Online Exclusive: Topical Requirements in View

Auditoría Interna magazine, Jan 29, 2025

Just over a year ago, you joined The IIA as the new executive vice president of Global Standards, Oversight, and Certifications, with the goal of leading the implementation of the profession's new Global Internal Audit Standards and driving the development and evolution of technical guidance and professional credentials. What challenges have you set for yourself in this mandate? How do you assess this year?

December marked a year of joining The IIA, and it’s been tremendous. Understanding how The IIA’s leaders, network of institutes, chapters, professional partners, and members work to ensure the internal audit profession is understood and valued has been a primary area of focus. The work that this group has done to elevate the profession has been great, but we have many opportunities to do more, and I’m focused on ensuring we can work together to realize more success.

Ensuring that we understand the global implications of what we do is critical, and our Standards, Guidance, and Certifications are at the heart of it; they are the foundation of what we do, how we do it, and how we are recognized for it. We need to work together to be recognized as a global profession that is needed to provide leadership and confidence. We can continue to protect organizations, but we also must focus on enabling growth, while serving the public interest.

The IIA is developing the Topical Requirements as a new element of the International Professional Practice Framework (IPPF). For what purpose have they been designed and how will they help internal auditors succeed?

The Topical Requirements establish a global baseline for internal auditors’ coverage of themes that are globally pervasive and persistent. Internal auditors’ application of the Topical Requirements can be a source of confidence for business leaders, regulators, and stakeholders seeking to understand the strength of governance and risk management processes in an organization. This global approach amplifies internal auditors’ value because they will be recognized as being part of a global profession that is working together to protect value and promote growth.

Why are the Topical Requirements necessary and how should they be applied in an internal audit?

The Topical Requirements are applied in concert with the Standards. An internal audit function that is conforming with the Standards will conduct its risk assessments, determine capacity and capability, develop audit plans, and determine its capacity to perform advisory services to support conformance with the Standards. The Topical Requirements provide a baseline of activities that will be included in this work by providing governance, risk, and control elements that an internal auditor will evaluate for applicability and performance.

Whether a Topical Requirement element is applicable will depend on the risk exposure and audit coverage. In addition, some internal audit functions will perform work that is more advanced than the Topical Requirement element. In these cases, the internal auditor can document the reason(s) for not performing the Topical Requirement element(s) and move on. Again, this provides a global baseline — it’s not a checklist or set of compliance activities. Internal auditors must use their professional judgment and apply the Topical Requirements according to their situations.

Specifically, The IIA has issued a draft on cybersecurity for public consultation. What participation has it had and how has the public input enriched the document? How has the draft been received by internal audit professionals?

The Cybersecurity Topical Requirement generated global comments and feedback. The areas that seemed to be the most challenging were the length of the document and the ability to apply it in small audit functions. Reviewing these comments helped The IIA’s Global Guidance Council and staff focus on the objective of the document and adjust.

The draft that was originally distributed also included guidance and tools, which made the Topical Requirement seem long and onerous. The team is working to address these comments by simplifying the document and ensuring that guidance and tools are distinct and easier to reference.

The fact that cybersecurity is the first Topical Requirement suggests that it is the main risk, according to Risk in Focus 2025. Bearing in mind that cybersecurity is a key area of risk management and hugely complex, what approach does the Topical Requirement offer?

Cybersecurity continues to be one of the pervasive and persistent risks I mentioned earlier. These types of risk require attention and a baseline understanding and competence to address. This requires internal audit functions to ensure they have the resources and staff to address the cybersecurity risks they determine are important. The Topical Requirements provide a platform by which to reconcile their resources and competencies and discuss them with their governing bodies and senior leaders. Again, the Topical Requirements enable better conformance and performance against the Standards.

What should internal auditors primarily review in assessing cybersecurity risk in terms of governance, risk management, and internal control?

Internal auditors will have a good understanding of risk management and internal controls, because these areas are most often included in risk assessments, engagement assessments, and audit planning processes. These areas include a recognition of the organization’s strategic and operational objectives and whether the risks to those objectives are appropriately managed through a strong system of internal controls.

Governance is a theme that has been more difficult to include in internal audit processes. When considering governance, internal auditors must consider whether the leadership and structure of the organization are appropriate to address risks, promote growth, and serve the public interest. These are themes that are more difficult and potentially politically charged to audit.

The Topical Requirements seek to provide objective steps to address these areas and enhance the value of the internal audit function globally.

What are the next Topical Requirements The IIA is going to launch, and which ones do you consider to be the highest priority?

The next Topical Requirement that is being drafted addresses third parties. The risks associated with outsourcing work are pervasive and persistent. Auditors understand that we can outsource the work, but we cannot outsource the risks of bad performance. This Topical Requirement seeks to address areas that internal auditors must understand and evaluate to ensure their organizations are operating with the right mindsets and structures to succeed. You can find more information on the Topical Requirements web page.

The IIA recently published Internal Audit: Vision 2035. One of the report’s main conclusions is the need to transform internal auditing to prepare for a changing business environment and achieve the desired future of the profession. What is the key to this transformation?

One of the keys to this transformation is for internal auditors to realize that working collaboratively does not mean impairment of their independence. For too long, some internal auditors have isolated themselves to demonstrate independence. This isolation has created a perception of the internal auditor as a policing function, or a function overly concerned with compliance at the expense of promoting growth and smart risk-taking. The IIA has existed for over 80 years, and these perceptions must be addressed.

Internal auditors can directly begin to address these perceptions by creating their strategic plans in conformance with the new Standards. The new Standards require the internal auditor to gain insight and input from their governing bodies and senior leaders to ensure alignment and unified purpose. Internal auditors can take this opportunity to create or strengthen these key relationships and promote the support needed to ensure we see another 80+ years of success.

This transformation is driven by the acceleration of new technologies, significant disruptive trends, and emerging risks. How does digitalization affect internal audit, and are the Topical Requirements you have developed designed to address emerging risks?

The Topical Requirements are not designed to address emerging risks. The IIA creates guidance and thought leadership to help support internal auditors in assessing the need to consider risks on the horizon. Once a theme or risk becomes pervasive and persistent, like cybersecurity, it is considered for inclusion on the Topical Requirements list and the Standards.

Along these lines, how does a Quality Assessment certificate help internal auditors be perceived as change agents and trusted advisors?

A certificate in Quality Assessment helps establish competence in this subject area. A person who earns this certificate can be relied upon to conduct an assessment of an internal audit function in conformance with The IIA’s Quality Assessment Manual. This certificate is being updated, and there will be more information about it in the coming year.

The only thing that will not change in the profession are the principles of independence and objectivity inherent in the internal auditor. That is why it is important to preserve them. According to Vision 2035, a high percentage of internal audit leaders surveyed (71%) state that they have other responsibilities in their organizations beyond their own function. Does this affect the preservation of their independence and objectivity?

Internal auditors working on other responsibilities was not a surprising result; however, that 71% are doing so was more than we anticipated. It is obvious that our governing bodies and leaders see the value of an internal auditor’s knowledge, skills, and abilities, and they are asking us to do more. While this can lead to a potential impairment of independence, it is the internal auditor’s responsibility to ensure that safeguards are in place to preserve it. In the coming year, The IIA will be issuing more guidance regarding identifying impairments and addressing them through appropriate communication and creation of safeguards.

Does this trend lead you to rethink an update of The IIA’s Three Lines Model?

The results of Vision 2035 have already caused The IIA to place the Three Lines Model on its list for updated position papers. We will work with a network of global leaders and stakeholders to update this model over the next year.

How do you see the future of internal auditing?

The future of internal auditing is truly bright, and the opportunities are plentiful. The speed at which we need to take advantage of these opportunities is critical, however. If we are to capitalize on these opportunities, we must be able to understand, implement, and communicate the value of the IPPF, use emerging technologies, and be OK with taking smart risks.

In addition, we must realize our potential and operate better as a global profession. I still believe we can realize #OneIIA, and I joined The Institute to help ensure we do. Again, I’m proud to have been an internal auditor for most of my career; now, I’m super excited to be able to lead, improve, and promote the profession as the EVP of Standards, Guidance, and Certifications.

This article originally appeared in the November 2024 issue of Auditoría Interna magazine, published by IIA–Spain.
