The Institute of Internal Auditors (IIA) has begun to release topical requirements for internal audit functions (IAFs) that provide assurance on specific mature risk areas. The first, the Cybersecurity Topical Requirement, was released earlier this month. It and future topical requirements set minimum requirements IAFs must follow when internal audit is conducting assurance services in these areas. The topical requirements are intended to drive consistency across the internal audit profession.
The process for developing the topical requirements is driven by the IIA Global Guidance Council (Council) with assistance from the International Internal Audit Standards Board (IIASB). The Council drafts the topical requirements, and the IIASB checks them for consistency with the Standards.
Cybersecurity: The First Topical Requirement
Identification of cybersecurity gaps remains a top priority for companies as cyber-related risks escalate, as evidenced by the growing cyberthreats and high-profile data breaches of the last few years. Consequently, cybersecurity risk and related assurance activities are prominently featured in most internal audit plans. Implementing the final version of the Cybersecurity Topical Requirement will help enhance consistency in assurance practices.
Below are some actionable insights that are critical to understand:
- The requirement does not require IAFs to perform cybersecurity internal audits. However, IAFs must conform to the requirement if cybersecurity internal audit work is conducted.
- IAFs have one year to conform to these requirements (effective date is February 5, 2026).
- The requirements were significantly revised from the initial draft version, demonstrating that the comment and review processes considered the feedback received.
- The release included the Cybersecurity Topical Requirement, which contains the mandatory elements for IAFs following the Standards. The release also included the Cybersecurity Topical Requirement User Guide, which contains implementation considerations and guidance. The guidance is suggested but not required.
- Adherence to the mandatory portions of the topical requirements will be assessed during external quality assessments and should be evaluated as part of the IAF’s quality assurance and improvement program.
What Internal Audit Functions Need to Do Now
- The Cybersecurity Topical Requirement is mandatory and requires IAFs to assess cybersecurity governance, risk management, and control activities when performing assurance services. This requirement¹ encompasses four governance, six risk management, and seven control activity criteria.
- IAFs can achieve conformance with cybersecurity requirements through various approaches tailored to their organizational needs. It is essential to carefully consider the most effective method for assessing current cybersecurity practices. When selecting third-party vendors or consulting firms to identify potential gaps in existing processes, it is important for IAFs to understand the intent of the Cybersecurity Topical Requirements and their relationship to the International Professional Practices Framework and the Global Internal Audit Standards. A thorough understanding and navigation of these requirements will help IAFs adhere to IIA standards while providing assurance over cybersecurity practices.
- The IIA is expected to release additional requirements over the next few years, including Third-Party, Culture, Business Resilience, and Anti-Corruption/Bribery. The Third-Party Topical Requirement is expected to be released for comment in March or April 2025, and the Culture, Business Resilience, and Anti-Corruption/Bribery Topical Requirements are expected to be developed in 2025 or 2026.
For more information on the updated IIA Global Internal Audit Standards, read our FORsights™ article, “Navigating the Updated IIA’s Global Internal Audit Standards.” If you have any questions or need assistance, please reach out to a professional at Forvis Mazars.
- ¹ "The Institute of Internal Auditors Releases the Cybersecurity Topical Requirements," theiia.org, February 5, 2025.