IIA Cybersecurity Topical Requirements: The Basics

April 23, 2026

Contributors: Jessica R. Dore, CISA

The Basics

  • The Institute of Internal Auditors (IIA) has established a mandatory baseline for cybersecurity internal audits, guiding internal auditors in evaluating governance, risk management, and controls against 17 specific requirements.
  • Effective Feb. 5, 2026, the framework standardizes how cybersecurity risks are assessed across multiple organizational functions.
  • Implementation requires auditors to document the applicability of each requirement at the individual engagement level, providing clear justification for any exclusions while ensuring that even non-IT audits address relevant cyber risks.

______________________________________________________________________________________________

What Your Organization Needs to Know

The IIA’s Cybersecurity Topical Requirement is a regulatory framework that represents the first of several topical requirements that will fundamentally reshape how internal audit functions approach high-priority risks in 2026 and beyond.

The Topical Requirement provides a consistent framework internal auditors can use to evaluate cybersecurity. It presents an opportunity to standardize the approach for assessing cybersecurity across internal audit engagements. Utilizing the requirement demands thoughtful integration into internal audit engagement-level planning.

Why Did the IIA Change Cybersecurity Audit Requirements?

The IIA introduced the Cybersecurity Topical Requirement to address the lack of a standardized assessment baseline for what is now a pervasive, organization-wide risk. By establishing a mandatory framework for governance, risk management, and controls, the requirement shifts the focus from a surface-level check of a program’s existence to a deeper evaluation of whether its processes are actually designed and operating effectively.

What Are the 17 IIA Cybersecurity Topical Requirements?

The IIA organizes its cybersecurity requirements across three core areas:

How to Implement the Cybersecurity Requirement

Your organization should assess whether the new requirements apply whenever one of the following “triggers” occurs:

  • Audit Planning: Evaluate any engagement already listed on your annual internal audit plan to see if it carries cybersecurity implications.
  • Fieldwork Discovery: Apply the requirements if you identify unforeseen cyber risks while already performing an audit.
  • Ad Hoc Requests: Review any new, unplanned audit requests to determine if they involve systems or data that fall under the topical scope.

If your organization already maintains robust cybersecurity programs with regular board updates, comprehensive risk assessments, and mature control environments, internal audit’s role shifts to validation. This doesn’t diminish the Topical Requirement’s importance but positions internal audit as a value-added partner, providing assurance that strong practices are in place and operating effectively.

Where Organizations May Struggle

The most challenging aspect of the requirement is determining the applicability of the individual requirements at the internal audit engagement level.

This is where confusion often arises because not all requirements may be applicable for every internal audit engagement in the plan. In that case, internal auditors must document applicability, including clear justification for any excluded requirements.

A Nuanced Distinction

Consider an accounts payable audit. The engagement is not directly related to cybersecurity, but imagine if, during the initial walkthrough, the engagement team determines that a web portal used for vendor-invoice submission presents cybersecurity risks. Once the engagement team identifies the relevant risks, internal auditors must review the Cybersecurity Topical Requirement and determine which requirements are applicable. Not all may be applicable. The key is to ensure that the rationale for excluding any requirements is properly documented.

How Can Teams Comply with the Topical Requirement?

Teams can integrate the IIA’s Cybersecurity Topical Requirement into their 2026 audit plan by ensuring the Cybersecurity Topical Requirements are considered during engagement-level planning and scoping.

Individual Engagement Scoping

For each planned internal audit engagement, ask this: Does this process involve systems, data, or access that present cybersecurity risks? If so, document your assessment and rationale for whether each requirement applies, and also document the rationale for excluding any requirements.

Remember: The requirement is mandatory for assurance engagements but still recommended for advisory engagements.

Your Takeaways

  • The IIA Cybersecurity Topical Requirement is effective now and mandatory for those that adhere to the IIA Standards.
  • For IA functions that do not fully conform to the IIA Standards, the Cybersecurity Topical Requirement is still strongly recommended as a leading practice.
  • The Topical Requirement provides a standardized framework for internal audit functions to evaluate cybersecurity risk.
  • Required at the engagement level, the approach requires thoughtful implementation.
  • Documentation is critical: Detail why a requirement is in-scope or not in-scope for internal audit engagements that contain cybersecurity risks.
  • Additional topical requirements are coming, so ensure your internal audit function is aware of the effective dates and requirements.

Need Help Navigating the Requirement?

Our Risk Advisory team can help translate the IIA’s Cybersecurity Topical Requirement into a practical, scalable audit approach for your organization. Additionally, whether you need support with gap assessments, methodology development, or team training, we can help you implement the requirement efficiently and effectively. To discuss your organization’s specific cybersecurity challenges and opportunities, reach out to Jessica Dore at [email protected].

Frequently Asked Questions

Q: Does every internal audit engagement now require a full cybersecurity assessment?

A: No, the requirements are applied based on the scope of the specific engagement. While the framework provides a standardized list of 17 requirements, auditors must determine which individual points are relevant to the systems, data, or access points involved in that specific audit and document the rationale for any requirements that are excluded.

Q: Is compliance with these topical requirements mandatory for all organizations?

A: The Cybersecurity Topical Requirement is mandatory for internal audit functions that adhere to the IIA Standards. For organizations that do not fully conform to these standards, the IIA still strongly recommends the framework as a leading practice for maintaining a robust and consistent defense against cybersecurity risks.

Q: What other regulatory changes are expected from the IIA in the near future?

A: The cybersecurity requirement is the first in a series of new frameworks designed to reshape internal audit approaches. Additional requirements scheduled for 2026 include Third-Party Risk Management (effective Sept. 15), Organizational Behavior (effective Dec. 15), and Organizational Resilience (expected April 30, 2027).

Note: This article is provided for informational purposes. For more information about the IIA Cybersecurity Topical Requirement, including a downloadable , please visit