Brian Ferrara

June 1, 2026

Internal Audit’s Cybersecurity 

For the first time in the history of the profession, internal audit has a mandatory, standardized baseline for assessing cybersecurity — and the clock has already run out on preparation. 

    The IIA’s Cybersecurity Topical Requirement is now mandatory for every internal audit function that conforms with the Global Internal Audit Standards. It establishes — for the first time — a standardized baseline for how cybersecurity governance, risk management, and controls must be assessed. Here’s what changed, what conformance demands, and how to meet the new bar with confidence. 

    On February 5, 2025, the Institute of Internal Auditors released its first-ever Topical Requirement under the new International Professional Practices Framework. The subject: cybersecurity. The grace period: one year. The effective date that quietly arrived: February 5, 2026. 

    For every internal audit function that claims conformance with the IIA Global Internal Audit Standards — which is the overwhelming majority of professional internal audit functions globally — the IIA Cybersecurity Topical Requirement is now binding. Quality assessments performed after that date evaluate whether the function has applied each of its 17 requirements during any cybersecurity engagement. The threshold for “good enough” cybersecurity audit work has been redrawn — and most internal audit functions have not fully met it. 

    The New Reality

    This is not optional guidance. For internal audit functions conforming with IIA Standards, applying the IIA Cybersecurity Topical Requirement is mandatory whenever cybersecurity is within scope. Functions that fall short during their next external quality assessment now risk a non-conformance finding on something previously left to professional judgement. 

    What Actually Changed — and Why It Matters 

    Internal audit has always done cybersecurity work. What changed in February 2026 is that how that work is conducted is no longer a matter of practitioner discretion. The IIA has codified what was previously inferred from professional standards, framework references, and audit committee expectations. 

    The IIA Cybersecurity Topical Requirement establishes three things that did not formally exist before: 

    ▸ A mandatory baseline — 17 specific requirements that must be considered for applicability on every cybersecurity engagement 

    ▸ A documented justification standard — when a requirement is excluded, the rationale must be retained as evidence 

    ▸ A conformance test — external quality assessments now evaluate whether the function actually applied the requirements, not just whether it could 

    The most important word in that summary is mandatory. The IIA has previously issued guidance, recommended practices, and global standards. Topical Requirements are different. They sit alongside the Global Internal Audit Standards inside the IPPF and carry the same enforcement weight when an internal audit function is assessed. 

    A Critical Nuance

    The Topical Requirement does not mandate that every internal audit function must perform cybersecurity audits. It mandates that if you do perform cybersecurity audit work, you must do it to this baseline. The distinction matters: ad-hoc cybersecurity engagements, IT general control reviews that touch cyber, even financial process audits where cyber risk is material — all fall within scope when cybersecurity is being assessed. 

    The Three Dimensions Every Cybersecurity Engagement Must Now Cover 

    The 17 specific requirements organize themselves around three dimensions of cybersecurity assurance. Every engagement that touches cybersecurity must now demonstrably address each. This is the new structural expectation: 

    | Dimension | What Internal Audit Must Assess | Frameworks Referenced |
    |---|---|---|
    | Governance | Clarity of cybersecurity roles and accountabilities, alignment of cybersecurity strategy to enterprise strategy, board-level oversight, policy framework completeness, and executive ownership of cyber risk. | NIST CSF 2.0 (Govern function), COBIT 2019 |
    | Risk Management | Design and operation of cybersecurity risk assessment processes, threat-informed risk modeling, dynamic risk monitoring, third-party cyber risk treatment, and integration of cyber risk into enterprise risk management. | NIST CSF 2.0, NIST SP 800-53, ISO 27001 |
    | Controls | Design adequacy and operating effectiveness of technical and procedural cybersecurity controls, including identity and access management, vulnerability management, incident response, data protection, and continuous monitoring. | NIST CSF 2.0, NIST SP 800-53, COBIT 2019, CIS Controls |

    For most internal audit functions, the first dimension is the least familiar. Governance assessments demand engagement with the board, the audit committee, and the CISO at a level that goes beyond traditional control testing. The IIA is telling the profession that cybersecurity is no longer a technical audit — it is a governance audit with a technical dimension.

    Why the IIA Issued This Now — The Strategic Context 

    Two trends made the Topical Requirement inevitable. 

    The first is the rapid acceleration of cyber threat sophistication. Generative AI has industrialized social engineering, ransomware groups have professionalized, and supply chain attacks have demonstrated that no organization is insulated from the cyber risk of its suppliers. Internal audit functions were being asked to assure cybersecurity programs at a level of rigor that the profession’s existing standards could not consistently deliver. 

    The second is the regulatory environment that internal audit operates inside. The SEC’s 2023 cybersecurity disclosure rules, the EU’s NIS2 Directive, expanded state-level breach notification requirements, and a wave of industry-specific regulation (HIPAA Security Rule updates, NERC CIP enhancements, NYDFS Part 500) have collectively raised the bar. Internal audit cannot credibly assure cybersecurity to a board if its own assurance methodology lags behind the regulators it is helping the organization conform to. 

    86% of internal audit leaders in North America rate cybersecurity as a top-five risk, 13 percentage points higher than the global average, per the IIA’s Risk in Focus 2026 report.

    The pressure to assure cybersecurity at this level of seriousness — without a standardized methodology — was unsustainable. The Topical Requirement is the IIA’s response. 

    What This Means Operationally — Five Things Every CAE Must Do Now 

    The deadline has passed. The conformance test now begins. Here is what every Chief Audit Executive should be doing immediately, in the order that creates the least exposure and the most strategic upside: 

    1. Map Your Existing Cybersecurity Methodology Against the 17 Requirements

    Pull the requirement set and the User Guide from the IIA. Conduct a gap analysis against your current cybersecurity audit programs. For each of the 17 requirements, document either how your methodology addresses it or why it is being excluded. The gap analysis itself becomes evidence of conformance. 

    2. Integrate Framework Mappings into Your Audit Programs

    The User Guide maps the requirements to NIST CSF 2.0, NIST SP 800-53, and COBIT 2019. Pick the framework already in use across your organization — likely NIST CSF or COBIT — and embed those mappings directly into your work programs so that conformance is documented as a byproduct of fieldwork. 

    3. Establish a Continuous Documentation Discipline

    Each requirement must be documented at the engagement level. If you have 12 cybersecurity engagements per year, that is 12 documented applicability assessments. The functions that will struggle with quality assessments are those treating this as a one-time exercise rather than a sustained discipline. Build documentation into your engagement workflow. 

    4. Coordinate Formally with InfoSec — Not Informally

    The User Guide’s framework mapping creates shared language between internal audit and the second line. Use it. Establish a recurring coordination cadence with the CISO function, agree on terminology, and align on which framework controls each engagement is testing. This is also where boards are looking for evidence of organizational maturity. 

    5. Address the Talent and Capacity Gap Honestly

    Most internal audit functions do not have deep cybersecurity expertise in-house. The Topical Requirement does not require that you do — but it does require that the engagement team is competent to apply the requirements. For most functions, this means co-sourcing, hiring, or formal training. Identifying the gap and addressing it is itself evidence of professional discipline. 

    Why Continuous Controls Monitoring Is Now Operationally Inseparable from Conformance 

    Here is the structural truth that the Topical Requirement makes inescapable: a baseline that requires evidence of how 17 requirements were applied across every cybersecurity engagement cannot be satisfied by annual, sample-based testing. The volume of evidence, the breadth of controls in scope, and the documentation expectation are too large for traditional point-in-time methodologies. 

    This is where the conversation about IIA conformance and the conversation about continuous controls monitoring become the same conversation. 

    If a cybersecurity engagement requires testing of identity and access management, privileged user activity, vulnerability remediation timelines, security event detection, and third-party access controls — each across the full population, each with audit-ready evidence — then a function that is relying on Excel-based sampling and quarterly screenshots is structurally unable to demonstrate conformance at scale. 

    “The IIA Cybersecurity Topical Requirement does not directly mandate continuous monitoring. It mandates an evidence standard that, at enterprise scale, can only be satisfied through it.” 

    How EagleEye365® Is Built for the New Conformance Bar 

    This is the moment to be direct about why a platform like EagleEye365® from IntoneCCM is no longer a productivity tool but a conformance enabler. 

    EagleEye365® — Conformance as a Continuous Capability 

    EagleEye365® is a patented, AI-enabled continuous controls monitoring platform purpose-built for the era the IIA Cybersecurity Topical Requirement defines. Where most cybersecurity audit programs are scrambling to retrofit conformance evidence, EagleEye365® delivers conformance as a byproduct of how the platform operates. 

    ▸  17-Requirement Mapping Built In — work programs come pre-mapped to NIST CSF 2.0 and COBIT 2019, the two frameworks referenced by the IIA User Guide 

    ▸  100% Population Testing — cybersecurity controls across identity, access, vulnerability, and event monitoring are tested continuously, eliminating sampling risk 

    ▸  Continuous Evidence Capture — every test execution generates audit-ready evidence with full data lineage, satisfying the documented applicability standard the IIA now requires 

    ▸  Engagement-Level Conformance Reporting — each cybersecurity engagement produces a conformance package that maps test work directly to the relevant Topical Requirements 

    ▸  AI-Enabled Anomaly Detection — identifies cyber control failures and exceptions the moment they occur, supporting the dynamic risk management dimension of the requirement 

    ▸  Coordination With InfoSec — shared dashboards across internal audit and the second line, using the framework-mapped vocabulary the IIA encourages 

    For an internal audit function staring at a quality assessment with the Topical Requirement now in scope, EagleEye365® turns what would be a manual evidence sprint into a continuous, defensible operating model. 

    What Comes Next — The Topical Requirements Don’t Stop Here 

    The IIA has made clear that the Cybersecurity Topical Requirement is the first of a sequence. The Third-Party Risk Topical Requirement followed in 2025 with an effective date of September 15, 2026. Organizational Behavior is effective December 15, 2026. Organizational Resilience is expected April 30, 2027. Each will expand the mandatory baseline that defines what conforming internal audit work looks like. 

    Functions that meet the Cybersecurity Topical Requirement well will find that the operating infrastructure — continuous monitoring, framework mapping, engagement-level documentation discipline — is exactly what the next requirements demand. Functions that meet it poorly will face the same scramble again, in nine months, with a new topic. 

    This is why the strategic response to February 2026 is not to treat it as a one-time compliance exercise. It is to use it as the forcing function to modernize the internal audit operating model — and the platforms that support it. 

    The Bottom Line 

    February 5, 2026 changed what internal audit’s cybersecurity work is allowed to look like. The IIA has drawn a line. Quality assessors will now hold the line. CAEs, audit committees, and boards will increasingly hold themselves to it. 

    The internal audit functions that emerge from 2026 as credible cybersecurity assurance providers will be the ones that responded to the Topical Requirement with a continuous, technology-enabled operating model — not the ones that bolted on extra documentation to an unchanged methodology. 

    EagleEye365® from IntoneCCM exists to make that response practical, defensible, and durable. The conversation about how starts with a 30-minute briefing — and the sooner that conversation begins, the more time your function has to enter its next quality assessment with confidence. 

    FAQs

    The IIA Cybersecurity Topical Requirement is a mandatory baseline established by the Institute of Internal Auditors for how internal audit functions assess cybersecurity governance, risk management, and control processes. Issued February 5, 2025 and effective February 5, 2026, it consists of 17 specific requirements that internal audit must apply during any cybersecurity engagement to conform with the IIA Global Internal Audit Standards. 

    The IIA Cybersecurity Topical Requirement became effective on February 5, 2026 — exactly one year after its issuance on February 5, 2025. From that date forward, quality assessments of internal audit functions evaluate conformance with this requirement during any engagement involving cybersecurity scope. 

    Yes — for internal audit functions that conform with the IIA Global Internal Audit Standards, the Cybersecurity Topical Requirement is mandatory whenever cybersecurity is within an engagement’s scope. The requirement does not mandate that internal audit perform cybersecurity audits, but if they do, the topical requirement must be applied. For functions that do not formally conform with IIA Standards, it is strongly recommended as leading practice. 

    The IIA Cybersecurity Topical Requirement’s User Guide maps its 17 requirements to globally recognized frameworks including NIST Cybersecurity Framework 2.0, NIST SP 800-53, and COBIT 2019. This mapping provides internal auditors with a shared technical vocabulary to coordinate with information security and IT teams, while allowing each organization to apply its preferred framework. 

    To conform, internal audit must demonstrate that each of the 17 requirements was assessed for applicability at the engagement level, that any exclusions are justified with documented rationale, and that the audit work product addresses cybersecurity governance, risk management, and controls dimensions. Evidence must be retained for quality assessment review. 

    EagleEye365 from IntoneCCM is an AI-enabled continuous controls monitoring platform that automates cybersecurity control testing across 100% of populations, captures audit-ready evidence continuously, maps controls to NIST CSF 2.0 and COBIT 2019, and produces the documentation auditors need to demonstrate conformance with each of the 17 IIA topical requirements — turning what would be a manual conformance burden into a continuous operational capability. 
