Why Add Cybersecurity to Internal Audit Plans?
The Institute of Internal Auditors (IIA) has started to release topical requirements. These Topical Requirements are part of the 2024 International Professional Practices Framework (IPPF) and are mandatory for assurance services. They must be implemented within twelve months of their effective date. The IIA has selected high-risk areas and is providing minimum audit standards for these areas. The goal is to provide consistency when auditing these high-risk areas.
What is the IIA Cybersecurity Topical Requirement?
The Cybersecurity Topical Requirement was issued February 2025. According to Statista, cybercrime cost in the US is predicted to reach $639.2 billion in 2025. This provides an incentive for businesses to include cybersecurity on their audit plan. The Cybersecurity Topical Requirements should also be applied when a cybersecurity risk or issue is identified during an audit and when there is an engagement request outside of the original plan.
For Cybersecurity, three domains are emphasized: Governance, Risk Management, and Control Processes. The requirements provide the minimum baseline requirements for each of these areas:
Governance
The organization must have formal cybersecurity strategies and objectives with regular updates based upon risk assessments. These cybersecurity strategies and objectives should form the basis for cybersecurity reporting to the board of directors. In addition, these reports should also inform reporting to the Securities and Exchange Commission (SEC).
Strong cybersecurity policies and procedures are in place. Roles and responsibilities are assigned to resources with the knowledge, skills, and abilities to fulfill the roles. There are adequate knowledgeable resources and controls implemented to provide reasonable assurance that cybersecurity threats are contained.
Risk Management
The organization’s risk management process includes the assessment of cybersecurity risks. The individuals accountable for risk management include resources with adequate knowledge and skills to assess cybersecurity risks. Internal Auditors evaluate the organization’s Incident Response Plan and process. The organization has a cybersecurity awareness program that includes metrics to evaluate the effectiveness of the program.
Control Processes
The cybersecurity controls implemented by the organization should be monitored on a continuous basis with periodic independent evaluations of the controls.
- The organization has a continuous monitoring process that maintains awareness of current cybersecurity threats and proactively adjusts controls to mitigate current threats.
- The organization has a vendor management process that evaluates and monitors third-party controls. Third-party controls provide assurance of the confidentiality, integrity, and availability of the services and data under the control of the third party.
- Cybersecurity is included in life-cycle management for IT assets and the system development life cycle for application software assets.
- There are adequate cybersecurity controls in place for all the security domains. Security control frameworks, such as Control Objectives for Information and Related Technologies (COBIT) and those published by the National Institute of Standards and Technology (NIST), are used to inform the implementation of the cybersecurity controls.
- Independent evaluations are conducted by auditors who are knowledgeable on cybersecurity internal controls evaluations.
Summary
Cybersecurity threats are a key risk for all organizations. Many organizations struggle to justify the high cost of implementing strong cybersecurity controls and of maintaining knowledgeable resources to monitor and maintain those controls. This struggle includes Internal Audit. The demand for evaluations of cybersecurity controls usually does not require a full-time resource. A solution is for organizations to use co-sourced internal audit resources to perform the complex cybersecurity audits. With the right co-sourcing strategy, Internal Audit can also receive valuable training for its internal resources. This will increase the level of knowledge of internal resources and provide a better opportunity to incorporate identification of cybersecurity risk during non-cybersecurity audits.
Looking Forward
The IIA plans to continue to release Topical Requirements. Third-Party Risk Management has been released for comment. The IIA is also planning to release Topical Requirements for business culture, business resilience, and anti-corruption and bribery.
To learn more about adding the cybersecurity Topical Requirement to Internal Audit plans, please contact Elaine Nissley, Director.
About the Author
Elaine is a Director with McKonly & Asbury. Her primary responsibilities include management of the Cybersecurity Maturity Model Certification (CMMC) Assessment group where she handles business development and client relations…