Cybersecurity Topical Requirements: What Internal Audit Should Evaluate

Subscribe now to join the Risk Register community:

Cybersecurity oversight has become a central concern for boards, regulators, and executive leadership teams. As organizations become more dependent on digital systems and interconnected vendors, cyber risk now sits alongside financial and operational risks as a key governance priority.

Recognizing this shift, the Institute of Internal Auditors introduced a Cybersecurity Topical Requirement as part of the updated Global Internal Audit Standards. The purpose of the requirement is not to turn internal audit into a technical security function. Instead, it provides a framework for evaluating whether cybersecurity is governed, managed, and controlled effectively within the organization.

The topical requirement organizes cybersecurity oversight into three core areas:

  • Governance
  • Risk Management
  • Controls

For internal audit teams, the challenge is translating those requirements into practical audit procedures. The checklist below provides a structured way to evaluate cybersecurity programs through the lens of the topical requirement.

Cybersecurity Governance

The first area focuses on how cybersecurity is governed within the organization. Internal audit should evaluate whether leadership oversight, accountability, and policy structures support effective cybersecurity management.

A checklist for internal audit should include:

  • A formal cybersecurity governance framework has been established and approved by executive leadership or the board
  • Clear accountability for cybersecurity oversight is assigned to appropriate leadership roles or committees
  • Cybersecurity policies and standards are documented, maintained, and aligned with a recognized framework (for example NIST CSF or ISO/IEC 27001)
  • Cybersecurity risk oversight is integrated into the organization’s enterprise risk management structure
  • The board or audit committee receives periodic reporting on cybersecurity risks, incidents, and program maturity
  • Management regularly reviews cybersecurity strategy, risk posture, and control effectiveness

Evidence may include governance charters, board reporting materials, cybersecurity policies, and documentation of management oversight.

Cybersecurity Risk Management

The second area focuses on how the organization identifies, assesses, and prioritizes cybersecurity risks. Internal audit should evaluate whether management has a structured process for identifying cyber threats, prioritizing exposures, and communicating risks to leadership.

A checklist for internal audit should include:

  • An up-to-date inventory of systems, applications, cloud services, and data assets is maintained to support cybersecurity risk identification
  • Data and systems are classified according to sensitivity and business impact to support risk prioritization
  • A formal cybersecurity risk assessment process exists and is performed periodically
  • Responsibility for cybersecurity risk management is clearly assigned to appropriate leadership or teams
  • Cybersecurity risks are documented in a risk register and prioritized based on likelihood, impact, and risk tolerance
  • Processes exist to escalate significant cybersecurity risks or control failures to senior management or the board when risk thresholds are exceeded
  • Cybersecurity risks, control gaps, and remediation progress are regularly communicated to management and relevant stakeholders
  • Remediation activities are tracked and monitored to ensure that identified risks are addressed in a timely manner
  • Third-party vendors and technology partners are incorporated into the cybersecurity risk assessment process

Evidence may include risk assessment documentation, cyber risk registers, escalation procedures, vendor risk reviews, and records of management oversight.

Cyber risk management also extends beyond internal systems. Many organizations rely heavily on vendors and technology partners, making third-party exposure a critical component of the risk landscape. That exposure may also be evaluated under the Third Party Risk Management Topical Requirement.

Cybersecurity Controls

The third area evaluates the safeguards and operational controls designed to protect the organization’s systems and data. Internal audit should evaluate whether these controls are designed and implemented appropriately, and whether they operate as intended, to protect systems, data, and technology infrastructure.

A checklist for internal audit should include:

  • Identity and access management controls restrict system access according to least-privilege principles, require strong authentication (such as multi-factor authentication for privileged and remote access), and are supported by periodic access reviews and timely deprovisioning
  • Processes exist to identify and remediate system vulnerabilities, including vulnerability scanning, patch management with remediation timelines tied to severity, and security monitoring
  • Data protection controls safeguard sensitive information through encryption in transit and at rest, access restrictions, and secure storage practices
  • Backup and recovery processes support system resilience, are protected against tampering, and are tested by actually restoring critical data rather than only by confirming that backup jobs completed
  • Incident response and business continuity plans are documented, tested periodically (for example through tabletop exercises), and aligned with cybersecurity risks
  • Security awareness and training programs educate employees about cybersecurity responsibilities and emerging threats

Evidence may include vulnerability reports, access review documentation, incident response plans, backup and restore testing results, and training records.
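The identity and access management item in the checklist above is one that internal audit can test directly against an access export rather than by reading policy documents. The following Python script is an added example for this article; it is not code from the original post or from the IIA. It runs four audit tests (privileged accounts without MFA, accumulation of privileged roles, stale accounts, and enabled accounts for terminated staff) over a constructed account export. The field names, the privileged role names, the HR status values and the 90-day review window are assumptions that an auditor would replace with the organization’s own access policy.

```python
"""Automated test of the identity and access management control.

Added example for this article, not code from the original post or the IIA.
It runs four audit tests over a constructed account export. The field names,
the privileged role names and the 90-day review window are assumptions; an
auditor would take them from the organization's own access policy.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Assumed policy parameters (not from the article).
PRIVILEGED_ROLES = {"domain_admin", "db_admin", "cloud_owner"}
REVIEW_WINDOW_DAYS = 90


@dataclass
class Account:
    user: str
    roles: Set[str]
    mfa_enrolled: bool
    last_login: Optional[date]   # None means the account has never logged in
    enabled: bool
    hr_status: str               # "active" or "terminated", as from an HR feed


Finding = Tuple[str, str, str]   # (user, check, detail)


def audit_accounts(accounts: List[Account], as_of: date) -> List[Finding]:
    """Return one finding per control failure; an empty list means all tests passed."""
    findings: List[Finding] = []
    for a in accounts:
        priv = a.roles & PRIVILEGED_ROLES

        # Strong authentication: every enabled privileged account must have MFA.
        if a.enabled and priv and not a.mfa_enrolled:
            findings.append((a.user, "PRIV_NO_MFA", "privileged account without MFA"))

        # Least privilege: one person should not accumulate several privileged roles.
        if len(priv) > 1:
            findings.append((a.user, "MULTI_PRIV", "holds " + ", ".join(sorted(priv))))

        # Access review: enabled accounts unused within the review window are stale.
        if a.enabled and (a.last_login is None
                          or (as_of - a.last_login).days > REVIEW_WINDOW_DAYS):
            findings.append((a.user, "STALE", "no login within %d days" % REVIEW_WINDOW_DAYS))

        # Deprovisioning: a terminated employee must not keep an enabled account.
        if a.enabled and a.hr_status == "terminated":
            findings.append((a.user, "TERMINATED_ENABLED",
                             "enabled account for terminated employee"))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings by check, the figure an audit report would lead with."""
    return Counter(check for _, check, _ in findings)


# Constructed sample export; these are not real accounts.
AS_OF = date(2025, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", {"domain_admin"}, True, AS_OF - timedelta(days=3), True, "active"),
    Account("bob", {"domain_admin", "db_admin"}, False, AS_OF - timedelta(days=10), True, "active"),
    Account("carol", {"user"}, True, AS_OF - timedelta(days=200), True, "active"),
    Account("dave", {"user"}, True, AS_OF - timedelta(days=5), True, "terminated"),
    Account("erin", {"db_admin"}, False, None, False, "active"),   # disabled: no findings
]

if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS, AS_OF)
    for user, check, detail in results:
        print(f"{user:8} {check:20} {detail}")
    print(dict(summarize(results)))
```

On the constructed export the script reports four findings: bob fails both the MFA and the least-privilege tests, carol is stale, and dave is a terminated employee whose account is still enabled. The disabled account erin produces nothing, which is the intended behaviour, since a disabled account is not an exposure. The findings list, together with the export it was run against, is the kind of access review documentation named as evidence above.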

A Structured Approach To Cybersecurity Audit Coverage

When viewed collectively, these procedures allow internal audit teams to evaluate cybersecurity oversight across the three core areas outlined in the Cybersecurity Topical Requirement: governance, risk management, and controls.

Embedding these procedures within the internal audit plan allows organizations to assess cybersecurity risk in a structured and repeatable way. It also helps ensure that cybersecurity oversight receives the same level of documentation and scrutiny as other critical risk areas.

Cherry Hill Advisory works with internal audit leaders, audit committees, and executive teams to evaluate cybersecurity governance, strengthen risk oversight structures, and align audit programs with evolving professional standards.

We have a more detailed cybersecurity Topical Requirements audit checklist, which you can download to support your internal audit planning.

If you would like to assess your organization’s Topical Requirements readiness, we invite you to schedule a consultation with us.