With cybersecurity threats on the rise, all teams must be working in concert to protect their organizations effectively. The reality, however, is that key players like internal audit and information security often operate in silos and bristle at the thought of cybersecurity audits. To improve this process for both functions, The Institute of Internal Auditors (IIA), a global professional standards-setting body, has introduced Topical Requirements, which address specific subject areas that pose unique risks and challenges. Their first requirement tackles cybersecurity and offers a roadmap for consistency and collaboration between audit and InfoSec.
Gain a better understanding of the new requirement below, then download our must-have Cybersecurity Audit Survival Kit to learn best practices for conducting a cybersecurity audit under the new requirements and get a checklist for cybersecurity audit readiness.

Quick Overview of The IIA’s Cybersecurity Topical Requirement
Historically, internal auditors have approached cybersecurity with varying levels of rigor, often depending on the organization’s size, sector, and the auditor’s familiarity with cyber risks. Recognizing cybersecurity’s critical and universal nature, The IIA introduced its Cybersecurity Topical Requirement as the first subject under its new Topical Requirements framework.
The Cybersecurity Topical Requirement ensures that internal auditors approach cybersecurity audits with a consistent methodology. It emphasizes the need for auditors to develop a thorough understanding of the cybersecurity landscape, encompassing potential threats, vulnerabilities, and the implications of cyber incidents for organizational operations. By establishing a baseline for cybersecurity audits, The IIA provides a roadmap that organizations of all sizes can adopt, promoting consistency and reducing the variability that has historically characterized cybersecurity audits.
Unlike traditional audit approaches that often treat cybersecurity as an isolated risk, this requirement mandates that cybersecurity risks be integrated into audit plans continuously. This shift recognizes that cyber threats are dynamic, requiring an ongoing and adaptive audit approach.
Collaboration is a foundational part of the guidance. Internal auditors are encouraged to work closely with InfoSec teams to understand the organization’s cybersecurity posture comprehensively. Collaboration is essential for evaluating cyber controls effectively and fostering a shared commitment to organizational resilience.
Specifics of the Cybersecurity Topical Requirement
The Cybersecurity Topical Requirement is designed to standardize and enhance internal auditors’ approaches to cybersecurity audits and give InfoSec teams insight into the control expectations that the auditors will be assessing. The guidance starts by listing requirements in three domains: Governance, Risk Management, and Controls.
The guidance includes two documents: the Topical Requirement and a Topical Requirement User Guide.
- The Topical Requirement summarizes the three domain areas as “a minimum baseline for assessing cybersecurity in an organization.” Under each area, the document lists the applicable requirements internal auditors must assess.
- The User Guide supplements the summary with detailed considerations for applying the requirements within each domain. These detailed instructions provide a step-by-step guide to conducting a cybersecurity audit. The User Guide also includes a mapping to the NIST Cybersecurity Framework 2.0, COBIT 2019, and NIST 800-53. The final section of the User Guide is a sample audit program that can be used as a resource for designing specific audit test steps.
Key aspects of the guidance include:
- Comprehensive Understanding of Cyber Risks: Internal auditors must gain a thorough understanding of the cybersecurity landscape, including the potential threats, vulnerabilities, and impacts unique to their organization. This marks a departure from traditional approaches that treat cybersecurity as a niche domain.
- Integration With Audit Plans: Cybersecurity risks must be woven into audit plans throughout the year rather than being isolated to annual reviews. This ensures that audits remain relevant in the face of rapidly evolving threats.
- Collaboration With InfoSec Teams: Auditors are encouraged to work closely with InfoSec counterparts to align on objectives, share knowledge, and achieve a comprehensive assessment of cybersecurity controls.
- Minimum Standards for Cybersecurity Audits: The guidance sets clear expectations for the scope and depth of cybersecurity audits, ensuring consistency across organizations of all sizes.
While the guidance is written from an auditor’s perspective, its content is valuable to anyone protecting an organization from cyber threats. The appendices, in particular, are a solid roadmap for evaluating an organization’s control environment, regardless of your role. By providing these standards, The IIA has created a resource for improving audit quality and fostering better relationships between auditors and InfoSec professionals, bolstering cyber resilience.
Governance Requirements for Cybersecurity
Internal auditors must assess how effectively an organization’s governance processes address cybersecurity risks during their audits. For governance, this involves ensuring that cybersecurity policies and procedures are established, regularly updated, and aligned with widely recognized frameworks such as NIST or COBIT.
Organization leaders must define and assign clear roles and responsibilities for cybersecurity to qualified individuals. Auditors should also verify that updates regarding cybersecurity strategies, risks, and controls are communicated regularly to the board. Additionally, it is important to confirm that key stakeholders, including leadership and strategic vendors, are actively engaged “to discuss and act on existing vulnerabilities and emerging threats in the cybersecurity environment.” Furthermore, the essential resources needed to support these initiatives, such as funding, training, and technology, should be identified and communicated.
Risk Management in Cybersecurity
Auditors evaluate whether an organization’s risk management processes effectively address cybersecurity risks. The risk management evaluation includes verifying that a structured approach is in place to identify, analyze, and mitigate IT and cybersecurity risks, with input from cross-functional teams and external stakeholders as necessary.
Risk management policies must be established, regularly updated, and aligned with recognized frameworks. Clear accountability should be designated to monitor and respond to emerging risks. The processes should facilitate the escalation of critical risks that reach “an unacceptable level according to the organization’s established risk management guidelines,” ensure compliance with legal and contractual obligations, and manage risks associated with third parties. Additionally, auditors will assess data protection measures, such as encryption practices and data retention policies, and communicate any cybersecurity operational risks to management and employees.
Control Processes for Cybersecurity
Internal auditors must assess the organization’s cybersecurity controls to determine whether they are properly designed and implemented. This involves prioritizing controls based on risk, effectively allocating resources, and providing necessary staff training. Policies should encompass all facets of cybersecurity operations, including system development lifecycle integration, hardware management, and production support.
The requirement calls for IT general controls like “configuration, end-user device administration, encryption, patching, user-access management, and monitoring availability and performance.” Controls must cover areas such as network security, email, file sharing, and the physical security of high-risk information centers. Additionally, auditors must ensure that the organization has effective incident response and recovery procedures in place and that cybersecurity is integrated with service delivery processes, such as change management and help desk operations.
How the Requirement Impacts Your Job
Introducing the Cybersecurity Topical Requirement has far-reaching implications for internal auditors and InfoSec professionals, both in their individual roles and in their working relationships.
For InfoSec professionals, the requirement provides greater clarity regarding audit expectations. By outlining specific focus areas, the Cybersecurity Topical Requirement enables InfoSec teams to prepare more effectively, reducing the uncertainty and stress often accompanying audits. The guidance also encourages InfoSec teams to adopt a proactive approach by conducting self-assessments and addressing vulnerabilities before they become audit findings. This proactive engagement streamlines the audit process and demonstrates a commitment to continuous improvement, strengthening the organization’s cybersecurity posture.
For internal auditors, the requirement represents a significant expansion of responsibilities. Auditors are now expected to better understand cybersecurity, including technical concepts and risk management frameworks, especially those currently used within their organizations. This shift requires auditors to invest in continuous learning and engage more closely with InfoSec counterparts. By doing so, auditors can enhance their ability to assess cybersecurity risks effectively and provide actionable recommendations supporting organizational goals.
Impacts for InfoSec Professionals
For InfoSec teams, the guidance offers a clearer understanding of audit expectations and introduces auditors as allies in the fight against cyber threats.
- Predictability in Audit Focus: The guidance outlines specific focus areas for cybersecurity audits. InfoSec teams can use the guidance to conduct self-assessments and to identify and address vulnerabilities before they become audit findings. Having the audit program from the appendices means you know exactly what kind of questions the auditors will ask.
- Support for Resource Allocation: Auditors can serve as independent advocates for cybersecurity investments, lending credibility to requests for additional funding, tools, or personnel. As cybersecurity experts, the InfoSec team can guide the auditors to areas that need improvement and additional resources. They can present your case to senior management and make a proper argument as long as they understand the details.
- Improved Collaboration: With auditors now equipped to understand cybersecurity risks, InfoSec professionals can work more effectively with them to align priorities and present a united front to leadership. Since auditors will conduct work across the organization, they can push for stronger cybersecurity controls in areas the InfoSec team may never reach directly.
Impacts on Internal Audit Professionals
For internal auditors, the Cybersecurity Topical Requirement represents both a challenge and an opportunity.
- Expanded Responsibilities: Auditors must understand cybersecurity more deeply, including technical terminology, frameworks, and risk management practices. This requires continuous learning and closer collaboration with InfoSec to understand the organization’s risk appetite for cyber risks.
- Enhanced Collaboration: The guidance emphasizes breaking down silos between audit and InfoSec. A collaborative approach allows auditors to understand the organization’s risk landscape and application of control processes. To be effective, you must learn from your InfoSec partners.
- Advocacy for Cybersecurity Investments: Internal auditors can use their findings to advocate for stronger cybersecurity measures, helping secure needed resources to mitigate risks effectively. The chief audit executive (CAE) holds a unique position as one of the few people who speak directly to the board, and can therefore make a well-informed argument for allocating resources.
- Driving Continuous Improvement: By identifying gaps and recommending actionable solutions, auditors can be trusted partners in enhancing the organization’s security posture. Cybersecurity is not a topic for a single audit but a pervasive concept that permeates the organization. As with fraud risk, cybersecurity risk should be considered in every audit.
Seize the Opportunity for Better Cybersecurity Audits
The Cybersecurity Topical Requirement offers a chance for audit and InfoSec teams to get aligned in the fight against cyber threats and strengthen business resilience. For internal auditors, this guidance can help you assess cybersecurity risks more effectively. For InfoSec professionals, this is an opportunity to align with audit objectives and secure resources for key security initiatives. We hope you’ll download a copy of our Cybersecurity Audit Survival Kit to share with your colleagues and help you get started.