Preparing for The IIA’s

Anti-Corruption Topical Requirement

About the Anti-Corruption Topical Requirement

Topical Requirements are a new addition to the International Professional Practices Framework® and are designed to be used alongside the Global Internal Audit Standards™. They provide internal audit functions with clear, purpose-built requirements for auditing complex and dynamic risk areas.

This webinar introduces The IIA’s upcoming Anti-Corruption Topical Requirement, expected to be released for public comment in early June 2026. The session will explore why anti-corruption is a priority for internal audit and how the requirement supports more consistent, reliable assurance and advisory services.

The Anti-Corruption Topical Requirement is expected to help internal audit functions approach anti-corruption engagements with greater consistency, clarity and confidence. It will also support more reliable assurance and advisory work in an area that remains a major priority for boards, audit committees and senior management.

   Key questions answered…

In an increasingly interconnected global economy, the necessity for standardized baselines in high-stakes risk areas is paramount. For the Chief Audit Executive (CAE), Topical Requirements eliminate the ambiguity often found in diverse jurisdictions, ensuring that the depth and rigor of an audit are not compromised by local variations.
 
The decision to elevate anti-corruption to a requirement level is underscored by data from the Association of Certified Fraud Examiners (ACFE) 2026 “Report to the Nations.” The report highlights a staggering shift: corruption cases accounted for only 10% of reported fraud in 1996, but that figure has surged to 45% today.
 
This data validates the IIA’s strategic prioritization, as corruption now represents a primary threat to organizational trust and financial stability.
 
The following table delineates the roles of different standards within the modern audit lifecycle:

Category
Role in the Audit Lifecycle
Examples
Core Standards
Mandatory for the entire profession; focuses on governance, ethics, and functional management.
Ethics, Professionalism, Managing the Internal Audit Function.
Topical Requirements
Mandatory for specific engagements; provides baseline criteria for pervasive, high-stakes risks.
Cybersecurity, Anti-Corruption, Third-Party Management.
Global Guidance
Non-mandatory; provides supplemental instructions for specific sectors or industries.
Global Practice Guides, Global Technology Audit Guides (GTAGs).

While the strategic priority is clear, the implementation is intentionally nuanced to preserve professional judgment.
It is essential to distinguish between a “requirement to audit” and a “requirement for the audit.” The IIA does not issue a “one-size-fits-all” mandate for every organization to audit anti-corruption annually. Instead, this structure preserves the CAE’s seat at the table by allowing for strategic assurance mapping.
 
The Topical Requirement becomes mandatory only when specific conditions are met:
  • Risk Assessment Identification
    When the organizational risk assessment identifies corruption as a significant risk to the achievement of objectives.
  • Audit Plan Inclusion
    When an engagement with a specific corruption-related objective is approved as part of the internal audit plan.
  • Emergent Risk Discovery
    When an auditor identifies a significant corruption risk during another engagement (e.g., a procurement review) that necessitates a shift in scope.

This approach allows for professional judgment and scoping based on the organization’s unique risk landscape. Once the decision to audit is made, however, the Topical Requirement provides a structured, mandatory path for assessment that ensures no critical governance or control element is overlooked.
The Anti-Corruption framework is a holistic model that evaluates organizational culture alongside technical controls. It is structured around three strategic pillars:

  • Governance
    This pillar centers on the “Tone at the Top.” Effective anti-corruption efforts require visible commitment from senior management and rigorous board oversight. Without this ethical foundation, the organization’s governance maturity will remain stunted.

  • Risk Management
    Corruption is famously described as a “cancer”—present but often dormant until it activates and spreads. Because corruption is pervasive yet hidden, auditors cannot rely on the “absence of evidence” as “evidence of absence.” This pillar demands a proactive, “diagnostic” approach, requiring organizations to recognize corruption as a specific risk and incorporate active testing into their prioritization processes.

  • Control
    This evaluates the mechanisms designed to deter and detect corrupt acts. A critical focus area is Third-Party Management, as close relationships with vendors are identified as the number one behavioral red flag for corruption. Controls must also ensure the consistent enforcement of penalties, regardless of an individual’s economic value to the firm.

These pillars remain flexible enough to survive diverse legal environments, allowing for professional adaptation in the face of jurisdictional challenges.
Auditing in a globalized environment frequently presents conflicts between local laws and global standards. Internal auditors must navigate these through the professional safeguards of Standard 4.1 (Documentation of Conflicts).
 
If a law or regulation prevents compliance with a specific part of a Topical Requirement, the auditor is required to document the conflict and communicate the rationale to the board and audit committee. For example, in jurisdictions where formal whistleblowing programs are not culturally or legally standard, auditors should not simply note a deficiency. Instead, they should evaluate alternative reporting channels and make recommendations for leading practices. A prime example of such a practice is the use of outsourced, multi-lingual hotlines (as seen in South Africa) that support various tribal languages to ensure accessibility.
 
Documenting these exclusions is a critical component of the Quality Assessment (QA) process. It protects the auditor’s professional integrity by providing a clear, documented justification for deviations, ensuring that the audit remains credible during external reviews.
The standard-setting process relies on the expertise of the global community. The upcoming public comment period is the final opportunity for stakeholders to influence the mandatory guidance.

Implementation Roadmap & Effective Dates:

  • Anti-Corruption Public Comment
    The draft is scheduled for release early next week with a 45-day window for feedback.

  • General Implementation Rule
    Generally, topical requirements become effective one year after final publication. However, the IIA may allow for extended implementation periods for complex topics.
 
Current Status of Topical Requirements:
  • Cybersecurity: Effective February 2024.
  • Organizational Behavior: Effective December 2024.
  • Third-Party Management: Effective September 15, 2026.
  • Organizational Resilience: Published April 2024; effective April 2027.
  • Talent Management: Currently in the drafting phase.
 
By engaging with these timelines and participating in the feedback process, internal auditors reinforce their role as credible, valued partners in the fight against global corruption and the advancement of organizational integrity.

   Short explainer…

Podcast-style summary…

Jean-Pierre Garitte

Audit Committee Chair of Flemish Government & Local Flemish Governments, Belgium
Past Chair of IIA Global Board

Pamela J. Stroebel Powers,

CIA, CGAP, CRMA, CPA

Director, Professional Guidance, Public Sector
The Institute of Internal Auditors, Global Headquarters

   Glossary of terms used…

 

Term
Definition
ACFE
The Association of Certified Fraud Examiners; an organization that provides global statistics and reports on fraud and corruption.
Assurance Engagement
An audit core practice intended to provide an objective assessment that controls are relevant, adequate, and effective.
Bribery
An incentive paid to an individual to induce them to perform an action they are not authorized or supposed to do.
Conflict of Interest
A situation where a person’s private interests or relationships (such as real estate holdings or family ties) interfere with their professional duties.
Facilitation Payments
Small payments made to officials to ensure the performance of a routine or necessary task to which the payer is already entitled.
Global Internal Audit Standards
The updated standards issued in January 2024 that define the core requirements for the internal audit profession.
IIA
The Institute of Internal Auditors; a global professional body that issues standards and guidance for the internal audit profession.
Kickback
A payment given to someone in return for a favor or service rendered, typically occurring after the corrupt act has been completed.
Topical Requirements
Mandatory baseline criteria for internal auditors to follow when auditing pervasive and high-risk areas, such as cybersecurity or anti-corruption.
Whistleblower Mechanism
A process or “point of contact” (often an ombudsman or an outsourced service) that allows individuals to report unethical behavior or corruption safely and anonymously.
Third-Party Due Diligence
The process of assessing the ethical behavior and risks associated with external vendors and partners before and during a business relationship.
Tone at the Top
The ethical atmosphere created by an organization’s leadership, signaling the importance of integrity and compliance to all employees.

Terms and Conditions

  • The Good Governance Academy nor any of its agents or representatives shall be liable for any damage, loss or liability arising from the use or inability to use this web site or the services or content provided from and through this web site.
  • This web site is supplied on an “as is” basis and has not been compiled or supplied to meet the user’s individual requirements. It is the sole responsibility of the user to satisfy itself prior to entering into this agreement with The Good Governance Academy that the service available from and through this web site will meet the user’s individual requirements and be compatible with the user’s hardware and/or software.
  • Information, ideas and opinions expressed on this site should not be regarded as professional advice or the official opinion of The Good Governance Academy and users are encouraged to consult professional advice before taking any course of action related to information, ideas or opinions expressed on this site.
  • When this site collects private information from users, such information shall not be disclosed to any third party unless agreed upon between the user and The Good Governance Academy.
  • The Good Governance Academy may, in its sole discretion, change this agreement or any part thereof at any time without notice.

Privacy Policy

Link to the policy: GGA Privacy Policy 2021

The Good Governance Academy (“GGA”) strives for transparency and trust when it comes to protecting your privacy and we aim to clearly explain how we collect and process your information.

It’s important to us that you should enjoy using our products, services and website(s) without compromising your privacy in any way. The policy outlines how we collect and use different types of personal and behavioural information, and the reasons for doing so. You have the right to access, change or delete your personal information at any time and you can find out more about this and your rights by contacting the GGA, clicking on the “CONTACT” menu item or using the details at the bottom of the page.

The policy applies to “users” (or “you”) of the GGA website(s) or any GGA product or service; that is anyone attending, registering or interacting with any product or service from the GGA. This includes event attendees, participants, registrants, website users, app users and the like.

Our policies are updated from time-to-time. Please refer back regularly to keep yourself updated.