
The cyber security topical requirement forms part of a broader overhaul of the International Professional Practices Framework (IPPF), and it is the first one to become mandatory. Sitting alongside the Global Internal Audit Standards, the topical requirements set the minimum baseline for how specific high-risk areas should be assessed by internal audit functions. Further topical requirements are pending, covering third-party risk management (from September 2026), organisational behaviour (from December 2026), and others through 2027.
The formalised expectations reflect cyber security’s position as the leading concern for boards and audit committees, following a series of high-profile cyber incidents in the UK. For example, the attacks on UK retailers in early 2025 led to empty shelves, unavailable online trading, and disruption lasting for months. A later attack affecting the automotive sector was assessed as the single most financially damaging cyber event ever to hit the UK, halting production and leaving a trail of disruption up and down the manufacturer’s supply chain. In each of these cases, third-party relationships appear to have been exploited as the entry point, consistent with the finding in Verizon’s Data Breach Investigations Report that 30% of breaches in 2024 involved a third party, double the rate of the year before.
Consequently, chief audit executives, audit committees, and audit teams need to ensure they have appropriate and demonstrable assurance over a broad range of cyber risks.
How will this requirement apply?
The Topical Requirement applies in three circumstances:
- When cyber security is the subject of a planned internal audit / assurance engagement.
- When cyber security risks emerge during an engagement that was not originally focused on cyber security.
- When a cyber security engagement is requested outside the original audit plan (for example, when the internal audit team is asked to review controls following a specific incident).
The breadth of this applicability is an important part of the new requirements. Internal auditors cannot treat the requirement as relevant only to dedicated cyber security or technology audits, because it can become relevant to any internal audit engagement that touches on cyber security risk.
Auditors’ professional judgement will need to govern which parts of the topical requirement are relevant to each engagement; given the breadth of the requirement, not every part will apply to every audit. Importantly, where parts of the requirement are excluded from scope, a documented rationale will need to be retained to explain the decision.
For most organisations, particularly those with larger internal audit plans, meeting the topical requirements may be demonstrated across several in-depth audit engagements. The IIA is clear that there is no requirement for a single comprehensive cyber review to tackle the full breadth of the requirements. The IIA’s User Guide includes an optional documentation tool to help teams record these decisions and demonstrate how they are achieving coverage.
What the requirement covers
All Topical Requirements are structured around three pillars, which align with the IIA’s standards as follows:
- Governance: Assessments must cover cyber security strategy, board-level reporting, cyber security policies, roles and responsibilities, and engagement with emerging cyber security threats amongst senior leaders in the business.
- Risk management: Here audit coverage should include cyber security risk identification and mitigation measures, coverage of cyber security risk management activity, risk escalation processes, and testing incident response capabilities.
- Controls: This is the most technically detailed part of the topical requirement and the one that will be most familiar to cyber security auditors. It covers seven broad areas of cyber security:
- assessing systems for confidentiality, integrity, and availability
- cyber security talent management
- threat and vulnerability monitoring and reporting
- IT asset lifecycle management
- three further areas that together cover a wide range of technical topics, including encryption, patching, access management, monitoring, DevSecOps, network security, and endpoint communication security.
These final three areas squeeze a potentially enormous amount of highly technical audit work into some very broad requirements.
It’s important to note that the requirement is only intended to set a minimum baseline for cyber security audit. For organisations that consider their cyber security risk to be high, internal auditors are expected to go beyond that baseline and assess areas that the requirement does not explicitly cover.
Common mistakes to avoid
Implementing the IIA requirements can strengthen the organisation’s cyber security posture and give senior management greater assurance over the associated controls. However, there are several key pitfalls to avoid if the work is to add value across the business.
Seeing cyber as a tick-box exercise
The IIA guidance around the topical requirements specifically warns against treating cyber security as a periodic, tick-box exercise, but there is a real risk that this is how internal audit teams will treat the lengthy and detailed requirements. Cyber security is a continuous and evolving risk area, and the IIA’s expectation is that internal audit functions will continue to evolve their approach alongside it.
Not keeping pace with evolving cyber risks
As anyone who has seen real-life cyber security incidents knows, addressing threats and responding to incidents is a fast-paced process in which information quickly becomes outdated. The broader cyber landscape is also evolving almost daily, with new threats and attack vectors emerging all the time. Audit functions will need to mirror this pace in their dealings with cyber security teams so that audit work is timely and addresses the live risks to the business.
Not considering the role of third parties/cloud providers
Where there are significant third-party or cloud dependencies, vendor controls will need to be explicitly included within audit scopes rather than excluded. The IIA’s guidance specifically references the review of System and Organisation Controls (SOC) reports from vendors; in practice, that review means checking the report’s scope, period, auditor’s opinion and any exceptions, and confirming that the complementary user entity controls the report assumes are actually in place on the organisation’s side. The upcoming third-party risk management topical requirement will only increase the focus on managing these risks.
What do audit functions need to do?
For internal audit teams to meet the cyber security topical requirement they will need to focus on four key areas:
Audit planning
Cyber security needs to be embedded into the annual audit planning process, with coverage of the cyber security topical requirement mapped across the various planned engagements on the internal audit plan. Where elements of the topical requirements are addressed through multiple engagements over the course of a year, that approach must be clearly documented to demonstrate coverage.
Audit methodology
Existing audit testing programmes may need to be updated to address the three pillars of the cyber security topical requirement in a structured way. Teams that already work to a recognised cyber security framework such as NIST CSF 2.0, COBIT 2019, or NIST SP 800-53 will benefit from mapping the IIA topical requirement to the framework they already use, so that existing test steps can be reused and any gaps become visible.
Audit capability
There is certainly no need for all auditors to become cyber security specialists, but sufficient technical literacy will be required to ask the right questions and identify relevant cyber risks across all audits. Where internal audit functions lack the technical skills to perform detailed assessments, the IIA suggests either outsourcing those engagements or bringing in external technical expertise.
Audit documentation
Decision making around covering, and perhaps more crucially, excluding parts of the cyber security topical requirements, should be supported by documented rationale. Quality assessors and regulators will expect to see that coverage decisions were made in a deliberate and justified way, rather than by default.
The bottom line
The introduction of topical requirements, starting with cyber security, marks a shift in how the IIA is framing organisations’ internal audit obligations. Assurance on the risks that matter most to businesses will not be left to individual teams’ discretion and will increasingly be governed by these mandatory standards.
On reviewing the Topical Requirement, some internal audit functions may determine that they already meet or exceed it, particularly mature functions that regularly assess cyber security risk, in which case no additional action will be needed. For others, however, it will represent a significant step up in their coverage of cyber security risk.
To discuss this topic or any other risk related areas with us, please get in contact with James Durrant.