The Evolving Role of Internal Audit – Adapting our assurance services to meet the Global Internal Audit Standards and Topical Requirements
Standards for all professions are regularly reviewed and updated, and the internal audit profession is no different. Our standards and guidance materials continue to evolve to keep pace with the increasing complexity of modern business environments. One of the most significant shifts in the internal audit profession is the establishment of the Global Internal Audit Standards (GIAS), which are a mandatory component of the International Professional Practices Framework (IPPF). Issued by the Institute of Internal Auditors (IIA), the IPPF and the GIAS provide a comprehensive framework for performing internal audits across all industries, ensuring consistency and reliability in audit practices worldwide.
The introduction of the GIAS in January 2025 means that all levels of the internal audit fraternity – auditors, chief audit executives and audit committees – are now required to review and update their practices and materials to ensure compliance with the GIAS.
Continuing the themes of integrity, objectivity, competence and confidentiality, the GIAS has established five domains, including those for governing, managing and performing internal audit services.
Changes to standards are generally driven by several critical factors, including emerging risks, technological advancements, globalisation and shifting stakeholder expectations. The introduction of the GIAS reflects the need for internal audit functions to adapt and actively contribute to organisational governance, risk management and strategic objectives. The GIAS are accompanied by mandatory Topical Requirements papers to ensure internal auditors remain abreast of current events.
Cyber Security Topical Requirement
Emerging risks are among the most significant catalysts for changes in internal audit standards. Cyber security threats, data breaches and the complexities of regulatory compliance require auditors to possess deeper technical knowledge and broader expertise than ever before. As such, another mandatory component of the IPPF is the set of Topical Requirements, with the first, Cybersecurity, launched in early 2025.
In today’s interconnected world, cyber security has emerged as one of the most pressing concerns for businesses. The rapid digitalisation of operations, combined with the increasing sophistication of cyber threats, has made it essential for organisations to integrate robust cyber security practices into their internal audit processes.
As a result, many internal audit functions have expanded their scope to include cyber security audits, helping to identify vulnerabilities and strengthen the overall control environment. This in turn helps to protect information assets and limit the unauthorised access, theft, disruption or destruction of information. It involves reviewing the effectiveness of controls, policies and procedures related to information security and assessing whether the organisation is compliant with relevant cyber security regulations.
Internal auditors are increasingly tasked with reviewing:
- Cyber Risk Assessments: Identifying potential cyber threats and vulnerabilities that could affect the organisation’s systems and data. Cyber awareness and mitigation are included in the responsibilities of Company Directors and public servants.
- Security Controls: Evaluating the effectiveness of security measures, such as encryption, access control and firewalls, in protecting against cyber-attacks.
- Incident Response Plans: Ensuring that the organisation has a well-defined process for responding to data breaches or cyber incidents.
- Regulatory Compliance: Assessing the organisation’s compliance with national and international cyber security regulations and standards, e.g. the Australian Government Information Security Manual (ISM), Australian Prudential Standard CPS 234 “Information Security”, ISO 27001:2022 “Information security, cybersecurity and privacy protection — Information security management systems” and the National Institute of Standards and Technology (NIST) Cybersecurity suite.
The growing importance of cyber security in internal audits reflects the increasing recognition that digital assets are a critical part of an organisation’s infrastructure. A breach or compromise of these assets can lead to severe consequences. As a result, auditors are now required to possess specialised knowledge in information technology and cyber security, making the profession more interdisciplinary.
Standards for Critical Infrastructure: Protecting Essential Systems
The security of critical infrastructure, meaning systems and assets that are vital to a country’s security, economy and public health, is another area where internal audit functions are being called upon to play an enhanced role. In the Australian Security of Critical Infrastructure Act 2018 (the SOCI Act), ‘Critical Infrastructure’ includes sectors such as communications, financial markets, data, defence, education, transport, utilities, space and healthcare, all of which are integral to the functioning of society. Given the potential consequences of disruptions or attacks on these systems, organisations in these sectors are subject to stringent regulatory requirements and adherence to industry standards.
Internal auditors in organisations operating in critical infrastructure sectors are increasingly required to assess the resilience and security of these essential systems. This includes evaluating both physical and digital aspects of critical infrastructure, identifying potential vulnerabilities and ensuring that effective risk management and security protocols are in place. The importance of this role has been amplified by the growing frequency of cyber-attacks on critical infrastructure, such as ransomware attacks targeting hospitals or energy grids.
Key considerations for auditors in critical infrastructure sectors include:
- Risk Management and Resilience: Ensuring that organisations have comprehensive risk management frameworks in place to identify, assess and mitigate risks to critical systems.
- Security Controls: Auditors must evaluate the robustness of both physical and cyber security measures protecting critical infrastructure, including access controls, monitoring systems and incident detection protocols.
- Compliance with Industry Standards: Internal auditors must ensure that organisations comply with national and international standards for critical infrastructure protection, such as the SOCI Act.
- Crisis Management: Internal audits may also assess the effectiveness of crisis management and business continuity plans to ensure that the organisation can continue to function in the event of an attack or disaster.
The Institute of Internal Auditors has released a draft Topical Requirement on Third Parties which will provide further guidance on evaluating and assessing Third Party governance, risk management and control processes that are critical to the supply chain of all organisations. Particularly in the Critical Infrastructure industries, understanding the supply chain and the risks and controls associated with third parties is crucial to conformance and business survival. A further Topical Requirement on Organisational Resilience, to be released later this year, may also help critical infrastructure operators manage their assurance framework.
Data Management: Ensuring the Integrity and Privacy of Information
Data management has become a top priority for businesses worldwide, as organisations increasingly rely on vast amounts of data to drive decision-making and operational efficiency. Beyond the cyber security elements for data and the third-party elements for the supply chain, internal auditors are required to ensure that data management practices adhere to regulatory requirements and best practices in data privacy, security and governance.
The growing importance of data has also led to an increased focus on the accuracy and integrity of information, particularly in industries such as finance, healthcare and government, where errors or data breaches can have serious consequences. Internal auditors are tasked with evaluating whether data is properly secured, stored and processed, and whether organisations comply with privacy regulations in Australia (the Privacy Act 1988) and around the world, such as the General Data Protection Regulation (GDPR) in Europe.
Data breaches and the mishandling of data are not just a technical risk; they also present significant legal, financial and reputational hazards. Internal auditors must be increasingly vigilant in their assessments of data management practices.
Auditors must assess:
- Data Governance: Ensuring that the organisation has clear policies, procedures and controls in place to govern the collection, storage and use of data.
- Data Security: Reviewing the adequacy of the security controls in place to protect data from unauthorised access, theft or loss.
- Compliance with Privacy Laws: Ensuring that the organisation complies with data privacy regulations and that there is transparency in how customer data is handled.
- Data Quality and Accuracy: Verifying that data used for decision-making is accurate, complete and reliable.
Internal audit may also provide assurance of data frameworks utilising industry guidance such as the Data Management Association (DAMA) Data Governance Framework.
Conclusion: The Evolving Role of Internal Audit
The landscape of internal auditing is changing rapidly in response to evolving risks and emerging challenges. With the introduction of the GIAS and the Topical Requirements, internal auditors now have an updated framework to guide their work, ensuring greater consistency and reliability in audit practices across the globe. At the same time, the increasing importance of cyber security, critical infrastructure protection and data management has expanded the scope of internal audit, requiring auditors to develop specialised expertise in these areas.
As organisations face more complex and interconnected risks, the role of internal auditors has become more strategic and vital to the overall success of businesses. Anchoram Consulting’s Integrated Assurance service offerings combine the traditional functions of internal audit and risk management with our cyber security, technology services, protective security and data management practices to provide a holistic assurance offering that extends well beyond simply fulfilling compliance requirements.
Contact Anchoram Consulting today to find out how you can become an active contributor to your organisation’s resilience and sustainability.