
How Internal Audit can strengthen cybersecurity through strategic collaboration with InfoSec

June 12, 2025
Mike Levy

CEO and Managing Principal of Cherry Hill Advisory

Cybersecurity isn’t just an IT problem. For internal auditors, it's a growing pressure point — one they’re expected to weigh in on, even if they don’t hold the technical keys. But with the introduction of the IIA’s new Cybersecurity Topical Requirement, that expectation is becoming an obligation.

So how can audit teams contribute meaningfully to cyber risk oversight when they’re not the ones managing firewalls or scanning for intrusions? The answer lies in something deceptively simple: better collaboration.

Why cybersecurity challenges audit in unique ways

Cybersecurity is different from other enterprise risks. It’s fast-moving, highly technical, and, unlike most risks, you have to get it right every single time. The consequences of failure — financial, reputational, and operational — are often severe.

But for internal auditors, there’s a catch: we don’t own this risk. We’re supposed to provide objective assurance, but when it comes to cybersecurity, it’s hard to give assurance on things you can’t fully see or don’t fully understand. And that creates a knowledge and visibility gap that many audit teams struggle to close.

To help address this, the Institute of Internal Auditors has introduced a Cybersecurity Topical Requirement, which will become mandatory in 2026. It doesn't prescribe how to audit cybersecurity in detail — instead, it sets a baseline. It ensures that when internal audit says “we’ve audited cybersecurity,” that actually means something.

At a high level, the requirement asks auditors to:

  • Align with an established cybersecurity framework (like NIST or ISO 27001)
  • Assess cyber governance, risk management, and controls
  • Document how they’ve approached each of these areas

Most functions are already doing parts of this — but documentation and consistency are where many fall short. That’s where the opportunity lies.

What stronger Audit–InfoSec collaboration looks like

If audit is the third line of defense, the second is usually a combination of IT security, compliance and risk teams. And these relationships can be tense.

In some organizations, InfoSec teams are hesitant to let audit in. They say, “We’re already testing our own controls,” or “We know our systems better than anyone.” While those statements may be true, they miss the point. Independent validation isn’t a challenge to ownership; it’s a safeguard.

And when those walls stay up, real risks get missed. It’s only after a breach that both sides realize just how much they could’ve benefited from tighter coordination.

Audit and InfoSec don’t need to merge roles. But they do need to build trust, align on goals, and communicate regularly, not just after something goes wrong. High-performing audit teams are starting to shift left — getting involved earlier in the process, not just showing up after the incident or implementation.

This doesn’t mean taking over InfoSec’s job. It means:

  • Participating in vendor risk evaluations
  • Observing security governance meetings
  • Advising on control design during system changes
  • Sharing threat and control monitoring data in near-real time

This kind of partnership pays off. Not only does it improve cyber resilience, but it also gives internal audit more credibility with stakeholders — and a seat at the table in cyber discussions.

The right technology can bridge the gap

One of the biggest barriers between audit and InfoSec isn’t mindset; it’s infrastructure. These teams often work in different systems, with different data, using different terminology. That fragmentation slows everything down: risk identification, reporting, response and trust-building.

Technology isn’t a silver bullet, but it’s a powerful enabler. When audit and InfoSec can access the same risk data, track issues through shared dashboards, and automate low-level work, two big things happen:

  1. Collaboration gets easier.
  2. Everyone spends more time on high-value analysis instead of chasing information.

What to look for in enabling technology:

For auditors, these tools help close the knowledge gap. You don’t need to be a security engineer to understand risk posture when analytics, audit plans and control testing are integrated. And for InfoSec, working alongside audit no longer feels like an extra burden — it’s part of a coordinated effort.

The right tooling also supports growing expectations around documentation and defensibility. If your audit team needs to demonstrate alignment with the IIA’s Cybersecurity Topical Requirement, having a system that tracks activities, links evidence and maps to frameworks makes that achievable.

Final thought: Audit's role in cyber strategy is growing

Internal audit teams don’t need to become technical experts in penetration testing or endpoint detection. But they do need to understand the risk well enough to ask the right questions — and spot when something doesn’t add up.

That means:

  • Advising, not just assuring
  • Upskilling, or partnering with subject matter experts
  • Investing in tools that close the visibility gap

The most effective audit leaders aren’t just checking boxes. They’re helping shape how their organizations invest in cyber controls and measure their maturity. And they’re doing it in partnership with InfoSec — not in isolation from it.

Cybersecurity is evolving fast, and so is internal audit. The gap between the two is no longer just a missed opportunity; it’s a liability. But with the right relationships, frameworks, and tools, audit can play a critical role in keeping organizations secure, compliant and resilient.
