Internal Audit

The Organizational Behavior Topical Requirement: What Every Internal Auditor Must Now Do

Kamran Iqbal, CIA, CISA, CFE, CRMA | June 2026 | 9 min read
The IIA's Organizational Behavior Topical Requirement represents one of the most significant expansions of internal audit's mandatory scope in recent years. For the first time, internal auditors have a structured, mandatory framework for auditing one of the most persistent root causes of control failure: organizational behavior. This is not an audit of culture in the abstract — it is a systematic, evidence-based assessment of the observable choices employees make in doing their jobs and how those choices align with organizational objectives. Understanding and applying this Topical Requirement correctly is now a professional obligation.

What Is the Organizational Behavior Topical Requirement?

The Organizational Behavior Topical Requirement is a mandatory component of the IIA's International Professional Practices Framework, sitting alongside the Global Internal Audit Standards and Global Guidance. It must be applied whenever organizational behavior is the subject of an assurance engagement, is identified during the course of another engagement, or is the subject of a requested engagement that was not originally in the audit plan.

The distinction between organizational behavior and culture is deliberate and important. Culture encompasses both the observable choices employees make and the underlying drivers of those choices — formal incentives, informal values, beliefs, and leadership norms. Organizational behavior is the auditable subset: the observable choices themselves. This reframing transforms what has historically been a subjective, difficult-to-audit domain into something auditors can assess systematically using traditional risk-based audit methodology.

Organizational behavior is "the way we do things" — the observable choices employees make in doing their jobs, which influence performance and the achievement of organizational objectives.

The 15 Mandatory Requirements

The Topical Requirement establishes 15 mandatory requirements across three domains that internal auditors must assess for applicability in every relevant engagement.

Governance (4 Requirements)

Governance requirements address how the board and senior management structure oversight of organizational behavior. Internal auditors must assess whether: the board oversees roles and responsibilities to avoid unintended consequences such as conflicts of interest; individual and group accountability for behavioral expectations is established and maintained; governance processes ensure regular monitoring and challenge of behavioral alignment; and policies and procedures addressing behavioral risk are established, reviewed, communicated, and integrated into decision-making.

A critical insight: effective governance is not passive. The board must actively challenge management on behavioral matters — not simply receive reports. Audit evidence should include board minutes showing genuine challenge, behavioral risk dashboards, and documentation of action taken when misalignment is detected.

Risk Management (4 Requirements)

Risk management requirements address whether the organization has defined an approach to identifying and managing behavioral risks. Auditors must assess whether a behavioral risk management framework exists; whether monitoring is adequate and timely; whether gaps between behavioral expectations and actual behaviors are communicated with root cause analyses; and whether identified gaps are resolved with stakeholder input and tracked to completion.

Root cause analysis is a key differentiator. Communicating that a behavioral gap exists is insufficient — the framework must identify why the gap exists: unclear incentives, low psychological safety, poor leadership tone, or structural design failures.

Controls (7 Requirements)

Control requirements are the most operationally detailed domain. They address: the approach to identifying and mitigating behavioral risk patterns; tone setting and structured feedback mechanisms; speak-up and escalation processes; incentive and disincentive programs; issue management processes; training and awareness programs; and talent acquisition and onboarding processes.

Incentive programs deserve particular attention. They are among the most powerful drivers of behavior — and misaligned incentives are a leading root cause of misconduct, excessive risk-taking, and shortcuts. Auditors must assess not only whether incentive programs exist but whether their behavioral consequences have been evaluated.

Applicability Assessment — The Mandatory Documentation Requirement

Evidence that each of the 15 requirements was assessed for applicability must be documented and retained for every relevant engagement. This applies even when requirements are excluded — the rationale for exclusion must be documented. Conformance will be evaluated during quality assessments.

This creates a mandatory workpaper: an applicability assessment matrix documenting, for each requirement, whether it was applied, partially applied, or excluded — and if excluded, why. Acceptable rationale includes contextual factors or resource constraints with documented alternative actions. "Not relevant" without analysis is not acceptable.

Three Practical Application Types

Standalone OB Framework Reviews assess the organization's complete behavioral governance, risk management, and control framework across all 15 requirements.

Thematic Reviews apply a subset of requirements to a specific behavioral theme — such as incentive practices, speak-up culture, or tone at the top.

Integration into Existing Audits embeds behavioral risk considerations into traditional audit work. A cybersecurity audit may identify that most security failures are behavioral rather than technical, triggering assessment of applicable OB requirements within that engagement.

Common Findings Internal Auditors Will Encounter

Boards that receive culture reports without challenging management fail Requirement G-C. Performance reviews assessing financial targets only — with no assessment of how objectives are achieved — fail Requirement C-D. Speak-up channels with no feedback mechanism for reporters fail Requirement C-C. Training programs with high completion rates but no assessment of behavioral impact fail Requirement C-F.

The Conform-or-Explain Principle

Where full conformance is not feasible — due to resource constraints, sector-specific considerations, or public sector limitations — the CAE must implement alternative actions achieving the intent of the requirement and document the rationale. This "conform or explain" approach preserves the framework's integrity while acknowledging real-world constraints.
