Compliance | April 30, 2026

Cybersecurity and digital resilience: The 2026 outlook for governance

Cybersecurity is no longer just an IT issue—it’s a critical board-level business risk. With cybersecurity threats growing more sophisticated, driven by geopolitical tensions and rapid technological advancements like artificial intelligence, organizations are under immense pressure to stay ahead. The stakes are high, and the role of internal audit in this evolving landscape has never been more important.

In this fast-paced environment, organizations must balance innovation with security. But keeping up isn’t easy. Disruption can spread across borders quickly, and governance frameworks and human expertise often lag behind the pace of change. Meanwhile, increasingly stringent regulations in regions such as the United States, the European Union, and Asia Pacific are forcing organizations not only to comply with evolving standards but also to strengthen their digital resilience.

How can organizations protect their data while staying compliant? It starts at the top. Boards, Audit Committees, and senior management must lead the charge by establishing robust resilience strategies and embedding a culture of cybersecurity awareness throughout the organization. Internal auditors also play a critical role in this effort. By applying the Institute of Internal Auditors’ (IIA) new Cybersecurity Topical Requirement, which became effective February 5, 2026, internal auditors can help their organizations be better prepared for what’s ahead.

Cybersecurity as a critical business and enterprise risk

The IIA’s 2026 Risk in Focus survey sheds light on the world’s top five risks, based on insights from over 4,000 chief audit executives and directors across 131 countries. For the fifth consecutive year, cybersecurity was ranked as the No. 1 global risk and internal audit priority, with 73% of respondents identifying it as a key concern. Cybersecurity was followed by digital disruption (48%), business resilience (47%), human capital (43%), and regulatory change (41%).

What’s notable is how interconnected these risks are. Cybersecurity often drives digital disruption, while business resilience is the ability to manage both. Human capital consists of the people in the organization who know and understand the significance of cyber resilience, and regulatory change requires oversight from Boards, Audit Committees, and senior management. Internal audit, however, is the function that brings it all together, providing assurance that cybersecurity risk is being effectively managed.

The World Economic Forum’s Global Cybersecurity Outlook 2026 also examines the importance of digital resilience in minimizing the impact of cybersecurity incidents, whether from a data loss or ransomware attack, on an organization’s business goals and objectives. While 64% of organizations report meeting their minimum cybersecurity resilience requirements, only 19% claim to exceed them. This is an improvement from 2025, but there’s still significant room for growth.

Could your business recover from a cybersecurity incident?

When a cybersecurity incident happens, the impact reaches far beyond IT systems. Organizations often face:

  • Operational downtime and lost productivity
  • Regulatory and compliance concerns
  • Financial losses and recovery costs
  • Loss of customer trust and reputational damage

Post-incident investigations often reveal a common root cause: a lack of cybersecurity awareness among employees. Building a strong cybersecurity culture is crucial. Cybersecurity awareness isn’t about instilling fear; it’s about prevention and preparedness. Employees should understand their role in protecting the organization and be able to recognize common cybersecurity threats to encourage safer decision making. This can be achieved by embedding cybersecurity awareness into everyday working practices, hosting regular training, and conducting phishing simulations.

Cybersecurity insurance: Can you afford to be without it?

When it comes to cybersecurity insurance, the question isn’t whether your organization can afford it; it’s whether you can afford to be without it. Risk is about uncertainty, and cybersecurity threats are a major risk affecting all sectors because of the widespread use of technology and data. Internal auditors can play a vital role in helping senior management assess whether cybersecurity insurance is necessary by evaluating the organization’s risk appetite as cybersecurity threats continue to evolve.

While cybersecurity insurance can help organizations mitigate the financial impact of cybersecurity attacks, it’s not a substitute for robust cybersecurity measures. Internal audit should ensure that insurance is just one part of a broader risk management strategy rather than a standalone solution.

The expanding scope and complexity of cybersecurity risk

For many organizations, a gap still exists between the scale of the cybersecurity threat and actions being taken to address it. While senior management may prioritize cybersecurity, only about half of businesses have implemented measures to identify and mitigate these risks. Internal audit can help close this gap by providing assurance that cybersecurity controls are in place, policies are communicated, and protocols are tested across departments and business units.

When evaluating cybersecurity controls, internal auditors should ask:

  • Are the controls fit for purpose and effectively implemented?
  • Are they being monitored and tested across departments?
  • Have cybersecurity policies been communicated across the organization?
  • Has scenario planning and testing been conducted?
  • Can the organization mitigate the risk of a cybersecurity attack beyond relying on insurance?

By embedding cybersecurity into governance frameworks and strategic planning, organizations can ensure accountability at the Board level and strengthen their long-term resilience.

Global cybersecurity regulatory developments

The regulatory environment for cybersecurity is becoming increasingly complex, with obligations that include Board oversight, incident disclosure, third-party risk management, and operational resilience.

In the EU and UK, key regulatory frameworks set high standards for cybersecurity and data privacy. They include:

In the U.S., the Securities and Exchange Commission (SEC) now requires public companies to disclose cybersecurity incidents and ensure board-level cybersecurity risk oversight. State-level privacy laws, such as the California Consumer Privacy Act and the California Privacy Rights Act, impose strict data handling, consumer rights, and breach notification requirements.

Meanwhile, countries in the Asia-Pacific region, such as Singapore, Japan, China, and India, are updating laws to strengthen their own data privacy and cybersecurity enforcement.

Internal auditors must stay informed about these regional regulations and legislation, especially when organizations operate across multiple jurisdictions. Focus areas should include cross-border data flows, vendor risk management, and readiness for breach notification.


Board-level accountability and regulatory enforcement expectations

Regulators are increasingly focused on organizations’ efforts toward fostering a cybersecurity-aware culture. This means Boards and Audit Committees are responsible for providing oversight, setting the tone for cybersecurity, aligning strategy with organizational goals, and defining the organization’s risk appetite.

To meet these requirements, Boards and Audit Committees should focus on three key areas:

  • Effective oversight practices. Regular engagement with management and conducting scenario exercises help support proactive cybersecurity risk management and adapt governance frameworks to evolving threats. Domain III of the IIA’s Global Internal Audit Standards, Governing the Internal Audit Function, provides clear guidance on the oversight requirements for Boards, Audit Committees, and senior management.
  • Cultivating a cybersecurity-aware culture. The Board and Audit Committee must ensure that security awareness, training, and accountability are embedded across the organization, ensuring a resilient culture beyond technical controls.
  • Internal audit’s assurance role. Internal audit plays an important role in assessing the effectiveness of cultural initiatives, policy consistency, and governance structures to aid effective decision making.

Cybersecurity governance and internal audit responsibilities

Internal auditors are uniquely positioned to evaluate and strengthen an organization’s cybersecurity measures, emphasizing governance, risk management, and operational resilience.

Here’s how internal audit can make a difference:

  • Assessing cybersecurity governance. Internal audit should evaluate the organization’s cybersecurity strategies, ensuring policies are up to date and roles and responsibilities are clearly defined to support governance effectiveness.
  • Conducting risk assessment and incident planning. Internal auditors must verify enterprise-wide risk assessments and escalation thresholds, supported by testing incident response plans with simulations.
  • Embedding a security culture. By evaluating awareness programs and cultural initiatives, internal auditors verify that security practices are integrated into daily operations and employee behavior.
  • Board and Audit Committee reporting compliance. Internal audit must review Board and Audit Committee reports for clarity and completeness and provide actionable insights to decision makers.

Internal auditors should also focus on auditing controls for digital resilience. This includes identity management, encryption, and network segmentation to strengthen the organization’s security position. For example, access rights and privileges often accumulate as employees move across departments, creating potential vulnerabilities. Internal audit can help identify and address these risks.

Additionally, vendor risk management is critical. Internal auditors should verify third-party reports, ISO certifications, and penetration tests to ensure vendors meet the organization’s security standards. Resilience and continuity are equally important, with internal audit assessing backup integrity, disaster recovery plans, and third-party continuity strategies.

Data analytics can further enhance audit effectiveness by detecting anomalies, insider threats, and control failures. Internal auditors should ask themselves:

  • Are we identifying control failures?
  • Are we understanding the impact of these failures on key risks?
  • Are we leveraging these insights to better support our organization?

IIA Cybersecurity Topical Requirement

The IIA’s new Cybersecurity Topical Requirement sets a mandatory baseline for auditing cybersecurity risks. It addresses inconsistencies in cybersecurity audit practices by establishing clear, minimum expectations to improve the consistency and quality of assurance results. While not codified in the Global Internal Audit Standards, the requirement carries the same authority, and conformance is mandatory.

Whether conducting assurance or advisory engagements, internal audit must apply the Cybersecurity Topical Requirement whenever cybersecurity risks are part of the audit scope. This allows internal auditors to align with Global Internal Audit Standards and provide consistent, high-quality assurance results.

It’s also important for internal auditors to brief Boards and Audit Committees on whether governance, risk management, and control processes for cybersecurity are effectively designed and implemented.

Governance

Strong governance is the backbone of effective cybersecurity. Internal auditors must assess how cybersecurity is managed and overseen within the organization. Key considerations include:

  • Establishing and periodically updating a formal cybersecurity strategy and objectives, with regular Board/Audit Committee review of progress, resources, and budget.
  • Updating cybersecurity policies and procedures to strengthen the control environment and address potential gaps.
  • Clearly defining roles and responsibilities, including a process to periodically assess the knowledge, skills, and abilities of the individuals filling the roles.
  • Engaging with relevant stakeholders, such as senior management, operations, risk management, human resources, legal, compliance, and vendors, to address vulnerabilities and emerging threats.

Risk management

The Cybersecurity Topical Requirement mandates a cross-functional approach to cybersecurity risk. Internal auditors should:

  • Verify that the organization’s risk assessment and risk management processes identify, analyze, mitigate, and monitor cybersecurity threats and their impact on strategic objectives.
  • Assess whether cybersecurity risk management extends across departments, including IT, enterprise risk management, HR, legal, compliance, operations, supply chain, accounting, and finance, to ensure it has the right level of attention. All business functions share the responsibility to assess, understand, and mitigate cybersecurity risk.
  • Establish accountability and responsibility for cybersecurity risk management, with designated individuals or teams responsible for monitoring and reporting on risks.
  • Evaluate processes to quickly escalate any cybersecurity risk, whether emerging or previously identified, that reaches an unacceptable level. Financial and non-financial impacts of cybersecurity risk should be considered.
  • Review training development and communication channels to address gaps, deficiencies, or control failures with timely reporting and remediation.
  • Assess the organization’s cybersecurity incident response and recovery processes, ensuring they include detection, containment, recovery, and post-incident analysis. Regular testing of these processes is critical for resilience.

Controls

Internal auditors must evaluate the technical and operational controls that safeguard the organization. Key areas of focus include:

  • Ensuring internal and vendor-based controls protect the confidentiality, integrity, and availability of the organization’s systems and data.
  • Implementing a talent management process to maintain technical competencies with periodic review for effectiveness.
  • Monitoring and reporting on emerging cybersecurity threats and vulnerabilities to identify, prioritize, and implement opportunities for improvement.
  • Integrating cybersecurity into the lifecycle management of IT assets, including hardware, software, and vendor services.
  • Assessing controls related to configuration, end-user device administration, encryption, patching, user-access management, and network security.
  • Evaluating endpoint communication security for services such as email, internet browsers, video conferencing, messaging, social media, cloud, and file sharing protocols.

Next steps: Building trust and resilience

Cybersecurity must be treated as an enterprise-wide responsibility. To navigate the complexities of global regulations and escalating threats, organizations must prioritize resilience, align with regulatory requirements, and maintain continuous oversight.

Immediate actions include reviewing cybersecurity strategy, updating third-party inventories, testing backups, and initiating cybersecurity control internal audits. By fostering a culture of awareness, strengthening defenses and harmonizing compliance efforts, organizations can build trust with stakeholders and enhance their ability to withstand escalating cybersecurity threats.

AI‑driven threats, regulatory pressure, and geopolitical instability mean organizations must evolve faster than ever. To keep pace with rapid change, cybersecurity must become a shared responsibility throughout the organization, with internal auditors at the forefront of driving meaningful change. Internal auditors have a critical role to play in ensuring that cybersecurity is not just a risk to be managed but an opportunity to build resilience and trust for the future.

Frequently asked questions

We’ve asked Liz Sandwith to review the most frequently asked questions and provide her informed responses for additional consideration and clarity.

  • Cybersecurity insurance coverage: What types of losses are typically covered or excluded — including fraud/BEC, business interruption, recovery costs, and liability — and what control expectations do insurers commonly require?
    Policies vary widely and often separate first‑party (e.g., incident response, forensics, system/restoration, business interruption) and third‑party (e.g., liability, claims, legal costs). Certain losses — especially direct financial fraud, such as Business E-mail Compromise/wire diversion — may be excluded or require explicit endorsements. Limits rarely cover true worst‑case scenarios, and insurers increasingly require strong controls (e.g., Multi Factor Authentication, segregation of duties, verified call‑backs, patching, backups) for underwriting and renewal.
  • Many organizations treat regulatory compliance as a checkbox exercise, yet true digital resilience requires going beyond minimum requirements. What practical strategies have you seen work best to turn compliance obligations (such as NIS2, DORA, or similar frameworks) into a genuine driver for building long-term cybersecurity resilience, especially for mid-sized or resource-constrained companies?

    Many organizations focus on meeting the minimum requirements of NIS2, DORA, GDPR, or national frameworks but don’t link controls to actual business‑impact scenarios. This results in money being spent on documentation rather than true preparation.

    How to avoid such an approach:

    • Build investment cases around impact-based scenarios (e.g., disruption to critical services, supply‑chain outages, recovery timelines).
    • Use regulatory requirements as a baseline, then uplift based on the organization’s actual threat landscape and critical service dependencies.
  • As a small firm, how can you strengthen your cybersecurity while working within a budget?

    Costs increase due to controls, insurance, skills, and compliance demands. The World Economic Forum Global Cybersecurity Outlook 2026 research shows cybersecurity risk is now a strategic economic issue, with high incident costs.

    Support for small firms typically includes:

    • Regional capability building initiatives (e.g., public interest cybersecurity, training support)
    • Industry associations or government cybersecurity essentials type programs

    However, cybersecurity inequity remains a major challenge for small organizations.

  • How can you influence the tone at the top to pay more attention to cybersecurity?

    Your Board/Audit Committee briefing resources should highlight several effective levers. These include:

    • Present cybersecurity as a business and resilience risk, not an IT issue, and explore the financial, operational, and reputational impact
    • Use real incident scenarios and quantified loss estimates to demonstrate exposure
    • Highlight regulatory expectations (NIS2/DORA equivalents, SEC cybersecurity disclosure requirements in the U.S.)
    • Demonstrate governance gaps and show how strong oversight improves resilience and audit readiness

    Frequent briefings and involving the Board/Audit Committee in tabletop exercises materially strengthens the tone at the top.

  • How can internal audit better assess the effectiveness of Cybersecurity Awareness training, apart from % passing?

    The best way is to combine culture and outcomes:

    • Governance: Frequency/quality of Board/Audit Committee reporting, clear ownership, escalation paths
    • Behavioral metrics: Phishing results over time, near miss/incident reporting rates, policy exceptions
    • Control adherence: Access reviews, patch cadence, response test results by business unit
    • Third party position: Supplier assurance evidence and exercise participation

    The World Economic Forum Global Cybersecurity Outlook 2026 links higher resilience to strong governance, skills, ecosystem engagement, and regular exercises.

  • Do you see the cybersecurity strategy as a standalone document that is submitted to the board? Or have you seen this collectively across multiple risk management policies and objectives?

    Internal audit research indicates that organizations should have a clear, board-approved cybersecurity strategy, but they do not mandate a single standalone document.

    A strategy may be:

    • A dedicated strategy paper submitted to the board, or
    • Embedded across risk management, resilience, technology, and governance documents, provided it is coherent and clearly overseen

    Boards must have clear visibility on:

    • Strategic objectives
    • Resourcing
    • Roles/responsibilities
    • Risk appetite
    • Resilience position
  • Is NIST good guidance for an EU-based entity? Should ISO be followed/implemented instead?

    While no single universal standard is emerging, research shows movement toward convergence around:

    The World Economic Forum's Global Cybersecurity Outlook 2026 analysis indicates that organizations increasingly align to these two frameworks to enable global interoperability.

  • How do you get third parties to comply, or to show evidence that they comply, with regulations such as ISO 27001, NIS2, etc.? Is it just a matter of sending them a questionnaire and accepting their response, or is it acceptable to challenge and ask for evidence?

    Use a formalized third‑party risk process:

    • Request evidence through contractual rights, audit clauses, SOC2/ISO reports, or parent approved summaries
    • Escalate through governance structures (Board/Audit Committee) to ensure access aligns with your assurance obligations under the IIA Cybersecurity Topical Requirement

    If access is restricted, document limitations and raise it as a risk.

  • How do we address the issue around obtaining funding when finance directors may not approve?

    Use a risk prioritized roadmap:

    • Focus on high value assets and top threat paths
    • Prioritize basic, high ROI controls (Multi Factor Authentication, patching, backups)
    • Use phased investment aligned to resilience objectives

    The World Economic Forum Global Cybersecurity Outlook 2026 highlights using scenario-based impact modelling to justify incremental spending.

  • How can we protect data when employees mistakenly disclose this information?

    Access management is a core control:

    • Tighten joiner–mover–leaver processes
    • Enforce privileged access reviews
    • Ensure HR and IT are aligned with clear accountability
    • Use analytics to detect dormant, excess, or orphaned accounts
  • Our plan is to evaluate governance and risk management during our risk assessment and audit plan development process and evaluate controls as part of each engagement. Does that approach meet the spirit of the requirement? Is it too much?

    This approach aligns well with the Cybersecurity Topical Requirement, which mandates that internal audit assess:

    • Governance
    • Risk management
    • Controls

    This method (enterprise level assessment during planning and engagement level control testing) is entirely consistent with the requirement, as long as rationale is documented for any elements not covered.

  • We usually do tabletop exercises, do you think they are enough to prepare for an attack?
    Use compliance as a minimum baseline, then uplift through scenario testing, continuous monitoring, and embedding the IIA’s Cybersecurity Topical Requirement.

    To turn compliance into true resilience, organizations must use regulatory frameworks as a starting point, embed controls into everyday operations, strengthen supply‑chain assurance, upskill leadership, prioritize high‑impact controls, and continually test their ability to withstand and recover from attacks.

  • Cybersecurity threats are evolving faster than regulations in many regions. In your experience, what are the top 2–3 pitfalls organizations encounter when trying to align cybersecurity investments with both digital resilience goals and regulatory compliance?

    Top pitfalls organizations face typically include:

    • Checkbox compliance instead of resilience focus
    • Poor supply-chain visibility
    • Lack of skills and AI governance

    Many organizations focus on meeting the minimum requirements of NIS2, DORA, GDPR, or national frameworks but don’t link controls to actual business‑impact scenarios. This results in money being spent on documentation rather than true preparation.

    How to avoid it:

    • Build investment cases around impact-based scenarios (e.g., disruption to critical services, supply‑chain outages, recovery timelines)
    • Use regulatory requirements as a baseline, then uplift based on the organization’s actual threat landscape and critical service dependencies
  • Can internal audit carry/hold the DPO (Data Protection Officer) role?
    This is not advisable as it impairs internal audit independence. If unavoidable, document safeguards and exclude affected areas from assurance.
  • Who is responsible and accountable for Cybersecurity Topical Requirements?

    This responsibility is shared:

    • Internal audit (IA) is accountable for conforming to the topical requirement when cybersecurity is in scope
    • Chief Audit Executive (CAE) must ensure methodology, documentation, and evidence of applicability/exclusion are in place
    • Audit Committee/Board is responsible for ensuring internal audit has the resources and skills (or co-sourcing) required
    • Cybersecurity risk ownership remains with management, not internal audit, but internal audit must provide assurance.
  • How should internal audit assess cybersecurity resilience when an organization relies heavily on third‑party services (cloud, outsourced IT, managed security providers)?

    When third‑party dependency is high, internal audit should shift from traditional control testing to ecosystem‑based assurance, focusing on:

    • Third‑party visibility and transparency — whether the organization receives meaningful evidence (SOC 2 reports, test results, incident‑response evidence). The World Economic Forum Global Cybersecurity Outlook 2026 stresses that third‑party opacity is a major global resilience gap.
    • Shared‑responsibility clarity — especially for cloud services (who patches? who monitors? who configures?).
    • Contractual rights — audit rights, breach notification timeframes, evidence requirements, and access to security certifications.
    • Resilience validation, not just documentation — e.g., joint tabletop exercises, failover testing, and supplier‑level incident‑response walkthroughs. The World Economic Forum Global Cybersecurity Outlook 2026 shows resilient organizations actively test across their ecosystem.
    • Concentration risk — whether critical services depend on a single cloud or IT provider (a key World Economic Forum Global Cybersecurity Outlook 2026‑identified systemic risk).

    Internal audit’s role is to determine whether third‑party reliance is understood, governed, monitored and tested, not just contracted.

  • How can internal audit assess whether the organization’s incident‑response plan is truly effective, rather than just documented?

    Internal audit should focus on evidence of capability, not just the existence of documentation. This aligns with the IIA Cybersecurity Topical Requirement, which requires internal audit to assess the design and operating effectiveness of cybersecurity‑incident preparedness and escalation processes.

    Key criteria internal audit should evaluate include:

    1. Testing frequency and realism
      • Has the incident‑response (IR) plan been tested in the last 12 months?
      • Are exercises scenario‑based and reflective of real threats (e.g., ransomware, supplier outage, data breach)?
      • Does testing include the Board, Audit Committee, IT, business operations, legal, communications, and third parties where appropriate?
    2. Clear roles, responsibilities, and decision rights
      • Are responsibilities defined for executives, IT, communications, and external partners?
      • Is there a clear escalation path and authority for triggering crisis response and external notifications?
    3. Speed of detection and response
      • Are lessons from past incidents or near‑misses integrated into continuous improvement?
    4. Integration with business continuity and disaster recovery
      • Does the incident response plan connect to continuity arrangements (e.g., RTO/RPO targets)?
      • Have dependencies on cloud providers or third‑party services been tested?
    5. Evidence of continuous updates
      • Is the plan updated when personnel, systems, or regulations change?
      • Are lessons from external sector incidents (e.g., supply‑chain outages) incorporated into improvements?

    Internal audit’s assurance should demonstrate whether the organization can detect, respond, and recover from a cybersecurity incident in real operational conditions, not just “on paper.”

  • Is any information available on cybersecurity and digital resilience in varied geographical locations?
    The World Economic Forum Global Cybersecurity Outlook 2026 report shows high levels of cybersecurity‑enabled fraud and growing threat activity in a variety of regions across the globe. While cybersecurity‑enabled fraud and threat activity are increasing, the World Economic Forum Global Cybersecurity Outlook 2026 shows that resilience challenges across the globe are shaped primarily by capability gaps, resource constraints, and uneven access to skills and infrastructure.
  • How else can we audit a cloud service provider, aside from asking for the SOC2 report?

    SOC2 reports are helpful but not sufficient alone. You should also:

    • Assess alignment to your cybersecurity strategy and risk appetite
    • Review cloud resilience capabilities, incident response processes, and shared responsibility models
    • Consider independent testing results or additional assurance steps

    The World Economic Forum Global Cybersecurity Outlook 2026 emphasizes cloud concentration risk and the need for deeper visibility.

    A SOC 2 report evaluates whether a service provider has effective controls to protect systems and data. It is much more relevant for cybersecurity and cloud risk, and it is based on the Trust Services Criteria:

    • Security (always included)
    • Availability
    • Confidentiality
    • Processing integrity
    • Privacy
  • Our company is struggling to hire IT auditors. What can my organization do about training current employed internal auditors to become skilled?

    Use a framework first, risk‑based approach:

    • Build literacy in ISO 27001, NIST CSF and emerging AI risks
    • Co‑source deep technical expertise while developing internal capability over time
    • Focus internal audit work on governance, decision making, risk prioritization, and resilience, not just technical controls
    • Use the IIA’s Cybersecurity Topical Requirement document as a guide

    Use the World Economic Forum Global Cybersecurity Outlook 2026 insights to challenge business assumptions on supply chain risk, AI governance, and workforce capability gaps.
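The access-management answer above lists analytics for dormant, excess and orphaned accounts as a control, and the body of the article notes that privileges accumulate as employees move between departments. The script below is an added illustration, not code from the article or from the IIA requirement: it reconciles a constructed HR roster against a constructed identity export (all names, usernames, groups and the role baseline are assumed sample data), flags the three finding types, and ranks them by privileged-group exposure so an auditor knows what to review first.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): an HR roster and an
# identity-system export of the kind internal audit would request.
HR_ROSTER = [
    {"employee_id": "E100", "name": "A. Ng", "department": "Finance", "status": "active"},
    {"employee_id": "E101", "name": "B. Ortiz", "department": "Engineering", "status": "active"},
    {"employee_id": "E102", "name": "C. Patel", "department": "Sales", "status": "terminated"},
]

ACCOUNTS = [
    # Mover: B. Ortiz left Finance for Engineering but kept a Finance entitlement.
    {"username": "bortiz", "employee_id": "E101",
     "groups": ["eng-dev", "fin-ap-approver"], "last_login": "2026-04-20"},
    # Dormant: A. Ng holds the right groups but has not logged in for months.
    {"username": "ang", "employee_id": "E100",
     "groups": ["fin-ap-approver"], "last_login": "2025-11-02"},
    # Leaver: C. Patel is terminated in HR but the account still exists.
    {"username": "cpatel", "employee_id": "E102",
     "groups": ["sales-crm"], "last_login": "2026-04-01"},
    # Orphan: a legacy account with no HR owner at all, holding admin rights.
    {"username": "svc-legacy", "employee_id": None,
     "groups": ["domain-admin"], "last_login": "2026-04-25"},
]

# Assumed role baseline: the groups each department is expected to hold.
ROLE_BASELINE = {
    "Finance": {"fin-ap-approver"},
    "Engineering": {"eng-dev"},
    "Sales": {"sales-crm"},
}

# Assumed list of groups the organization treats as privileged.
PRIVILEGED_GROUPS = {"domain-admin", "fin-ap-approver"}

AS_OF = date(2026, 4, 30)  # constructed review date


def reconcile_accounts(hr_roster, accounts, as_of, dormant_days=90):
    """Return {"orphaned": [...], "dormant": [...], "excess": [...]}.

    orphaned: no active HR record owns the account (leaver or unknown owner)
    dormant:  owned account with no login within dormant_days
    excess:   owned account holding groups outside its department baseline
    """
    hr_by_id = {r["employee_id"]: r for r in hr_roster}
    findings = {"orphaned": [], "dormant": [], "excess": []}
    cutoff = as_of - timedelta(days=dormant_days)
    for acct in accounts:
        user = acct["username"]
        record = hr_by_id.get(acct["employee_id"])
        if record is None or record["status"] != "active":
            reason = "no HR record" if record is None else f"HR status {record['status']}"
            findings["orphaned"].append((user, reason))
            continue  # the remaining checks assume a valid, active owner
        if date.fromisoformat(acct["last_login"]) < cutoff:
            findings["dormant"].append((user, acct["last_login"]))
        expected = ROLE_BASELINE.get(record["department"], set())
        extra = sorted(set(acct["groups"]) - expected)
        if extra:
            findings["excess"].append((user, record["department"], extra))
    return findings


def high_priority(findings, accounts):
    """Usernames with any finding that also hold a privileged group."""
    flagged = {user for items in findings.values() for user, *_ in items}
    groups_by_user = {a["username"]: set(a["groups"]) for a in accounts}
    return sorted(u for u in flagged if groups_by_user[u] & PRIVILEGED_GROUPS)


def run_review():
    """Run the reconciliation over the sample data and return (findings, priority)."""
    findings = reconcile_accounts(HR_ROSTER, ACCOUNTS, AS_OF)
    return findings, high_priority(findings, ACCOUNTS)


if __name__ == "__main__":
    findings, priority = run_review()
    for category, items in findings.items():
        for item in items:
            print(f"{category:9s} {item}")
    print("review first:", priority)
```

In a real review the roster and export would come from HR and the identity provider, and the role baseline from the organization’s own access model; the logic stays the same.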


Liz Sandwith
Internal Audit and Risk Management Consultant
Liz Sandwith has been a member of the IIA Standards Board for the last 6 years. Because of her involvement in the IPPF Evolution project, the IIA asked her to stay on as a Special Adviser to the Standards Board.