The Basics
- The Institute of Internal Auditors (IIA) has established a mandatory baseline for cybersecurity internal audits, guiding internal auditors in evaluating governance, risk management, and controls against 17 specific requirements.
- Effective Feb. 5, 2026, the framework standardizes how cybersecurity risks are assessed across multiple organizational functions.
- Implementation requires auditors to document the applicability of each requirement at the individual engagement level, providing clear justification for any exclusions while ensuring that even non-IT audits address relevant cyber risks.
______________________________________________________________________________________________
What Your Organization Needs to Know
The IIA’s Cybersecurity Topical Requirement is a regulatory framework that represents the first of several topical requirements that will fundamentally reshape how internal audit functions approach high-priority risks in 2026 and beyond.
The Topical Requirement provides a consistent framework internal auditors can use to evaluate cybersecurity. It presents an opportunity to standardize the approach for assessing cybersecurity across internal audit engagements. Utilizing the requirement demands thoughtful integration into internal audit engagement level planning.
Why Did the IIA Change Cybersecurity Audit Requirements?
The IIA introduced the Cybersecurity Topical Requirement to address the lack of a standardized assessment baseline for what is now a pervasive, organization-wide risk. By establishing a mandatory framework for governance, risk management, and controls, the requirement shifts the focus from a surface-level check of a program’s existence to a deeper evaluation of whether its processes are actually designed and operating effectively.
What Are the 17 IIA Cybersecurity Topical Requirements?
The IIA organizes its cybersecurity requirements across three core areas:

How to Implement the Cybersecurity Requirement
Your organization should assess whether the new requirements apply whenever one of the following “triggers” occurs:
- Audit Planning: Evaluate any engagement already listed on your annual internal audit plan to see if it carries cybersecurity implications.
- Fieldwork Discovery: Apply the requirements if you identify unforeseen cyber risks while already performing an audit.
- Ad Hoc Requests: Review any new, unplanned audit requests to determine if they involve systems or data that fall under the topical scope.
If your organization already maintains robust cybersecurity programs with regular board updates, comprehensive risk assessments, and mature control environments, internal audit’s role shifts to validation. This doesn’t diminish the Topical Requirement’s importance but positions internal audit as a value-added partner, providing assurance that strong practices are in place and operating effectively.
Where Organizations May Struggle
The most challenging aspect of the requirement is determining the applicability of the individual requirements at the internal audit engagement level.
This is where confusion often arises because not all requirements may be applicable for every internal audit engagement in the plan. In that case, internal auditors must document applicability, including clear justification for any excluded requirements.
A Nuanced Distinction
Consider an accounts payable audit. The engagement is not directly related to cybersecurity, but imagine if, during the initial walkthrough, the engagement team determines that a web portal used for vendor-invoice submission presents cybersecurity risks. Once the engagement team identifies the relevant risks, internal auditors must review the Cybersecurity Topical Requirement and determine which requirements are applicable. Not all may be applicable. The key is to ensure that the rationale for excluding any requirements is properly documented.
How Can Teams Comply with the Topical Requirement?
Teams can integrate the IIA’s Cybersecurity Topical Requirement into their 2026 audit plan by ensuring the Cybersecurity Topical Requirements are considered during engagement-level planning and scoping.
Individual Engagement Scoping
For each planned internal audit engagement, ask this: Does this process involve systems, data, or access that present cybersecurity risks? If so, document your assessment and rationale for whether each requirement applies, and also document the rationale for excluding any requirements.
Remember: The requirement is mandatory for assurance engagements but still recommended for advisory engagements.
Your Takeaways
- The IIA Cybersecurity Topical Requirement is effective now and mandatory for those that adhere to the IIA Standards.
- For IA functions that do not fully conform to the IIA Standards, the Cybersecurity Topical Requirement is still strongly recommended as a leading practice.
- The Topical Requirement provides a standardized framework for internal audit functions to evaluate cybersecurity risk.
- Because applicability is determined at the engagement level, the approach requires thoughtful implementation.
- Documentation is critical: Detail why a requirement is in-scope or not in-scope for internal audit engagements that contain cybersecurity risks.
- Additional topical requirements are coming, so ensure your internal audit function is aware of the effective dates and requirements.
Need Help Navigating the Requirement?
Rehmann’s Risk Advisory team can help translate the IIA’s Cybersecurity Topical Requirement into a practical, scalable audit approach for your organization. Additionally, whether you need support with gap assessments, methodology development, or team training, we can help you implement the requirement efficiently and effectively. To discuss your organization’s specific cybersecurity challenges and opportunities, reach out to Jessica Dore at [email protected].
Frequently Asked Questions
Q: Does every internal audit engagement now require a full cybersecurity assessment?
A: No, the requirements are applied based on the scope of the specific engagement. While the framework provides a standardized list of 17 requirements, auditors must determine which individual points are relevant to the systems, data, or access points involved in that specific audit and document the rationale for any requirements that are excluded.
Q: Is compliance with these topical requirements mandatory for all organizations?
A: The Cybersecurity Topical Requirement is mandatory for internal audit functions that adhere to the IIA Standards. For organizations that do not fully conform to these standards, the IIA still strongly recommends the framework as a leading practice for maintaining a robust and consistent defense against cybersecurity risks.
Q: What other regulatory changes are expected from the IIA in the near future?
A: The cybersecurity requirement is the first in a series of new frameworks designed to reshape internal audit approaches. Additional requirements scheduled for 2026 include Third-Party Risk Management (effective Sept. 15), Organizational Behavior (effective Dec. 15), and Organizational Resilience (expected April 30, 2027).
Note: This article is provided for informational purposes. For more information about the IIA Cybersecurity Topical Requirement, including a downloadable user guide, please visit www.theiia.org.