Contact Us : 800.874.5346        International: +1 352.375.0772

CIA Exam Parts

Learn everything you need to know about what's tested on each part of the exam.

The goal of the Certified Internal Auditor® (CIA®) exam is to confirm that aspiring candidates have the skills required to perform at the industry’s standards.

CIAs need to be equipped with the skills and know-how to perform their tasks, so the CIA exam is divided into three parts that test a broad range of cognitive abilities. 

Aspiring CIA candidates will need to sit for and pass each of these three parts of the CIA exam individually. 

Here’s a summary of the exam parts. Further down, we’ll guide you through each part of the CIA exam by breaking down the content tested in each category and subcategory. 

CIA Exam Parts | 2019 Syllabus

Part 1: Essentials of Internal Auditing
Part 2: Practice of Internal Auditing
Part 3: Business Knowledge for Internal Auditing

CIA Exam Parts | 2025 Syllabus

Part 1: Internal Audit Fundamentals
Part 2: Internal Audit Engagement
Part 3: Internal Audit Function

CIA Exam Changes

The IIA’s updated CIA exam will become testable in English beginning May 28, 2025, and will be released throughout 2025 and 2026 for the additional exam languages.

Due to the staggered release of the upcoming CIA exam changes, the version of the exam you’re taking will depend on when the new exam becomes testable in your chosen exam language.

Which CIA exam part should I take first?

Although CIA candidates can take the exam in any order, Gleim recommends that most people take the exam in sequential order. Topics in each part build off the previous one, which means that mastering Part 1 will prepare you for Part 2, and mastering Parts 1 and 2 will help you prepare for Part 3.

One notable exception exists for recent graduates. Part 3 tests candidates on topics they need to have professional awareness of, rather than practical knowledge they will use in their everyday tasks. Therefore, many people find CIA Part 3 easier to take while the curriculum is still fresh in their minds.

If you’re not a recent graduate, you’re still welcome to take the exams in any order, but pay close attention to what’s tested on each topic to make sure you’re prepared!

How is the CIA exam structured?

Each of the three CIA exam parts tests different topics using multiple-choice questions. There are no essays or free-response questions on the exam.

Candidates have reported that the CIA exam can be tricky and give two very similar answer choices. Always select the best or most correct answer out of the provided options, and if you’re ever in doubt, make your best educated guess.

The CIA exam is non-disclosed, meaning the questions on it aren’t available to anyone, including professional review courses like Gleim.

There is a large body of questions that each exam pulls from, meaning no two exams will be exactly the same. The specific number of questions from each topic gets slightly randomized, so it’s important to prepare for all the possible topics that could be on the CIA exam.


CIA Part 1

125 multiple-choice questions
2.5 hours long

CIA Part 2

100 multiple-choice questions
2 hours long

CIA Part 3

100 multiple-choice questions
2 hours long

What's tested on the CIA exam?

The Institute of Internal Auditors® (IIA®) regularly conducts studies in professional environments to understand the responsibilities and expectations of CIAs. This research then informs the CIA exam syllabus, which details what candidates are expected to know, and how well they’re expected to know it.

Each CIA exam part consists of high-level categories (called “domains” in the 2019 syllabus and “sections” in the 2025 syllabus). These categories are divided into subcategories that contain detailed objectives that candidates must perform to pass the CIA exam.

There are two cognitive proficiency levels tested on the version of the CIA exam using the 2019 syllabus:

  • Basic — Tests memory and comprehension
  • Proficient — Assesses application, analysis, and evaluation abilities

Regardless of which part of the CIA exam you’re taking, there are a few considerations that apply to all of them.

  1. You should allocate one minute to answer each question on the exam. This will allow for time at the end to review your answers.
  2. If you’re past your minute and don’t know the answer, make an educated guess, and mark the question for review at the end.
  3. Make sure your study schedule and test preparation include studying for all material that could appear on the test.

CIA Exam Syllabus

See the breakdown below of what’s tested on each part of the current exam aligned with the 2019 syllabus compared to the updated exam testing the 2025 syllabus. 

What's tested on the CIA Part 1 exam?

CIA Part 1 tests the basics of internal auditing, including fraud and regulatory requirements from the Global Internal Audit Standards.

Part 1 is the longest of the CIA exam parts with 125 multiple-choice questions and an allotted testing time of 2.5 hours.

Part 1 – 2019 Syllabus
Essentials of Internal Auditing

1. Foundations of Internal Auditing – 15%
2. Independence and Objectivity – 15%
3. Proficiency and Due Professional Care – 18%
4. Quality Assurance and Improvement Program – 7%
5. Governance, Risk Management, and Control – 35%
6. Fraud Risks – 10%

Part 1 – 2025 Syllabus
Internal Audit Fundamentals

1. Foundations of Internal Auditing – 35%
2. Ethics and Professionalism – 20%
3. Governance, Risk Management, and Control – 30%
4. Fraud Risks – 15%

CIA Syllabus Breakdown

The version of the CIA exam using The IIA’s 2019 exam syllabus is testable until May 28, 2025, in English, and will be tested throughout 2025 and 2026 for some of the additional CIA exam languages. 

Beginning May 28, 2025, the new version of the CIA exam aligned with The IIA’s 2025 exam syllabus will become testable in English. The new exam will become testable in additional exam languages according to the language release schedule. Note that for the new CIA exam, The IIA’s updated exam syllabus no longer uses the basic/proficient learning specification.

If you want an in-depth look at what’s tested, read our detailed breakdowns of both the 2019 and 2025 exam syllabi below.

CIA Part 1 - 2019 Syllabus

Click on any topic below to see the detailed breakdown of each subdomain and its proficiency level.

1. Foundations of Internal Auditing (15%)

A. Interpret The IIA’s Mission of Internal Audit, Definition of Internal Auditing, and Core Principles for the Professional Practice of Internal Auditing, and the purpose, authority, and responsibility of the internal audit activity – Proficient
B. Explain the requirements of an internal audit charter (required components, board approval, communication of the charter, etc.) – Basic
C. Interpret the difference between assurance and consulting services provided by the internal audit activity – Proficient
D. Demonstrate conformance with the IIA Code of Ethics – Proficient

2. Independence and Objectivity (15%)

A. Interpret organizational independence of the internal audit activity (importance of independence, functional reporting, etc.) – Basic
B. Identify whether the internal audit activity has any impairments to its independence – Basic
C. Assess and maintain an individual internal auditor’s objectivity, including determining whether an individual internal auditor has any impairments to his/her objectivity – Proficient
D. Analyze policies that promote objectivity – Proficient

3. Proficiency and Due Professional Care (18%)

A. Recognize the knowledge, skills, and competencies required (whether developed or procured) to fulfill the responsibilities of the internal audit activity – Basic
B. Demonstrate the knowledge and competencies that an internal auditor needs to possess to perform his/her individual responsibilities, including technical skills and soft skills (communication skills, critical thinking, persuasion/negotiation and collaboration skills, etc.) – Proficient
C. Demonstrate due professional care – Proficient
D. Demonstrate an individual internal auditor’s competency through continuing professional development – Proficient

4. Quality Assurance and Improvement Program (7%)

A. Describe the required elements of the quality assurance and improvement program (internal assessments, external assessments, etc.) – Basic
B. Describe the requirement of reporting the results of the quality assurance and improvement program to the board or other governing body – Basic
C. Identify appropriate disclosure of conformance vs. nonconformance with The IIA’s International Standards for the Professional Practice of Internal Auditing – Basic

5. Governance, Risk Management, and Control (35%)

A. Describe the concept of organizational governance – Basic
B. Recognize the impact of organizational culture on the overall control environment and individual engagement risks and controls – Basic
C. Recognize and interpret the organization’s ethics and compliance-related issues, alleged violations, and dispositions – Basic
D. Describe corporate social responsibility – Basic
E. Interpret fundamental concepts of risk and the risk management process – Proficient
F. Describe globally accepted risk management frameworks appropriate to the organization (COSO – ERM, ISO 31000, etc.) – Basic
G. Examine the effectiveness of risk management within processes and functions – Proficient
H. Recognize the appropriateness of the internal audit activity’s role in the organization’s risk management process – Basic
I. Interpret internal control concepts and types of controls – Proficient
J. Apply globally accepted internal control frameworks appropriate to the organization (COSO, etc.) – Proficient
K. Examine the effectiveness and efficiency of internal controls – Proficient

6. Fraud Risks (10%)

A. Interpret fraud risks and types of frauds and determine whether fraud risks require special consideration when conducting an engagement – Proficient
B. Evaluate the potential for occurrence of fraud (red flags, etc.) and how the organization detects and manages fraud risks – Proficient
C. Recommend controls to prevent and detect fraud and education to improve the organization’s fraud awareness – Proficient
D. Recognize techniques and internal audit roles related to forensic auditing (interview, investigation, testing, etc.) – Basic

CIA Part 1 - 2025 Syllabus

Click on any topic below to see the detailed breakdown of each section. 

Section A. Foundations of Internal Auditing (35%)

1. Describe the Purpose of Internal Auditing according to the Global Internal Audit Standards

May include but is not limited to:
a. Explain the overall objectives and benefits of the internal audit function
b. Describe the conditions that contribute to the effectiveness of the internal audit function

2. Explain the internal audit mandate and responsibilities of the board and chief audit executive

May include but is not limited to:
a. Describe the authority, role, and responsibilities of the internal audit function
b. Explain the role of the chief audit executive in helping the board establish or update the internal audit mandate
c. Explain the role of the board and senior management in determining the authority, role, and responsibilities of the internal audit function

3. Recognize the requirements of an internal audit charter

May include but is not limited to:
a. Identify components required by the Global Internal Audit Standards
b. Recognize the importance of discussing the charter with the board and senior management
c. Recognize the importance of board approval

4. Interpret the differences between assurance services and advisory services provided by the internal audit function

May include but is not limited to:
a. Define assurance services
b. Differentiate between limited and reasonable assurance
c. Define advisory services
d. Describe how the nature and scope of advisory services are determined
e. Determine which type of service (assurance or advisory) is appropriate in a given context

5. Describe the types of assurance services performed by the internal audit function

May include but is not limited to:
a. Describe risk and control assessments
b. Describe third-party and contract compliance audits
c. Describe IT security and privacy audits
d. Describe performance and quality audits
e. Describe operational, financial, and regulatory compliance audits
f. Describe audits of organizational culture
g. Describe audits of the management reporting process

6. Describe the types of advisory services performed by the internal audit function

May include but is not limited to:
a. Describe the internal auditor’s role in providing risk and control training
b. Describe the internal auditor’s role in system design and development
c. Describe the internal auditor’s role in due diligence services
d. Describe the internal auditor’s role in maintaining data privacy
e. Describe the internal auditor’s role in benchmarking
f. Describe the internal auditor’s role in internal control assessments
g. Describe the internal auditor’s role in process mapping

7. Identify situations where the independence of the internal audit function may be impaired

May include but is not limited to:
a. Identify situations where the chief audit executive’s functional reporting line is not appropriate
b. Describe the board’s responsibility for protecting internal audit independence
c. Describe the chief audit executive’s responsibility for protecting and maintaining internal audit independence, including communicating to the board when an impairment or perceived impairment is identified
d. Identify situations where budget limitations may restrict internal audit operations
e. Describe the effects of scope limitations or restricted access

8. Recognize the internal audit function’s role in the organization’s risk management process

May include but is not limited to:
a. Describe The IIA’s Three Lines Model
b. Identify first and second line responsibilities that could impair the independence of the internal audit function
c. Describe safeguards to implement when internal auditors conduct or are perceived to be conducting first or second line responsibilities

Section B. Ethics and Professionalism (20%)

1. Demonstrate integrity

May include but is not limited to:
a. Describe how to apply honesty and professional courage when confronted with ethical dilemmas or difficult situations
b. Describe how to practice legal and professional behavior in all situations

2. Assess whether an individual internal auditor has any impairments to objectivity

May include but is not limited to:
a. Evaluate the impact of self-review and familiarity bias on engagements
b. Analyze situations where conflicts of interest may arise

3. Analyze policies that promote objectivity and potential options to mitigate impairments

May include but is not limited to:
a. Assess situations where reassigning internal auditors may be warranted
b. Assess situations where it would be appropriate to outsource the performance or supervision of an engagement
c. Determine when it is necessary to disclose impairments
d. Recognize situations where it is inappropriate to accept a gift, reward, or favor

4. Apply the knowledge, skills, and competencies required (whether developed or procured) to fulfill the responsibilities of the internal audit function

May include but is not limited to:
a. Apply written and verbal communication skills to deliver effective messages, reports, meetings, and presentations
b. Apply critical thinking and problem-solving skills to address complex issues and identify innovative solutions
c. Apply research skills to collect information from a variety of resources and expand knowledge on various topics
d. Apply persuasion and negotiation skills to manage conflicts and collaborate effectively with teammates and stakeholders
e. Apply relationship-building skills to establish trust and credibility
f. Apply change management skills to thrive in evolving environments
g. Demonstrate curiosity to uncover new information and foster continuous learning
h. Evaluate situations that demonstrate a need for an internal auditor to pursue continuing professional development

5. Demonstrate due professional care

May include but is not limited to:
a. Recognize that due professional care involves assessment of the organization’s strategy and objectives
b. Recognize that due professional care involves assessment of the adequacy and effectiveness of governance, risk management, and control processes
c. Recognize that due professional care involves assessment of the costs relative to potential benefits of an engagement
d. Recognize that due professional care involves assessment of the probability of significant errors, fraud, noncompliance, and other risks
e. Recognize that professional skepticism involves maintaining an unbiased mental attitude and critical assessment of the reliability of information

6. Maintain confidentiality and use information appropriately during engagements

May include but is not limited to:
a. Apply relevant organizational policies, procedures, laws, and regulations
b. Apply internal audit methodologies
c. Demonstrate respect for privacy and ownership of information
d. Apply appropriate methods to protect information

Section C. Governance, Risk Management, and Control (30%)

1. Describe the concept of organizational governance

May include but is not limited to:
a. Describe the roles of the board, senior management, the internal audit function, and other assurance providers
b. Recognize governance frameworks, principles, and models

2. Recognize the impact of organizational culture on the overall control environment and individual engagement risks and controls

May include but is not limited to:
a. Define organizational culture and the control environment
b. Define engagement risks and controls
c. Recognize the impact of the organization’s decision-making processes on the organization’s governance, risk management, and control processes

3. Recognize ethical and compliance-related issues

May include but is not limited to:
a. Identify ethical, legal, and compliance requirements applicable to an organization
b. Recognize the internal auditor’s role in an organization’s ethical framework

4. Interpret fundamental concepts of risk type

May include but is not limited to:
a. Differentiate between the following types of risk: strategic, operational, financial, compliance, reputational, and environmental, sustainability and social responsibility
b. Compare and contrast inherent and residual risks

5. Interpret fundamental concepts of the risk management process

May include but is not limited to:
a. Define risk management
b. Recognize an organization’s risk appetite and risk tolerance
c. Assess the elements of the risk management cycle
d. Evaluate an organization’s responses to identified risks

6. Describe risk management within organizational processes and functions

May include but is not limited to:
a. Evaluate the design and effectiveness of risk management processes
b. Describe the purpose and benefit of using a risk management framework

7. Interpret internal control concepts and types of controls

May include but is not limited to:
a. Describe the purpose of internal controls
b. Describe and evaluate types of internal controls, such as preventive, detective, and corrective
c. Recommend appropriate controls to mitigate risks

8. Recognize the importance of the design, effectiveness, and efficiency of internal controls (financial and nonfinancial)

May include but is not limited to:
a. Review the design and effectiveness of internal controls
b. Describe the purpose and benefit of using an internal control framework

Section D. Fraud Risks (15%)

1. Describe concepts of fraud risks and types of fraud

May include but is not limited to:
a. Describe the fraud triangle concepts: motivation, opportunity, and rationalization
b. Recognize fraud risks
c. Identify common fraud schemes

2. Determine whether fraud risks require special consideration during an engagement

May include but is not limited to:
a. Recognize fraud risks when planning an engagement
b. Assess processes that may have significant exposure to fraud risk

3. Evaluate the potential for fraud and how the organization detects and manages fraud risks

May include but is not limited to:
a. Evaluate an organization’s fraud risk management processes
b. Detect and assess red flags at the organizational level and process level
c. Recognize the internal auditor’s role in reporting red flags identified during an engagement

4. Describe controls to prevent and detect fraud

May include but is not limited to:
a. Recognize the impact that tone at the top has on the likelihood of fraud
b. Recognize the appropriate application of segregation of duties
c. Recognize how authority levels may prevent fraud
d. Recognize common controls to detect fraud such as whistleblower hotlines, reconciliations, and supervisory reviews

5. Recognize techniques and the internal audit function’s role related to fraud investigation

May include but is not limited to:
a. Define the internal audit function’s role related to fraud investigations
b. Describe interviewing techniques
c. Describe investigation techniques
d. Describe fraud testing methods
e. Recognize opportunities for internal auditors to coordinate with fraud investigators and review their risk assessments, prior investigations, investigation trends, and whistleblower complaints

What's tested on the CIA Part 2 exam?

CIA Part 2 tests candidates on 100 multiple-choice questions over 2 hours. On Part 2, you’ll be tested on topics related to planning and performing engagements as well as analyzing and communicating about the engagement.

Part 2 – 2019 Syllabus
Practice of Internal Auditing

1. Managing the Internal Audit Activity – 20%
2. Planning the Engagement – 20%
3. Performing the Engagement – 40%
4. Communicating Engagement Results and Monitoring Progress – 20%

Part 2 – 2025 Syllabus
Internal Audit Engagement

1. Engagement Planning – 50%
2. Information Gathering, Analysis, and Evaluation – 40%
3. Engagement Supervision and Communication – 10%

CIA Part 2 - 2019 Syllabus

Click on any topic below to see the detailed breakdown of each subdomain and its proficiency level.

1. Managing the Internal Audit Activity (20%)

1. Internal Audit Operations
A. Describe policies and procedures for the planning, organizing, directing, and monitoring of internal audit operations – Basic
B. Interpret administrative activities (budgeting, resourcing, recruiting, staffing, etc.) of the internal audit activity – Basic

2. Establishing a Risk-based Internal Audit Plan
A. Identify sources of potential engagements (audit universe, audit cycle requirements, management requests, regulatory mandates, relevant market and industry trends, emerging issues, etc.) – Basic
B. Identify a risk management framework to assess risks and prioritize audit engagements based on the results of a risk assessment – Basic
C. Interpret the types of assurance engagements (risk and control assessments, audits of third parties and contract compliance, security and privacy, performance and quality audits, key performance indicators, operational audits, financial and regulatory compliance audits) – Proficient
D. Interpret the types of consulting engagements (training, system design, system development, due diligence, privacy, benchmarking, internal control assessment, process mapping, etc.) designed to provide advice and insight – Proficient
E. Describe coordination of internal audit efforts with the external auditor, regulatory oversight bodies, and other internal assurance functions, and potential reliance on other assurance providers – Basic

3. Communicating and Reporting to Senior Management and the Board
A. Recognize that the chief audit executive communicates the annual audit plan to senior management and the board and seeks the board’s approval – Basic
B. Identify significant risk exposures and control and governance issues for the chief audit executive to report to the board – Basic
C. Recognize that the chief audit executive reports on the overall effectiveness of the organization’s internal control and risk management processes to senior management and the board – Basic
D. Recognize internal audit key performance indicators that the chief audit executive communicates to senior management and the board periodically – Basic

2. Planning the Engagement (20%)

A. Determine engagement objectives, evaluation criteria, and the scope of the engagement – Proficient
B. Plan the engagement to assure identification of key risks and controls – Proficient
C. Complete a detailed risk assessment of each audit area, including evaluating and prioritizing risk and control factors – Proficient
D. Determine engagement procedures and prepare the engagement work program – Proficient
E. Determine the level of staff and resources needed for the engagement – Proficient

3. Performing the Engagement (40%)

1. Information Gathering
A. Gather and examine relevant information (review previous audit reports and data, conduct walk-throughs and interviews, perform observations, etc.) as part of a preliminary survey of the engagement area – Proficient
B. Develop checklists and risk-and-control questionnaires as part of a preliminary survey of the engagement area – Proficient
C. Apply appropriate sampling (nonstatistical, judgmental, discovery, etc.) and statistical analysis techniques – Proficient

2. Analysis and Evaluation
A. Use computerized audit tools and techniques (data mining and extraction, continuous monitoring, automated workpapers, embedded audit modules, etc.) – Proficient
B. Evaluate the relevance, sufficiency, and reliability of potential sources of evidence – Proficient
C. Apply appropriate analytical approaches and process mapping techniques (process identification, workflow analysis, process map generation and analysis, spaghetti maps, RACI diagrams, etc.) – Proficient
D. Determine and apply analytical review techniques (ratio estimation, variance analysis, budget vs. actual, trend analysis, other reasonableness tests, benchmarking, etc.) – Basic
E. Prepare workpapers and documentation of relevant information to support conclusions and engagement results – Proficient
F. Summarize and develop engagement conclusions, including assessment of risks and controls – Proficient

3. Engagement Supervision
A. Identify key activities in supervising engagements (coordinate work assignments, review workpapers, evaluate auditors’ performance, etc.) – Basic

4. Communicating Engagement Results and Monitoring Progress (20%)

1. Communicating Engagement Results and the Acceptance of Risk
A. Arrange preliminary communication with engagement clients – Proficient
B. Demonstrate communication quality (accurate, objective, clear, concise, constructive, complete, and timely) and elements (objectives, scope, conclusions, recommendations, and action plan) – Proficient
C. Prepare interim reporting on the engagement progress – Proficient
D. Formulate recommendations to enhance and protect organizational value – Proficient
E. Describe the audit engagement communication and reporting process, including holding the exit conference, developing the audit report (draft, review, approve, and distribute), and obtaining management’s response – Basic
F. Describe the chief audit executive’s responsibility for assessing residual risk – Basic
G. Describe the process for communicating risk acceptance (when management has accepted a level of risk that may be unacceptable to the organization) – Basic

2. Monitoring Progress
A. Assess engagement outcomes, including the management action plan – Proficient
B. Manage monitoring and follow-up of the disposition of audit engagement results communicated to management and the board – Proficient

CIA Part 2 - 2025 Syllabus

Click on any topic below to see the detailed breakdown of each section.

Section A. Engagement Planning (50%)

1. Determine engagement objectives and scope

May include but is not limited to:
a. Recognize how to apply Topical Requirements when determining objectives and scope
b. Recognize elements to be considered in the development of engagement objectives, including regulatory requirements; the organization’s strategy and objectives; governance, risk management, and control processes; risk appetite and tolerance; internal policies; previous audit reports; work of other assurance providers; and whether the engagement is intended to provide assurance or advisory services
c. Identify and document relevant scope limitations during planning
d. Evaluate approaches for managing and documenting stakeholder requests
e. Identify effective methods for addressing changes in objectives and scope

2. Determine evaluation criteria based on relevant information gathered

May include but is not limited to:
a. Identify the most relevant criteria for evaluating the activity under review
b. Determine whether a set of evaluation criteria is specific, practical, relevant, aligned with the objectives of the organization and the activity under review, and produces reliable comparisons

3. Plan the engagement to assess key risks and controls

May include but is not limited to:
a. Recognize how to apply Topical Requirements when planning an engagement
b. When planning an engagement, recognize the strategic objectives of the activity under review and their integration with risk management, business performance measures, and performance management techniques
c. When planning an engagement, recognize existing and emerging cybersecurity risks, common information security and IT controls, IT general controls, the purpose and benefits of using an IT control framework, principles of data privacy, and data security policies and practices
d. When planning an engagement, recognize business continuity and disaster recovery readiness concepts such as business resilience, incident management, business impact analysis, and backup and recovery testing
e. When planning an engagement, recognize finance and accounting concepts related to the activity under review such as current and fixed assets, short-term and long-term liabilities, capital, and investments
f. When planning an engagement, recognize key risks and controls related to common business processes such as asset management, supply chain management, inventory management, accounts payable, procurement, compliance, third-party processes, customer relationship management systems, enterprise resource planning systems, and governance, risk, and compliance systems

4. Determine the appropriate approach for an engagement

May include but is not limited to:
a. Evaluate various approaches such as agile, traditional, integrated, and remote auditing to determine the most suitable approach
b. Describe project management concepts as they relate to planning and conducting an engagement

5. Complete a detailed risk assessment of each activity under review

May include but is not limited to:
a. Recognize how to apply Topical Requirements when completing a risk assessment
b. Recognize the pervasive financial, operational, IT, cybersecurity, and regulatory risks as they relate to the activity under review
c. Recognize the impact of emerging risks on the organization
d. Determine appropriate methods and criteria to evaluate and prioritize identified risks and controls
e. Recognize the impacts of change of people, processes, and systems on risk
f. Recognize the impact of different organizational structures and environments on the risk assessment, including centralized versus decentralized, flat versus traditional, and in-person versus remote work
g. Recognize the impact of organizational culture on the control environment, including individual and group behaviors and tone at the top

6. Determine engagement procedures and prepare the engagement work program

May include but is not limited to:
a. Determine procedures to evaluate control design
b. Identify procedures to test the effectiveness of controls
c. Identify procedures to test the efficiency of controls
d. Evaluate the adequacy of the engagement work program
e. Identify testing methodologies for an engagement that includes accounting, finance, IT systems, business operations, or cybersecurity

7. Determine the level of resources and skills needed for the engagement

May include but is not limited to:
a. Determine financial resources required for the engagement
b. Determine human resources required for the engagement
c. Determine technological resources required for the engagement
d. Evaluate implications of resource limitations

Section B. Information Gathering, Analysis, and Evaluation (40%)

1. Identify sources of information to support engagement objectives and procedures

May include but is not limited to:
a. Determine suitable methods for obtaining information, including interviews, observations, walk-throughs, and data analyses
b. Determine suitable documents for obtaining information, including policies, checklists, risk and control questionnaires, and self-assessment surveys

2. Evaluate the relevance, sufficiency, and reliability of evidence gathered to support engagement objectives

May include but is not limited to:
a. Apply suitable criteria in evaluating the quality of evidence
b. Recognize factors that impact the reliability of evidence, such as obtaining the evidence directly from an independent source, obtaining corroborated evidence, and gathering evidence from a system with effective governance, risk management, and control processes
c. Describe evidence that would allow an informed and competent person to reach the same conclusions as the internal auditor

3. Evaluate technology options that internal auditors may use to develop and support engagement findings and conclusions

May include but is not limited to:
a. Recognize efficient and effective solutions, including artificial intelligence, machine learning, robotic process automation, continuous monitoring, dashboards, and embedded audit modules

4. Apply appropriate analytical approaches and process mapping techniques

May include but is not limited to:
a. Define process workflow segments
b. Analyze process workflows through process mapping, walk-throughs, and responsibility assignment matrices
c. Explain data types, including structured and non-structured
d. Explain data analytics processes, including defining objectives, obtaining relevant data, normalizing data, analyzing data, and communicating results
e. Determine when to use various data analysis methods, such as diagnostic analysis, prescriptive analysis, predictive analysis, anomaly detection, and text analysis

5. Apply analytical review techniques

May include but is not limited to:
a. Analyze ratios, variances, trends, financial and nonfinancial information, and benchmarking results
b. Determine appropriate analytical techniques to achieve engagement objectives

6. Determine whether there is a difference between evaluation criteria and existing conditions and evaluate the significance of each finding

May include but is not limited to:
a. Analyze existing conditions and compare to evaluation criteria
b. Identify root causes and potential effects of deviations from evaluation criteria
c. Appraise factors to establish the significance of findings

7. Prepare workpapers, including relevant information to support conclusions and engagement results

May include but is not limited to:
a. Organize information in workpapers
b. Identify elements of workpapers that are complete and include sufficient evidence
c. Analyze the link between workpapers and the engagement results
d. Determine factors to be considered when organizing and retaining engagement documentation, including regulatory requirements and internal policies

8. Summarize and develop engagement conclusions

May include but is not limited to:
a. Determine the significance of aggregated findings by applying professional judgement
b. Determine elements to be considered when developing engagement conclusions, such as the effectiveness of governance, risk management, and control processes

Section C. Engagement Supervision and Communication (10%)

1. Apply appropriate supervision throughout the engagement

May include but is not limited to:
a. Describe how supervision applies throughout engagements, including during engagement planning
b. Describe supervisor responsibilities related to coordinating work assignments
c. Describe supervisor responsibilities related to reviewing workpapers and engagement conclusions
d. Describe supervisor responsibilities related to evaluating auditors’ performance

2. Apply appropriate communication with stakeholders throughout the engagement

May include but is not limited to:
a. Determine effective communication methods (formal or informal, written or oral) during planning, fieldwork, and reporting
b. Identify situations that require escalation
c. Determine appropriate stakeholders for engagement communication

What's tested on the CIA Part 3 exam?

Part 3 of the CIA exam consists of 100 multiple-choice questions, and candidates have 2 hours to finish it. For the 2019 version of the exam, many CIA candidates consider Part 3 the hardest of the CIA exam parts to pass because they aren’t as familiar with these topics as they are with those in CIA Parts 1 and 2. Adding to the difficulty, this part also covers the widest range of topics. However, well-prepared candidates are still able to pass this part on their first try.

Part 3 – 2019 Syllabus: Business Knowledge for Internal Auditing
1. Business Acumen – 35%
2. Information Security – 25%
3. Information Technology – 20%
4. Financial Management – 20%

Part 3 – 2025 Syllabus: Internal Audit Function
1. Internal Audit Operations – 25%
2. Internal Audit Plan – 15%
3. Quality of the Internal Audit Function – 15%
4. Engagement Results and Monitoring – 45%

CIA Part 3 - 2019 Syllabus

Click on any topic below to see the detailed breakdown of each subdomain and its proficiency level.

1. Business Acumen (35%)

1. Organizational Objectives, Behavior, and Performance
A. Describe the strategic planning process and key activities (objective setting, globalization and competitive considerations, alignment to the organization’s mission and values, etc.) – Basic
B. Examine common performance measures (financial, operational, qualitative vs. quantitative, productivity, quality, efficiency, effectiveness, etc.) – Proficient
C. Explain organizational behavior (individuals in organizations, groups, and how organizations behave, etc.) and different performance management techniques (traits, organizational politics, motivation, job design, rewards, work schedules, etc.) – Basic
D. Describe management’s effectiveness to lead, mentor, guide people, build organizational commitment, and demonstrate entrepreneurial ability – Basic

2. Organizational Structure and Business Processes
A. Appraise the risk and control implications of different organizational configuration structures (centralized vs. decentralized, flat structure vs. traditional, etc.) – Basic
B. Examine the risk and control implications of common business processes (human resources, procurement, product development, sales, marketing, logistics, management of outsourced processes, etc.) – Proficient
C. Identify project management techniques (project plan and scope, time/team/resources/cost management, change management, etc.) – Basic
D. Recognize the various forms and elements of contracts (formality, consideration, unilateral, bilateral, etc.) – Basic

3. Data Analytics
A. Describe data analytics, data types, data governance, and the value of using data analytics in internal auditing – Basic
B. Explain the data analytics process (define questions, obtain relevant data, clean/normalize data, analyze data, communicate results) – Basic
C. Recognize the application of data analytics methods in internal auditing (anomaly detection, diagnostic analysis, predictive analysis, network analysis, text analysis, etc.) – Basic

2. Information Security (25%)

A. Differentiate types of common physical security controls (cards, keys, biometrics, etc.) – Basic
B. Differentiate the various forms of user authentication and authorization controls (password, two-level authentication, biometrics, digital signatures, etc.) and identify potential risks – Basic
C. Explain the purpose and use of various information security controls (encryption, firewalls, antivirus, etc.) – Basic
D. Recognize data privacy laws and their potential impact on data security policies and practices – Basic
E. Recognize emerging technology practices and their impact on security (bring your own device [BYOD], smart devices, internet of things [IoT], etc.) – Basic
F. Recognize existing and emerging cybersecurity risks (hacking, piracy, tampering, ransomware attacks, phishing attacks, etc.) – Basic
G. Describe cybersecurity and information security-related policies – Basic

3. Information Technology (20%)

1. Application and System Software
A. Recognize core activities in the systems development lifecycle and delivery (requirements definition, design, developing, testing, debugging, deployment, maintenance, etc.) and the importance of change controls throughout the process – Basic
B. Explain basic database terms (data, database, record, object, field, schema, etc.) and internet terms (HTML, HTTP, URL, domain name, browser, click-through, electronic data interchange [EDI], cookies, etc.) – Basic
C. Identify key characteristics of software systems (customer relationship management [CRM] systems; enterprise resource planning [ERP] systems; and governance, risk, and compliance [GRC] systems; etc.) – Basic

2. IT Infrastructure and IT Control Frameworks
A. Explain basic IT infrastructure and network concepts (server, mainframe, client-server configuration, gateways, routers, LAN, WAN, VPN, etc.) and identify potential risks – Basic
B. Define the operational roles of a network administrator, database administrator, and help desk – Basic
C. Recognize the purpose and applications of IT control frameworks (COBIT, ISO 27000, ITIL, etc.) and basic IT controls – Basic

3. Disaster Recovery
A. Explain disaster recovery planning site concepts (hot, warm, cold, etc.) – Basic
B. Explain the purpose of systems and data backup – Basic
C. Explain the purpose of systems and data recovery procedures – Basic

4. Financial Management (20%)

1. Financial Accounting and Finance
A. Identify concepts and underlying principles of financial accounting (types of financial statements and terminologies such as bonds, leases, pensions, intangible assets, research and development, etc.) – Basic
B. Recognize advanced and emerging financial accounting concepts (consolidation, investments, fair value, partnerships, foreign currency transactions, etc.) – Basic
C. Interpret financial analysis (horizontal and vertical analysis and ratios related to activity, profitability, liquidity, leverage, etc.) – Proficient
D. Describe revenue cycle, current asset management activities and accounting, and supply chain management (including inventory valuation and accounts payable) – Basic
E. Describe capital budgeting, capital structure, basic taxation, and transfer pricing – Basic

2. Managerial Accounting
A. Explain general concepts of managerial accounting (cost-volume-profit analysis, budgeting, expense allocation, cost-benefit analysis, etc.) – Basic
B. Differentiate costing systems (absorption, variable, fixed, activity-based, standard, etc.) – Basic
C. Distinguish various costs (relevant and irrelevant costs, incremental costs, etc.) and their use in decision making – Basic

CIA Part 3 - 2025 Syllabus

Click on any topic below to see the detailed breakdown of each section.

Section A. Internal Audit Operations (25%)

1. Describe methodologies for the planning, organizing, directing, and monitoring of internal audit operations

May include but is not limited to:
a. Describe methods for managing external providers of internal audit services
b. Describe methods for monitoring internal audit operations
c. Describe methods for balancing assurance and advisory engagements
d. Identify the conditions that warrant the review and possible revision of internal audit methodologies

2. Describe key activities for managing financial, human, and IT resources within the internal audit function

May include but is not limited to:
a. Outline the key steps and considerations of the budgeting process
b. Recognize the steps and considerations involved in recruiting resources
c. Identify the roles and responsibilities of various internal audit team members
d. Describe strategies to train, develop, and retain internal auditors
e. Describe the internal audit function’s performance management techniques
f. Explain key considerations for technological resources to perform engagements
g. Recognize behavioral and management techniques that would enhance the internal audit function, including job design, rewards, work schedules, mentoring, coaching, and constructive feedback

3. Describe the key elements required to align internal audit strategy to stakeholder expectations

May include but is not limited to:
a. Describe how internal audit strategy supports the organization’s business strategy and risk management practices
b. Explain the purpose of the internal audit function’s mission and vision statements
c. Describe how internal audit resource planning is aligned with the internal audit strategy
d. Identify the conditions that warrant the review and revision of internal audit strategy

4. Recognize the chief audit executive’s responsibilities for building relationships and communicating with senior management and the board about various matters

May include but is not limited to:
a. Explain the importance of formal and informal communication with stakeholders
b. Describe the protocol for communicating the audit plan and any subsequent changes and how it links to the organization’s overall strategy
c. Describe the protocol for communicating independence concerns and significant risk exposures
d. Describe the chief audit executive’s responsibility to report timely the overall effectiveness of the organization’s risk management and control processes and to identify themes based on multiple engagements
e. Describe the chief audit executive’s responsibility for communicating quality assessment results, performance metrics, and any necessary remediation plans

Section B. Internal Audit Plan (15%)

1. Identify sources of potential engagements

May include but is not limited to:
a. Describe the process for defining the audit universe
b. Identify key components of the audit universe
c. Recognize applicability of Topical Requirements
d. Describe the process for considering board and management requests
e. Describe the process for identifying applicable laws and regulatory mandates
f. Describe the process for identifying relevant market and industry trends, organizational changes, emerging issues, and emerging technologies such as the internet of things, artificial intelligence, blockchain, digital currency and assets, and robotic process automation
g. Explain the reasons for audit cycle requirements

2. Describe the processes to develop a risk-based audit plan

May include but is not limited to:
a. Describe the risk assessment methodology and risk prioritization
b. Describe the process for maintaining the audit plan’s alignment with the organization’s strategy, the internal audit strategy, and stakeholder expectations
c. Recognize circumstances that may trigger the need to make timely updates to maintain a dynamic audit plan

3. Recognize the importance for internal auditors to coordinate with other assurance providers and leverage their work

May include but is not limited to:
a. Identify internal and external assurance providers
b. Identify examples of, and methods for, coordinating assurance coverage
c. Identify the criteria for evaluating assurance providers to determine the ability to rely on their work

Section C. Quality of the Internal Audit Function (15%)

1. Describe the required elements of the quality assurance and improvement program

May include but is not limited to:
a. Recognize the key components of quality assurance
b. Recognize the applicability of Topical Requirements
c. Explain the purpose of a quality assurance and improvement program
d. Recognize the chief audit executive’s responsibility for communicating to the board the results of the quality assurance and improvement program
e. Compare the elements of internal and external assessments
f. Recognize acceptable qualifications of quality assessors
g. Describe key components of ongoing monitoring and periodic self-assessments

2. Identify appropriate disclosure of nonconformance with The IIA’s Global Internal Audit Standards

May include but is not limited to:
a. Identify the information that must be communicated, such as the circumstances, actions taken, impact, and rationale for nonconformance
b. Describe the key steps for communicating nonconformance to senior management and the board

3. Recognize practical methods for establishing internal audit key performance indicators or scorecard metrics that the chief audit executive communicates to senior management and the board

May include but is not limited to:
a. Identify the objectives of key performance indicators
b. Identify key considerations when establishing performance indicators and the need to establish the target
c. Recognize the merit of both qualitative and quantitative performance indicators
d. Analyze the internal audit function’s performance measures, including financial, operational, quality, productivity, efficiency, and effectiveness

Section D. Engagement Results and Monitoring (45%)

1. Recognize attributes of effective engagement results communication

May include but is not limited to:
a. Define the following terms in the context of final results communication: accurate, objective, clear, concise, constructive, complete, and timely
b. Recognize application of these attributes in the communication of engagement results
c. Identify effective communication methodologies

2. Demonstrate effective communication of engagement results

May include but is not limited to:
a. Describe the key components of audit reports, including objectives, scope, conclusions, recommendations, and action plans
b. Recognize when it is acceptable to include “conducted in accordance with the Global Internal Audit Standards” in the final communication of engagement results
c. Identify when it is necessary to document scope limitation

3. Determine whether to develop recommendations, request action plans from management, or collaborate with management to agree on actions

May include but is not limited to:
a. Recognize the appropriate protocol for internal auditors when there are disagreements with management about engagement findings or action plans
b. Recognize the purpose of recommendations and action plans, including cost-benefit considerations
c. Determine whether the action plan adequately addresses the root cause of a finding

4. Describe the engagement closing communication and reporting process

May include but is not limited to:
a. Describe the purpose and parties involved in the closing communication (exit conference)
b. Recognize the chief audit executive’s responsibility for distributing the final communication and reporting to stakeholders
c. Recognize the various purposes of communicating with different stakeholders, such as management of the activity under review, senior management, the board, the risk management function, external auditors, regulators, and the general public
d. Recognize the appropriate protocol for reporting on a finding that management has already resolved
e. Describe the chief audit executive’s responsibility and protocol for correcting significant errors and omissions in the final communication

5. Describe the chief audit executive’s responsibility for assessing residual risk for the engagement

May include but is not limited to:
a. Recognize methodologies to assess the existing controls for design adequacy and effectiveness and determine the level of residual risk
b. Describe the purpose of aggregating and prioritizing findings
c. Describe the purpose of using a rating scale to reflect the overall assessment of controls for the engagement

6. Describe the process for communicating risk acceptance (when management has accepted a level of risk that may be unacceptable to the organization)

May include but is not limited to:
a. Recognize the method for determining whether a risk is unacceptable to the organization
b. Recognize the appropriate parties involved in communicating risk acceptance
c. Recognize the proper sequence of steps for communicating risk acceptance

7. Describe the process for monitoring and confirming the implementation of management action plans

May include but is not limited to:
a. Recognize the internal audit function’s responsibility for follow-up and tracking of management actions
b. Distinguish the key steps for monitoring and confirming management action plans

8. Describe the escalation process if management has not adequately implemented an action plan

May include but is not limited to:
a. Recognize the appropriate parties involved in the escalation process
b. Recognize the proper sequence of steps for the escalation process

How are topics tested on the CIA exam?

The CIA exam is non-disclosed, meaning the questions on it aren’t available to anyone, and there is a large body of questions that each exam pulls from, so virtually no two exams will be the same.

The exact number of questions from each topic is slightly randomized, so it’s important to prepare for all of the topics to the best of your ability.

CIA exam candidates are instructed to select the best answer out of the given options. Candidates have reported that the CIA exam can be tricky and give two very close answer choices. Always select the best or most correct answer if you are torn between two options.

Question types

There are five types of multiple-choice questions found on the CIA exam. You are likely to encounter all five, but due to the non-disclosed nature of the CIA exam, your experience may be a little different. Don’t worry. As long as you’re prepared, you can easily answer anything the CIA exam throws at you.

Be on the lookout for absolutes during your exam. Questions or answers with words like always or never can often be solved by asking yourself “are there any exceptions?” If so, you’ll know if an answer is more or less likely to be correct.

CIA Exam Changes

In the new version of the CIA exam, there will no longer be negative questions or questions with two or three combined answer options.

Direct Questions

Everyone is likely familiar with this type of question, and it’s the most common type on the CIA exam. Most will either ask you a question or have you complete a sentence, but all are straightforward and present four single-statement answer choices.

Negative questions

Sometimes multiple-choice questions will include negative phrasing, with words like except, not, unless, least, etc. Presumably, The IIA will print negative words in bold, as we did, but you should always read the question stem carefully and completely just in case. These questions can be tricky because they ask you to select the false answer choice among three correct answers.

Questions with graphical illustrations

CIA exam questions will occasionally require you to interpret a graph or other image before selecting the appropriate answer choice. Any of the question types we discussed could include a graphical illustration.

Questions with two or three answer options

Some questions will provide a number of statements separate from the answer choices. The four answer choices will ask you specifically if one or more of the statements satisfy the question.

The best strategy is to determine which sentences you’re sure are right or wrong and use them to eliminate answer choices. 

This type of question can be one of the most difficult to answer, so we’ve made a special Gleim Instruct video reviewing the best approaches to multiple-choice questions.

[Image: Example question with multiple answer options found on the CIA exam parts]
[Image: Example question with multiple variables found on the CIA exam parts]

Questions with several variables

Some multiple-choice questions present several variables within each answer choice. The answer choices appear in columns, and you must select the correct “row” containing the right mix of variables.

This question type is also considered to be quite difficult by CIA candidates, but our Gleim Instruct video also goes over how to answer these questions.

Frequently Asked Questions

What is the CIA exam pass rate?

The CIA exam pass rate averages between 40% and 50%. This number reflects all candidates globally across all parts of the exam. Typically, fewer than half of CIA candidates pass the exam, which means only the properly prepared succeed.

How soon are new pronouncements tested?

The IIA typically tests updated standards approximately 6 months after the standards take effect. All three CIA exam parts begin testing new pronouncements at the same time. There are exceptions, typically in the case of large updates, which will be announced by The IIA in advance so candidates and review providers can be well prepared.

How do I pass the CIA exam?

The best way to ensure that you are successful on each of the three CIA exam parts is to study with a complete review system and master all of the testable topics.