
The IIA issued the Cybersecurity Topical Requirement (the “Requirement”), establishing a mandatory baseline for Internal Auditors when evaluating cybersecurity governance, risk management, and control processes.
Below, we provide a summary of the Requirement and key implementation considerations. The full text of the Cybersecurity Topical Requirement is available here: Cybersecurity_Topical_Requirement Final. For implementation guidance, see the Cybersecurity Topical Requirement User Guide: Cybersecurity_TR_User_Guide.
The Requirement was approved for publication on February 5, 2025, with an effective date of February 5, 2026.
Cybersecurity
NIST defines cybersecurity as the ability to protect or defend the use of cyberspace from cyberattacks. It is a subset of information security, focused on safeguarding information and the systems that process it to ensure confidentiality, integrity, and availability.
Because digital systems and data underpin critical operations, cybersecurity risk affects nearly every organization. The Requirement establishes a minimum, risk-based framework for Internal Auditors to evaluate the design and implementation of cybersecurity governance, risk management, and control processes. Organizations with higher risk profiles may require expanded coverage.
The Requirement applies when cybersecurity falls within the scope of an engagement; the User Guide ties applicability to the risk assessment. Internal Auditors must document applicability and any exclusions, and conformance is subject to quality assessment.
Governance
Evaluating cybersecurity governance involves assessing whether leadership has established a formal cybersecurity strategy aligned with organizational objectives and whether it is periodically reviewed and communicated to the board.
Internal Auditors should determine whether a formal strategy and objectives are established and updated with appropriate board oversight and resource review; whether policies and procedures are documented and maintained; whether roles, responsibilities, and competencies are clearly defined and periodically assessed; and whether key stakeholders such as IT, risk management, HR, legal, compliance, operations, and vendors are engaged to address vulnerabilities and emerging threats. Effective governance provides visibility, oversight, and accountability at the board and senior management levels, consistent with The IIA's Three Lines Model.
Risk management
The Requirement calls for a structured approach to identifying, assessing, mitigating, monitoring, and escalating cybersecurity risks.
Internal Auditors should evaluate whether cyber risk assessments are integrated into enterprise risk management and aligned with strategic objectives; whether accountability is clearly assigned; whether risks are escalated based on defined thresholds and financial and nonfinancial impacts; whether risk awareness and remediation efforts are communicated and reviewed; and whether a tested incident response and recovery process is in place. The User Guide emphasizes that applicability begins with the risk assessment and that professional judgment guides scope and documentation.
Controls
The Control Processes section sets baseline expectations for cybersecurity controls across internal systems and third-party relationships.
Internal Auditors should assess whether controls, including those operated by vendors, protect the confidentiality, integrity, and availability of systems and data and are periodically evaluated; whether talent management supports cybersecurity competencies; whether continuous monitoring identifies emerging threats; whether cybersecurity is integrated into the life cycle of IT assets from acquisition through decommissioning; and whether core technical, network, and endpoint controls such as configuration management, encryption, patching, access management, firewalls, VPN, IDS/IPS, and secure communication tools are implemented and operating as designed.
How we can help
Socorro Partners supports Internal Audit and IT functions in strengthening cybersecurity governance, risk management, and control processes in alignment with the Cybersecurity Topical Requirement.
We work with management and boards to assess cybersecurity programs against baseline expectations, align existing frameworks such as NIST, COBIT, ISO, or sector standards, enhance risk assessment and escalation processes, evaluate incident response readiness, and provide independent or co-sourced cybersecurity assurance. Our team combines cybersecurity, risk management, and internal audit experience to help organizations enhance resilience and meet evolving standards.

