Hot Take: Thoughts on the IIA's Topical Requirements and a Call to Action

My Hot Take on the Topical Requirements

The Institute of Internal Auditors (IIA) released its first topical requirement as part of the new Global Internal Audit Standards. The first topical requirement, which focuses on Cybersecurity, is currently in draft form, and the IIA is asking for feedback on it. Here is the link to the draft and the feedback survey: Feedback is due by July 3, 2024. I STRONGLY encourage you - both auditors and audit clients - to review the proposed requirements and submit your feedback by the deadline. Your voice needs to be heard, regardless of what your opinion is - even if you disagree with me :) We have an opportunity to help shape our profession, and it is important that a diverse group of voices is heard in that opportunity.

For my audit clients in the room, you might be thinking this doesn't apply to you or that your opinion doesn't matter. If that's what you think, please reconsider. The requirements can impact both "sides of the table", particularly as they are written today. As other topical requirements are to be released in the future, this first one sets the precedent.

I'll share with you my thoughts on the document, which I have already submitted to the IIA for their consideration. Please let me know your thoughts in the comments once you've had a chance to review the proposed requirements.

I don't believe the IIA should require internal auditors to include specific tests in the scope of their audits. Instead, suggested, non-mandatory guidance that auditors can use to support their decision-making and professional judgment empowers them. Strict and narrowly focused requirements, like those in the proposed topical requirements, hinder auditors from providing truly "risk-based assurance, advice, insight and foresight" [1]. The purpose of internal auditing includes providing risk-based assurance, and these topical requirements - as written - prevent auditors from fulfilling that purpose.

While the IIA states that topical requirements are "designed to strengthen the ongoing relevance of an internal audit function to the evolving global risk landscape and enhance the value of internal audit services" [2], the narrow checklist style of the topical requirements does precisely the opposite. Instead of propelling the profession forward and strengthening its relevance, it pushes us backward into the days of rigid, static checklist-based auditing that does not adapt to the evolving global risk landscape.

The proposed requirements list what internal auditors must assess "when performing an internal audit engagement that includes cybersecurity objectives in its scope" [3]. The list includes things like "Internal auditors must assess if the organization...optimizes...the use of preventive and detective technologies such as intrusion detection/prevention systems" [4]. I'm not sure if it's the intent of the IIA, but this reads like we're requiring Management to use specific technology to manage a risk, which isn't our role as auditors.

In another example, the document requires internal auditors to assess whether "cybersecurity risk management processes are conducted by a cross-functional team" [5]. What if the organization chooses to manage the risk in more of a decentralized manner? I don't think it's within the scope of the IIA or the internal audit function to require an organization to manage risks using a centralized team.

Or what about the requirement that auditors assess whether "Vendors, suppliers, and other providers of outsourced processes and services are contractually obligated to implement effective cybersecurity controls"[6]? What authority does the IIA or the internal audit function have to dictate the contents of contracts for the organization?

It's a slippery slope and sets a dangerous precedent. These types of requirements turn the profession into one that tells the organization how to do things - how to run the business. It will drive organizations to do things a certain way just because the internal auditors said it has to be done that way, rather than doing things in a way that makes sense for the organization. Instead of listing out what specifically internal auditors must assess in an audit, guidance on how to consider risks, potential control objectives, and leading practices for management's consideration is much more aligned with the purpose of internal auditing and the mission of the IIA itself, which is "to provide dynamic leadership for the global profession of internal auditing" [7]. These requirements put internal auditors in a position where they're managing the organization (by making the risk appetite decisions and selecting the specific controls to manage risks), which impairs our independence and objectivity.

As written, the topical requirements for Cybersecurity set forth 27 expectations auditors are required to assess against; in effect, the document sets forth 27 criteria. The new Global Standards define a finding as a gap between the criteria and the condition of the activity under review. Standard 8.1 states that the Board sets expectations with the chief audit executive for the "criteria for determining which issues should be escalated to the board" [8], yet the topical requirements document requires auditors to assess whether any gaps are communicated to the board. Does the board get to decide the criteria, or does the IIA make that decision? According to the Standards, the Board has decision rights. According to the topical requirements, the IIA has those decision rights.

Thankfully, the IIA has the opportunity to modify the expectations. They provide a mechanism for us all to provide our feedback for them to consider before finalizing the expectations. I appreciate the effort the IIA has put into this monumental effort to update the Global Internal Audit Standards, including incorporating feedback loops in the process to improve the final product.

A Call to Action

Please take the time to review the proposed topical requirements for Cybersecurity and provide your feedback to the IIA. You have a chance to influence the direction of the profession and its impact on you.

And let me know your opinion and thoughts on the topical requirements in the comments below!

[1] From the purpose of internal auditing in the new Global Standards (page 15 of 62)

[2] From page 1 of 15 of the proposed topical requirements on cybersecurity

[3] From page 2 of 15 of the proposed topical requirements on cybersecurity

[4] From page 4 of 15 of the proposed topical requirements on cybersecurity

[5] From page 2 of 15 of the proposed topical requirements on cybersecurity

[6] From page 3 of 15 of the proposed topical requirements on cybersecurity


[8] From page 33 of 62 of the condensed Global Standards

Don't forget to get your copy of Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices today. It's available in paperback, eBook, and audiobook versions. Order here.

Views or opinions expressed here are solely my own and do not express the views or opinions of my employer.