The Institute of Internal Auditors (IIA) announced its Cybersecurity Topical Requirement, the first in a series of mandated frameworks under its International Professional Practices Framework (IPPF). The move signals a shift from cybersecurity audits being a discretionary or ad-hoc exercise to a standard approach for all audit plans.

Standardizing Audit

The requirement mandates a baseline approach for internal audit functions assessing cybersecurity. Key scope areas include:

  • Governance: Clear roles for cybersecurity oversight, aligned with strategic objectives.
  • Risk management: Dynamic risk assessments to counter evolving threats.
  • Controls: Rigorous evaluation of technical and procedural safeguards of data and assets.

This means standardized audits will replace inconsistent practices with a unified methodology tied to frameworks like NIST CSF 2.0 and COBIT 2019.

Breaking Down Silos

A standout theme of the requirement is collaboration. The IIA explicitly pushes auditors to partner with InfoSec teams, bridging a historical divide between the two functions. The requirement’s User Guide even maps controls to NIST 800-53, offering a shared language for both. This is a win for organizations aiming to move beyond reactive, siloed responses to breaches, and it echoes the DevSecOps approach that many organizations have already adopted.

Additionally, if IT leadership is not open to cyber audits, it’s a red flag. Internal audit should work to build its credibility, add expertise where needed, and address hesitation from IT. Cybersecurity awareness should be embedded into all areas of the organization, including internal audit.

Challenges Ahead

While the requirement is a leap forward, implementation hurdles remain:

  • Timeline: Conformance is mandatory by February 2026, but smaller internal audit functions may struggle with resource constraints and subject matter expertise.
  • Scope flexibility: Cybersecurity audits themselves are not mandated, but when cybersecurity is in scope, the framework applies. This balances rigor with adaptability but could lead some organizations to leave cybersecurity out of their audit plans. Internal audit teams should assess cyber risk on an annual basis and, given that it has been a top risk for all industries for the past several years, there is no reason not to include cyber in the audit plan.
  • Privacy balancing act: Continuous monitoring must align with employee privacy norms, a tension the framework acknowledges but doesn’t resolve. Cross-training team members in privacy and collaborating with privacy experts is increasingly important.

What’s Next?

The IIA plans follow-on topical requirements for third-party risk, culture, and resilience. For now, cybersecurity takes center stage, reflecting its rank as the No. 1 global risk in the IIA’s 2025 survey.

This requirement isn’t just about compliance; it’s a call to action. Internal audit should partner with cyber leadership to:

  • Review the Topical Requirement and User Guide to ensure they have a plan to meet the baseline requirements.
  • Evaluate their internal audit teams’ cybersecurity expertise and provide training or seek third-party expertise as needed for support.
  • Ensure current processes support formal cybersecurity strategies, standard board-level reporting, and clear roles and responsibilities for cyber risk management.
  • Prioritize continuous risk management by maintaining ongoing risk assessments, updating incident response plans, and measuring awareness program effectiveness.
  • Implement continuous monitoring, effective third-party/vendor management, and regular independent control evaluations.
  • Promote cross-functional collaboration, alignment, and communication between audit, InfoSec, and senior management to drive a unified cybersecurity approach.

Organizations leveraging the new requirement will gain stronger cyber resilience and standardization, empowering audit and InfoSec teams to address cyber risk and report it effectively to the board. For internal auditors, the message is clear: Cyber audits are here to stay. For InfoSec teams? It’s time to welcome audit as an ally, not an adversary.

To better understand and apply the rule at your organization, contact CrossCountry Consulting.


Cameron Over

Cyber and Privacy Lead


Contributing authors: Brandon Jeanmarie, Mike Visconti, Karalee Britt