Clark Schaefer
The IIA’s New Cybersecurity Topical Requirement: What Internal Auditors Need to Know

A Major Update to Cybersecurity Auditing Standards

On February 5, 2025, the Institute of Internal Auditors (IIA) introduced a new Cybersecurity Topical Requirement, which will take effect on February 5, 2026. This requirement provides a structured framework for internal auditors to assess cybersecurity risks in conformance with the Global Internal Audit Standards™.

For organizations with internal audit functions, this update raises the bar for cybersecurity audits. It introduces mandatory requirements for assurance services and recommended guidance for advisory engagements, ensuring that cybersecurity audits are conducted with consistency, quality, and accountability.

What does this mean for internal auditors and cybersecurity decision-makers? Let’s explore the key changes, challenges, and how organizations can prepare.

What is the Cybersecurity Topical Requirement?

The Cybersecurity Topical Requirement is part of the IIA’s International Professional Practices Framework (IPPF) and aligns with global best practices. It provides a standardized approach to cybersecurity auditing by focusing on three critical areas:

  1. Cybersecurity Governance – Evaluates an organization's cybersecurity strategy, policies, and oversight mechanisms.

  2. Cybersecurity Risk Management – Assesses how organizations identify, mitigate, and monitor cybersecurity risks.

  3. Cybersecurity Controls – Reviews internal controls, vendor security, incident response, and regulatory compliance measures.

Who Does This Cybersecurity Topical Requirement Affect?

Internal auditors must apply the Cybersecurity Topical Requirement when:

  • Cybersecurity is part of the internal audit plan.

  • Cyber risks emerge during an engagement (even if they were not originally in scope).

  • Management, regulators, or the board request a cybersecurity audit.

These requirements help strengthen cybersecurity oversight and protect organizations from cyber threats.

Key Cybersecurity Audit Areas Under the New Requirement

Cybersecurity Governance

Internal auditors must assess whether an organization has:

  • A documented cybersecurity strategy aligned with business objectives.

  • Board oversight of cybersecurity risks, resources, and funding.

  • Up-to-date policies and procedures to manage cybersecurity threats.

  • Clearly defined roles and responsibilities for cybersecurity teams.

Cybersecurity Risk Management

The requirement mandates that internal auditors evaluate:

  • Risk identification, analysis, and mitigation processes.

  • Cybersecurity risk monitoring across all business functions (IT, compliance, HR, finance, supply chain, etc.).

  • Incident escalation procedures for cyber threats.

  • Ongoing risk communication to management and employees.

Cybersecurity Control Processes

Internal auditors must assess how organizations:

  • Protect IT systems and sensitive data through internal and vendor-based security controls.

  • Maintain an incident response and recovery plan that is regularly tested.

  • Implement cybersecurity controls across IT asset management, cloud services, and vendor partnerships.

  • Ensure compliance with cybersecurity frameworks like NIST, COBIT, and ISO 27001.

By applying these standards, organizations can enhance cyber resilience and mitigate threats before they escalate.

Challenges for Internal Audit Teams

While this new requirement is designed to improve cybersecurity audit consistency, many internal audit teams may struggle to implement it due to:

  • Lack of Cybersecurity Expertise – Many internal audit teams lack specialized cyber auditors, making it harder to assess technical risks.

  • Limited Resources – Internal audit teams may not have enough personnel to conduct in-depth cybersecurity audits while balancing other responsibilities.

  • Complexity in Compliance – Cybersecurity audits must align with multiple frameworks and regulations (e.g., NIST, ISO 27001, CMMC, PCI DSS), requiring deep technical knowledge.

For organizations facing these challenges, outsourcing or co-sourcing cybersecurity audits with experienced IT audit professionals can be a practical solution.

How Our IT Audit Services Can Help

At Clark Schaefer Consulting, we specialize in IT Audit Outsourcing and Co-Sourcing to help internal audit teams navigate the complexities of cybersecurity compliance.

  • IT Audit Outsourcing – We conduct full cybersecurity audits on your behalf, ensuring alignment with the IIA’s Cybersecurity Topical Requirement.

  • Co-Sourcing Support – Our cybersecurity specialists collaborate with your internal audit team, providing technical expertise while keeping you in control.

  • Cybersecurity Audit Readiness Assessments – We evaluate your cybersecurity audit approach, identify gaps, and provide a roadmap for compliance before the 2026 deadline.

Whether you need full outsourcing or targeted support, our team ensures your cybersecurity audit program is compliant, effective, and resilient against risks. Contact us today to ensure your cybersecurity audits meet the new standards.

Expert Contributors

Kourtney Nett

Managing Director
As Managing Director, Kourtney collaborates with CSC leadership to drive the growth of the Risk & Controls practice across new geographic regions while overseeing the successful execution of engagements performed by the Risk & Controls team.