✓ Active ⚠️ Mandatory Priority #6

Cybersecurity Topical Requirement – February 2025 Release IIA

Mandatory cybersecurity audit requirement effective February 5, 2026, enhancing consistency in cyber risk assessments.

📅 Effective: February 5, 2026
🔄 Next Review: February 5, 2027

🎯 Key Focus Areas

  • Information security governance evaluation
  • Technical control assessment procedures
  • Incident response capability review
  • Compliance framework validation
  • Emerging technology risk assessment

📋 Requirement Details

The IIA’s first mandatory Topical Requirement focuses on cybersecurity risk assessment and audit procedures. Released in February 2025 and effective February 5, 2026, this requirement aims to enhance the consistency and quality of internal audit services related to cybersecurity risks. It provides comprehensive guidance on evaluating information security governance, assessing technical controls, reviewing incident response capabilities, and validating compliance with cybersecurity frameworks. The requirement addresses emerging technologies including cloud security, artificial intelligence risks, IoT vulnerabilities, and supply chain cyber threats. Internal audit functions must develop specific competencies in cybersecurity auditing and maintain current knowledge of the evolving threat landscape.

📄 Reference Documents

  • 2025 IIA Cybersecurity Topical Requirement
  • NIST Cybersecurity Framework
  • ISO 27001:2022
  • Forvis Mazars Implementation Guide
Published: April 7, 2026
Last Updated: April 7, 2026

Sign In

Welcome back! Enter your credentials to continue.

Forgot password?
Don't have an account? Sign Up

Create Account

Join us today. It only takes a minute.

Already have an account? Sign In