
How to Build a Cybersecurity Audit Plan That Satisfies the IIA's 2026 Topical Requirement and Federal Strategy


I've been doing this long enough to recognize when two major regulatory shifts land within a month of each other and nobody notices they're connected.

On February 5, 2026, the IIA's Cybersecurity Topical Requirement became mandatory. Exactly one month later, the Trump Administration released its six-pillar Cyber Strategy for America, fundamentally reshaping how the federal government approaches cyber regulation.

Most internal audit teams are treating these as separate compliance exercises. They're not.

The IIA gave you a mandate. The federal government just told you what to prioritize within it. If you build your audit plan correctly, you can satisfy both without duplicating effort or burning through your budget before Q3.

Here's the framework I'm using with clients to reconcile the two.

Why This Timing Matters

The IIA didn't pick cybersecurity randomly for its first-ever Topical Requirement. Cybersecurity ranked as the top risk in Risk in Focus 2025 for the second consecutive year. The timing gave internal audit functions exactly one year to prepare, and that year just expired.

The federal strategy shift changes the game mid-implementation.

The Biden Administration's 2023 National Cybersecurity Strategy emphasized mandatory compliance requirements for critical infrastructure. The new strategy pivots toward "common-sense regulation" and expanded private sector collaboration, organized around six policy pillars that internal auditors need to understand because they define where federal scrutiny will land next.

If your audit plan still reflects the old regulatory philosophy, you're building defenses for threats that have already moved.

The Six Pillars Through an Audit Lens

The new federal strategy isn't just policy positioning. It's a roadmap for where cyber risk will concentrate over the next 24 months. Internal audit teams that map their work to these pillars will find their findings carry more weight with audit committees and executive leadership.

Here's how I'm translating each pillar into audit planning priorities.

Pillar One: Modernization and Zero Trust Architecture

The strategy explicitly calls for implementing cybersecurity best practices, post-quantum cryptography, zero-trust architecture, and cloud transition. It also emphasizes AI-powered cybersecurity solutions to defend federal networks.

Your audit question: Does management have a documented roadmap for each of these modernization priorities, and are resources allocated to execute them?

The gap I'm seeing in most organizations isn't awareness. Leadership knows zero trust matters. The problem is that "zero trust" has become a buzzword without implementation specifics.

What to audit:

  • Does your organization have a formal zero-trust architecture implementation plan with defined milestones?
  • Have identity and access management controls been updated to reflect zero-trust principles?
  • Are privileged access reviews happening with sufficient frequency?
  • Has management assessed current cryptographic practices against post-quantum readiness?

That last point matters more than most audit teams realize.

The Post-Quantum Cryptography Blind Spot

A study by General Dynamics Information Technology found that 50% of federal IT leaders are actively developing strategies to accelerate their transition to post-quantum cryptography. Another 46% have identified key risks but haven't begun formal assessments.

That's a massive audit opportunity.

Only 3% of banking websites currently support post-quantum cryptography, placing banks among the lowest adopters even within the financial sector. Industry experts estimate that more than 20 billion digital devices will require updates to quantum-safe cryptography in the next two decades.

Microsoft aims to complete its transition by 2033, two years before the 2035 deadline most governments have set. Leading organizations are moving faster than regulatory timelines require, which means laggards will face both competitive and compliance pressure.

Your audit approach:

Ask management whether they've conducted a cryptographic inventory: a record of where each public-key, symmetric, and hash primitive is used, what data it protects, and for how long that data must stay confidential. Most organizations have no idea where encryption is deployed across their environment, which makes post-quantum planning impossible.

If the answer is no, that's your finding. If the answer is yes, validate that the inventory is comprehensive (TLS configurations, code libraries, certificates, and vendor-managed services, not just a list of applications) and that a transition plan exists with realistic timelines. Pay particular attention to key exchange and encryption protecting long-lived data, because that traffic can be recorded today and decrypted once a capable quantum computer exists.
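The following is an added example, not code from the article or from Cherry Hill Advisory, showing what a minimal cryptographic inventory looks like in practice and how to turn it into a prioritized finding. It scans constructed configuration and source fragments for cryptographic primitives, classifies each by its exposure to quantum attacks, and ranks confidentiality-protecting hits using Mosca's rule (data shelf life plus migration time compared against the years remaining before a capable quantum computer). The primitive catalogue is a simplified reading of NIST's transition guidance, the 2035 horizon is borrowed from the deadline the article cites, and the asset names, file contents, and shelf-life figures are all invented for the example.

```python
"""Added example (not from the article): build a cryptographic inventory from
source and config text, then rank each hit for post-quantum migration priority.

Assumptions, labelled because the article does not supply them:
  - CATALOGUE is a simplified reading of NIST's PQC transition guidance;
  - the article's 2035 deadline is used as the planning horizon, applied via
    Mosca's rule: shelf_life + migration_time > years_until_horizon means the
    data is already exposed to harvest-now-decrypt-later collection.
"""
import re
from dataclasses import dataclass

# (regex, canonical primitive, cryptographic role, quantum posture). Matched
# case-insensitively after '_' is normalised to '-' so TLS suite names split.
CATALOGUE = [
    (r"\bML-?KEM(?:-?(?:512|768|1024))?\b|\bKYBER\b", "ML-KEM",   "key-exchange",           "quantum-safe"),
    (r"\bML-?DSA(?:-?(?:44|65|87))?\b|\bDILITHIUM\b", "ML-DSA",   "signature",              "quantum-safe"),
    (r"\bRSA(?:-?(?:1024|2048|3072|4096))?\b",        "RSA",      "key-exchange/signature", "quantum-broken"),
    (r"\bECDSA\b",                                    "ECDSA",    "signature",              "quantum-broken"),
    (r"\bED25519\b|\bED448\b",                        "EdDSA",    "signature",              "quantum-broken"),
    (r"\bECDHE?\b|\bX25519\b|\bX448\b",               "ECDH",     "key-exchange",           "quantum-broken"),
    (r"\bDHE?\b",                                     "DH",       "key-exchange",           "quantum-broken"),
    (r"\bSECP\d{3}[RK]1\b|\bPRIME256V1\b|\bP-(?:256|384|521)\b",
                                                      "EC-curve", "key-exchange/signature", "quantum-broken"),
    (r"\bAES-?128\b",                                 "AES-128",  "symmetric",              "reduced-margin"),
    (r"\bAES-?256\b",                                 "AES-256",  "symmetric",              "quantum-safe"),
    (r"\bSHA-?(?:256|384|512)\b",                     "SHA-2",    "hash",                   "quantum-safe"),
]
_COMPILED = [(re.compile(p, re.IGNORECASE), n, r, s) for p, n, r, s in CATALOGUE]


@dataclass
class Asset:
    name: str
    shelf_life_years: int   # how long the protected data must stay confidential
    migration_years: int    # management's estimate of the time needed to migrate
    sources: dict           # path -> file contents


@dataclass(frozen=True)
class Finding:
    asset: str
    path: str
    line: int
    primitive: str
    role: str
    posture: str
    priority: str


def mosca_exposed(asset, horizon_year=2035, current_year=2026):
    """True when data encrypted today would still be sensitive after the horizon."""
    return asset.shelf_life_years + asset.migration_years > horizon_year - current_year


def priority_for(role, posture, exposed):
    """Shor-broken confidentiality primitives are the HNDL case and rank first;
    broken signatures only need replacing before forgery becomes feasible."""
    if posture == "quantum-safe":
        return "none"
    if posture == "reduced-margin":      # AES-128: Grover halves the margin
        return "low"
    if "key-exchange" in role:           # RSA is treated conservatively as key exchange
        return "critical" if exposed else "high"
    return "medium"


def scan_text(text):
    """Yield (line_no, primitive, role, posture) for every crypto reference."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line, seen = raw.replace("_", "-"), set()
        for rx, name, role, posture in _COMPILED:
            if name not in seen and rx.search(line):
                seen.add(name)
                yield line_no, name, role, posture


def build_inventory(assets, horizon_year=2035, current_year=2026):
    """The inventory: one Finding per primitive per line, with a priority."""
    findings = []
    for asset in assets:
        exposed = mosca_exposed(asset, horizon_year, current_year)
        for path, text in asset.sources.items():
            for line_no, name, role, posture in scan_text(text):
                findings.append(Finding(asset.name, path, line_no, name, role, posture,
                                        priority_for(role, posture, exposed)))
    return findings


def summarize(findings):
    counts = {p: 0 for p in ("critical", "high", "medium", "low", "none")}
    for f in findings:
        counts[f.priority] += 1
    return counts


# Constructed sample input, invented for this example: a data store holding
# records retained for a decade, and a CI signing step protecting nothing long-lived.
SAMPLE_ASSETS = [
    Asset("customer-vault", shelf_life_years=10, migration_years=4, sources={
        "nginx/tls.conf": (
            "ssl_protocols TLSv1.2 TLSv1.3;\n"
            "ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;\n"
            "ssl_ecdh_curve X25519:prime256v1;\n"),
        "vault/crypto.py": (
            "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"
            "blob = AESGCM(aes_256_key).encrypt(nonce, record, None)\n"),
    }),
    Asset("build-signing", shelf_life_years=1, migration_years=2, sources={
        "ci/sign.sh": (
            'cosign sign --key ecdsa-p256.key "$IMAGE"\n'
            "sha256sum artifact.tar > artifact.sha256\n"),
    }),
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_ASSETS)
    for f in sorted(inv, key=lambda f: (f.priority != "critical", f.asset, f.path, f.line)):
        print(f"{f.priority:8} {f.asset}:{f.path}:{f.line}  {f.primitive} ({f.role}, {f.posture})")
    print(summarize(inv))
```

Run as written, the five critical findings all land on the long-lived data store, because ten years of retention plus a four-year migration exceeds the nine years left to the horizon; the same primitives on the signing pipeline would rank only medium or high. An auditor validating an inventory management already produced can use this kind of scan as a sampling check: if it surfaces primitives in locations the inventory does not list, the inventory is not comprehensive.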

Pillar Two: AI Governance and the Dual Challenge

Internal audit leaders widely recognize that AI is becoming a genuine force multiplier for defense, especially in security operations where teams are overwhelmed and attackers move fast. AI capabilities improve detection, speed up investigation, enhance threat hunting, and help prioritize what matters most.

But here's the problem: You have to secure AI systems while simultaneously harnessing AI for cybersecurity.

Threat actors leveraged artificial intelligence to increase their scale and sophistication in 2025, driving incidents to record numbers through AI-driven social engineering and supply-chain compromises. NIST released initial draft guidelines for how businesses should orient their cybersecurity programs to safely integrate AI use.

What to audit:

  • Has management established governance frameworks for AI deployment across the organization?
  • Are AI systems subject to the same risk assessment and control testing as other critical systems?
  • Does the organization have policies governing employee use of generative AI tools?
  • Have security teams evaluated AI-powered solutions for threat detection and response?

The organizations getting this right are treating AI governance as an enterprise risk management issue, not just an IT problem. If your audit findings land exclusively with the CIO, you're missing the broader risk exposure.

Pillar Three: Third-Party Risk and the Next Topical Requirement

The IIA's next Topical Requirement focuses on third-party risk; its exposure draft was scheduled for public comment in March or April 2025. This isn't coincidence. Third-party risk sits at the intersection of cybersecurity, operational resilience, and compliance.

FINRA notes a rise in cyberattacks and outages involving third-party providers, warning that such incidents can disrupt multiple firms due to industrywide reliance on vendors. The New York Department of Financial Services issued guidance emphasizing that as third-party service offerings expand and evolve, so too will third-party service provider-related cybersecurity risks.

Your audit plan needs to address third-party cyber risk now, not after the next Topical Requirement becomes mandatory.

What to audit:

  • Does management maintain a comprehensive inventory of third-party service providers with access to sensitive data or critical systems?
  • Are vendor risk assessments conducted before onboarding and periodically throughout the relationship?
  • Do contracts include specific cybersecurity requirements and right-to-audit clauses?
  • Has management established processes for monitoring vendor security incidents and breaches?
  • Are business continuity plans tested with scenarios involving third-party failures?

The gap I see most often: Organizations conduct vendor risk assessments at onboarding but never revisit them. A vendor's security posture can deteriorate significantly over a multi-year contract, and most organizations have no mechanism to detect that decline until an incident occurs.

Building the Convergence Audit Plan

The IIA's Cybersecurity Topical Requirement mandates that internal auditors evaluate risk identification, analysis, and mitigation processes across all business functions, including IT, compliance, HR, finance, and supply chain. The federal strategy tells you which risks should be at the top of that evaluation.

Here's the framework I'm using to build audit plans that satisfy both:

Step One: Map Your Risk Universe to the Six Pillars

Take your existing cybersecurity risk assessment and overlay the six federal strategy pillars. Where do gaps appear? Which pillars have insufficient coverage in your current audit plan?

This exercise usually reveals that certain risks, like post-quantum cryptography readiness or AI governance, have zero audit coverage because they weren't on anyone's radar six months ago.

Step Two: Prioritize Based on Organizational Exposure

Not every pillar carries equal risk for every organization. A financial services firm with significant third-party payment processing relationships faces different exposure than a manufacturing company with extensive IoT deployments.

Use your organization's risk appetite and strategic priorities to determine where audit resources should concentrate. The goal isn't to audit everything. It's to audit what matters most.

Step Three: Design Audits That Address Multiple Pillars Simultaneously

The most efficient audit plans don't treat each pillar as a separate engagement. Instead, they design audits that address multiple risk areas within a single scope.

For example, an audit of cloud security controls can simultaneously address modernization priorities, zero-trust architecture implementation, third-party risk, and incident response capabilities.

This approach reduces audit fatigue for operational teams while providing comprehensive coverage of interconnected risks.

Step Four: Validate Incident Response Independence

The IIA's Cybersecurity Topical Requirement emphasizes that management must have established an effective internal control environment and incident escalation procedures for cyber threats. The new federal strategy establishes a whole-of-government coordination effort through the National Coordination Center.

Your audit needs to validate that incident response plans are current, tested, and independent of the systems they're designed to protect.

What to audit:

  • When was the incident response plan last updated and tested?
  • Are tabletop exercises conducted regularly with participation from executive leadership?
  • Does the plan include specific escalation procedures for cyber incidents?
  • Are communication protocols established for notifying regulators, customers, and other stakeholders?
  • Has management identified external resources that can be activated during a major incident?

The organizations that respond effectively to cyber incidents are the ones that practiced before the crisis hit. If your audit reveals that incident response plans exist but haven't been tested in over a year, that's a critical finding.

The Reporting Challenge

Here's where most internal audit functions struggle: translating technical cybersecurity findings into language that resonates with audit committees and executive leadership.

Your audit committee doesn't need to understand the technical details of post-quantum cryptography. They need to understand the business risk of failing to prepare for it.

When I present cybersecurity audit findings, I frame them around three questions:

  1. What's the risk? Describe the specific business impact if the control gap isn't addressed.
  2. How does this compare to peers? Provide context on industry practices and regulatory expectations.
  3. What's the path forward? Offer practical recommendations with realistic timelines and resource requirements.

This approach shifts the conversation from technical compliance to strategic risk management, which is exactly where internal audit needs to operate.

What Happens Next

The IIA has already announced that additional Topical Requirements covering Organizational Resilience and Anti-Corruption and Bribery will be released in 2026. This roadmap signals where audit priorities must evolve beyond cybersecurity.

The organizations that will handle this evolution most effectively are the ones building flexible, risk-based audit plans now. They're not treating the Cybersecurity Topical Requirement as a one-time compliance exercise. They're using it as a blueprint for how to integrate future requirements without constantly rebuilding their approach.

The convergence of the IIA mandate and the federal strategy shift creates an opportunity for internal audit to demonstrate strategic value. You can show leadership that your function isn't just checking compliance boxes. You're providing forward-looking risk insights that help the organization navigate an increasingly complex regulatory environment.

That's the conversation that gets internal audit a seat at the table.

The window between regulatory signal and operational impact keeps shrinking. The question isn't whether your organization will face cyber risk. It's whether your audit function will see it coming in time to matter.

Start mapping your risk universe to the six pillars this week. You'll find gaps that need attention before your next audit committee meeting.

And if you need help building an audit plan that addresses both the IIA requirements and the federal strategy priorities without duplicating effort, that's exactly the kind of co-sourced support Cherry Hill Advisory provides. 

We work alongside your internal audit team to bring specialized cybersecurity expertise when you need it, so you can focus on delivering strategic value to your organization.

You can get in touch with our team any time.
