
Internal Audit in the Age of Quantum Risk


Most conversations about quantum computing live in the technical corners of an organization. Cryptographers debate algorithms, security engineers discuss key sizes, and the board hears, at most, a passing reference to quantum in an annual risk briefing. This is a mistake. The arrival of cryptographically relevant quantum computers is not only a technical event. It is an enterprise risk event, on the same scale as a major regulatory shift or a systemic cyber threat, and it demands the kind of structured oversight that internal audit exists to provide.

The challenge is that quantum risk does not behave like the threats internal audit teams are used to assessing. It is slow-moving, easy to defer, and invisible in day-to-day operations, right up until the moment it becomes catastrophic and irreversible. That combination makes it exactly the kind of risk that slips through the cracks of an organization without strong governance. This blog makes the case for why internal audit should be actively engaged in quantum readiness today, and what that engagement should look like in practice.

Understanding the threat: Q-day and the clock that is already running

Quantum computers solve certain problems in fundamentally different ways than classical machines. Where a classical computer works through possibilities largely in sequence, a quantum computer can evaluate many possibilities simultaneously, giving it an exponential advantage on a specific class of mathematical problems. Two of those problems, integer factorization and the discrete logarithm, are exactly what today’s public-key cryptography depends on.

RSA, ECC, and Diffie-Hellman, the algorithms that secure web traffic, digital signatures, VPNs, and authentication across nearly every enterprise, rely on the assumption that these problems are too hard to solve in any practical timeframe. A sufficiently powerful quantum computer running Shor’s algorithm breaks that assumption. Q-day is the point at which a quantum computer can run Shor’s algorithm at sufficient scale to break RSA, ECC, and Diffie-Hellman.

The replacements already exist. In August 2024, NIST finalized its first post-quantum standards: FIPS 203 (ML-KEM) for key establishment, FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) for digital signatures, with HQC selected in 2025 as an additional code-based key-encapsulation mechanism. The standards are final, which means the open question is no longer whether to migrate but how quickly an organization can.

The uncomfortable truth is that the timeline does not start at Q-day. It started years ago. Adversaries are already engaged in what is known as harvest now, decrypt later: intercepting and storing encrypted data today, with the intention of decrypting it once quantum capability arrives. For any data with a long confidentiality lifespan, such as financial records, health information, intellectual property, government data, or trade secrets, the exposure is happening right now even though the decryption is years away. The data being stolen today does not become safe simply because you migrate later.

The concern is widely shared, but preparation is not. According to ISACA’s 2025 Quantum Computing Pulse Poll of more than 2,600 digital trust, cybersecurity, audit, and risk professionals, 62 percent are worried that quantum computing will break today’s encryption and 56 percent cite harvest now, decrypt later as a concern, yet only about 5 percent say their organization has a defined quantum strategy. In other words, roughly 95 percent have no roadmap. That gap between awareness and action is precisely the kind of control weakness internal audit is built to surface.

This is what makes quantum risk an immediate governance concern rather than a future technical project. The decisions that determine whether your most sensitive long-lived data survives Q-day are being made, or neglected, today.


Why this is an internal audit problem, not just an IT problem

Security teams can implement cryptography, but they cannot, on their own, guarantee that quantum risk is being managed at the level the organization requires. That gap is precisely where internal audit adds value. Internal audit brings three things that a purely technical response lacks: independence, an enterprise-wide vantage point, and the authority to hold the organization accountable to its own commitments.

This is also where internal audit’s role differs from everyone else at the table. The distinguishing contribution of audit is independent assurance: verifying that controls exist and operate as intended, rather than implementing them. That separates internal audit from the consultancies and integrators who build migration programs and from the tooling vendors who supply the technology. Audit does not own the roadmap; it tests whether the roadmap is real, funded, and working. Keeping that line clear is what makes the assurance credible to a board.

Consider the questions a board should be able to answer about quantum readiness. Does the organization know which systems and data depend on quantum-vulnerable cryptography? Is there an owned, funded, and time-bound migration plan? Are third parties and vendors, who hold and process sensitive data, being assessed for their own readiness? Do regulatory obligations around cryptographic standards have a clear path to compliance? In most organizations, no single technical team can answer all of these, because the answers span IT, security, legal, procurement, risk, and executive leadership.

Internal audit is the function designed to look across all of those domains, test whether controls actually exist and operate as intended, and report the truth to leadership and the board. Quantum readiness needs exactly that kind of independent, cross-functional assurance. Without it, working on quantum becomes a comfortable assertion that no one ever verifies.

What internal audit should actually do

Engaging with quantum risk does not require auditors to become cryptographers. It requires applying the discipline of audit to a new and high-stakes domain. Six areas of focus stand out.

Validate that a cryptographic inventory exists and is complete. The foundation of all quantum readiness is knowing where vulnerable cryptography lives. Internal audit should assess whether the organization has a genuine, continuously maintained inventory of its cryptographic assets, including certificates, keys, algorithms, and the systems and data that depend on them. An inventory that is partial, stale, or maintained in a spreadsheet is a finding in itself.

Assess the existence and quality of a migration roadmap. Readiness is not a slogan; it is a plan with owners, budgets, milestones, and prioritization based on data sensitivity and system lifespan. Internal audit should evaluate whether such a roadmap exists, whether it is realistic, and whether it is actually being executed against, rather than sitting on a shelf.

Test data protection against the harvest now, decrypt later threat. Auditors should examine whether long-lived sensitive data is protected by anything beyond classical encryption alone. Where data with a multi-year confidentiality requirement is protected only by RSA or ECC, that is an active exposure that warrants immediate attention and escalation.

Examine third-party and supply chain risk. An organization’s quantum exposure extends to every vendor, partner, and service provider that holds or transmits its data. Internal audit is well positioned to ensure that quantum readiness becomes part of third-party risk assessments and contractual due diligence.

Map specific frameworks and deadlines to organizational action. Governments and regulators are moving quantum readiness from recommendation toward requirement. Rather than tracking generic applicable standards, internal audit should check the organization’s roadmap against the concrete references auditors and regulators actually use: CISA’s post-quantum cryptography migration guidance, NIST’s NCCoE practice guide SP 1800-38 (Migration to Post-Quantum Cryptography), the NSA’s CNSA 2.0 transition milestones, and, for federal agencies and their suppliers, OMB Memorandum M-23-02. Verify the current versions and dates at the time of review, since these continue to evolve.

Promote crypto-agility, delivered through cryptographic posture management. Perhaps the most strategic contribution internal audit can make is to press whether systems are being designed for crypto-agility, the ability to swap cryptographic algorithms without massive rework. Crypto-agility is the governing principle; the continuous operating discipline that delivers it is increasingly called cryptographic posture management (CPM), a repeating cycle of discover, assess, prioritize, remediate, and monitor. Organizations that hardcode cryptography will face the next transition, and the one after that, as a crisis each time. Those that build agility in, and operate it as an ongoing posture rather than a one-off project, will not.
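The inventory, HNDL, and roadmap checks above can be expressed as a repeatable test over a cryptographic inventory. The following is an added example, not code from the post or from Encryption Consulting's products: it runs over a constructed CBOM-style inventory and flags stale entries, quantum-vulnerable algorithms without PQC protection, and harvest-now-decrypt-later exposure against an assumed Q-day year. The Q-day year, the 90-day staleness threshold, and the sample assets are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Public-key algorithms Shor's algorithm breaks, versus the NIST PQC standards the post names.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH"}
PQC_STANDARDIZED = {"ML-KEM", "ML-DSA", "SLH-DSA", "HQC"}

ASSUMED_QDAY_YEAR = 2035   # planning assumption for this review, not a prediction
MAX_ENTRY_AGE_DAYS = 90    # assumed threshold after which an inventory entry counts as stale
REVIEW_DATE = date(2026, 2, 1)

@dataclass
class CryptoAsset:
    name: str
    algorithm: str               # public-key algorithm protecting the data
    confidentiality_years: int   # how long the protected data must stay secret
    last_verified: date          # when the inventory entry was last confirmed
    hybrid_pqc: bool = False     # True when a standardized PQC scheme is layered on top

def audit_asset(asset: CryptoAsset, review_date: date) -> list:
    """Audit findings for one inventory entry; an empty list means no finding."""
    findings = []
    if (review_date - asset.last_verified).days > MAX_ENTRY_AGE_DAYS:
        findings.append("stale inventory entry")
    if asset.algorithm in QUANTUM_VULNERABLE and not asset.hybrid_pqc:
        findings.append("quantum-vulnerable algorithm without PQC protection")
        # Harvest now, decrypt later: if the secrecy window outlives the assumed Q-day,
        # ciphertext captured today is readable once a capable quantum computer exists.
        if review_date.year + asset.confidentiality_years > ASSUMED_QDAY_YEAR:
            findings.append("HNDL exposure: confidentiality window extends past Q-day")
    elif asset.algorithm not in QUANTUM_VULNERABLE | PQC_STANDARDIZED:
        findings.append("unclassified algorithm: inventory entry is incomplete")
    return findings

def audit_inventory(assets, review_date):
    """Asset name -> findings, for assets with at least one finding."""
    return {a.name: f for a in assets if (f := audit_asset(a, review_date))}

# Constructed sample inventory for the example.
SAMPLE_INVENTORY = [
    CryptoAsset("payroll-db-tls", "RSA", 10, date(2025, 12, 1)),
    CryptoAsset("vpn-gateway", "ECDH", 1, date(2026, 1, 15)),
    CryptoAsset("hr-archive-kek", "ECDH", 10, date(2026, 1, 20), hybrid_pqc=True),
    CryptoAsset("legacy-edi-link", "unknown", 3, date(2024, 6, 30)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, REVIEW_DATE).items():
        print(f"{name}: {'; '.join(findings)}")
```

The hybrid asset produces no finding even though ECDH is quantum-vulnerable, which is the crypto-agility outcome the roadmap is meant to reach for every long-lived asset.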

Framing quantum as an enterprise risk

The most important shift internal audit can drive is one of framing. As long as quantum is treated as a niche technical topic, it will compete poorly for attention and budget against more immediate concerns. Reframed as what it actually is, a foreseeable, high-impact, and irreversible risk to the confidentiality and integrity of enterprise data, it earns its place on the enterprise risk register and in board-level discussion.

This framing also clarifies the cost of inaction. Cryptographic migration is not a quick patch. Credible estimates from NIST and major advisory firms describe full migration as a multi-year program, often requiring years of planning before the work is complete, and ISACA's poll shows roughly 95 percent of organizations still have no roadmap.

The runway is shrinking before preparation has even started. A near-term forcing function makes this concrete: under the CA/Browser Forum’s approved schedule, the maximum public TLS certificate lifetime drops from 398 days to 200 days in March 2026, to 100 days in March 2027, and to 47 days by March 2029. Long before Q-day, that cadence makes manual cryptographic change untenable and rewards organizations that have already built automation and agility.
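To turn that schedule into an audit check over an actual certificate inventory, here is an added example (not from the post or from Encryption Consulting's tooling) that maps each certificate's issuance date to the lifetime cap then in force, flags certificates that exceed it, and shows the minimum renewals per year the cap implies. The post gives only the month for each step, so the 15th is assumed as the effective day; the sample certificates are constructed.

```python
from datetime import date

# CA/Browser Forum schedule quoted in the post: maximum public TLS certificate lifetime,
# in days, by issuance date. Effective day within March is an assumption (the 15th).
LIFETIME_SCHEDULE = [          # (effective from, cap in days), newest first
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),
]

def max_lifetime_days(issued_iso: str) -> int:
    """Cap that applied on the day the certificate was issued."""
    issued = date.fromisoformat(issued_iso)
    for effective, cap in LIFETIME_SCHEDULE:
        if issued >= effective:
            return cap
    raise ValueError("schedule has no entry covering this date")  # unreachable: date.min

def lifetime_finding(issued_iso: str, not_after_iso: str):
    """Audit finding for one certificate, or None when it fits the cap in force."""
    lifetime = (date.fromisoformat(not_after_iso) - date.fromisoformat(issued_iso)).days
    cap = max_lifetime_days(issued_iso)
    if lifetime > cap:
        return f"{lifetime}-day validity exceeds the {cap}-day cap for certificates issued {issued_iso}"
    return None

def min_renewals_per_year(issued_iso: str) -> int:
    """Renewals needed each year just to stay within the cap (ceiling of 365 / cap)."""
    cap = max_lifetime_days(issued_iso)
    return -(-365 // cap)

# Constructed sample certificates: (common name, issued, notAfter).
SAMPLE_CERTS = [
    ("portal.example.internal", "2026-04-01", "2027-03-31"),   # 364 days against a 200-day cap
    ("api.example.internal", "2027-06-01", "2027-08-15"),      # 75 days against a 100-day cap
    ("legacy.example.internal", "2029-04-01", "2029-06-30"),   # 90 days against a 47-day cap
]

if __name__ == "__main__":
    for cn, issued, not_after in SAMPLE_CERTS:
        print(cn, lifetime_finding(issued, not_after) or "within cap",
              f"({min_renewals_per_year(issued)} renewals/yr at cap)")
```

Going from one renewal a year to eight is the workload jump that makes manual certificate handling untenable before Q-day arrives.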

An organization that begins migrating only when quantum computers are demonstrably capable will be far too late, both for its harvested historical data and for the operational scramble of a rushed transition. Internal audit’s role is to make that timeline visible now, while there is still time to act on it deliberately.


How Encryption Consulting can help

Internal audit can identify and frame quantum risk, but acting on it requires deep cryptographic expertise and the right tooling. This is where Encryption Consulting partners with organizations, turning audit findings and board mandates into an executable quantum readiness program.

CBOM Secure discovers cryptography across any certificate authority and any environment, which is exactly what an audit-led, independence-first program needs. It is our cryptographic discovery and inventory solution, built to give your audit and security teams the visibility this kind of oversight demands. It continuously discovers and inventories cryptographic assets, including certificates, keys, algorithms, and protocols, and flags which are quantum-vulnerable. This transforms the cryptographic inventory from an audit aspiration into a living, data-driven asset, and provides the evidence base internal audit needs to assess readiness objectively.

Our Post-Quantum Cryptographic Advisory Services guide organizations through the full readiness lifecycle, from quantum risk assessment and data sensitivity analysis to building a prioritized, owned migration roadmap and implementing hybrid and post-quantum algorithms. This is the structured, time-bound plan that internal audit should expect to see, delivered by specialists who do this work every day.

On the governance side, our Compliance Advisory Services help align your quantum readiness program with NIST, CISA, CMMC, and other evolving regulatory frameworks, ensuring that what internal audit recommends maps cleanly to what regulators will require. And our Encryption Advisory Services provide the broader strategic foundation for managing cryptographic risk across the enterprise.

Whether your internal audit team is opening its first review of quantum risk or your organization is ready to execute a full migration, Encryption Consulting brings the expertise and tooling to move you forward. Get in touch to start building defensible, auditable quantum readiness.

Conclusion

Quantum risk is unusual among enterprise threats because its most damaging consequences are being set in motion today, silently, while the visible impact remains years away. That delay is precisely what makes strong governance essential. Left to compete with the urgent issues of the moment, quantum readiness will always lose, until the day it can no longer be deferred and the window to respond has closed.

Internal audit exists to surface exactly these kinds of risks: foreseeable, high-impact, and easy to ignore. By validating cryptographic inventories, testing data protection, scrutinizing migration plans, and reframing quantum as the enterprise risk it truly is, internal audit can ensure the organization acts while action still makes a difference.

The clock to Q-day is already running, and so is the harvesting of data meant to be decrypted when it arrives. The organizations that treat quantum readiness as a matter of governance, not just engineering, are the ones that will reach that day prepared.