The Institute of Internal Auditors (IIA) has taken a significant step forward with the release of the Cybersecurity Topical Requirement on February 5, 2025.
This new requirement is effective immediately and is a crucial addition to the IIA’s International Professional Practices Framework® (IPPF®), addressing one of the most pressing risks faced by organizations globally.
Addressing Pervasive Risks
Cybersecurity remains a top concern for organizations worldwide, consistently ranking as a critical risk in various reports, including The IIA’s Risk in Focus 2025. The Cybersecurity Topical Requirement (Topical Requirement) provides a structured approach for internal audit functions to assess cybersecurity governance, risk management and control processes. This is essential for ensuring that organizations are well-prepared to handle recurring cyber threats.
Key Elements of the Requirement
The requirement emphasizes several key areas:
- Clear Roles and Responsibilities: Establishing defined roles within the organization to manage cybersecurity strategic objectives.
- Robust Risk Management: Implementing an up-to-date risk management approach to address ongoing cyber risks.
- Effective Internal Controls: Ensuring that management has established a strong internal control environment.
These elements are designed to provide a consistent baseline for internal auditors, helping them to evaluate cybersecurity risks effectively.
Flexibility and Guidance
One of the standout features of the Topical Requirements is the flexibility they offer. Internal audit functions can tailor their audit plans to the unique needs and risk profiles of their organizations. This flexibility ensures that while the requirements provide clear guidance, they do not mandate a one-size-fits-all approach. Instead, they equip practitioners with the resources needed to address priority risks in a consistent manner.
Implementation Steps
Implementing the IIA’s Cybersecurity Topical Requirement involves several key steps to ensure effective integration into an organization’s internal audit processes:
- Understand the Requirement
  - Review the User Guide: Start by thoroughly reviewing the Cybersecurity Topical Requirement User Guide provided by the IIA. This guide offers detailed insights into the requirement, including practical application examples and mapping to globally recognized frameworks like NIST and COBIT.
- Assess Current Capabilities
  - Evaluate Skill Sets: Assess the current skill sets of your internal audit team to determine if additional training or resources are needed. This may involve identifying gaps in cybersecurity knowledge and arranging for relevant training programs.
  - Engage Qualified Resources: If necessary, consider engaging third-party experts to supplement your internal audit team’s capabilities.
- Develop a Tailored Audit Plan
  - Customize Audit Plans: Tailor your audit plans to address the unique needs and risk profiles of your organization. Ensure that the plans incorporate the key elements of the Cybersecurity Topical Requirement, such as clear roles and responsibilities, robust risk management, and effective internal controls.
- Engage Stakeholders
  - Involve Senior Management and the Board: Engage senior management and the board in discussions about cybersecurity governance. Their involvement is crucial for establishing a strong cybersecurity culture and ensuring alignment with strategic objectives.
- Document and Review
  - Document Conformance: Maintain thorough documentation of how your organization conforms to the Cybersecurity Topical Requirement. This includes records of audit plans, findings, and corrective actions.
  - Prepare for Quality Reviews: Be prepared for both internal and external quality reviews by ensuring that all documentation is up to date and accurately reflects your cybersecurity audit processes.
- Continuous Improvement
  - Learn from Best Practices: Leverage lessons learned from other organizations that have implemented the requirement. Participate in roundtables and forums to share experiences and gain insights.
  - Stay Updated: Keep abreast of any updates or additional guidance provided by the IIA to ensure your practices remain current and effective.
Internal audit functions are required to comply with the IIA’s cybersecurity-related requirements when cybersecurity risks are material to the organization and have a significant impact on the achievement of the organization’s objectives. To put it simply, the need for compliance is tied to when cybersecurity becomes a critical factor in managing the organization’s overall risk and control environment.
By following these steps, organizations can effectively implement the IIA’s Cybersecurity Topical Requirement and enhance their cybersecurity audit processes. Although applying the Cybersecurity Topical Requirement is not mandatory for every internal audit function in order to be considered in compliance with the IIA standards, it is highly recommended.
Looking Ahead
The Topical Requirement is just the beginning. The IIA plans to release additional Topical Requirements throughout the year, focusing on other critical areas such as third-party risk, business culture, business resilience, and anti-corruption and bribery. These upcoming requirements will further enhance the ability of internal auditors to address a wide range of pervasive risks.
The release of the Topical Requirement marks a significant milestone for the IIA and the internal audit profession. By providing a structured and flexible approach to assessing cybersecurity risks, the IIA is helping organizations strengthen their defenses against one of the most critical threats they face today.
If you have any questions about the Topical Requirement, please contact our team at [email protected].
About Schneider Downs Risk Advisory
Our team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but also to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
Explore our full Risk Advisory Service offerings or contact the team at [email protected].