⚡ Draft ⚠️ Mandatory Priority #7

Third-Party Management Topical Requirement – Draft for Public Comment IIA

Draft requirement for third-party risk management auditing, open for comment until April 20, 2025.

📅 Effective: Q3 2025
Comments Due: April 20, 2025
🔄 Next Review: Q3 2026

🎯 Key Focus Areas

  • Vendor lifecycle management assessment
  • Due diligence process evaluation
  • Critical vendor identification
  • Fourth-party risk considerations
  • Performance monitoring standards

📋 Requirement Details

The Third-Party Management Topical Requirement, released in draft form in March 2025 and open for public comment until April 20, 2025, addresses the critical need for consistent auditing of vendor and third-party relationships. This requirement provides standards for evaluating third-party risk management programs, including vendor selection processes, due diligence procedures, ongoing monitoring activities, and performance management. It covers the entire vendor lifecycle from onboarding through termination, with special focus on critical vendors, concentration risks, fourth-party risks, and supply chain dependencies. The requirement emphasizes the importance of assessing data privacy, security controls, business continuity capabilities, and regulatory compliance of third parties.

📄 Reference Documents

  • IIA Third-Party Topical Requirement Draft
  • Public Comment Instructions
  • Vendor Risk Management Framework
