How Organizations Build Cyber Resilience Through Internal Audit-InfoSec Collaboration
The Institute of Internal Auditors’s Cybersecurity Topical Requirement, released on Feb 5, 2024, heralds an era of closer working relationships between internal audit and information security to strengthen cyber resilience. The requirement provides guidance to internal auditors on auditing cyber risks, and is designed to foster collaboration between internal auditors and information security professionals while ensuring cybersecurity audits are rigorous, consistent, and aligned with organizational priorities.
Collaboration between these two natural allies offers diverse benefits, and recent survey data reflect that these cyber stakeholders are already joining forces at many organizations. Meetings between internal audit and information security are common for more than 80% of respondents to the 2025 North American Pulse of Internal Audit survey. The survey outcomes also reveal a strong association between the frequency of meetings and the effectiveness of the relationship between internal audit and information security.
A recent joint report from AuditBoard and the Internal Audit Foundation, Natural Allies: Nurturing Cyber Resilient Cultures Through Internal Audit-Information Security Collaboration, examines the current state of internal audit and information security relationships, offering actionable strategies for building effective collaboration between the functions.
Discover key report findings below and download the full report for real-world CAE and CISO examples and actionable strategies for building cyber resilience through internal audit and information security collaboration.
High Ratings of Relationship Effectiveness Between Internal Audit and Information Security
Findings from the 2025 North American Pulse of Internal Audit survey reveal promising data regarding the current state of the internal audit-information security relationship. This sneak peek into the survey’s results (with full results to be released at The IIA’s 2025 Great Audit Minds Conference) shows that three out of four respondents consider the internal audit-infosec relationship as effective or very effective, while just one in 20 rate it as ineffective or very ineffective.
Internal Audit Teams Who Meet More Frequently With InfoSec Report More Effective Relationships
The survey results show that eight in 10 organizations report having meetings between internal audit and their information security function occur at least quarterly. Additionally, the data indicate that organizations with more frequent meetings are more likely to rate their collaboration as effective or very effective (see Figure 2).
This trendline highlights the value of regular communication in fostering strong partnerships. Many organizations attribute their successful collaboration to consistent, structured meetings, as reflected in individual accounts from industry leaders. For example, an internal audit leader from a food manufacturing company said she finds great value in her weekly meetings with her chief information security officer (CISO) because they keep her on the leading edge of the organization’s cybersecurity efforts.
“I find they’re a very good partner because they’re on the front end of project implementations, whether it’s putting a firewall in one of our plants or replacing an enterprise software,” she said. “From a strategic perspective, we share a lot of information that way.”
This insight highlights how close partnerships enable information sharing and can provide internal audit with early visibility into critical projects.
Public Sector Organizations Rate the Internal Audit-InfoSec Relationship as Neutral
The results from the 2025 Pulse survey also reveal two relevant deviations in the internal audit information-security relationship. The first finds the lion’s share of public sector respondents rate their relationships with information security as neutral (see Figure 3), with fewer than six in 10 (53%) rating it as effective or very effective.
This data point unveils a significant opportunity for public sector audit leaders. Indeed, public sector auditors and CISOs at the roundtables emphasized significant potential and benefits of their relationships.
Younger Generations of Internal Auditors and InfoSec Professionals Meet More Frequently
The second deviation finds a generational difference, with older internal audit leaders meeting less frequently with information security professionals. Internal audit leaders from the Baby Boomer generation (1946 to 1964) are more likely to meet annually or quarterly than monthly with their information security counterparts. In contrast, audit leaders from the Gen X (1965 to 1980) and Millennial (1981 to 1996) generations are more likely to meet monthly or more than once a month (see Figure 4).
Tactical Approaches for Effective Relationships
Participants in the 2025 Pulse survey were invited to share insights into the tactical approaches they employed to strengthen the working relationship between internal audit and their organization’s information security function. Among those who rated the effectiveness of the relationship as high (i.e., very effective or effective), over 140 individuals provided feedback to this open-ended question.
The analysis of the written responses revealed that while many participants emphasized the importance of communication, visibility, joint involvement, collaboration, and efforts to build relationships as key factors for fostering effective relationships between internal audit and information security, more advanced approaches — such as establishing credibility and trust through delivered services — were mentioned less frequently (see Figure 5).
Boost Your Organization’s Cybersecurity Resilience Through Collaboration
Practices that strengthen cybersecurity and help grow cyber-resilient organizations should be examined and embraced. Conversely, practices that endorse hoarding information and building silos will ultimately lead to cybersecurity failures.
We hope you’ll consider sharing the joint report from AuditBoard and the Internal Audit Foundation, Natural Allies: Nurturing Cyber Resilient Cultures Through Internal Audit-Information Security Collaboration, with colleagues in internal audit or information security to spark meaningful conversations about strengthening collaboration and enhancing your organization’s cyber resilience.
