The Institute of Internal Auditors presents All Things Internal Audit Tech. In this episode, Logan Wamsley talks with George Barum about the IIA's newly released Cybersecurity Topical Requirement. They discuss what it means for internal auditors, how to prepare for its 2026 effective date, and why CAEs should take action now. The conversation also highlights the companion User Guide, outsourcing considerations, framework references, and IIA resources available to help internal audit functions conform with confidence.

George, I don't get to see you too often in the office, but it's a pleasure to talk to you today. Thanks for taking some time to chat with me about this. I really appreciate it.

Hey, Logan, it's good to be with you. Thanks for the time.

What I wanted to talk to you about today is one of the most exciting things we've had going on at the IIA this year. Of course we had the release of the new Standards, the IPPF, but this year we're also combining that with the release of our topical requirements, which are one of the newest additions to the IPPF. They don't take effect until 2026, but I know there's a lot of discussion going around about what the topical requirements will entail. The first one we've released is on cybersecurity. Now that this first topical requirement has been released and people have had some time to digest it, read it, and analyze it, what are you hearing talked about the most in your discussions with others?
Yeah, Logan, I guess it was February this year, February 5th, when we released the Cybersecurity Topical Requirement. Before we actually published it, it went through a public comment period, and we spent some time talking to practitioners across the country and around the globe about what we were trying to do with topical requirements and their intention. So I think a lot of people had a pretty good understanding of what they would include. We also talked about cybersecurity being the first one, so I felt like there was pretty good awareness. But even though there were maybe some people who hadn't heard about it or weren't familiar with the concept, after we released it in February we did a webinar the very next day, which is still available from the IIA. We continued to follow that process, where we provided some background information, some of the history of how we develop them, and then actually walked through the topical requirement. Most people I've talked to, and the comments we received, found that webinar valuable.

As far as answering your question on what we're hearing now that it's out, the biggest thing I'm hearing is internal auditors saying that it's best to get started on them now versus waiting until they're effective. They're effective a year after publication, so they'll be effective February 5th, 2026. I think it's the same understanding as with the Standards: don't wait until they're effective to start doing your work, but start reading through, make sure you have a good understanding of what's included, and just be as familiar with it as possible.
Thank you. I know that as part of your job you talk to members and get feedback since the release, and I know they love to share feedback with you. Based on what you're hearing from our members, what are some of the successful tips that you have heard from chief audit executives as they're working now to implement the Cybersecurity Topical Requirement?

Yeah, I think it goes with what we just talked about as far as not waiting, going ahead and getting started. When it comes to IT audit and cybersecurity, it's having that skill set, making sure that your internal audit function is positioned well in terms of proficiency and competency to be able to look at IT controls and IT processes. That's something I've heard a lot of people saying: they're making sure they have the resources lined up, whether that's internal or maybe an advisor who can help them with this. So lining up your resources and making sure you know who's going to be working on this is a key thing. And for the people who are doing it in-house, having their internal audit function do it depends on your level of skill with IT audit, I guess I would say. Some people are using this as an opportunity to brush up on some of the cybersecurity risks and controls and the typical things that you see. So I think the biggest thing is just trying to get prepared, knowing what you're up against, and planning accordingly.

Yeah. On the topic of knowing what you're up against, I think the IIA is aware of this. In coordination with the release of the topical requirement, we also very proudly released a Topical Requirement User Guide. How do you feel this new User Guide can support internal auditors as they begin their work in conforming to the requirement?
Yeah, that's a great question, Logan. The User Guide is really a companion to the topical requirement. The approach we took to writing it was to define the scope, what we want it to cover, and make sure it's written in a way that your average internal auditor can understand. By that I mean you don't necessarily have to have a very elaborate IT audit background. It's written in a way that I think most internal auditors will be able to understand conceptually. We also tried to provide a lot of examples. Of course we have the requirements within the topical requirement, and then the User Guide provides illustrations and examples. It really helps, for lack of better words, to hold someone's hand to get through the process. So it's written in a way that hopefully is easy to understand and easy to read, and it can be used to really help you get through the process.

Yeah. As someone who has read it myself and has built some content around it, you guys did a great job. You should be very proud of it. Anybody listening to this, I'd highly recommend that you review it. One of the things that strikes me while reading it is that I think it's great for hands-on use, but I know there are a lot of internal audit functions out there that, in developing this, tend to outsource, which is completely necessary. For internal audit functions that do outsource their cyber audit work, how do you recommend that they work to conform to the topical requirement?
Yeah, that's a question, Logan, that we're asked quite frequently. At the end of the day, under the IPPF, it's still the chief audit executive's responsibility to ensure conformance with the topical requirement. That responsibility still resides with the CAE, but in terms of who's actually helping do the work, internal audit functions can certainly reach out to outsource providers, people who may be focused more on IT audit. That's definitely an acceptable way to go about it. However, it's important to be sure it's understood that the chief audit executive is responsible for making sure that happens, reviewing the work that's performed if it's outsourced, no different than if another piece of the internal audit function were outsourced to someone else. Just making sure it's clearly known that the chief audit executive, at the end of the day, owns the conformance piece of the topical requirements. They can have people assist them with it, but at the end of the day, they're the ones who are responsible for it.

One of the most useful aspects I found when I was reading it is the framework references listed in the appendix at the back, something any CAE should probably print out for reference. Can you tell me a little bit about these references and how they were put together?

Yeah, so cybersecurity is a very broad topic. It touches so many things. I think it would be pretty difficult to come up with a lot of business processes that have no aspect of cyber. So that was certainly something we had to keep in mind, that it touches so many things. But I think the good thing about cybersecurity is it's been around for a long time, so there are a lot of frameworks that have been out there for a while and are widely adopted across the globe. We really tried to focus on some of those that we thought were the most appropriate and most applicable for internal auditors. We chose two of the NIST frameworks, 800-53 and in particular the Cybersecurity Framework, and then COBIT 2019 from ISACA as well. We got a lot of input, not just from North America but from around the globe, that those are frameworks that are widely used; a lot of organizations use them. So we did a cross-reference, or a mapping, between the topical requirement specifics, each actual requirement, and what organizations might already be using under those frameworks from NIST and COBIT. There are other frameworks out there, and certainly we weren't going to map it to everything, but like I said, the number one thing was to be sure we identified relevant frameworks, tried and tested ones that have been around for a while. We also tried to look at ones that wouldn't present an additional cost to members. The NIST frameworks and the ISACA COBIT framework are all free of charge, so it wouldn't result in our members or practitioners incurring additional costs. There are other frameworks out there, like some from ISO, that are really good as well, but those have some costs associated with them.

Yeah, this is true not just for the frameworks themselves but also for the cybersecurity risk landscape: it's continually evolving, right?
Every single day there's something new going on, and it's always something internal auditors have to keep up on. I know this is referred to in the topical requirement as well. So how often are the topical requirements going to be updated as we try to keep up with this landscape?

Yeah, certainly cybersecurity has emerging aspects and things that are changing, so that is true. However, I would say that the way this is written, Logan, is more from a baseline standpoint. What we really tried to establish is the minimum requirements that an internal auditor would look at. That's not to say those baseline items might not change over time, but we feel like they're written in a very foundational manner, so we think we accomplished that. Now, that's not to say things couldn't change. Like I said, there may be some emerging risk; think about how artificial intelligence has grown so much over the past couple of years. As things change like that, we certainly want to be sure we're thinking about them and that this topical requirement remains relevant. So what we're planning to do, or I'll say the next step on this, is on an annual basis to take a look at the topical requirement, make sure it's still relevant, and look at what the risk landscape looks like to see if there's anything emerging that we need to include in terms of updating that baseline. And we talked about the other frameworks we've referenced: certainly if those frameworks underwent pretty significant changes, we'd want to be sure we keep that mapping up to date so it's as easy to use as possible for practitioners. So, to summarize, we'll look at it on an annual basis and make changes as we need to.

Are these frameworks updated on a regular timetable, or do they just come when they come? Do you know if this is something we need to keep in mind anytime soon?

Yeah, I think it just varies based on the organization. ISACA, for example, has COBIT 2019, which has been out for a few years now. I would anticipate that in the next few years they'll probably update it, but I don't have any kind of inside information; that's just my guess, based on how they refresh their frameworks. Same with NIST. NIST will sometimes do a lighter refresh or a lighter update, and sometimes they'll do a completely different version. So it's hard to say what happens, but I think they go through the same process we do at the IIA: they take a look, make sure they're scanning the environment, and stay as up to date as possible, because so many people rely on this guidance.

On to the next topic I have here. One of the points we bring up in the requirements that's important, in the notes we highlight in bold, is the release date, or rather the implementation date, which is February 2026. I know there is time to make any adjustments that are needed, but it's also coming sooner rather than later. It's like Christmas: before you know it, it's here. As we're approaching that date, what are some recommendations you personally would give to internal auditors as we get closer to it?

From a chief audit executive standpoint, go ahead and start having those conversations. Talk to your audit committee, talk to your board, whoever provides your governance and whom you report to, and have those discussions. I also think it's good to talk to management. As you meet with your IT department and the leaders who have responsibility for cyber-related processes, just make sure they're aware and that there's an understanding. We don't want to wait until the end and then have management or the audit committee say, you should have communicated this a few months ago. So having those discussions early in the process, as a chief audit executive, makes sense. If you're working as a staff person or maybe as a manager within your internal audit function, I think it's just making sure you've read through it and know what the requirements entail. Be very familiar with it, be able to be a resource to your internal audit function, and understand what those requirements include. And going through that User Guide, reading through it, and making sure you're aware and up to date with some of those examples that can help you demonstrate conformance would be a very valuable thing that anyone in an internal audit function could do. So it's not just the chief audit executive; internal auditors in various roles can make sure they've done their homework and are as prepared as possible.

Mm-hmm. And I think it's really important to emphasize that the IIA, beyond just what you hear from us on a podcast, offers a real variety of resources to help all of our members along the way.
Are there any resources the IIA offers to assist in this task that you can cite off the top of your head?

Yeah. Another great question, Logan. If you just go to our website and search for cybersecurity, we have revamped our website and you get a lot of really good results. That's a good place to start. Some specific things I would encourage people to look at are our GTAGs. We have cybersecurity GTAGs that have been updated with the most recent Standards, so those are available as well. That's a good place to look. But we have other resources too. I think there are other podcasts, and there's the webinar we did the day after the Cybersecurity Topical Requirement was released, so that could be a good place to start as well. And then just look at the topical requirements section of our website, under Standards. If you go there and go to the cybersecurity one, you'll be able to access the topical requirement and the User Guide. There are also frequently asked questions there, so some of the things your internal audit function is thinking about at your organization might already be listed, and we'll update that section as well. There's a lot of great information out there, but the GTAGs, the website, and some of those resources are really going to be helpful, I think.

And to add to that, specifically for our Audit Leaders Network members, I'd also like to point them to the Executive Knowledge Brief that we released based on feedback we have received from CAEs we've talked to about strategies they're implementing regarding the new topical requirement. And also the new service the Audit Leaders Network has, Ask the Experts, where if they have any questions about the requirement they can reach out to us directly and we'll give them a detailed response based on their personal situation. I think those are two avenues we can travel down as well. Before we're out of time, is there anything else you'd like to mention or talk about?
No, I think it's just that we're doing something different with the IPPF. This is the first time we have launched a topical requirement, and we're planning to launch more in the future. There's going through the process of understanding what it entails and why we're doing it, and really trying to raise the level of assurance we provide as internal auditors. Just getting everyone comfortable with it, making sure they're aware, have good information, and are as prepared as possible. We knew with this first one we'd have some of that. So once we get through this first one on cybersecurity and it's been out there a while, hopefully with the next ones we release people will at least be familiar with the concept and what we're trying to do, and the ones that come after cybersecurity will hopefully be a little easier to manage and prepare for.

Yeah. I know that initially, if you see the topical requirements coming, the first thought is probably, wow, this is a whole lot of new conformance-related things we need to keep up with. But I think as people get comfortable with the idea and the concept, they're going to realize that what this is really doing is raising the bar for internal audit functions everywhere, and that raising that baseline is really going to go a long way toward ensuring the future of the profession.

Yeah, agreed.

That is all I have for you today. I think we covered a lot of ground. I hope anybody listening will please look at our other resources. Please review the topical requirement as much as you can and get an understanding of it and of the development of it. George, I really appreciate your time. Thank you so much.

Okay, Logan, thanks for having me.

To learn more about the IIA Cybersecurity Topical Requirement and how some of the world's top internal audit leaders are implementing it, be sure to check out the Audit Leaders Network's latest Executive Knowledge Brief, The Cybersecurity Topical Requirement in Practice. Executive Knowledge Briefs are only available to Audit Leaders Network members, so if you're not a member, check out the many benefits of joining today by using the link in the show notes. If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts. You can also catch other episodes on YouTube or at theiia.org. That's T-H-E-I-I-A.
