IIA sets cybersecurity requirement

Institute of Internal Auditors president and CEO Anthony Pugliese speaking at the IIA’s General Audit Management conference in Las Vegas

The Institute of Internal Auditors released the first in a series of topical requirements planned for this year, starting with cybersecurity.

The Cybersecurity Topical Requirement offers internal auditors a consistent approach to assessing the design and implementation of cybersecurity governance, risk management and control processes. The requirements represent a minimum baseline for assessing cybersecurity in an organization. According to the IIA's research, cybersecurity continues to be a top-rated risk affecting organizations across industries and around the world. The topical requirements give practitioners a set of baseline requirements for reviewing certain risk areas such as cybersecurity, and they are intended to ensure that audit functions globally operate in a consistent and reliable manner.

In addition, the IIA's Internal Audit Foundation and AuditBoard released a new joint report Wednesday discussing the rise in cybercrime in the U.S. and how internal audit and information security teams can work together to ensure organizations are cyber resilient. The report includes insights from internal audit and information security leaders and provides strategies organizations can adopt to safeguard against cyberthreats.

"While internal audit priorities naturally evolve, some key risks will remain consistently critical to organizations and their internal audit plans well into the future," said IIA president and CEO Anthony Pugliese in a statement. "Cybersecurity continues to be a top concern for organizations worldwide — in fact, it was once again ranked as the top risk in the IIA's Risk in Focus 2025 report — and is fitting as the subject for our first Topical Requirement."

Topical requirements are one of the three main elements of the IIA's International Professional Practices Framework, alongside the Global Internal Audit Standards and Global Guidance, providing a consistent baseline for assessing specific risk areas.

The Cybersecurity Topical Requirement provides a baseline approach for internal audit functions when they assess cybersecurity as an audit topic or when cybersecurity is identified as a risk within other audits. Some of the main requirements include establishing clear roles and responsibilities within the organization regarding cybersecurity strategic objectives, ensuring a robust and up-to-date risk management approach that accounts for recurring cyber risks, and confirming that management has established an effective internal control environment.

"Internal audit functions have the flexibility to craft audit plans tailored to the unique needs, objectives and risk profile of the organization they serve," said Benito Ybarra, IIA executive vice president of global standards, guidance and certifications, in a statement. "It's crucial to understand that topical requirements do not mandate internal audit functions to examine a specific topic, but rather provide practitioners with the resources and clear direction needed to assess and address priority risks identified in their audit plans in a consistent manner."

The next topical requirement will focus on third-party risk, addressing some of the major aspects of third-party risk management structures that internal auditors need to evaluate to mitigate persistent risks. Other topics under development include business culture, business resilience, anticorruption and bribery.
