Cybersecurity Audit Checklist: Best Practices for Internal Audit and InfoSec Teams

Since the IIA introduced the new Cybersecurity Topical Requirement as part of the Global Internal Audit Standard, both internal audit and InfoSec teams now have standardized guidelines for cybersecurity audits intended to enhance collaboration across teams and drive better outcomes. For InfoSec professionals, the requirement provides greater clarity regarding audit expectations, and auditors now have more defined expectations of responsibilities and what technical concepts and risk frameworks to focus on.

Yet the question persists: how do you actually conduct a successful cybersecurity audit that satisfies the new requirement? First, you will want to execute a clear game plan for each phase: pre-audit, during the audit, and post-audit. Second, you can leverage centralized platforms, automated tools, and real-time monitoring to streamline the entire process.

Read on for a step-by-step breakdown of what to do at each phase of the audit, and download our helpful guide, Cybersecurity Audit Survival Kit, for more information on the topical requirement and tools for success.

How to Survive a Cybersecurity Audit Under the New Requirement

Preparation Strategies

Preparation is critical to successfully navigating a cybersecurity audit. Before the audit starts, both internal audit and InfoSec teams should consider the following steps:

  1. Understand the Guidance: Familiarize yourself with The IIA’s Cybersecurity Topical Requirement and its implications for your role. For the audit team, this could be the first time learning the details associated with cybersecurity. Use this as an opportunity to identify knowledge gaps and continue your education. Likewise, for InfoSec teams, it could be your first time reading an IT audit program written from a non-technical perspective. You will be more prepared for the sometimes general questions posed by auditors.
  2. Organize Documentation: Knowing what topics will be covered in the audit means you can start gathering documentation early. Both teams must compile information, so centralizing key documents, including risk registers, control frameworks currently in use by InfoSec (e.g., NIST, COBIT, PCI, ISOs), and security policies, is a good practice to streamline audit preparation. While much of this will be accessible to both teams, the InfoSec team may have more detailed documentation that the auditors would not have seen before, like playbooks and standard operating procedures (SOPs).
  3. Update Policies and Procedures: Depending on your time before the formal audit, the InfoSec team can use the guidance as a checklist to proactively identify and address potential gaps. For example, when compiling policies and procedures, you may notice that policies have not been reviewed for more than a year, or your Incident Response Plan may need to be updated to reflect recent changes made to the organization.
  4. Establish Communication Channels: Build strong communication between audit and InfoSec teams to ensure alignment and reduce misunderstandings. Even before the audit starts, the teams can work together to strategize the scope and approach. Key individuals may be selected to represent each team and work together to ensure expectations are clear on both sides and help facilitate information gathering.
  5. Choose a Testing Approach: Many InfoSec teams have adopted an agile way of working. Auditors may find it useful to perform this type of audit using an agile audit approach to meet the InfoSec team’s expectations. One way to accomplish this is to consider each of the three domains as sprint goals. This way, audit would plan, test, and conclude on each topic during a sprint. During testing, the InfoSec contact can join daily scrum meetings to stay informed, and audit can hold sprint reviews to present issues and confirm the scope of the upcoming sprint. The approach allows InfoSec to openly communicate with audit throughout the process, and audit can adapt to the business’s concerns.

During the Audit

The audit process should be approached as a collaborative effort. During the audit, both teams can work together as partners by focusing on the following:

  1. Transparency: Information sharing works both ways. The audit team will share the audit program and its intended approach to testing, documentation requests, and raising issues. To demonstrate a proactive approach, the InfoSec team should likewise share known vulnerabilities and ongoing remediation efforts with auditors. Otherwise, the audit team will find these in their testing and spend time trying to learn about something you already know.
  2. Focus on Solutions: Findings are inevitable, but these do not necessarily mean the InfoSec team is doing anything wrong. The cybersecurity audit is meant to show a point-in-time position on a maturity spectrum. Emphasize actionable recommendations that address findings and improve the organization’s cybersecurity posture.
  3. Leverage Technology: Use integrated platforms to facilitate data sharing, control testing, and reporting. Technology that facilitates information exchange will keep the audit moving efficiently. By conducting the audit on a platform like AuditBoard, internal audit and InfoSec teams can easily share relevant information and audit evidence while cross-referencing existing controls with internal audit to eliminate redundant testing and minimize confusion during the audit.

Post-Audit

A well-executed audit provides valuable insights that can guide continuous improvement and help the organization adopt best practices related to cybersecurity.

  1. Present a United Front: Once the audit is complete, audit and InfoSec teams can strengthen the organization’s defenses against cyber threats by addressing findings and implementing recommendations. Since the teams worked collaboratively during the audit, both sides should agree on the details and prioritization of the findings and how to present these to the organization.
  2. Continue to Build the Relationship: An additional benefit can be a stronger, ongoing partnership between internal audit and InfoSec. Once both teams agree on the findings, they can define the investment needed to bolster the organization’s defenses against cyber threats. Internal audit can then take these findings and advocate to the board for the budget InfoSec needs to implement the action plans.
  3. Embrace Combined Assurance: A potential long-term benefit of the partnership is a shared commitment to work toward combined assurance. By providing InfoSec teams with the tools to conduct self-assessments, internal auditors can rely on the evidence and testing and focus their resources on other areas of the organization.

Leveraging Technology to Meet the Cybersecurity Topical Requirement

Audit and InfoSec teams often operate in silos, relying on unrelated processes and disconnected systems that hinder effective collaboration and alignment. The lack of integration leads to inefficiencies, redundancies, and confusion, making it challenging to meet The IIA’s Cybersecurity Topical Requirement. Without centralized platforms, automated tools, and real-time monitoring, organizations will struggle to meet the requirement.

Technology will play a pivotal role in meeting the demands of the Cybersecurity Topical Requirement and streamlining the cybersecurity audit process for all involved. Instead of relying on fragmented workflows and manual testing processes, technology like AuditBoard’s integrated platform centralizes risk and control management to create a single source of truth for cybersecurity policies, frameworks, and evidence. Both teams working in a unified platform designed for information sharing ensures alignment throughout the process.

Automation further strengthens the audit by facilitating control testing and gap assessments, enabling organizations to evaluate the effectiveness of their cybersecurity controls quickly and consistently, identifying areas that require improvement. Continuous monitoring capabilities enhance compliance by providing real-time insights into cybersecurity risks and helping organizations adapt to emerging threats.

Perhaps the greatest advantage of technology like AuditBoard is fostering communication between audit and InfoSec teams. By improving communication between these teams, technology bridges gaps, clarifies scope, and creates a more cohesive approach to cybersecurity audits. Ultimately, leveraging technology simplifies conformance with the IIA requirement and strengthens the organization’s overall cybersecurity position.

Checklist: Cybersecurity Audit Readiness

The checklist below is split into two columns, one for Internal Audit Teams and one for InfoSec Teams, and grouped by audit phase and domain.

Before the Audit

Internal Audit Teams:
  [ ] Understand the Cybersecurity Topical Requirement.
  [ ] Update audit plans to incorporate cybersecurity risks where applicable.
  [ ] Engage InfoSec teams to identify key risks and controls.
  [ ] Review past cybersecurity audits to establish a baseline.
  [ ] Evaluate risk management processes, incident response protocols, and disaster recovery plans.
  [ ] Confirm what cybersecurity frameworks the InfoSec team is using to manage their program.
  [ ] Choose a team member to act as the primary contact with InfoSec.
  [ ] Identify any known InfoSec issues that have not been remediated to avoid redundant testing.

InfoSec Teams:
  [ ] Familiarize yourself with The IIA’s guidance.
  [ ] Centralize policies, SOPs, frameworks, and evidence for audits.
  [ ] Maintain an up-to-date risk register and incident management log.
  [ ] Address potential control gaps through self-assessments.
  [ ] Align priorities and expectations, including audit scope, with internal auditors.
  [ ] Choose a team member to act as the primary contact with internal audit.
  [ ] Inform any team members involved in the audit about the need to participate proactively in the audit.

Governance

Internal Audit Teams:
  [ ] Review policies, procedures, and other relevant documentation utilized by the organization to manage daily cybersecurity responsibilities.
  [ ] Review roles and responsibilities to support the achievement of the cybersecurity strategy.
  [ ] Review materials presented to the board about cybersecurity strategy, objectives, risks, and controls.
  [ ] Review management’s cybersecurity-related communications with relevant stakeholders.
  [ ] Review the analysis and communication of resource requirements by management.

InfoSec Teams:
  [ ] Provide all cybersecurity-related policies and procedures to the audit team.
  [ ] Verify which frameworks InfoSec uses as a basis for policies and procedures (e.g., NIST CSF, COBIT, NIST 800-53), including the version or release.
  [ ] Provide information related to board communications, budgets, and software used in the cybersecurity program.

Risk Management

Internal Audit Teams:
  [ ] Review how management initially identifies cybersecurity risks.
  [ ] Review how management identifies risk management team members, their qualifications, positions, and evidence of cybersecurity discussions.
  [ ] Review the process to update policies and procedures.
  [ ] Review the process for risk prioritization and escalation.
  [ ] Review the process for managing third-party cybersecurity risks.
  [ ] Review the process for communicating cybersecurity operational risks.

InfoSec Teams:
  [ ] Provide current cybersecurity risk registers and assessments, along with the risk scoring methodology.
  [ ] Provide a roster for the risk management team, ideally for the InfoSec team and the enterprise risk management function.
  [ ] Provide a list of critical applications and vendors.
  [ ] Provide any communications related to cybersecurity risks sent to senior management, the organization, and vendors.

Control Activity

Internal Audit Teams:
  [ ] Review the cybersecurity control strategic plan.
  [ ] Review management’s process for control evaluation.
  [ ] Review the cybersecurity training and awareness program.
  [ ] Review the SDLC process to ensure cybersecurity is considered.
  [ ] Review the process for protecting hardware, software, and network resources.
  [ ] Review controls over service delivery and third parties.
  [ ] Review controls over communications systems.
  [ ] Review incident response procedures.

InfoSec Teams:
  [ ] Provide the cybersecurity strategic plan, which should include budgeting, resourcing, test plans, and vendor assessment plans for the year.
  [ ] Provide the annual training plan and any specific training built into the development process, such as secure coding training.
  [ ] Provide the current list of formal, documented controls and any operating procedures for protecting hardware, software, and networks.
  [ ] Provide results from tabletop incident response simulations with resulting improvement plans.

After the Audit

Internal Audit Teams:
  [ ] Document all findings in the audit management software with owners, dates, and action plans.
  [ ] Establish a follow-up frequency for corrective actions.
  [ ] Hold a retrospective with the InfoSec team to gather ideas for continuous improvement.
  [ ] Ensure cybersecurity procedures are added to applicable future audits.
  [ ] Draft a report highlighting the cybersecurity program’s strengths and areas for improvement while supporting InfoSec’s plans for future maturity.
  [ ] Set up a recurring touchpoint meeting with the InfoSec team to discuss findings and issues from future audits.

InfoSec Teams:
  [ ] Draft realistic action plans for all audit findings with owners and implementation dates.
  [ ] Communicate the action plans to appropriate members of the team and leadership.
  [ ] Update policies and procedures based on audit results.
  [ ] Create a cybersecurity maturity plan that incorporates audit results and future objectives.
  [ ] Meet with the internal audit team regularly to gather information from their future audits.

Yes, You Can Survive Cybersecurity Audits

Cybersecurity audits are evolving, and meeting the new Cybersecurity Topical Requirement means adopting a proactive, technology-driven approach. With the right preparation and technology, internal audit and InfoSec teams can work together seamlessly to ensure compliance and strengthen cybersecurity defenses.

If you’d like deeper insights into successful cybersecurity audits, download the complete Cybersecurity Audit Survival Kit today.

Celene Ennia

Celene Ennia is a Product Marketing Manager of ITRC Solutions at AuditBoard with a robust background in IT audit and compliance. Previously at A-LIGN, she held a range of IT audit roles and oversaw a team to conduct audits for SOC 2, SOC 1, HIPAA, and other key standards, and now applies her expertise to develop data-driven, customer-focused marketing strategies at AuditBoard.

Jimmy Pfleger

Jimmy Pfleger, CISA, Kanban Certified (Agile), is a Manager of Product Solutions at AuditBoard and has over 11 years of IT Audit, Compliance & Security experience. He started his career at KPMG in the IT Advisory practice where he led external audit & assurance activities for some of the largest companies in the St. Louis area. In addition to managing the IT Internal Audit function at both Caleres & RGA, he also spent time as the Manager of Security Compliance at Express Scripts where he built and managed the SOC 2 program.
