Describe the role of internal audit in cybersecurity governance.

Prepare for the Internal Auditing Standards and Practices - Cybersecurity Test. Gain confidence with multiple choice questions and clear explanations. Ace your exam!

Multiple Choice

Describe the role of internal audit in cybersecurity governance.

Explanation:

Internal audit in cybersecurity governance focuses on providing independent assurance across IT, risk management, and compliance functions. It evaluates whether cybersecurity controls are properly designed and operating effectively, whether risk management processes identify and respond to cyber threats, and whether the organization complies with policies, standards, and applicable laws. By testing controls, reviewing governance practices, and following up on remediation, internal audit helps the board and senior management understand residual risk, control maturity, and areas needing improvement, offering objective recommendations to strengthen the overall governance framework.

This is the best fit because it emphasizes independence and cross-functional coverage, not performing security operations or writing code. Writing security code is an operational development task; managing day-to-day security operations is the remit of security teams. Leading enterprise risk management reporting to the board is primarily a risk management leadership function, whereas internal audit provides assurance about how well that governance and risk management framework operates. Providing assurance across IT, risk management, and compliance captures the broad, governance-oriented role internal audit plays in cybersecurity.
