How Are Organisations Responding to the IIA's New Topical Requirements?

The recent introduction of new Topical Requirements as published by the Global Institute of Internal Auditors (IIA) require all internal audit teams to assess the risk driven by organisational behaviour.  

We are proud to share that our own Wieke Scholten has contributed to the “Organizational Behavior Topical Requirement”, which provides a minimum baseline and comprehensive approach to help auditors assess the design and effectiveness of control processes related to behaviour.  

Since its publication in December 2025, many organisations are taking a closer look at how they identify, assess and respond to behavioural risk in a more structured and consistent way.   

Emerging risks can be traced back to behavioural patterns (e.g., rushed decision-making), and the underlying drivers that shape them (e.g., social norms that prioritize fast delivery, as opposed to taking the time to weigh perspectives). In other words, risks are linked to “how things are done” in daily practice. 

Organisations are increasingly seeing the importance of understanding what aspects of “how things are done” can unintentionally lead to poor outcomes, before those outcomes materialise. Not only to meet evolving expectations such as the IIA’s, but also to move from a reactive to a more proactive approach to risk management. This requires a shift in focus: from asking “what happened?” to understanding “what is driving risk in the first place?”. 

Integrating behavioural insights into audit and risk practices helps organisations:  

1. Identify behavioural patterns that may lead to poor outcomes 

2. Understand what is driving those behavioural patterns 

3. Intervene early to prevent risk materialisation  

The IIA Organisational Behaviour Topical Requirements mark another step towards more forward-looking internal audit approach.  

Are you wondering what the new IIA Topical Requirements on Organizational Behavior mean for your organisation and how to incorporate them into your internal audit and/or risk assessment methodology? We are happy to connect and exchange ideas. 

https://www.theiia.org/en/standards/2024-standards/topical-requirements/organizational-behavior/#documents