IIA Cybersecurity Topical Requirements: Strategies & Best Practices

See best practices to help internal audit conform with the IIA’s Cybersecurity Topical Requirements.

Conformance Is Not One Size Fits All

As internal audit functions (IAFs) prepare to implement the Institute of Internal Auditors’ (IIA) Cybersecurity Topical Requirements, it’s important to recognize that conformance is not a one-size-fits-all exercise. Each organization has its own culture, structure, and way of applying controls across business units. What works for one internal audit department may not work for another.

To be effective, internal audit teams must think creatively and strategically about how to apply the requirements in a way that aligns with their organization’s unique risk profile, operational complexity, and governance model. This means tailoring risk assessment and audit approaches, stakeholder engagement, and documentation practices to reflect the diverse environments in which cybersecurity risks are managed.

The IIA’s requirements are designed to drive consistency across the profession, but how that consistency is achieved may vary. The following strategies and best practices offer flexible, practical ways to conform while helping deliver meaningful assurance and value. IAFs should engage with leadership to fully understand the organization’s cybersecurity efforts—including governance, risk management, and existing assurance activities—to inform the IAF’s cybersecurity risk assessment and determine which approach may fit best.

When Do the Cybersecurity Topical Requirements Apply?

IAFs must apply the cybersecurity topical requirements when:

  • Cybersecurity is included in the internal audit plan.
  • Cybersecurity risks are identified during an assurance engagement.
  • A cybersecurity-related assurance engagement is requested, even if it falls outside the original audit plan.

A key component of conformance is to document your approach, maintain evidence that each requirement was assessed for applicability when covered in the audit plan, and include the rationale for any exclusions.

Three Approaches to Compliance

Approach 1: Mapping Requirements to the Annual Audit Plan During Risk Assessment

Best suited for: Large, complex organizations with decentralized operations and varied cybersecurity risks across business units.

Objective: Integrate cybersecurity topical requirements directly into the annual risk assessment and audit planning process.

Steps:

  1. Identify Cybersecurity Requirements: Review the IIA’s Cybersecurity Topical Guidance and extract key control areas and expectations.
  2. Risk Assessment Integration: Evaluate cybersecurity risks across business units and IT functions during the annual risk assessment.
  3. Audit Plan Mapping:
    • Embed relevant aspects of the cybersecurity requirements into audits already planned, e.g., finance, operations, or third-party risk management, where applicable.
    • Tailor cybersecurity considerations to the scope and objectives of each audit.
  4. Documentation: Clearly document how each requirement is addressed within the audit plan to demonstrate coverage and compliance.

Benefits: Embeds cybersecurity into the broader audit strategy without requiring separate audits, helping ensure efficient and risk-aligned coverage across a diverse enterprise.

Approach 2: Conduct an Overarching Cybersecurity Audit & Leverage It Across All Audits

Best suited for: Smaller or more centralized organizations where cybersecurity controls are applied uniformly across the enterprise.

Objective: Perform an in-depth cybersecurity audit and use its findings and framework to inform other audits throughout the year.

Steps:

  1. Annual Cybersecurity Audit: Conduct a detailed audit covering cybersecurity governance, risk management, and control effectiveness.
  2. Develop a Cybersecurity Control Framework: Establish a baseline of cybersecurity expectations and maturity.
  3. Leverage Across Audits: Apply the framework to other audits, e.g., procurement, HR, or finance, to help ensure cybersecurity is consistently considered.
  4. Cross-Audit Reporting: Reference the overarching audit in subsequent audit reports to demonstrate how cybersecurity risks are addressed.

Benefits: Provides a centralized view of cybersecurity posture and helps ensure consistent integration across all engagements with minimal duplication of effort.

Approach 3: Hybrid Approach – Combine Risk-Based Mapping & Multiple Cybersecurity Audits

Best suited for: Very large, complex organizations with diverse business units, varying cybersecurity maturity levels, and distributed control environments.

Objective: Enhance coverage and efficiency by combining both strategies—mapping requirements to the audit plan and conducting multiple targeted cybersecurity audits.

Steps:

  1. Conduct Multiple Cybersecurity Audits: Perform several audits across different business units or domains, e.g., cloud security, identity and access management, or third-party risk.
  2. Integrate Into Risk Assessment: Use insights from these audits to inform the annual risk assessment and audit planning.
  3. Map to Audit Plan: Identify intersections between cybersecurity and business risks, embedding cybersecurity objectives into relevant audits.
  4. Continuous Monitoring: Treat these audits as living documents, updating them as new risks and controls emerge.
  5. Reporting & Assurance: Demonstrate how the combination of targeted cybersecurity audits and integrated engagements collectively meets the IIA requirements.

Benefits: Offers the most robust assurance model for complex environments by combining strategic oversight with deep, domain-specific coverage.

Other Tips & Best Practices for Conformance

  1.  Socialize the Requirements Within the Internal Audit Team

Before engaging with stakeholders across the organization, it’s essential to make sure that the internal audit team itself is fully aligned on the IIA Cybersecurity Topical Requirements. Socializing the requirements internally helps build a shared understanding of expectations, promotes consistency in execution, and strengthens the team’s ability to communicate effectively with business units.

Key actions include:

  • Conduct internal training sessions to walk through the requirements, their purpose, and when they apply.
  • Facilitate team discussions on how the requirements intersect with different types of audits and how to apply professional judgment in determining relevance.
  • Develop internal guidance or templates to help auditors document applicability assessments and rationale for exclusions.
  • Encourage knowledge sharing among team members who have cybersecurity knowledge or experience auditing technical areas.

Building internal awareness and confidence will help the audit team be better equipped to apply the requirements thoughtfully and consistently across engagements, regardless of the audit’s primary focus.

  2.  Engage Stakeholders & Communicate Effectively

  • During annual risk assessments or periodic meetings, share the requirements with cybersecurity leadership and key stakeholders.
  • Clarify how internal audit will assess cybersecurity and what evidence will be needed.
  • This transparency can prompt management to proactively strengthen controls and reduce audit findings.

  3.  Leverage Established Frameworks

Use recognized cybersecurity frameworks to guide your audit criteria and enhance credibility:

  • NIST Cybersecurity Framework
  • COBIT
  • ISO/IEC 27001

These frameworks align well with the IIA’s expectations and provide a structured approach to evaluating cybersecurity controls.

  4.  Prepare for Quality Assessments

Make sure your IAF can demonstrate conformance during external quality assessments by:

  • Maintaining documentation of how each requirement was addressed.
  • Including cybersecurity topical conformance in your internal Quality Assurance and Improvement Program (QAIP).

  5.  Promote Continuous Improvement

  • Regularly review and update your cybersecurity audit practices based on emerging threats, regulatory changes, and lessons learned.
  • Invest in training and upskilling auditors in cybersecurity to maintain audit quality and relevance.

  6.  Don’t Create a Checklist for Each Audit

Avoid treating the topical requirements as a rigid checklist for every engagement, as this approach adds friction without delivering value. Instead, apply professional judgment to determine which requirements are relevant based on the audit’s scope and objectives. This flexible approach helps ensure that audits remain focused, efficient, and risk-based.

Conclusion

The IIA’s Cybersecurity Topical Requirements represent a significant step toward standardizing how IAFs address one of the most critical risk areas facing organizations today. But conformance is not about uniformity—it’s about intentional, principled, and risk-aligned assurance.

By selecting the right approach—tailored to the organization’s size, complexity, and control environment—and applying best practices creatively, internal audit can provide meaningful assurance and help drive value across the enterprise.

If you have any questions or need assistance, please reach out to a professional at Forvis Mazars.