The Cybersecurity Topical Requirement (CTR) document from The Institute of Internal Auditors Inc. aims to provide a structured approach for internal auditors when assessing cybersecurity risks, governance, and controls. It sets minimum expectations for auditing cybersecurity but, in my opinion, remains too high-level to be of significant value in practical audits.
Key Areas Covered
- Governance – Establishing cybersecurity strategies, board-level reporting, and stakeholder engagement.
- Risk Management – Identifying and mitigating threats, defining accountability, and setting incident escalation processes.
- Controls – Implementing technical security measures such as encryption, network segmentation, and incident response.
While these areas provide a basic structure, they do not offer in-depth guidance on how auditors should practically assess cybersecurity risks or provide assurance on technical implementations.

After years in IT auditing, I find that cybersecurity audits require more than just high-level guidance. The CTR document is useful in defining general expectations, but it lacks depth in practical cybersecurity auditing. Internal auditors, particularly those without a strong IT background, will struggle to assess real technical risks using this document alone.
- Auditing cybersecurity is not just about governance and frameworks; it requires deep technical expertise in, e.g., operating system security, network security, cloud security, OT security, AI security, and DevSecOps.
- Internal auditors alone cannot keep up with the rapid changes in cybersecurity threats. Even IT auditors face difficulties, which is why collaboration with subject-matter experts is necessary.
- Documents like IIA GTAGs and ISACA’s cybersecurity audit programs provide far more practical approaches than CTR.
- Without technical cybersecurity knowledge, relying only on this guide is not enough to provide meaningful assurance on cybersecurity risks.
Cybersecurity auditors must go beyond frameworks and develop expertise in:
- Understanding shared responsibility models, misconfiguration risks, and compliance challenges in AWS, Azure, and GCP.
- Assessing industrial control systems, SCADA security, and NERC CIP compliance.
- Evaluating risks in AI-driven decision-making, bias detection, and adversarial AI threats.
- Understanding secure coding practices, CI/CD security, and SBOM.
- Aligning cybersecurity audits with evolving threats and attack patterns (MITRE).
Many audits fail because they focus on checklists rather than understanding how real cyber risks materialize. Without knowledge in these areas, audits become tick-box exercises rather than valuable risk assessments. If internal audit wants to add value in cybersecurity, it must evolve beyond high-level requirements and integrate real technical expertise.
Author: Sebastian Burgemejster