Time to Prepare: Cybersecurity
The first Topical Requirement: Cybersecurity, will be effective from February 2026. With six months to go until their effective date, now is the time to prepare your internal audit function. Have you started to consider the inclusion of Topical Requirements in your internal audit methodology?
At the heart of it, Topical Requirements are focused on risk. They provide an opportunity to carefully consider the topic in relation to your internal audit activities. A risk area such as cybersecurity is typically present in an organisation’s risk profile and often results in cybersecurity related assurance engagements in internal audit plans. Internal auditors are in the driver’s seat to determine whether a Topical Requirement will apply to their cyber related assurance engagements going forward. Applicability of the Topical Requirement for these engagements is required to be assessed and documented. Internal audit teams can ‘early adopt’ these practices in order to get ready for February 2026.
The Cybersecurity Topical Requirement User Guide outlines that applicability of a Topical Requirement can be documented in the internal audit plan or in the engagement workpapers based on the auditor’s professional judgment.
As part of your preparation, have a think about how you can incorporate Topical Requirements into your internal audit methodology – particularly during the creation of the internal audit plan. More information on this will be shared through resources such as factsheets, webinars, training and tools over the coming months.
Watch this Space: Third Party
The second Topical Requirement: Third Party is expected to be finalised in September 2025 by IIA-Global. Public Consultation for this has closed. We will notify our members when the final version becomes available, and further resources will be developed.
Have Your Say: Organisational Behaviour (Culture)
Organisational behaviour refers to the habits, patterns and informal norms that influence how work gets done and is often summarised as “the way we do things.” The draft outlines how internal auditors can identify and assess these dynamics, not only in standalone culture reviews but across all audit engagements where behaviour influences risk or outcomes.
Review the draft and supporting documents:
The consultation period for this draft Topical Requirement is open until 22 August 2025. We invite all members to provide feedback using the form below or directly to [email protected], so we can represent the collective views of our profession in IIA-Australia’s formal submission.
Upon completing this 7-hour training program, participants will be well-equipped to apply the GIAS principles, enhance their audit skills, and contribute effectively to their organisations’ governance and risk management. Our content for this session is being revised to include the Topical Requirements, join us to learn more about their application.