like those. Those are the three main items.

So not just looking at cybersecurity, you know, we think we could use that approach on other topics and plan to use that on other topics. But again, it's a little bit deeper cut into what an auditor looks at in thinking about our standards and thinking about our IPPF.

It just gives you a little bit more specific guidance, specific requirements, over a topic such as cybersecurity that is just at the top of most organizations' minds when it comes to risk, when it comes to audit topics. So, again, the IIA being a global organization, you know, we think cybersecurity is gonna be, you know, a risk consideration, an audit consideration across the globe.

So it's really just trying to, you know, move the profession forward, you know, continue to link that back to our IPPF, and really just highlight some of the higher risks that are out there.

Robert: And to your earlier point, I think as well, it speaks to, again, the relevance and added value that internal audit brings to the organization, or can bring to the organization, especially in these high-risk areas.

George: That's correct. I couldn't say it better, Robert.

Robert: All right. Thank you. So I'd be remiss, obviously, if I didn't mention, and I think we did earlier, that there is a public comment draft out there. Tell me, how long is that comment period open, and will public comment periods be incorporated into all the future topical requirement discussions?

George: Yes, I think to every question you asked there, we plan to have a public comment period of 90 days for all our topical requirements. So with this current one, our first one on cybersecurity, that period will end July the third. So please complete surveys by then. It will be open until that time. And then, like you said, anything in the future, we'll have the same public period as well, 90 days.

And then also I wanted to just, you know, say that the cybersecurity topical requirement is in English, French, Spanish, Arabic, German, Simplified Chinese, and Portuguese. So, again, global audience, trying to be sure that we get as much input on that as we can. And then to take the survey, it's not gonna be too cumbersome. It's probably a five to 10 minute venture to go through and look through that and provide some feedback.

So I highly encourage our listeners to help us with that. And we look forward to continued comments from the profession.

Robert: Yeah. Great points throughout, George. You're right, it really is not a long survey. So getting that feedback from practitioners on the draft will be important. George, again, thanks so much. You've given us a great deal to think about on topical requirements.

So again, thank you for your help today.

George: Yeah, sure thing, Robert. Great speaking with you. Thanks for having me. And we look forward to, like I said, hearing from our members and practitioners, and we'll fine-tune this approach as we go. So thanks for your support.

Robert: Yeah. On that, before I wrap up, I will encourage our listeners who wanna know more about topical requirements or who wanna take the survey to go to theiia.org and look for topical requirements under the Standards tab on the main navigation block. And as always, folks, thanks for listening. If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts. You can also catch other episodes on our YouTube channel or at theiia.org.

That's theiia.org.
