Institute of Internal Auditors Introduces Essential Cybersecurity Guidelines for Auditors
The New Cybersecurity Topical Requirement from The IIA
On February 5, 2025, The Institute of Internal Auditors (The IIA) introduced the Cybersecurity Topical Requirement, marking the first of a series of essential guidelines aimed at combating pervasive risks within organizations globally. This initiative comes in direct response to feedback from practitioners and stakeholders around the world, emphasizing the importance of establishing a solid foundation for assessing cybersecurity measures.
The Cybersecurity Topical Requirement is a crucial component of The IIA’s International Professional Practices Framework® (IPPF®), which also includes the Global Internal Audit Standards™ and Global Guidance. These Topical Requirements serve as benchmarks for evaluating specific areas of risk for organizations, particularly those risks deemed critical enough to be incorporated into audit plans.
According to Anthony Pugliese, President and CEO of The IIA, “Some key risks will remain consistently critical to organizations and their internal audit plans well into the future.” He emphasized that cybersecurity is among the top concerns for entities around the globe and was recognized as the leading risk in The IIA’s 2025 Risk in Focus report. This highlights the timeliness and significance of the Cybersecurity Topical Requirement.
Aimed at enhancing internal audit functions, the new guideline offers an actionable framework that auditors can leverage to evaluate cybersecurity as an integral part of their audits. It outlines key responsibilities, ensures a contemporary risk management strategy to deal with ongoing cyber threats, and highlights the necessity for an effective internal control environment.
Furthermore, it is designed to lend flexibility to internal audit functions, allowing them to tailor their audit plans based on their organization’s specific objectives and risk profile. Benito Ybarra, Executive Vice President of Global Standards, Guidance, and Certifications at The IIA, stated, “It’s important to note that these Topical Requirements do not compel internal audit teams to address a specific subject. Instead, they offer practitioners the resources and direction needed to assess identified risks systematically.”
Following this release, the next Topical Requirement will focus on addressing risks associated with third-party engagement—an area of increasing concern as businesses rely on external partnerships. Future topics in development by The IIA include a range of areas such as business culture, resilience, anti-corruption, and bribery measures, indicating a holistic approach towards mitigating diverse risks.
These Requirements are developed by a team of subject matter experts and internal audit leaders across various industries. They are informed by comprehensive risk surveys, like the Vision 2035 and Risk in Focus initiatives, and incorporate insights from The IIA’s Global Assembly. After a rigorous review process by the Global Guidance Council, International Internal Auditing Standards Board, and the IPPF Oversight Council, the Cybersecurity Topical Requirement has been approved and is now ready for implementation.
To further assist organizations in navigating the complicated landscape of cybersecurity, The IIA provides numerous resources such as webinars, training programs, and certification opportunities. For anyone interested in enhancing their understanding of cybersecurity measures and practices, these resources represent a wealth of knowledge and guidance.
In summary, the launch of the Cybersecurity Topical Requirement signifies a proactive step by The Institute of Internal Auditors to equip organizations with the necessary tools to enhance their cybersecurity posture. By providing a structured basis for internal audit functions to evaluate cybersecurity, The IIA reinforces its commitment to supporting organizations in achieving their operational objectives while effectively managing risks.
For additional information, or to explore the resources available for navigating the complexities of cybersecurity, you can visit The IIA’s Cyber Resource Center for invaluable insights and tools.