You may recall that when the new Global Internal Audit Standards™ (GIAS) were released in January 2024, we flagged that the GIAS would be joined by Topical Requirements – a more consistent approach to setting minimum requirements for internal auditing of fast moving and evolving topics.
The first Topical Requirement 🛡️Cybersecurity🛡️ launched today (US time) and comes into effect in 12 months, on 5 February 2026. It is supported by a helpful user guide that includes additional practical information such as mapping to international cybersecurity standards.
The Topical Requirement is applicable when the topic is one of the following:
- The subject of an engagement in the internal audit plan.
- Identified while performing an engagement.
- The subject of an engagement request not on the original internal audit plan.
With the GIAS, Topical Requirements form a mandatory component of the 2024 International Professional Practices Framework (IPPF). These requirements ensure that internal audit functions—regardless of size or sector—apply a consistent audit methodology when assessing governance, risk management, and controls in specific topical areas.
Additional Topical Requirements are expected to be released for public consultation in 2025, including:
- Third-Party Risk Management
- Culture
- Business Resiliency
We encourage you to familiarise yourself with these documents. As we did with the GIAS release and effective date, over the coming months we will provide additional resources to support you in your application of these and other aspects of the IPPF. For this Topical Requirement, we will specifically provide mapping to local requirements such as those defined by APRA.
Please remember, if you have technical enquires, you can always drop us a line at IAassist.