00:00:02 Speaker 1
The Institute of Internal Auditors presents All Things Internal Audit Tech. In this episode, Logan Walmsley talks with George Barham about The IIA's newly released Cybersecurity Topical Requirement. They discuss what it means for internal auditors, how to prepare for its 2026 effective date, and why CAEs should take action now. The conversation also highlights the companion user guide, outsourcing considerations, framework references, and IIA resources available to help internal audit functions conform with.
00:00:36 Speaker 3
George, I don't get to see you too often in the office, but it's a pleasure to talk to you today. Thanks for taking some time to chat with me about this. I really appreciate it.
00:00:45 Speaker 2
Hey, Logan, it's good to be with you. Thanks for the time.
00:00:47 Speaker 3
What I wanted to talk to you about today is one of the most exciting things that we've had going on at The IIA this year. Of course, we had our release of the new Standards, the IPPF, but this year we also are combining that with the release of our topical requirements, which are one of the newest additions that we have to the IPPF. They won't take effect until 2026, but I know there's a lot of discussion going around about what the topical requirements entail. The first one that we've released is on cybersecurity. Now that this first topical requirement has been released and people have had some time to digest it, to read it and analyze it, what are you hearing talked about the most? And what have you been discussing?
00:01:31 Speaker 2
Yeah, Logan, I guess it was February this year, February 5th, when we released the Cybersecurity Topical Requirement. Before we actually published it, it went through a public comment period, and we spent some time talking to practitioners across the country and around the globe about what we were trying to do with topical requirements and their intention. And so I think a lot of people had a pretty good understanding of what they would include. And then we also talked about cybersecurity being the first one. So I feel like there was pretty good awareness. But even for people who maybe hadn't heard about it or weren't familiar with the concept, after we released it in February we did a webinar the very next day, which is still available from The IIA, and we continue to follow that process. In it we provided some background information, some of the history of how we developed it, and then actually walked them through the topical requirement. Most people who I've talked to, and the comments we received from that webinar, found it valuable. As far as answering your question on what we're hearing now that they're out, the biggest thing that I'm hearing is just internal auditors saying that it's best to get started on them now versus waiting till when they're effective. They're effective a year after publication, so they'll be effective February 5th of 2026. So I think it's the same understanding as with the Standards: not to wait until they're effective to start doing your work, but to start reading through, making sure you have a good understanding of what's included, and just being as familiar with it as possible.
00:03:09 Speaker 3
Thank you. Yeah. So I know that as part of your job you talk to members and you've been getting feedback since the release. Based on what you're hearing from our members, and I know they love to share feedback with you, what are some of the successful tips that you have heard from chief audit executives as they are working to implement the Cybersecurity Topical Requirement now?
00:03:30 Speaker 2
Yeah. I mean, I think it kind of goes with what we just talked about as far as not waiting, you know, to go ahead and get started. I think when it comes to IT audit and cybersecurity, it's having that skill set, making sure that your internal audit function is positioned well in terms of proficiency and competency to be able to look at some IT controls and IT processes. So that has been something that I've heard a lot of people saying: they're making sure that they have the resources lined up, whether that's internal or maybe an advisor who can help them with this. So I think just lining up your resources, making sure that you know who's going to be working on this, is a key thing. And then also for the people who are doing it in house, having their internal audit function doing it, it depends on your level of skill with IT audit, I guess I would say. So some people are using this as an opportunity to kind of brush up on maybe some of the cybersecurity risks and controls and typical things that you see. So I think one of the biggest things is just trying to get prepared, knowing what you're up against and planning accordingly.
00:04:37
Yeah.
00:04:38 Speaker 3
On the topic of kind of knowing what you're up against, I think The IIA is aware of this. So in coordination with the release of the topical requirement, we also very proudly released the Topical Requirement User Guide. How do you feel this new user guide will support internal auditors as they begin their work in conforming to it?
00:04:59 Speaker 2
Yeah, that's a great question, Logan. The user guide is really a companion to the topical requirement. So the approach that we took to write it: it was written from the standpoint of, you know, define the scope, what we want it to cover, and make sure that it's written in a way that your average internal auditor can understand. By that I mean you don't necessarily have to have a very elaborate IT audit background, so it's written in a way that I think most internal auditors will be able to understand conceptually. And then we also tried to provide a lot of examples. So of course we have the requirements within the topical requirement, and then the user guide provides illustrations and examples. It really helps, for lack of a better phrase, to hold someone's hand to get through the process. So it's written in a way that, hopefully, is easy to understand and easy to read, and it can be used to really help you get through the process.
00:05:57 Speaker 3
As someone who has read it myself and has built some content around it, you guys did a great job. You should be very proud. To anybody listening to this, I highly recommend that you review it. One of the things that kind of strikes me while reading it: I think it's great for hands-on work, but I know there are a lot of internal audit functions out there that, in developing this, tend to have a tendency to outsource, which is, you know, completely necessary. But for internal audit functions that do outsource their cyber audit work, how do you recommend that they work to conform to the topical requirement?
00:06:30 Speaker 2
Yeah, that's a question, Logan, that we're asked quite frequently. At the end of the day, under the IPPF, it's still the chief audit executive's responsibility to ensure conformance with the topical requirement. So that responsibility still resides with the CAE. But in terms of who's actually helping do the work, that's certainly something that internal audit functions can reach out to outsource providers for, people who may be focused more on IT audit. So that's definitely an acceptable way to go about it. However, it's just important to be sure that it's understood that the chief audit executive is responsible for making sure that that happens, reviewing what they do, the work that's performed, if it's outsourced, no different than if another piece of their internal audit function was outsourced to someone else. It's just making sure that it's clearly known that the chief audit executive, at the end of the day, owns the conformance piece of the topical requirement. So they can have people assist them with it, but at the end of the day, they're the ones who are responsible for it.
00:07:30 Speaker 3
One of the most useful aspects of it that I found when I was reading it is the framework references listed in the back, in the appendix. Again, that's something any CAE should probably print out for reference. Can you tell me a little bit about these references and kind of how that was put together?
00:07:46 Speaker 2
Yeah. So cybersecurity, it's a very broad topic. I mean, it touches so many things. I think it would be pretty difficult to come up with a lot of business processes that don't have some aspect of cyber. So that was certainly something we had to keep in mind, that it touches so many things. But I think the good thing about cybersecurity is it's been around for a long time, and so there are a lot of frameworks that have been out there for a while that are widely adopted across the globe. And we really tried to focus on some of those that we thought were the most appropriate, the most applicable for internal auditors. So we chose two of the NIST frameworks, which are 800-53 and in particular the Cybersecurity Framework, and then COBIT 2019 from ISACA as well. We got a lot of input, not just from North America but from the globe, that those are frameworks that are widely used; a lot of organizations use those. And so we did a cross-reference or a mapping between the topical requirement specifics, so each actual requirement, and what organizations might already be using under those frameworks from NIST and COBIT. And there are other frameworks that are out there. Certainly we're not going to map it to everything. But like I said, the number one thing was to be sure that we identified relevant frameworks, kind of tried and tested, that are out there and have been around for a while. And then also we tried to look at ones that wouldn't present an additional cost to members. So those NIST frameworks and the ISACA COBIT framework, those are all free of charge, so it wouldn't result in our members or practitioners incurring additional costs. There are other frameworks that are out there, like some from ISO, that are really good as well, but those have some costs associated with them.
00:09:36
Yes.
00:09:37 Speaker 3
This is true not just for the frameworks themselves but also for the cybersecurity risk landscape, which is continually evolving, right? Every single day there's something new going on. It's always something internal auditors have to kind of keep up on, and I know this is kind of referred to in the topical requirement as well. So how often are the topical requirements going to be updated as we try to keep up with this landscape?
00:09:59 Speaker 2
Yeah, certainly cybersecurity has emerging aspects and things that are changing, so that is true. However, I would say that the way this is written, Logan, is more from a baseline standpoint. So really we tried to establish the minimum requirements that an internal auditor would look at. So that's not to say that those baseline items might change over time, but we feel like they're written in a very foundational manner. So we think we accomplished that. Now, that's not to say that things could change, or, like I said, there's maybe some emerging risk; you think about how artificial intelligence has grown so much over the past couple of years. So as things change like that, we certainly want to be sure that we're thinking about those and that this topical requirement remains relevant. So what we're planning to do, or say the next steps on this, is, on an annual basis, to take a look at the topical requirement, make sure that it's still relevant, and look to see what the risk landscape looks like, to see, like I said, if there's anything emerging out there that we need to include in terms of updating that baseline. And then we talked about other frameworks that we've referenced, and certainly if those frameworks underwent pretty significant changes, we want to be sure that we keep that mapping up to date, so it's as easy to use as possible for practitioners. So to summarize, we'll look at it on an annual basis and we'll make changes as we need to.
00:11:31 Speaker 3
Are these frameworks updated on a kind of regular timetable, or do they just come when they come? Do you know? Is this something that we need to keep in mind anytime soon?
00:11:42 Speaker 2
Yeah, I think it just varies based on the organization. So like ISACA, for example, they have COBIT 2019. So it's been out for a few years. Yeah, I would anticipate in the next few years it'll probably be updated, but I don't have any kind of insider information. That's just my guess based on...
00:11:51 Speaker 3
Quite a while.
00:12:02 Speaker 2
...how they refresh their frameworks. Same with NIST. NIST will sometimes do a lighter refresh or a lighter update, or sometimes they'll do a completely different version, so it's hard to say what happens. But I think they kind of go through the same process that we do at The IIA: they take a look, they make sure that they're scanning the environment and that they're staying as up to date as possible, because so many people rely on this guidance.
00:12:27 Speaker 3
On to kind of our next topic that I have here. One of the points that we kind of bring up in the requirement, in the notes that we highlight in bold, is the release date; I mean the implementation date, rather, which is February 2026. I know there is time to make the adjustments that are needed, but also it's coming sooner rather than later. It's like Christmas: before you know it, it's here. As we're approaching that date, what are some recommendations that you personally would give to internal auditors as we're coming up on and reaching that date?
00:13:00 Speaker 2
You know, from a chief audit executive standpoint, go ahead and start having those conversations. Talk to your audit committee. Talk to your board, whoever provides the governance and whom you report to. Have those discussions. Also, I think it's good to talk to management as well, as you meet with your IT department and your leaders who have responsibility for cyber-related processes, just to make sure that they're aware and that there's an understanding. I mean, we don't want to wait till the end and then have management or the audit committee say, "You should have communicated this back a few months ago." So I think having those discussions early in the process from the chief audit executive makes sense. If you're just, you know, an internal auditor working as a staff person or maybe as a manager within your function, I think it's just making sure that you've read through and you know what the requirements entail. So just being very familiar with it, being able to be a resource to your internal audit function and understand what those requirements include. And I think going through that user guide, reading through that and making sure that you're aware and up to date with some of those examples that can help you demonstrate conformance, that would be a very valuable thing that anyone in an internal audit function could do. So it's not just the chief audit executive; I think internal auditors in the various roles can make sure that they've done their homework and be sure that they're as prepared as possible.
00:14:28 Speaker 3
And I think it's really important to kind of emphasize the idea that, beyond just hearing from us on the podcast, we offer a real variety of resources to help all of our members along the way. Are there any resources The IIA offers to assist in this task that you can cite off the top of your head?
00:14:46 Speaker 2
Yeah, yeah. Another great question, Logan. If you just go to our website and search for "cybersecurity," if you just type in those words, I feel like we have revamped our website and you get a lot of really good results. So that's a good place to start. Some specific things that I would encourage people to do: we have some GTAGs that are out there. We have some cybersecurity GTAGs that have been updated with the most recent Standards, so those are available as well. That's a good place to look. But we have other resources as well. I mean, I think there are other podcasts. There's a webinar that we did the day after the Cybersecurity Topical Requirement was released, so I think that could be a good place to start as well. And then just looking at the topical requirements section of our website. It's under Standards, and if you go there and you go to the cybersecurity one, you'll be able to, of course, gain access to the topical requirement and the user guide. There are also frequently asked questions on there. So maybe some of the things that your organization, that your internal audit function, is thinking about, they might already be listed there, and we'll update that section as well. There's a lot of great information out there, but the GTAGs, the website, and some of those resources are really going to be helpful, I think.
00:16:05 Speaker 3
And to add to that, specifically for our Audit Leaders Network members, I'd also like to point them to the executive knowledge brief that we released based on feedback that we have received from CAEs that we've talked to about the strategies that they're implementing regarding the new topical requirement, and also the new service that our Audit Leaders Network has, Ask the Experts, where if they have any questions about the requirement they can reach out to us directly and we would give them kind of a detailed response based on their personal situation. I think those are two avenues they could travel down as well. Before we're out of time, is there anything else that you would like to mention or talk about?
00:16:42 Speaker 2
No, I mean, I think it's just doing something different with the IPPF. This is the first time we have launched a topical requirement, and we're planning to launch more in the future. I think it's going through the process of just understanding what it entails and why we're doing it, and really trying to raise the level of assurance that we, as internal auditors, provide. Just getting everyone comfortable with it and making sure that they're aware, they have good information, and that they're as prepared as possible. I mean, we knew with this first one we'd have some of that. So I think once we get through this first one on cybersecurity and it's been out there a while, hopefully with the next ones that we release, at least people will be familiar with the concept of what we're trying to do. I think the ones that come after cybersecurity hopefully will be a little easier to manage and prepare for.
00:17:35 Speaker 3
Yeah, I know probably initially, if you saw the topical requirements coming, the first thought was, "Well, this is a whole lot of new conformance-related things that we need to keep up with." But I think as people kind of get comfortable with the idea and the concept, I think people are going to realize that what this is really doing is raising the bar for internal audit functions everywhere, and I think that raising that baseline is really going to go a long way toward kind of ensuring the future of the profession.
00:18:03 Speaker 1
Yeah. Agree.
00:18:03 Speaker 2
Great.
00:18:04 Speaker 3
That is all I have for you today. I think we covered a lot of ground. I hope anybody listening will please look at our other resources, please review the topical requirement as much as you can, and kind of get an understanding of it and the development of it. George, I really appreciate your time. Thank you so much.
00:18:23 Speaker 2
OK, Logan, thanks for having me.
00:18:24 Speaker 1
To learn more about The IIA's Cybersecurity Topical Requirement and how some of the world's top internal audit leaders are implementing it, be sure to check out the Audit Leaders Network's latest Executive Knowledge Brief, The Cybersecurity Topical Requirement in Practice. Executive Knowledge Briefs are only available to Audit Leaders Network members, so if you're not a member, check out the many benefits of joining today by using the link in the show notes. If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts. You can also catch other episodes on YouTube or at theiia.org. That's T-H-E-I-I-A dot org.