Contact Us : 800.874.5346 | International: +1 352.375.0772

The goal of the CIA exam is to confirm candidates have the skills required to perform at the top of their industry. Certified Internal Auditors need to know and be skilled in a lot, so the “singular” exam is actually divided into three CIA exam parts that you need to sit for and pass separately. Each part tests a different area. Here’s a summary, and we’ll look at each part in more detail a little later.

Part 1: Essentials of Internal Auditing

Tests knowledge, skills, and abilities related to the foundation of internal auditing; independence and objectivity; proficiency and due professional care; quality assurance and improvement programs; governance, risk management, and control; and fraud risk.

Part 2: Practice of Internal Auditing

Tests knowledge, skills, and abilities particularly related to managing the internal audit activity, planning the engagement, performing the engagement, and communicating engagement results and monitoring progress.

Part 3: Business Knowledge for Internal Auditing

Tests knowledge, skills, and abilities related to business acumen, information security, information technology, and financial management.

Candidates usually choose to sit for each part in order because each part builds on the one(s) before it, but you can sit for them in any order you’d like. Gleim recommends starting with Part 1 unless you have a good reason not to. For example, the topics in CIA Part 1 lead into CIA Part 2, so studying CIA Part 1 will help you understand the concepts in CIA Part 2, making studying that section slightly easier.

Once you’re comfortable with how the CIA exam is structured and know what each part tests, you can make a plan and start studying. You’ll be ready by the end of this guide.

How is the CIA exam structured?

The CIA exam is a three-part exam. Each part tests different topics using multiple-choice questions—there are no essays or free response questions.

CIA Part 1

125 multiple-choice questions
2.5 hours long

CIA Part 2

100 multiple-choice questions
2 hours long

CIA Part 3

100 multiple-choice questions
2 hours long

Candidates should budget one minute to answer each question to allow time for review after answering all the questions. Gleim recommends using a time management system to keep pace and to make sure you don’t spend too much time on any one question.

If you’re past your minute and don’t know the answer, make an educated guess and mark the question for review at the end. One question won’t keep you from passing on its own (unless it keeps you from finishing the test).

The best way to avoid being stumped is to ensure you cover all the content when you’re studying.

What is tested on the CIA exam?

The IIA conducts regular studies to find out the scope of work CIAs are expected to perform. It then develops the CIA Exam Syllabus, which details what candidates are expected to know (and how well they’re expected to know it).

Each CIA exam part consists of high-level categories called “domains.” These domains are divided into subdomains that contain an objective and cognitive level that candidates must perform at in order to pass the CIA exam.

There are two cognitive proficiency levels tested on the CIA exam:

  • Basic — Tests memory and comprehension
  • Proficient — Assesses application, analysis, and evaluation abilities

For the latest changes to the exam, check out our CIA Changes resource.

What is tested on CIA exam Part 1?

CIA Part 1 tests the basics of internal auditing, including fraud, and regulatory requirements from the Standards and Code of Ethics. It is the longest of the CIA exam parts and often the first candidates take.

According to The IIA, Part 1 of the CIA exam is

well aligned with The IIA’s International Professional Practices Framework (IPPF) and includes six domains covering the foundation of internal auditing; independence and objectivity; proficiency and due professional care; quality assurance and improvement programs; governance, risk management, and control; and fraud risk. Part one tests candidates’ knowledge, skills, and abilities related to the International Standards for the Professional Practice of Internal Auditing, particularly the Attribute Standards (series 1000, 1100, 1200, and 1300) as well as Performance Standard 2100.

CIA exam Part 1 exam content breakdown

It breaks down like this:

1. Foundations of Internal Auditing

Candidates need to show proficiency with the foundations of the profession, including but not limited to the understanding of key aspects of internal auditing, interpreting The IIA’s Mission of Internal Audit, and demonstrating conformance to The IIA Code of Ethics.

2. Independence and Objectivity

This section emphasizes the need and policies for internal auditors to be objective and independent, as well as what that means for the organization and for the internal audit activity.

3. Proficiency and Due Professional Care

Potential CIAs must show that they have the knowledge and both technical and soft skills required to perform an internal audit as well as demonstrate due professional care.

4. Quality Assurance and Improvement Program

Candidates must demonstrate a basic understanding of quality assurance and the improvement program, how to report the results, and how to disclose appropriate information.

5. Governance, Risk Management, and Control

This domain accounts for the largest percentage of questions on the CIA Part 1 exam. It contains questions at the Basic and Proficient levels that test candidates on the global concerns of organizational governance, acceptable risk management, corporate social responsibility, and acceptable control frameworks. Due to the number of questions from this section, candidates should make sure they master these topics and concepts.

6. Fraud Risks

This section requires candidates to be able to interpret risks of fraud, evaluate the potential, and make recommendations to mitigate the risks of fraud.

If you want to see some sample questions, check out our Free CIA Exam Questions.

The subdomains of each topic and their proficiency levels are listed below.

1. Foundations of Internal Auditing (15%)

A Interpret organizational independence of the internal audit activity (importance of independence, functional reporting, etc.) Basic
B Identify whether the internal audit activity has any impairments to its independence Basic
C Assess and maintain an individual internal auditor’s objectivity, including determining whether an individual internal auditor has any impairments to his/her objectivity Proficient
D Analyze policies that promote objectivity Proficient

2. Independence and Objectivity (15%)

A Interpret organizational independence of the internal audit activity (importance of independence, functional reporting, etc.) Basic
B Identify whether the internal audit activity has any impairments to its independence Basic
C Assess and maintain an individual internal auditor’s objectivity, including determining whether an individual internal auditor has any impairments to his/her objectivity Proficient
D Analyze policies that promote objectivity Proficient

3. Proficiency and Due Professional Care (18%)

A Recognize the knowledge, skills, and competencies required (whether developed or procured) to fulfill the responsibilities of the internal audit activity Basic
B Demonstrate the knowledge and competencies that an internal auditor needs to possess to perform his/her individual responsibilities, including technical skills and soft skills (communication skills, critical thinking, persuasion/negotiation and collaboration skills, etc.) Proficient
C Demonstrate due professional care Proficient
D Demonstrate an individual internal auditor’s competency through continuing professional development Proficient

4. Quality Assurance and Improvement Program (7%)

A Describe the required elements of the quality assurance and improvement program (internal assessments, external assessments, etc.) Basic
B Describe the requirement of reporting the results of the quality assurance and improvement program to the board or other governing body Basic
C Identify appropriate disclosure of conformance vs. nonconformance with The IIA’s International Standards for the Professional Practice of Internal Auditing Basic

5. Governance, Risk Management, and Control (35%)

A Describe the concept of organizational governance Basic
B Recognize the impact of organizational culture on the overall control environment and individual engagement risks and controls Basic
C Recognize and interpret the organization’s ethics and compliance-related issues, alleged violations, and dispositions Basic
D Describe corporate social responsibility Basic
E Interpret fundamental concepts of risk and the risk management process Proficient
F Describe globally accepted risk management frameworks appropriate to the organization (COSO – ERM, ISO 31000, etc.) Basic
G Examine the effectiveness of risk management within processes and functions Proficient
H Recognize the appropriateness of the internal audit activity’s role in the organization’s risk management process Basic
I Interpret internal control concepts and types of controls Proficient
J Apply globally accepted internal control frameworks appropriate to the organization (COSO, etc.) Proficient
K Examine the effectiveness and efficiency of internal controls Proficient

6. Fraud Risks (10%)

A Interpret fraud risks and types of frauds and determine whether fraud risks require special consideration when conducting an engagement Proficient
B Evaluate the potential for occurrence of fraud (red flags, etc.) and how the organization detects and manages fraud risks Proficient
C Recommend controls to prevent and detect fraud and education to improve the organization’s fraud awareness Proficient
D Recognize techniques and internal audit roles related to forensic auditing (interview, investigation, testing, etc.) Basic

What is tested on CIA exam Part 2?

CIA Part 2 covers management of the internal audit function and individual engagements, as well as fraud risks and controls. You will need to apply analysis to the internal audit basics covered in Part 1 and understand additional topics.

The IIA focused CIA Part 2 on

managing the internal audit activity, planning the engagement, performing the engagement, and communicating engagement results and monitoring progress. Part 2 tests candidates’ knowledge, skills, and abilities particularly related to Performance Standards (series 2000, 2200, 2300, 2400, 2500, and 2600) and current internal audit practices.

CIA exam Part 2 content breakdown

1. Managing the Internal Audit Activity

This section of CIA Part 2 is dedicated to candidates demonstrating their basic knowledge of the planning and organizing of internal audit operations, including establishing a plan and reporting the plan to the chief audit executive and the board.

2. Planning the Engagement

To expand on the first section, this domain is focused on internal auditors being proficient in specifically planning engagements of internal audits by determining the scope of the engagement, procedures, staff, and resources needed.

3. Performing the Engagement

Candidates will then need to demonstrate they know the proper policies and procedures to perform, analyze, evaluate, and supervise engagement plans. With an emphasis on conducting the engagement, this section contains most of the content tested on the CIA Part 2 exam.

4. Communicating Engagement Results and Monitoring Progress

Potential CIAs must show that they are competent to report on the results, make recommendations, and manage monitoring and follow-ups.

If you want to see some sample questions, check out our Free CIA Exam Questions.

The subdomains and their associated proficiency levels are listed below.

1. Managing the Internal Audit Activity (20%)

1. Internal Audit Operations
A Describe policies and procedures for the planning, organizing, directing, and monitoring of internal audit operations Basic
B Interpret administrative activities (budgeting, resourcing, recruiting, staffing, etc.) of the internal audit activity Basic
2. Establishing a Risk-based Internal Audit Plan
A Identify sources of potential engagements (audit universe, audit cycle requirements, management requests, regulatory mandates, relevant market and industry trends, emerging issues, etc.) Basic
B Identify a risk management framework to assess risks and prioritize audit engagements based on the results of a risk assessment Basic
C Interpret the types of assurance engagements (risk and control assessments, audits of third parties and contract compliance, security and privacy, performance and quality audits, key performance indicators, operational audits, financial and regulatory compliance audits) Proficient
D Interpret the types of consulting engagements (training, system design, system development, due diligence, privacy, benchmarking, internal control assessment, process mapping, etc.) designed to provide advice and insight Proficient
E Describe coordination of internal audit efforts with the external auditor, regulatory oversight bodies, and other internal assurance functions, and potential reliance on other assurance providers Basic
3. Communicating and Reporting to Senior Management and the Board
A Recognize that the chief audit executive communicates the annual audit plan to senior management and the board and seeks the board’s approval Basic
B Identify significant risk exposures and control and governance issues for the chief audit executive to report to the board Basic
C Recognize that the chief audit executive reports on the overall effectiveness of the organization’s internal control and risk management processes to senior management and the board Basic
D Recognize internal audit key performance indicators that the chief audit executive communicates to senior management and the board periodically Basic

2. Planning the Engagement (20%)

A Determine engagement objectives, evaluation criteria, and the scope of the engagement Proficient
B Plan the engagement to assure identification of key risks and controls Proficient
C Complete a detailed risk assessment of each audit area, including evaluating and prioritizing risk and control factors Proficient
D Determine engagement procedures and prepare the engagement work program Proficient
E Determine the level of staff and resources needed for the engagement Proficient

3. Performing the Engagement (40%)

1. Information Gathering
A Gather and examine relevant information (review previous audit reports and data, conduct walk-throughs and interviews, perform observations, etc.) as part of a preliminary survey of the engagement area Proficient
B Develop checklists and risk-and-control questionnaires as part of a preliminary survey of the engagement area Proficient
C Apply appropriate sampling (nonstatistical, judgmental, discovery, etc.) and statistical analysis techniques Proficient
2. Analysis and Evaluation
A Use computerized audit tools and techniques (data mining and extraction, continuous monitoring, automated workpapers, embedded audit modules, etc.) Proficient
B Evaluate the relevance, sufficiency, and reliability of potential sources of evidence Proficient
C Apply appropriate analytical approaches and process mapping techniques (process identification, workflow analysis, process map generation and analysis, spaghetti maps, RACI diagrams, etc.) Proficient
D Determine and apply analytical review techniques (ratio estimation, variance analysis, budget vs. actual, trend analysis, other reasonableness tests, benchmarking, etc.) Basic
E Prepare workpapers and documentation of relevant information to support conclusions and engagement results Proficient
F Summarize and develop engagement conclusions, including assessment of risks and controls Proficient
3. Engagement Supervision
A Identify key activities in supervising engagements (coordinate work assignments, review workpapers, evaluate auditors’ performance, etc.) Basic

4. Communicating Engagement Results and Monitoring Progress (20%)

1. Communicating Engagement Results and the Acceptance of Risk
A Arrange preliminary communication with engagement clients Proficient
B Demonstrate communication quality (accurate, objective, clear, concise, constructive, complete, and timely) and elements (objectives, scope, conclusions, recommendations, and action plan) Proficient
C Prepare interim reporting on the engagement progress Proficient
D Formulate recommendations to enhance and protect organizational value Proficient
E Describe the audit engagement communication and reporting process, including holding the exit conference, developing the audit report (draft, review, approve, and distribute), and obtaining management’s response Basic
F Describe the chief audit executive’s responsibility for assessing residual risk Basic
G Describe the process for communicating risk acceptance (when management has accepted a level of risk that may be unacceptable to the organization) Basic
2. Monitoring Progress
A Assess engagement outcomes, including the management action plan Proficient
B Manage monitoring and follow-up of the disposition of audit engagement results communicated to management and the board Proficient

What is tested on CIA exam Part 3?

CIA Part 3 tests candidates on topics that most internal auditors need to be aware of in practice. While this part includes the most testable topics, the majority are tested at the “Basic” level rather than “Proficient,” so don’t get discouraged if you don’t know much about these topics up front; study only what you need to pass.

The IIA describes CIA Part 3 as

focused on business acumen, information security, information technology, and financial management. Part 3 is designed to test candidates’ knowledge, skills, and abilities particularly as they relate to these core business concepts.

CIA Part 3 is considered the hardest of the CIA exam parts to pass by many CIA candidates because they aren’t as familiar with these topics as they are for CIA Parts 1 and 2. To add to the difficulty, this section also has the widest range of topics. However, prepared candidates are still able to pass this part on their first try.

CIA exam Part 3 content

1. Business Acumen

In this domain, the largest section of CIA Part 3, candidates are expected to know typical organizational structures and processes, behavior, and performance. They must also demonstrate a knowledge of data analytics and how they impact business.

2. Information Security

Candidates are expected to have a basic knowledge of current and emerging information security controls, risks, and policies. The IIA also tests candidates on their ability to recognize data privacy laws and how they impact these practices.

3. Information Technology

Understand the hardware and software components of data, IT infrastructure and control frameworks, and basic disaster recovery. Most of this section is identifying key terms and being able to define them.

4. Financial Management

Potential CIAs must demonstrate a basic knowledge of financial statements and managerial accounting, especially as these topics relate to internal auditing.

If you want to see some sample questions, check out our Free CIA Exam Questions.

The subdomains and their associated proficiency levels are listed below.

1. Business Acumen (35%)

1. Organizational Objectives, Behavior, and Performance
A Describe the strategic planning process and key activities (objective setting, globalization and competitive considerations, alignment to the organization’s mission and values, etc.) Basic
B Examine common performance measures (financial, operational, qualitative vs. quantitative, productivity, quality, efficiency, effectiveness, etc.) Proficient
C Explain organizational behavior (individuals in organizations, groups, and how organizations behave, etc.) and different performance management techniques (traits, organizational politics, motivation, job design, rewards, work schedules, etc.) Basic
D Describe management’s effectiveness to lead, mentor, guide people, build organizational commitment, and demonstrate entrepreneurial ability Basic
2. Organizational Structure and Business Processes
A Appraise the risk and control implications of different organizational configuration structures (centralized vs. decentralized, flat structure vs. traditional, etc.) Basic
B Examine the risk and control implications of common business processes (human resources, procurement, product development, sales, marketing, logistics, management of outsourced processes, etc.) Proficient
C Identify project management techniques (project plan and scope, time/team/resources/cost management, change management, etc.) Basic
D Recognize the various forms and elements of contracts (formality, consideration, unilateral, bilateral, etc.) Basic
3. Data Analytics
A Describe data analytics, data types, data governance, and the value of using data analytics in internal auditing Basic
B Explain the data analytics process (define questions, obtain relevant data, clean/normalize data, analyze data, communicate results) Basic
C Recognize the application of data analytics methods in internal auditing (anomaly detection, diagnostic analysis, predictive analysis, network analysis, text analysis, etc.) Basic

2. Information Security (25%)

A Differentiate types of common physical security controls (cards, keys, biometrics, etc.) Basic
B Differentiate the various forms of user authentication and authorization controls (password, two-level authentication, biometrics, digital signatures, etc.) and identify potential risks Basic
C Explain the purpose and use of various information security controls (encryption, firewalls, antivirus, etc.) Basic
D Recognize data privacy laws and their potential impact on data security policies and practices Basic
E Recognize emerging technology practices and their impact on security (bring your own device [BYOD], smart devices, internet of things [IoT], etc.) Basic
F Recognize existing and emerging cybersecurity risks (hacking, piracy, tampering, ransomware attacks, phishing attacks, etc.) Basic
G Describe cybersecurity and information security-related policies Basic

3. Information Technology (20%)

1. Application and System Software
A Recognize core activities in the systems development lifecycle and delivery (requirements definition, design, developing, testing, debugging, deployment, maintenance, etc.) and the importance of change controls throughout the process Basic
B Explain basic database terms (data, database, record, object, field, schema, etc.) and internet terms (HTML, HTTP, URL, domain name, browser, click-through, electronic data interchange [EDI], cookies, etc.) Basic
C Identify key characteristics of software systems (customer relationship management [CRM] systems; enterprise resource planning [ERP] systems; and governance, risk, and compliance [GRC] systems; etc.) Basic
2. IT Infrastructure and IT Control Frameworks
A Explain basic IT infrastructure and network concepts (server, mainframe, client-server configuration, gateways, routers, LAN, WAN, VPN, etc.) and identify potential risks Basic
B Define the operational roles of a network administrator, database administrator, and help desk Basic
C Recognize the purpose and applications of IT control frameworks (COBIT, ISO 27000, ITIL, etc.) and basic IT controls Basic
3. Disaster Recovery
A Explain disaster recovery planning site concepts (hot, warm, cold, etc.) Basic
B Explain the purpose of systems and data backup Basic
C Explain the purpose of systems and data recovery procedures Basic

4. Financial Management (20%)

1. Financial Accounting and Finance
A Identify concepts and underlying principles of financial accounting (types of financial statements and terminologies such as bonds, leases, pensions, intangible assets, research and development, etc.) Basic
B Recognize advanced and emerging financial accounting concepts (consolidation, investments, fair value, partnerships, foreign currency transactions, etc.) Basic
C Interpret financial analysis (horizontal and vertical analysis and ratios related to activity, profitability, liquidity, leverage, etc.) Proficient
D Describe revenue cycle, current asset management activities and accounting, and supply chain management (including inventory valuation and accounts payable) Basic
E Describe capital budgeting, capital structure, basic taxation, and transfer pricing Basic
2. Managerial Accounting
A Explain general concepts of managerial accounting (cost-volume-profit analysis, budgeting, expense allocation, cost-benefit analysis, etc.) Basic
B Differentiate costing systems (absorption, variable, fixed, activity-based, standard, etc.) Basic
C Distinguish various costs (relevant and irrelevant costs, incremental costs, etc.) and their use in decision making Basic

Which CIA exam part should I take first?

CIA exam candidates can sit for the exam in any order they choose. However, based on the exam content and our 40 years of experience, Gleim recommends most candidates take the exams in sequential order. Topics in each part build off of one another, meaning mastering one part will help you prepare for the others.

An exception exists for recently graduated internal auditors. Because CIA Part 3 tests candidates on topics that they need to be aware of rather than what they’ll be using every day, many students find CIA Part 3 easier to take when their coursework is still fresh in their mind.

If you choose to take the exams out of order, pay close attention to what is tested on each topic to make sure you are well prepared!

How are topics tested on the CIA exam?

The CIA exam is non-disclosed, meaning the questions on it aren’t available to anyone, and there is a large body of questions that each exam pulls from, so virtually no two exams will be the same.

Additionally, the exact number of questions from each topic is slightly randomized, so it is important to prepare for all of the topics to the best of your ability.

CIA exam candidates are instructed to select the best answer out of the given options. Candidates have reported that the CIA exam can be tricky and give two very close answer choices. Always select the best or most correct answer if you are torn between two options.

THE GLEIM SOLUTION


Be on the lookout for absolutes during your exam. Questions or answers with words like always or never can often be solved by asking yourself “are there any exceptions?” If so, you’ll know if an answer is more or less likely to be correct.

Question types

There are five types of multiple-choice questions found on the CIA exam. You are likely to encounter all five, but due to the non-disclosed nature of the CIA exam, your experience may be a little different. Don’t worry. As long as you’re prepared, you can easily answer anything the CIA exam throws at you.

Direct Questions

Everyone is likely familiar with this type of question, and it’s the most common type on the CIA exam. Most will either ask you a question or have you complete a sentence, but all are straightforward and present four single-statement answer choices.

Negative questions

Sometimes multiple-choice questions will include negative phrasing, with words like except, not, unless, least, etc. Presumably, The IIA will print negative words in bold, as we did, but you should always read the question stem carefully and completely just in case. These questions can be tricky because they ask you to select the false answer choice among three correct answers.

Questions with graphical illustrations

CIA exam questions will occasionally require you to interpret a graph or other image before selecting the appropriate answer choice. Any of the question types we discussed could include a graphical illustration.

Questions with two or three answer options

Other times, the exam will pose a question and provide a number of statements separate from the answer choices. The four answer choices will ask you specifically if one or more of the statements satisfy the question.

This type of question can be one of the most difficult to answer, so we’ve made a special Gleim Instruct video reviewing the best approaches to multiple-choice questions.

The best strategy is to determine which sentences you are sure are right or wrong and use them to eliminate answer choices. Read the entire question stem carefully. Even if you’re not certain about the right answer, you have high odds of making a correct educated guess.

Questions with several variables

Some multiple-choice questions present several variables within each answer choice. The answer choices appear in columns, and you must select the correct “row” containing the right mix of variables.

This question type is also considered to be quite difficult by CIA candidates, but our Gleim Instruct video also goes over how to answer these questions.

How soon are new pronouncements tested?

The IIA typically tests updated standards approximately 6 months after the standards take effect. All three CIA exam parts begin testing new pronouncements at the same time. There are exceptions, typically in the case of large updates, which will be announced by The IIA in advance so candidates and review providers can be well prepared.

What is the CIA exam pass rate?

The CIA exam has a very low pass rate; last year it was 42%. This number reflects all candidates across all parts. Typically, fewer than half of CIA candidates pass the exam, which means only the properly prepared succeed.

How do I pass the CIA exam?

The best way to ensure that you are successful on each of the three CIA exam parts is to study with a complete review system and master all of the testable topics.