
July 28, 2025
How to manage and escalate risk: The IIA’s third-party topical requirement

David Hill
Let’s be honest — third-party risk hasn’t always been a top priority for internal audit. It’s often viewed as someone else’s job: procurement’s, legal’s, maybe IT’s. But the world has changed, and so must we.
Today, whether you're in local government, healthcare, financial services, or education, your organisation likely relies heavily on third parties to deliver essential services. Outsourced payroll, cloud infrastructure, construction contracts, cybersecurity support—you name it. These relationships help us run leaner and faster, but they also carry real risk. If a key vendor fails, gets hacked, or simply doesn’t deliver, the impact can be huge.
That’s why the IIA’s new Third-Party Topical Requirement is timely. It doesn’t suggest that we might want to look at vendor risk—it requires us to assess it, across the whole lifecycle, from selection right through to offboarding.
As a fellow CAE who’s already working through how to embed this in practice, here’s how I’d approach it—and what I’d share if we were having a coffee and talking shop.
Start with the big picture
Before diving into audits or scoping fieldwork, get a sense of the landscape. Third-party risk doesn’t sit neatly in one corner of the business. In fact, it cuts across nearly everything. Think about it: who selects vendors? Who manages them day to day? Who monitors compliance, checks for conflicts, or responds when things go wrong?
You need to bring those threads together. It might mean hosting a conversation between legal, procurement, IT, risk management, and operations. Not always easy—but absolutely worth it. You’ll likely discover overlaps, blind spots, and assumptions that have gone unchallenged for years.
And that’s exactly where internal audit can add value—by connecting the dots and asking the questions no one else is asking.
Risk assessing contracts — don’t just check the box
If there's one part of the third-party lifecycle that gets consistently under-audited, it’s the contracts themselves. Too often, they’re treated as legal necessities rather than risk tools. But the truth is, so much of a vendor’s risk is baked in—or left out—at the contracting stage.
When assessing contracts, I would encourage you to look beyond whether the paperwork exists. What does it actually say? Are deliverables and responsibilities clearly defined? Do the contracts include the right to audit, or clauses for performance and data protection? Is there a clear process for what happens when the contract ends, especially around revoking access or recovering sensitive data?
Also, context matters. A contract with a catering supplier isn’t going to carry the same risk as one with a cloud service provider handling personal data. But both still need some level of scrutiny. And where risk is higher—financially, reputationally, operationally—we need to go deeper.
Audit the whole lifecycle, not just the start
Many organisations are quite good at onboarding vendors. There’s usually a checklist, some due diligence, maybe even a risk rating at the start. But once the contract’s signed, things often go quiet. That’s where the real risk creeps in.
Is anyone checking whether the vendor is still meeting expectations six months in? Is performance being tracked—or just assumed? And what about offboarding? One of the riskiest moments in a vendor relationship is when it ends. If no one’s making sure that data is returned or destroyed, or that access to systems is revoked, it’s an open door for problems.
As auditors, we can shine a light on these gaps. Even just asking the question—“How do we know this vendor still meets our needs?”—can provoke the kind of reflection that leads to change.
Don't skip the paper trail
One thing the new guidance is crystal clear about: if you’re not applying a requirement from the Topical Requirement, you need to document and justify why. That might feel like bureaucracy, but it’s actually a helpful discipline.
You don’t have to audit every third-party relationship the same way. But you do need a clear rationale for why you focused on some and not others. This is where building a structured, risk-based approach—something proportionate and repeatable—really matters. And when your next quality assessment rolls around, having that evidence in place will pay dividends.
Bring the stories that matter
If you ever need to make the case for stronger vendor oversight to your leadership team or board, use stories. Everyone remembers Horizon. Hundreds of sub-postmasters were wrongly prosecuted because no one challenged a flawed third-party system. Wirecard didn’t collapse in a day—it unravelled over years, through missed red flags and unchecked vendor relationships.
These aren’t just headlines. They’re cautionary tales that remind us of what happens when no one’s asking tough questions—or when those who do are ignored.
Final thought: internal audit is the safety net
We’re not here to duplicate procurement. We’re here to make sure the right risks are understood, managed, and escalated when needed. The IIA’s new requirement gives us the backing to do just that.
So lean in. Be visible. Be proactive. The more complex and outsourced our organisations become, the more essential our role is.
Because at the end of the day, you can outsource the work—but not the accountability. And internal audit is one of the few functions that can truly hold the whole third-party picture together.
About the author

David Hill is the former CEO of SWAP Internal Audit Services based in the UK. David has nearly 40 years of audit experience, and is a former member of the Global Guidance Committee. Connect with David on LinkedIn.