Contact Us : 800.874.5346 | International: +1 352.375.0772

The goal of the CIA exam is to confirm candidates have the skills required to perform at the top of their industry. Certified Internal Auditors need to know and be skilled in a lot, so the “singular” exam is actually divided into three CIA exam parts that you need to sit for and pass separately. Each part tests a different area. Here’s a summary, and we’ll look at each part in more detail a little later.

Part 1: Essentials of Internal Auditing

Tests knowledge, skills, and abilities related to the foundation of internal auditing; independence and objectivity; proficiency and due professional care; quality assurance and improvement programs; governance, risk management, and control; and fraud risk.

Part 2: Practice of Internal Auditing

Tests knowledge, skills, and abilities particularly related to managing the internal audit activity, planning the engagement, performing the engagement, and communicating engagement results and monitoring progress.

Part 3: Business Knowledge for Internal Auditing

Tests knowledge, skills, and abilities related to business acumen, information security, information technology, and financial management.

Candidates usually choose to sit for each part in order because each part builds on the one(s) before it, but you can sit for them in any order you’d like. Gleim recommends starting with Part 1 unless you have a good reason not to. Because the parts of the CIA exam build on each other, studying for one will help with the others. For example, the topics in CIA Part 1 lead into CIA Part 2, so studying CIA Part 1 will help you understand the concepts in CIA Part 2 and make studying that part slightly easier.

Once you’re comfortable with how the CIA exam is structured and know what each part tests, you can make a plan and start studying. You’ll be ready by the end of this guide.

How is the CIA exam structured?

The CIA exam is a three-part exam. Each part tests different topics using multiple-choice questions—there are no essays or free response questions.

CIA Part 1

125 multiple-choice questions
2.5 hours long

CIA Part 2

100 multiple-choice questions
2 hours long

CIA Part 3

100 multiple-choice questions
2 hours long

Candidates should budget one minute to answer each question to allow time for review after answering all the questions. Gleim recommends using a time management system to keep pace and to make sure you don’t spend too much time on any one question.

If you’re past your minute and don’t know the answer, make an educated guess and mark the question for review at the end. One question won’t keep you from passing on its own (unless it keeps you from finishing the test).

The best way to avoid being stumped is to ensure you cover all the content when you’re studying.

What is tested on the CIA exam?

The IIA conducts regular studies to find out the scope of work CIAs are expected to perform. It then develops the CIA Exam Syllabus, which details what candidates are expected to know (and how well they’re expected to know it).

Each CIA exam part consists of high-level categories called “domains.” Each domain is divided into subdomains, and each subdomain has an objective and a cognitive level at which candidates must perform in order to pass the CIA exam.

There are two cognitive proficiency levels tested on the CIA exam:

  • Basic — Tests memory and comprehension
  • Proficient — Assesses application, analysis, and evaluation abilities

For the latest changes to the exam, check out our CIA Changes resource.

What is tested on CIA exam Part 1?

CIA Part 1 tests the basics of internal auditing, including fraud, and regulatory requirements from the Standards and Code of Ethics. It is the longest of the CIA exam parts and often the first candidates take.

According to The IIA, Part 1 of the CIA exam is

well aligned with The IIA’s International Professional Practices Framework (IPPF) and includes six domains covering the foundation of internal auditing; independence and objectivity; proficiency and due professional care; quality assurance and improvement programs; governance, risk management, and control; and fraud risk. Part one tests candidates’ knowledge, skills, and abilities related to the International Standards for the Professional Practice of Internal Auditing, particularly the Attribute Standards (series 1000, 1100, 1200, and 1300) as well as Performance Standard 2100.

CIA exam Part 1 exam content breakdown

It breaks down like this:

Foundations of Internal Auditing

Candidates need to show proficiency with the foundations of the profession, including but not limited to the understanding of key aspects of internal auditing, interpreting The IIA’s Mission of Internal Audit, and demonstrating conformance to The IIA Code of Ethics.

Independence and Objectivity

This section emphasizes the need and policies for internal auditors to be objective and independent, as well as what that means for the organization and for the internal audit activity.

Proficiency and Due Professional Care

Potential CIAs must show that they have the knowledge and both technical and soft skills required to perform an internal audit as well as demonstrate due professional care.

Quality Assurance and Improvement Program

Candidates must demonstrate a basic understanding of quality assurance and the improvement program, how to report the results, and how to disclose appropriate information.

Governance, Risk Management, and Control

This domain accounts for the largest percentage of questions on the CIA Part 1 exam. It contains questions at both the basic and proficient levels that test candidates on organizational governance, acceptable risk management, corporate social responsibility, and accepted control frameworks. Because so many questions come from this domain, candidates should make sure they master these topics and concepts.

Fraud Risks

This section requires candidates to be able to interpret risks of fraud, evaluate the potential, and make recommendations to mitigate the risks of fraud.

If you want to see some sample questions, check out our Free CIA Exam Questions.

Click on any topic below to see the subdomains and their proficiency level.

1. Foundations of Internal Auditing (15%)

A. Interpret organizational independence of the internal audit activity (importance of independence, functional reporting, etc.) (Basic)
B. Identify whether the internal audit activity has any impairments to its independence (Basic)
C. Assess and maintain an individual internal auditor’s objectivity, including determining whether an individual internal auditor has any impairments to his/her objectivity (Proficient)
D. Analyze policies that promote objectivity (Proficient)

2. Independence and Objectivity (15%)

A. Interpret organizational independence of the internal audit activity (importance of independence, functional reporting, etc.) (Basic)
B. Identify whether the internal audit activity has any impairments to its independence (Basic)
C. Assess and maintain an individual internal auditor’s objectivity, including determining whether an individual internal auditor has any impairments to his/her objectivity (Proficient)
D. Analyze policies that promote objectivity (Proficient)

3. Proficiency and Due Professional Care (18%)

A. Recognize the knowledge, skills, and competencies required (whether developed or procured) to fulfill the responsibilities of the internal audit activity (Basic)
B. Demonstrate the knowledge and competencies that an internal auditor needs to possess to perform his/her individual responsibilities, including technical skills and soft skills (communication skills, critical thinking, persuasion/negotiation and collaboration skills, etc.) (Proficient)
C. Demonstrate due professional care (Proficient)
D. Demonstrate an individual internal auditor’s competency through continuing professional development (Proficient)

4. Quality Assurance and Improvement Program (7%)

A. Describe the required elements of the quality assurance and improvement program (internal assessments, external assessments, etc.) (Basic)
B. Describe the requirement of reporting the results of the quality assurance and improvement program to the board or other governing body (Basic)
C. Identify appropriate disclosure of conformance vs. nonconformance with The IIA’s International Standards for the Professional Practice of Internal Auditing (Basic)

5. Governance, Risk Management, and Control (35%)

A. Describe the concept of organizational governance (Basic)
B. Recognize the impact of organizational culture on the overall control environment and individual engagement risks and controls (Basic)
C. Recognize and interpret the organization’s ethics and compliance-related issues, alleged violations, and dispositions (Basic)
D. Describe corporate social responsibility (Basic)
E. Interpret fundamental concepts of risk and the risk management process (Proficient)
F. Describe globally accepted risk management frameworks appropriate to the organization (COSO – ERM, ISO 31000, etc.) (Basic)
G. Examine the effectiveness of risk management within processes and functions (Proficient)
H. Recognize the appropriateness of the internal audit activity’s role in the organization’s risk management process (Basic)
I. Interpret internal control concepts and types of controls (Proficient)
J. Apply globally accepted internal control frameworks appropriate to the organization (COSO, etc.) (Proficient)
K. Examine the effectiveness and efficiency of internal controls (Proficient)

6. Fraud Risks (10%)

A. Interpret fraud risks and types of frauds and determine whether fraud risks require special consideration when conducting an engagement (Proficient)
B. Evaluate the potential for occurrence of fraud (red flags, etc.) and how the organization detects and manages fraud risks (Proficient)
C. Recommend controls to prevent and detect fraud and education to improve the organization’s fraud awareness (Proficient)
D. Recognize techniques and internal audit roles related to forensic auditing (interview, investigation, testing, etc.) (Basic)

What is tested on CIA exam Part 2?

CIA Part 2 covers management of the internal audit function and individual engagements, as well as fraud risks and controls. You will need to apply analysis to the internal audit basics covered in Part 1 and understand additional topics.

The IIA focused CIA Part 2 on

managing the internal audit activity, planning the engagement, performing the engagement, and communicating engagement results and monitoring progress. Part 2 tests candidates’ knowledge, skills, and abilities particularly related to Performance Standards (series 2000, 2200, 2300, 2400, 2500, and 2600) and current internal audit practices.

CIA exam Part 2 content breakdown

Managing the Internal Audit Activity

This section of CIA Part 2 is dedicated to candidates demonstrating their basic knowledge of the planning and organizing of internal audit operations, including establishing a plan and reporting the plan to the chief audit executive and the board.

Planning the Engagement

To expand on the first section, this domain focuses on internal auditors being proficient in planning individual internal audit engagements: determining the scope of the engagement and the procedures, staff, and resources needed.

Performing the Engagement

Candidates will then need to demonstrate that they know the proper policies and procedures to perform, analyze, evaluate, and supervise engagements. With its emphasis on conducting the engagement, this section contains most of the content tested on the CIA Part 2 exam.

Communicating Engagement Results and Monitoring Progress

Potential CIAs must show that they are competent to report on the results, make recommendations, and manage monitoring and follow-ups.

If you want to see some sample questions, check out our Free CIA Exam Questions.

Click below to see the subdomains and their associated proficiency level.

1. Managing the Internal Audit Activity (20%)

1. Internal Audit Operations
A. Describe policies and procedures for the planning, organizing, directing, and monitoring of internal audit operations (Basic)
B. Interpret administrative activities (budgeting, resourcing, recruiting, staffing, etc.) of the internal audit activity (Basic)
2. Establishing a Risk-based Internal Audit Plan
A. Identify sources of potential engagements (audit universe, audit cycle requirements, management requests, regulatory mandates, relevant market and industry trends, emerging issues, etc.) (Basic)
B. Identify a risk management framework to assess risks and prioritize audit engagements based on the results of a risk assessment (Basic)
C. Interpret the types of assurance engagements (risk and control assessments, audits of third parties and contract compliance, security and privacy, performance and quality audits, key performance indicators, operational audits, financial and regulatory compliance audits) (Proficient)
D. Interpret the types of consulting engagements (training, system design, system development, due diligence, privacy, benchmarking, internal control assessment, process mapping, etc.) designed to provide advice and insight (Proficient)
E. Describe coordination of internal audit efforts with the external auditor, regulatory oversight bodies, and other internal assurance functions, and potential reliance on other assurance providers (Basic)
3. Communicating and Reporting to Senior Management and the Board
A. Recognize that the chief audit executive communicates the annual audit plan to senior management and the board and seeks the board’s approval (Basic)
B. Identify significant risk exposures and control and governance issues for the chief audit executive to report to the board (Basic)
C. Recognize that the chief audit executive reports on the overall effectiveness of the organization’s internal control and risk management processes to senior management and the board (Basic)
D. Recognize internal audit key performance indicators that the chief audit executive communicates to senior management and the board periodically (Basic)

2. Planning the Engagement (20%)

A. Determine engagement objectives, evaluation criteria, and the scope of the engagement (Proficient)
B. Plan the engagement to assure identification of key risks and controls (Proficient)
C. Complete a detailed risk assessment of each audit area, including evaluating and prioritizing risk and control factors (Proficient)
D. Determine engagement procedures and prepare the engagement work program (Proficient)
E. Determine the level of staff and resources needed for the engagement (Proficient)

3. Performing the Engagement (40%)

1. Information Gathering
A. Gather and examine relevant information (review previous audit reports and data, conduct walk-throughs and interviews, perform observations, etc.) as part of a preliminary survey of the engagement area (Proficient)
B. Develop checklists and risk-and-control questionnaires as part of a preliminary survey of the engagement area (Proficient)
C. Apply appropriate sampling (nonstatistical, judgmental, discovery, etc.) and statistical analysis techniques (Proficient)
2. Analysis and Evaluation
A. Use computerized audit tools and techniques (data mining and extraction, continuous monitoring, automated workpapers, embedded audit modules, etc.) (Proficient)
B. Evaluate the relevance, sufficiency, and reliability of potential sources of evidence (Proficient)
C. Apply appropriate analytical approaches and process mapping techniques (process identification, workflow analysis, process map generation and analysis, spaghetti maps, RACI diagrams, etc.) (Proficient)
D. Determine and apply analytical review techniques (ratio estimation, variance analysis, budget vs. actual, trend analysis, other reasonableness tests, benchmarking, etc.) (Basic)
E. Prepare workpapers and documentation of relevant information to support conclusions and engagement results (Proficient)
F. Summarize and develop engagement conclusions, including assessment of risks and controls (Proficient)
3. Engagement Supervision
A. Identify key activities in supervising engagements (coordinate work assignments, review workpapers, evaluate auditors’ performance, etc.) (Basic)

4. Communicating Engagement Results and Monitoring Progress (20%)

1. Communicating Engagement Results and the Acceptance of Risk
A. Arrange preliminary communication with engagement clients (Proficient)
B. Demonstrate communication quality (accurate, objective, clear, concise, constructive, complete, and timely) and elements (objectives, scope, conclusions, recommendations, and action plan) (Proficient)
C. Prepare interim reporting on the engagement progress (Proficient)
D. Formulate recommendations to enhance and protect organizational value (Proficient)
E. Describe the audit engagement communication and reporting process, including holding the exit conference, developing the audit report (draft, review, approve, and distribute), and obtaining management’s response (Basic)
F. Describe the chief audit executive’s responsibility for assessing residual risk (Basic)
G. Describe the process for communicating risk acceptance (when management has accepted a level of risk that may be unacceptable to the organization) (Basic)
2. Monitoring Progress
A. Assess engagement outcomes, including the management action plan (Proficient)
B. Manage monitoring and follow-up of the disposition of audit engagement results communicated to management and the board (Proficient)

What is tested on CIA exam Part 3?

CIA Part 3 tests candidates on topics that most internal auditors need to be aware of in practice. While this part includes the most testable topics, the majority are tested at the “Basic” level rather than “Proficient,” so don’t get discouraged if you don’t know much about these topics up front and study only what you need to pass.

The IIA describes CIA Part 3 as

focused on business acumen, information security, information technology, and financial management. Part 3 is designed to test candidates’ knowledge, skills, and abilities particularly as they relate to these core business concepts.


Many CIA candidates consider CIA Part 3 the hardest of the CIA exam parts to pass because they aren’t as familiar with these topics as they are with those in CIA Parts 1 and 2. To add to the difficulty, this part also has the widest range of topics. However, prepared candidates are still able to pass this part on their first try.

CIA exam Part 3 content

Business Acumen

This is the largest section of CIA Part 3. Candidates are expected to know typical organizational structures and processes, organizational behavior, and performance measures. They must also demonstrate knowledge of data analytics and how it affects business.

Information Security

Candidates are expected to have a basic knowledge of current and emerging information security controls, risks, and policies. The IIA also tests candidates on their ability to recognize data privacy laws and how they impact these practices.

Information Technology

Candidates should understand hardware and software components, data, IT infrastructure and control frameworks, and basic disaster recovery. Most of this section involves identifying key terms and being able to define them.

Financial Management

Potential CIAs must demonstrate a basic knowledge of financial statements and managerial accounting, especially as these topics relate to internal auditing.

If you want to see some sample questions, check out our Free CIA Exam Questions.

Click below to see the subdomains and their associated proficiency level.

1. Business Acumen (35%)

1. Organizational Objectives, Behavior, and Performance
A. Describe the strategic planning process and key activities (objective setting, globalization and competitive considerations, alignment to the organization’s mission and values, etc.) (Basic)
B. Examine common performance measures (financial, operational, qualitative vs. quantitative, productivity, quality, efficiency, effectiveness, etc.) (Proficient)
C. Explain organizational behavior (individuals in organizations, groups, and how organizations behave, etc.) and different performance management techniques (traits, organizational politics, motivation, job design, rewards, work schedules, etc.) (Basic)
D. Describe management’s effectiveness to lead, mentor, guide people, build organizational commitment, and demonstrate entrepreneurial ability (Basic)
2. Organizational Structure and Business Processes
A. Appraise the risk and control implications of different organizational configuration structures (centralized vs. decentralized, flat structure vs. traditional, etc.) (Basic)
B. Examine the risk and control implications of common business processes (human resources, procurement, product development, sales, marketing, logistics, management of outsourced processes, etc.) (Proficient)
C. Identify project management techniques (project plan and scope, time/team/resources/cost management, change management, etc.) (Basic)
D. Recognize the various forms and elements of contracts (formality, consideration, unilateral, bilateral, etc.) (Basic)
3. Data Analytics
A. Describe data analytics, data types, data governance, and the value of using data analytics in internal auditing (Basic)
B. Explain the data analytics process (define questions, obtain relevant data, clean/normalize data, analyze data, communicate results) (Basic)
C. Recognize the application of data analytics methods in internal auditing (anomaly detection, diagnostic analysis, predictive analysis, network analysis, text analysis, etc.) (Basic)

2. Information Security (25%)

A. Differentiate types of common physical security controls (cards, keys, biometrics, etc.) (Basic)
B. Differentiate the various forms of user authentication and authorization controls (password, two-level authentication, biometrics, digital signatures, etc.) and identify potential risks (Basic)
C. Explain the purpose and use of various information security controls (encryption, firewalls, antivirus, etc.) (Basic)
D. Recognize data privacy laws and their potential impact on data security policies and practices (Basic)
E. Recognize emerging technology practices and their impact on security (bring your own device [BYOD], smart devices, internet of things [IoT], etc.) (Basic)
F. Recognize existing and emerging cybersecurity risks (hacking, piracy, tampering, ransomware attacks, phishing attacks, etc.) (Basic)
G. Describe cybersecurity and information security-related policies (Basic)

3. Information Technology (20%)

1. Application and System Software
A. Recognize core activities in the systems development lifecycle and delivery (requirements definition, design, developing, testing, debugging, deployment, maintenance, etc.) and the importance of change controls throughout the process (Basic)
B. Explain basic database terms (data, database, record, object, field, schema, etc.) and internet terms (HTML, HTTP, URL, domain name, browser, click-through, electronic data interchange [EDI], cookies, etc.) (Basic)
C. Identify key characteristics of software systems (customer relationship management [CRM] systems; enterprise resource planning [ERP] systems; and governance, risk, and compliance [GRC] systems; etc.) (Basic)
2. IT Infrastructure and IT Control Frameworks
A. Explain basic IT infrastructure and network concepts (server, mainframe, client-server configuration, gateways, routers, LAN, WAN, VPN, etc.) and identify potential risks (Basic)
B. Define the operational roles of a network administrator, database administrator, and help desk (Basic)
C. Recognize the purpose and applications of IT control frameworks (COBIT, ISO 27000, ITIL, etc.) and basic IT controls (Basic)
3. Disaster Recovery
A. Explain disaster recovery planning site concepts (hot, warm, cold, etc.) (Basic)
B. Explain the purpose of systems and data backup (Basic)
C. Explain the purpose of systems and data recovery procedures (Basic)

4. Financial Management (20%)

1. Financial Accounting and Finance
A. Identify concepts and underlying principles of financial accounting (types of financial statements and terminologies such as bonds, leases, pensions, intangible assets, research and development, etc.) (Basic)
B. Recognize advanced and emerging financial accounting concepts (consolidation, investments, fair value, partnerships, foreign currency transactions, etc.) (Basic)
C. Interpret financial analysis (horizontal and vertical analysis and ratios related to activity, profitability, liquidity, leverage, etc.) (Proficient)
D. Describe revenue cycle, current asset management activities and accounting, and supply chain management (including inventory valuation and accounts payable) (Basic)
E. Describe capital budgeting, capital structure, basic taxation, and transfer pricing (Basic)
2. Managerial Accounting
A. Explain general concepts of managerial accounting (cost-volume-profit analysis, budgeting, expense allocation, cost-benefit analysis, etc.) (Basic)
B. Differentiate costing systems (absorption, variable, fixed, activity-based, standard, etc.) (Basic)
C. Distinguish various costs (relevant and irrelevant costs, incremental costs, etc.) and their use in decision making (Basic)

Which CIA exam part should I take first?

CIA exam candidates can sit for the exam in any order they choose. However, based on the exam content and our 40 years of experience, Gleim recommends most candidates take the exams in sequential order. Topics in each part build off of one another, meaning mastering one part will help you prepare for the others.

An exception exists for recently graduated internal auditors. Because CIA Part 3 tests candidates on topics that they need to be aware of rather than what they’ll be using every day, many students find CIA Part 3 easier to take when their coursework is still fresh in their mind.

If you choose to take the exams out of order, pay close attention to what is tested on each topic to make sure you are well prepared!

How are topics tested on the CIA exam?

The CIA exam is non-disclosed, meaning the questions on it aren’t available to anyone, and there is a large body of questions that each exam pulls from, so virtually no two exams will be the same.

Additionally, the exact number of questions from each topic is slightly randomized, so it is important to prepare for all of the topics to the best of your ability.

CIA exam candidates are instructed to select the best answer out of the given options. Candidates have reported that the CIA exam can be tricky and give two very close answer choices. Always select the best or most correct answer if you are torn between two options.

The Gleim Solution
Be on the lookout for absolutes during your exam. Questions or answers with words like always or never can often be solved by asking yourself “are there any exceptions?” If so, you’ll know if an answer is more or less likely to be correct.

Question types

There are five types of multiple-choice questions found on the CIA exam. You are likely to encounter all five, but due to the non-disclosed nature of the CIA exam, your experience may be a little different. Don’t worry. As long as you’re prepared, you can easily answer anything the CIA exam throws at you.

Direct Questions

Everyone is likely familiar with this type of question, and it’s the most common type on the CIA exam. Most will either ask you a question or have you complete a sentence, but all are straightforward and present four single-statement answer choices.

Negative questions

Sometimes multiple-choice questions will include negative phrasing, with words like except, not, unless, least, etc. Presumably, The IIA will print negative words in bold, as we did, but you should always read the question stem carefully and completely just in case. These questions can be tricky because they ask you to select the false answer choice among three correct answers.

Questions with graphical illustrations

CIA exam questions will occasionally require you to interpret a graph or other image before selecting the appropriate answer choice. Any of the question types we discussed could include a graphical illustration.

Questions with two or three answer options

Other times, the exam will pose a question and provide a number of statements separate from the answer choices. The four answer choices will ask you specifically if one or more of the statements satisfy the question.

This type of question can be one of the most difficult to answer, so we’ve made a special Gleim Instruct video reviewing the best approaches to multiple-choice questions.

The best strategy is to determine which sentences you are sure are right or wrong and use them to eliminate answer choices. Read the entire question stem carefully. Even if you’re not certain about the right answer, you have high odds of making a correct educated guess.

[Image: Example question with multiple answer options found on the CIA exam parts]
[Image: Example question with multiple variables found on the CIA exam parts]

Questions with several variables

Some multiple-choice questions present several variables within each answer choice. The answer choices appear in columns, and you must select the correct “row” containing the right mix of variables.

This question type is also considered to be quite difficult by CIA candidates, but our Gleim Instruct video also goes over how to answer these questions.

How soon are new pronouncements tested?

The IIA typically tests updated standards approximately 6 months after the standards take effect. All three CIA exam parts begin testing new pronouncements at the same time. There are exceptions, typically in the case of large updates, which will be announced by The IIA in advance so candidates and review providers can be well prepared.

What is the CIA exam pass rate?

The CIA exam has a very low pass rate; last year it was 42%. This number reflects all candidates across all parts. Typically, fewer than half of CIA candidates pass the exam, which means only the properly prepared succeed.

How do I pass the CIA exam?

The best way to ensure that you are successful on each of the three CIA exam parts is to study with a complete review system and master all of the testable topics.