CIA EXAM CONTENT OUTLINES
2.1  OVERVIEW OF EXAM CONTENT OUTLINES

In this study unit, we have reproduced verbatim The IIA’s exam content outlines for the CIA exam from its website (global.theiia.org/certification/cia-certification/pages/exam-syllabus.aspx). Note that those levels labeled “proficiency level” mean the candidate should have a thorough understanding and the ability to apply concepts in the topics listed underneath. Those levels labeled “awareness level” mean the candidate must have a grasp of the terminology and fundamentals of the concepts listed underneath.

We also have provided cross-references to the study units and subunits in the appropriate Gleim book that correspond to The IIA’s more detailed coverage. If one entry appears above a list, it applies to all items.

The IIA summarizes each part as follows:

Part 1:  The Internal Audit Activity’s Role in Governance, Risk, and Control

Part 1 tests “aspects of the IPPF, responsibilities of the internal audit activity, independence and objectivity, governance concepts, risk identification and management, management controls, and audit planning.”

Part 2:  Conducting the Internal Audit Engagement

Part 2 tests “steps for conducting audit engagements, types of engagements (such as technology, financial, or operational), fraud elements, audit engagement tools, audit documentation and reporting, and follow-up procedures.”

Part 3:  Business Analysis and Information Technology

Part 3 tests “business process analysis, quality management, balanced scorecard, financial accounting, managerial accounting, regulatory and economic impacts on business, and information technology concepts.”

Part 4:  Business Management Skills

Part 4 tests “strategic decision-making, competitive analysis and strategies, product and industry life cycles, managing in a global business environment, organizational behavior, team building, negotiation, and leadership skills.”

The Gleim CIA Review System is organized to ensure comprehensive coverage of The IIA’s content outlines.

For the exam content outlines, The IIA discloses the percentage coverage of each subject in ranges, e.g., 15-25%. We present the midpoint of each range to simplify and provide more relevant information to CIA candidates, e.g., 20% instead of 15-25%. All Gleim presentations are simplified and more relevant to facilitate your study, learning, and success.

PART 1 – THE INTERNAL AUDIT ACTIVITY’S ROLE IN GOVERNANCE, RISK, AND CONTROL
  1. COMPLY WITH THE IIA’S ATTRIBUTE STANDARDS (20%) (proficiency level)
    1. Define purpose, authority, and responsibility of the internal audit activity (1.2)
      1. Determine if the purpose, authority, and responsibility of the internal audit activity are clearly documented and approved
      2. Determine if the purpose, authority, and responsibility of internal audit activity are communicated to the engagement clients
      3. Demonstrate an understanding of the purpose, authority, and responsibility of the internal audit activity
    2. Maintain independence and objectivity
      1. Foster independence (1.3, 1.5)
        1. Understand organizational independence
        2. Recognize the importance of organizational independence
        3. Determine if the internal audit activity is properly aligned to achieve organizational independence
      2. Foster objectivity (1.4, 1.5)
        1. Establish policies to promote objectivity
        2. Assess individual objectivity
        3. Maintain individual objectivity
        4. Recognize and mitigate impairments to independence and objectivity
    3. Determine if the required knowledge, skills, and competencies are available (2.1, 2.2)
      1. Understand the knowledge, skills, and competencies that an internal auditor needs to possess
      2. Identify the knowledge, skills, and competencies required to fulfill the responsibilities of the internal audit activity
    4. Develop and/or procure necessary knowledge, skills, and competencies collectively required by the internal audit activity (2.1, 2.2)
    5. Exercise due professional care (2.3)
    6. Promote continuing professional development (2.3)
      1. Develop and implement a plan for continuing professional development for internal audit staff
      2. Enhance individual competency through continuing professional development
    7. Promote quality assurance and improvement of the internal audit activity (2.4 - 2.7)
      1. Establish and maintain a quality assurance and improvement program
      2. Monitor the effectiveness of the quality assurance and improvement program
      3. Report the results of the quality assurance and improvement program to the board or other governing body
      4. Conduct quality assurance procedures and recommend improvements to the performance of the internal audit activity
    8. Abide by and promote compliance with The IIA Code of Ethics (3.2 - 3.6)
  2. ESTABLISH A RISK-BASED PLAN TO DETERMINE THE PRIORITIES OF THE INTERNAL AUDIT ACTIVITY (20%) (proficiency level)
    1. Establish a framework for assessing risk (4.1)
    2. Use the framework to:  (4.1)
      1. Identify sources of potential engagements (e.g., audit universe, management request, regulatory mandate)
      2. Assess organization-wide risk
      3. Solicit potential engagement topics from various sources
      4. Collect and analyze data on proposed engagements
      5. Rank and validate risk priorities
    3. Identify internal audit resource requirements (4.3)
    4. Coordinate the internal audit activity’s efforts with:  (4.5)
      1. External auditor
      2. Regulatory oversight bodies
      3. Other internal assurance functions (e.g., health and safety department)
    5. Select engagements
      1. Participate in the engagement selection process (4.1)
      2. Select engagements (4.1)
      3. Communicate and obtain approval of the engagement plan from board (4.2, 4.6)
  3. UNDERSTAND THE INTERNAL AUDIT ACTIVITY’S ROLE IN ORGANIZATIONAL GOVERNANCE (15%) (proficiency level)  (5.2)
    1. Obtain board’s approval of audit charter
    2. Communicate plan of engagements
    3. Report significant audit issues
    4. Communicate key performance indicators to board on a regular basis
    5. Discuss areas of significant risk
    6. Support board in enterprise-wide risk assessment
    7. Review positioning of the internal audit function within the risk management framework within the organization
    8. Monitor compliance with the corporate code of conduct/business practices
    9. Report on the effectiveness of the control framework
    10. Assist board in assessing the independence of the external auditor
    11. Assess ethical climate of the board
    12. Assess ethical climate of the organization
    13. Assess compliance with policies in specific areas (e.g., derivatives)
    14. Assess organization’s reporting mechanism to the board
    15. Conduct follow-up and report on management response to regulatory body reviews
    16. Conduct follow-up and report on management response to external audit
    17. Assess the adequacy of the performance measurement system, achievement of corporate objective
    18. Support a culture of fraud awareness and encourage the reporting of improprieties
  4. PERFORM OTHER INTERNAL AUDIT ROLES AND RESPONSIBILITIES (5%) (proficiency level) 
    1. Ethics/Compliance  (3.1)
      1. Investigate and recommend resolution for ethics/compliance complaints
      2. Determine disposition of ethics violations
      3. Foster healthy ethical climate
      4. Maintain and administer business conduct policy (e.g., conflict of interest)
      5. Report on compliance
    2. Risk Management  (5.3)
      1. Develop and implement an organization-wide risk and control framework
      2. Coordinate enterprise-wide risk assessment
      3. Report corporate risk assessment to board
      4. Review business continuity planning process
    3. Privacy  (6.6)
      1. Determine privacy vulnerabilities
      2. Report on compliance
    4. Information or physical security  (6.6)
      1. Determine security vulnerabilities
      2. Determine disposition of security violations
      3. Report on compliance
  5. GOVERNANCE, RISK, AND CONTROL KNOWLEDGE ELEMENTS (20%)
    1. Corporate governance principles (awareness level)  (5.2)
    2. Alternative control frameworks (awareness level)  (6.3)
    3. Risk vocabulary and concepts (proficiency level)  (6.4)
    4. Risk management techniques (proficiency level)  (6.4)
    5. Risk/control implications of different organizational structures (proficiency level)  (8.1)
    6. Risk/control implications of different leadership styles (awareness level)  (8.2)
    7. Change management (awareness level)  (8.3)
    8. Conflict management (awareness level)  (8.4)
    9. Management control techniques (proficiency level)  (7.2)
    10. Types of control (e.g., preventive, detective, input, output) (proficiency level)  (6.2)
  6. PLAN ENGAGEMENTS (20%) (proficiency level)
    1. Initiate preliminary communication with engagement client  (9.1)
    2. Conduct a preliminary survey of the area of engagement  (9.2)
      1. Obtain input from engagement client
      2. Perform analytical reviews
      3. Perform benchmarking
      4. Conduct interviews
      5. Review prior audit reports and other relevant documentation
      6. Map processes
      7. Develop checklists
    3. Complete a detailed risk assessment of the area (prioritize or evaluate risk/control factors)  (9.3)
    4. Coordinate audit engagement efforts with  (4.5)
      1. External auditor
      2. Regulatory oversight bodies
    5. Establish/refine engagement objectives and identify/finalize the scope of engagement  (9.4)
    6. Identify or develop criteria for assurance engagements (criteria against which to audit)  (5.4)
    7. Consider the potential for fraud when planning an engagement  (SU 10)
      1. Be knowledgeable of the risk factors and red flags of fraud
      2. Identify common types of fraud associated with the engagement area
      3. Determine if risk of fraud requires special consideration when conducting an engagement
    8. Determine engagement procedures  (9.4)
    9. Determine the level of staff and resources needed for the engagement  (9.5)
    10. Establish adequate planning and supervision of the engagement  (9.5)
    11. Prepare engagement work program  (9.6)
PART 2 – CONDUCTING THE INTERNAL AUDIT ENGAGEMENT
  1. CONDUCT ENGAGEMENTS (30%) (proficiency level)
    1. Research and apply appropriate standards:  (1.1, SU 3)
      1. IIA International Professional Practices Framework (Code of Ethics, Standards, Practice Advisories)
      2. Other professional, legal, and regulatory standards
    2. Maintain an awareness of the potential for fraud when conducting an engagement (SU 5)
      1. Notice indicators or symptoms of fraud
      2. Design appropriate engagement steps to address significant risk of fraud
      3. Employ audit tests to detect fraud
      4. Determine if any suspected fraud merits investigation
    3. Collect data (1.4, 1.5)
    4. Evaluate the relevance, sufficiency, and competence of evidence (1.2, 1.3, 1.6)
    5. Analyze and interpret data (2.1, 2.2)
    6. Develop work papers (2.3, 2.4)
    7. Review work papers (2.5, 2.6, 2.7)
    8. Communicate interim progress (4.3)
    9. Draw conclusions (4.5)
    10. Develop recommendations when appropriate (4.2)
    11. Report engagement results (4.3, 4.4)
      1. Conduct exit conference
      2. Prepare report or other communication
      3. Approve engagement report
      4. Determine distribution of report
      5. Obtain management response to report
    12. Conduct client satisfaction survey (4.6)
    13. Complete performance appraisals of engagement staff (4.6)
  2. CONDUCT SPECIFIC ENGAGEMENTS (30%) (proficiency level)
    1. Conduct assurance engagements
      1. Fraud investigation  (SU 5)
        1. Determine appropriate parties to be involved with the investigation
        2. Establish facts and extent of fraud (e.g., interviews, interrogations, and data analysis)
        3. Report outcomes to appropriate parties
        4. Complete a process review to improve controls to prevent fraud and recommend changes
      2. Risk and control self-assessment  (6.2)
        1. Facilitated approach
          1. Client-facilitated
          2. Audit-facilitated
        2. Questionnaire approach
        3. Self-certification approach
      3. Audits of third parties and contract auditing  (6.3)
      4. Quality audit engagements  (6.4)
      5. Due diligence audit engagements  (6.5)
      6. Security audit engagements  (7.5)
      7. Privacy audit engagements  (7.5)
      8. Performance (key performance indicators) audit engagements  (6.6)
      9. Operational (efficiency and effectiveness) audit engagement  (6.6)
      10. Financial audit engagements  (6.7)
      11. Information technology (IT) audit engagements
        1. Operating systems  (8.2)
          1. Mainframe
          2. Workstations
          3. Server
        2. Application development
          1. Application authentication  (8.4)
          2. Systems development methodology  (8.4)
          3. Change control  (8.5)
          4. End user computing  (8.6)
        3. Data and network communications/connections (e.g., LAN, VAN, and WAN)  (8.7)
        4. Voice communications  (8.7)
        5. System security (e.g., firewalls, access control)  (8.3, 8.8)
        6. Contingency planning  (8.9)
        7. Databases  (8.2)
        8. Functional areas of IT operations (e.g., data center operations)  (8.1)
        9. Web infrastructure  (8.7)
        10. Software licensing  (8.6)
        11. Electronic funds transfer (EFT)/Electronic data interchange (EDI)  (8.10)
        12. e-Commerce  (8.11)
        13. Information protection (e.g., viruses, privacy)  (8.12)
        14. Encryption  (8.13)
        15. Enterprise-wide resource planning (ERP) software (e.g., SAP R/3)  (8.14)
      12. Compliance audit engagements  (7.1)
    2. Conduct consulting engagements (7.3, 7.4)
      1. Internal control training  (7.4)
      2. Business process review  (7.4)
      3. Benchmarking  (7.4)
      4. Information technology (IT) and systems development  (8.4)
      5. Design of performance measurement systems  (6.6)
  3. MONITOR ENGAGEMENT OUTCOMES (10%) (proficiency level) (4.6)
    1. Determine appropriate follow-up activity by the internal audit activity
    2. Identify appropriate method to monitor engagement outcomes
    3. Conduct follow-up activity
    4. Communicate monitoring plan and results
  4. FRAUD KNOWLEDGE ELEMENTS (10%)
    1. Discovery sampling (awareness level)  (9.3)
    2. Interrogation techniques (awareness level)  (5.2)
    3. Forensic auditing (awareness level)  (5.4)
    4. Use of computers in analyzing data (proficiency level)  (10.7)
    5. Red flag (proficiency level)  (5.3)
    6. Types of fraud (proficiency level)  (5.1)
  5. ENGAGEMENT TOOLS (20%)
    1. Sampling (awareness level)  (9.1-9.6)
      1. Nonstatistical (judgmental)
      2. Statistical
    2. Statistical analyses (process control techniques) (awareness level)  (9.7)
    3. Data gathering tools (proficiency level)  (10.1-10.4)
      1. Interviewing
      2. Questionnaires
      3. Checklists
    4. Analytical review techniques (proficiency level)  (1.7, 1.8)
      1. Ratio estimation
      2. Variance analysis (e.g., budget vs. actual)
      3. Other reasonableness tests
    5. Observation (proficiency level)  (10.4)
    6. Problem solving (proficiency level)  (10.5, 10.6)
    7. Risk and control self-assessment (CSA) (awareness level)  (6.2)
    8. Computerized audit tools and techniques (proficiency level)
      1. Embedded audit modules  (10.7)
      2. Data extraction techniques  (10.7)
      3. Generalized audit software (e.g., ACL, IDEA)  (10.7)
      4. Spreadsheet analysis  (10.7)
      5. Automated work papers (e.g., Lotus Notes, Auditor Assistant)  (2.4)
    9. Process mapping including flowcharting (proficiency level)  (10.8, 10.9)
PART 3 – BUSINESS ANALYSIS AND INFORMATION TECHNOLOGY
  1. BUSINESS PROCESSES (20%)
    1. Quality management (e.g., TQM) (awareness level)  (1.1-1.4)
    2. The International Organization for Standardization (ISO) framework (awareness level)  (1.5)
    3. Forecasting (awareness level)  (1.6-1.9)
    4. Project management techniques (proficiency level)  (1.10)
    5. Business process analysis (e.g., workflow analysis and bottleneck management, theory of constraints) (proficiency level)  (1.11-1.13)
    6. Inventory management techniques and concepts (proficiency level)  (2.1, 2.2)
    7. Marketing -- pricing objectives and policies (awareness level)  (2.3)
    8. Marketing -- supply chain management (awareness level)  (2.4)
    9. Human Resources (Individual performance management and measurement, supervision, environmental factors that affect performance, facilitation technique, personnel sourcing/staffing, training and development, safety) (proficiency level)  (2.5)
    10. Balanced scorecard (awareness level)  (2.6)
  2. FINANCIAL ACCOUNTING AND FINANCE (20%)
    1. Basic concepts and underlying principles of financial accounting (e.g., statements, terminology, relationships) (proficiency level)  (3.1-3.4, 3.10, 3.11)
    2. Intermediate concepts of financial accounting (e.g., bonds, leases, pensions, intangible assets, R&D) (awareness level)  (3.5-3.9, 3.12-3.15, 4.1-4.9)
    3. Advanced concepts of financial accounting (e.g., consolidation, partnerships, foreign currency transactions) (awareness level)  (4.10-4.13)
    4. Financial statement analysis (proficiency level)  (5.1-5.6)
    5. Cost of capital evaluation (awareness level)  (5.11)
    6. Types of debt and equity (awareness level)  (5.9, 5.10)
    7. Financial instruments (e.g., derivatives) (awareness level)  (5.7, 5.8)
    8. Cash management (treasury functions) (awareness level)  (5.12)
    9. Valuation models (awareness level)
      1. Inventory valuation  (3.8, 3.9)
      2. Business valuation  (5.5)
    10. Business development life cycles (awareness level) (5.13)
  3. MANAGERIAL ACCOUNTING (15%)
    1. Cost concepts (e.g., absorption, variable, fixed) (proficiency level)  (6.1-6.3)
    2. Capital budgeting (awareness level)  (6.4)
    3. Operating budget (proficiency level)  (6.5, 6.6)
    4. Transfer pricing (awareness level)  (6.7)
    5. Cost-volume-profit analysis (awareness level)  (6.8)
    6. Relevant cost (awareness level)  (6.9)
    7. Costing systems (e.g., activity-based, standard) (awareness level)  (6.10-6.12)
    8. Responsibility accounting (awareness level)  (6.13)
  4. REGULATORY, LEGAL, AND ECONOMICS (10%) (awareness level)
    1. Impact of government legislation and regulation on business  (7.1)
    2. Trade legislation and regulations  (7.2)
    3. Taxation schemes  (7.4)
    4. Contracts  (7.7)
    5. Nature and rules of legal evidence  (7.6)
    6. Key economic indicators  (7.3, 7.5)
  5. INFORMATION TECHNOLOGY - IT (35%) (awareness level)
    1. Control frameworks (e.g., COBIT)  (8.1)
    2. Data and network communications/connections (e.g., LAN, VAN, and WAN)  (8.4)
    3. Electronic funds transfer (EFT)  (8.5)
    4. e-Commerce  (8.6)
    5. Electronic data interchange (EDI)  (8.7)
    6. Functional areas of IT operations (e.g., data center operations)  (9.1)
    7. Encryption  (9.2)
    8. Information protection (e.g., viruses, privacy)  (9.3)
    9. Evaluate investment in IT (cost of ownership)  (9.4)
    10. Enterprise-wide resource planning (ERP) software (e.g., SAP R/3)  (9.5)
    11. Operating systems  (9.6)
    12. Application development  (9.7-9.9)
    13. Voice communications  (10.1)
    14. Contingency planning  (10.2)
    15. Systems security (e.g., firewalls, access control)  (10.3)
    16. Databases  (10.4)
    17. Software licensing  (10.5)
    18. Web infrastructure  (10.6)
PART 4 – BUSINESS MANAGEMENT SKILLS
  1. STRATEGIC MANAGEMENT (25%) (awareness level)
    1. Global analytical techniques
      1. Structural analysis of industries  (1.2, 2.4)
      2. Competitive strategies (e.g., Porter’s model)  (1.1, 1.3, 1.4)
      3. Competitive analysis  (2.1, 2.2)
      4. Market signals  (2.3)
      5. Industry evolution  (2.5)
    2. Industry environments  (2.4)
      1. Competitive strategies related to:
        1. Fragmented industries  (3.1)
        2. Emerging industries  (3.2)
        3. Declining industries  (3.3)
      2. Competition in global industries  (3.4)
        1. Sources/impediments
        2. Evolution of global markets
        3. Strategic alternatives
        4. Trends affecting competition
    3. Strategic decisions
      1. Analysis of integration strategies  (4.1)
      2. Capacity expansion  (4.2)
      3. Entry into new businesses  (4.3)
    4. Portfolio techniques of competitive analysis  (2.2)
    5. Product life cycles  (2.5)
  2. GLOBAL BUSINESS ENVIRONMENTS (20%) (awareness level)
    1. Cultural/legal/political environments
      1. Balancing global requirements and local imperatives  (5.1)
      2. Global mindsets (personal characteristics/competencies)  (5.3)
      3. Sources and methods for managing complexities and contradictions  (5.1-5.3)
      4. Managing multicultural teams  (5.4)
    2. Economic/financial environments
      1. Global, multinational, international, and multilocal compared and contrasted  (5.1)
      2. Requirements for entering the global market place  (5.1)
      3. Creating organizational adaptability  (5.3)
      4. Managing training and development  (5.4)
  3. ORGANIZATIONAL BEHAVIOR (20%) (awareness level)
    1. Motivation  (6.1, 6.2)
      1. Relevance and implication of various theories
      2. Impact of job design, rewards, work schedules, etc.
    2. Communication
      1. The process  (6.3, 6.4)
      2. Organizational dynamics  (6.3)
      3. Impact of computerization  (6.5)
    3. Performance  (7.1, 7.2)
      1. Productivity
      2. Effectiveness
    4. Structure  (7.4, 7.5)
      1. Centralized/decentralized  (7.6)
      2. Departmentalization  (7.3)
      3. New configurations (e.g., hourglass, cluster, network)  (7.6)
  4. MANAGEMENT SKILLS (25%) (awareness level)
    1. Group dynamics
      1. Traits (e.g. cohesiveness, roles, norms, groupthink)  (8.1)
      2. Stages of group development  (8.2)
      3. Organizational politics  (8.3)
      4. Criteria and determinants of effectiveness  (8.4)
    2. Team building  (8.4)
      1. Methods used in team building
      2. Assessing team performance
    3. Leadership skills
      1. Theories compared/contrasted  (9.1, 9.2)
      2. Leadership grid (topology of leadership styles)  (9.2)
      3. Mentoring  (9.2)
    4. Personal time management  (10.1)
  5. NEGOTIATING (10%) (awareness level)
    1. Conflict resolution  (10.2)
      1. Competitive/cooperative
      2. Compromise, forcing, smoothing, etc.
    2. Added-value negotiating  (10.3)
      1. Description
      2. Specific steps
