Topical Requirements aim to address the most pervasive risk areas globally
Lake Mary, FL (February 5, 2025) – The Institute of Internal Auditors (The IIA) today released the Cybersecurity Topical Requirement, the first of several Topical Requirements to be published this year. Incorporating feedback from global practitioners and stakeholders, the Cybersecurity Topical Requirement provides a baseline approach to assessing the design and implementation of cybersecurity governance, risk management and control processes.
Topical Requirements are one of three key elements of The IIA’s International Professional Practices Framework® (IPPF®), alongside the Global Internal Audit Standards™ and Global Guidance. They provide a consistent baseline for assessing specific risk areas. When evaluating potential subjects for the Topical Requirements, The IIA considered pervasive risks which are most likely to impact organizations globally and therefore be included in audit plans.
“While internal audit priorities naturally evolve, some key risks will remain consistently critical to organizations and their internal audit plans well into the future,” said Anthony Pugliese, CIA, CPA, CGMA, CITP, President and CEO of The IIA. “Cybersecurity continues to be a top concern for organizations worldwide – in fact, it was once again ranked as the top risk in The IIA’s Risk in Focus 2025 report – and is fitting as the subject for our first Topical Requirement.”
The Cybersecurity Topical Requirement provides a baseline approach for internal audit functions when they assess cybersecurity as an audit topic or when cybersecurity is identified as a risk within other audits. Among other key requirements, this includes establishing clear roles and responsibilities within the organization regarding cybersecurity strategic objectives, ensuring a robust and up-to-date risk management approach to account for recurring cyber risks, and ensuring that management has established an effective internal control environment.
“Internal Audit functions have the flexibility to craft audit plans tailored to the unique needs, objectives, and risk profile of the organization they serve,” said Benito Ybarra, IIA Executive Vice President of Global Standards, Guidance, and Certifications. “It’s crucial to understand that Topical Requirements do not mandate internal audit functions to examine a specific topic, but rather provide practitioners with the resources and clear direction needed to assess and address priority risks identified in their audit plans in a consistent manner.”
The next Topical Requirement will focus on third-party risk, addressing key aspects of third-party risk management structures that internal auditors must evaluate to mitigate persistent risks. Additional topics in development include business culture, business resilience, and anti-corruption and bribery.
The Topical Requirements are developed by subject matter experts and global internal audit leaders across diverse sectors and industries. They are informed by global risk surveys, including The IIA’s Vision 2035 and Risk in Focus initiatives, as well as external risk and trend reports, and insight from The IIA’s Global Assembly. These requirements undergo a detailed review and approval process by the Global Guidance Council, the International Internal Auditing Standards Board, and the IPPF Oversight Council.
The IIA also offers a host of other resources for navigating the cybersecurity landscape, including webinars, training programs, and certificates. To learn more, visit the Cyber Resource Center.
About The Institute of Internal Auditors and the Internal Audit Profession
Internal auditing is an independent, objective assurance and advisory service designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.
The Institute of Internal Auditors (The IIA) is an international professional association that serves more than 260,000 global members and has awarded more than 200,000 Certified Internal Auditor (CIA) certifications worldwide. Established in 1941, The IIA is recognized throughout the world as the internal audit profession's leader in standards, certifications, education, research, and technical guidance. For more information, visit theiia.org.