The goal of the CIA exam is to confirm candidates have the skills required to perform at the top of their industry. Certified Internal Auditors need to know and be skilled in a lot, so the “singular” exam is actually divided into three CIA exam parts that you need to sit for and pass separately. Each part tests a different area. Here’s a summary, and we’ll look at each part in more detail a little later.
Candidates usually choose to sit for each part in order because each part builds on the one(s) before it, but you can sit for them in any order you'd like. Gleim recommends starting with Part 1 unless you have a good reason not to. Because the parts build on one another, studying for one helps with the others. For example, the topics in CIA Part 1 lead into CIA Part 2, so studying CIA Part 1 will help you understand the concepts in CIA Part 2 and make studying that part slightly easier.
Once you’re comfortable with how the CIA exam is structured and know what each part tests, you can make a plan and start studying. You’ll be ready by the end of this guide.
The CIA exam is a three-part exam. Each part tests different topics using multiple-choice questions—there are no essays or free response questions.
| Part | Questions | Time allowed |
|---|---|---|
| CIA Part 1 | 125 multiple-choice questions | 2.5 hours |
| CIA Part 2 | 100 multiple-choice questions | 2 hours |
| CIA Part 3 | 100 multiple-choice questions | 2 hours |
Candidates should budget one minute to answer each question to allow time for review after answering all the questions. Gleim recommends using a time management system to keep pace and to make sure you don’t spend too much time on any one question.
If you’re past your minute and don’t know the answer, make an educated guess and mark the question for review at the end. One question won’t keep you from passing on its own (unless it keeps you from finishing the test).
The best way to avoid being stumped is to ensure you cover all the content when you’re studying.
The IIA conducts regular studies to find out the scope of work CIAs are expected to perform. It then develops the CIA Exam Syllabus, which details what candidates are expected to know (and how well they’re expected to know it).
Each CIA exam part consists of high-level categories called "domains." These domains are divided into subdomains, and each subdomain states an objective and the cognitive level at which candidates must perform in order to pass the CIA exam.
There are two cognitive proficiency levels tested on the CIA exam: Basic and Proficient.
For the latest changes to the exam, check out our CIA Changes resource.
CIA Part 1 tests the basics of internal auditing, including fraud, and the regulatory requirements from the Standards and Code of Ethics. It is the longest of the CIA exam parts and often the first part candidates take.
According to The IIA, Part 1 of the CIA exam is
… well aligned with The IIA’s International Professional Practices Framework (IPPF) and includes six domains covering the foundation of internal auditing; independence and objectivity; proficiency and due professional care; quality assurance and improvement programs; governance, risk management, and control; and fraud risk. Part one tests candidates’ knowledge, skills, and abilities related to the International Standards for the Professional Practice of Internal Auditing, particularly the Attribute Standards (series 1000, 1100, 1200, and 1300) as well as Performance Standard 2100.
It breaks down like this:
CIA Part 2 covers management of the internal audit function and individual engagements, as well as fraud risks and controls. You will need to apply analysis to the internal audit basics covered in Part 1 and understand additional topics.
The IIA focused CIA Part 2 on
… managing the internal audit activity, planning the engagement, performing the engagement, and communicating engagement results and monitoring progress. Part 2 tests candidates’ knowledge, skills, and abilities particularly related to Performance Standards (series 2000, 2200, 2300, 2400, 2500, and 2600) and current internal audit practices.
1. Internal Audit Operations

| | Objective | Cognitive level |
|---|---|---|
| A | Describe policies and procedures for the planning, organizing, directing, and monitoring of internal audit operations | Basic |
| B | Interpret administrative activities (budgeting, resourcing, recruiting, staffing, etc.) of the internal audit activity | Basic |

2. Establishing a Risk-based Internal Audit Plan

| | Objective | Cognitive level |
|---|---|---|
| A | Identify sources of potential engagements (audit universe, audit cycle requirements, management requests, regulatory mandates, relevant market and industry trends, emerging issues, etc.) | Basic |
| B | Identify a risk management framework to assess risks and prioritize audit engagements based on the results of a risk assessment | Basic |
| C | Interpret the types of assurance engagements (risk and control assessments, audits of third parties and contract compliance, security and privacy, performance and quality audits, key performance indicators, operational audits, financial and regulatory compliance audits) | Proficient |
| D | Interpret the types of consulting engagements (training, system design, system development, due diligence, privacy, benchmarking, internal control assessment, process mapping, etc.) designed to provide advice and insight | Proficient |
| E | Describe coordination of internal audit efforts with the external auditor, regulatory oversight bodies, and other internal assurance functions, and potential reliance on other assurance providers | Basic |

3. Communicating and Reporting to Senior Management and the Board

| | Objective | Cognitive level |
|---|---|---|
| A | Recognize that the chief audit executive communicates the annual audit plan to senior management and the board and seeks the board's approval | Basic |
| B | Identify significant risk exposures and control and governance issues for the chief audit executive to report to the board | Basic |
| C | Recognize that the chief audit executive reports on the overall effectiveness of the organization's internal control and risk management processes to senior management and the board | Basic |
| D | Recognize internal audit key performance indicators that the chief audit executive communicates to senior management and the board periodically | Basic |

| | Objective | Cognitive level |
|---|---|---|
| A | Determine engagement objectives, evaluation criteria, and the scope of the engagement | Proficient |
| B | Plan the engagement to assure identification of key risks and controls | Proficient |
| C | Complete a detailed risk assessment of each audit area, including evaluating and prioritizing risk and control factors | Proficient |
| D | Determine engagement procedures and prepare the engagement work program | Proficient |
| E | Determine the level of staff and resources needed for the engagement | Proficient |

1. Information Gathering

| | Objective | Cognitive level |
|---|---|---|
| A | Gather and examine relevant information (review previous audit reports and data, conduct walk-throughs and interviews, perform observations, etc.) as part of a preliminary survey of the engagement area | Proficient |
| B | Develop checklists and risk-and-control questionnaires as part of a preliminary survey of the engagement area | Proficient |
| C | Apply appropriate sampling (nonstatistical, judgmental, discovery, etc.) and statistical analysis techniques | Proficient |

2. Analysis and Evaluation

| | Objective | Cognitive level |
|---|---|---|
| A | Use computerized audit tools and techniques (data mining and extraction, continuous monitoring, automated workpapers, embedded audit modules, etc.) | Proficient |
| B | Evaluate the relevance, sufficiency, and reliability of potential sources of evidence | Proficient |
| C | Apply appropriate analytical approaches and process mapping techniques (process identification, workflow analysis, process map generation and analysis, spaghetti maps, RACI diagrams, etc.) | Proficient |
| D | Determine and apply analytical review techniques (ratio estimation, variance analysis, budget vs. actual, trend analysis, other reasonableness tests, benchmarking, etc.) | Basic |
| E | Prepare workpapers and documentation of relevant information to support conclusions and engagement results | Proficient |
| F | Summarize and develop engagement conclusions, including assessment of risks and controls | Proficient |

3. Engagement Supervision

| | Objective | Cognitive level |
|---|---|---|
| A | Identify key activities in supervising engagements (coordinate work assignments, review workpapers, evaluate auditors' performance, etc.) | Basic |

1. Communicating Engagement Results and the Acceptance of Risk

| | Objective | Cognitive level |
|---|---|---|
| A | Arrange preliminary communication with engagement clients | Proficient |
| B | Demonstrate communication quality (accurate, objective, clear, concise, constructive, complete, and timely) and elements (objectives, scope, conclusions, recommendations, and action plan) | Proficient |
| C | Prepare interim reporting on the engagement progress | Proficient |
| D | Formulate recommendations to enhance and protect organizational value | Proficient |
| E | Describe the audit engagement communication and reporting process, including holding the exit conference, developing the audit report (draft, review, approve, and distribute), and obtaining management's response | Basic |
| F | Describe the chief audit executive's responsibility for assessing residual risk | Basic |
| G | Describe the process for communicating risk acceptance (when management has accepted a level of risk that may be unacceptable to the organization) | Basic |

2. Monitoring Progress

| | Objective | Cognitive level |
|---|---|---|
| A | Assess engagement outcomes, including the management action plan | Proficient |
| B | Manage monitoring and follow-up of the disposition of audit engagement results communicated to management and the board | Proficient |
CIA Part 3 tests candidates on topics that most internal auditors need to be aware of in practice. While this part includes the most testable topics, the majority are tested at the "Basic" level rather than "Proficient," so don't get discouraged if you don't know much about these topics up front; study only what you need to pass.
The IIA describes CIA Part 3 as
… focused on business acumen, information security, information technology, and financial management. Part 3 is designed to test candidates’ knowledge, skills, and abilities particularly as they relate to these core business concepts.
Many CIA candidates consider CIA Part 3 the hardest of the CIA exam parts to pass because they aren't as familiar with its topics as they are with those in CIA Parts 1 and 2. To add to the difficulty, this part also has the widest range of topics. However, prepared candidates are still able to pass this part on their first try.
1. Organizational Objectives, Behavior, and Performance

| | Objective | Cognitive level |
|---|---|---|
| A | Describe the strategic planning process and key activities (objective setting, globalization and competitive considerations, alignment to the organization's mission and values, etc.) | Basic |
| B | Examine common performance measures (financial, operational, qualitative vs. quantitative, productivity, quality, efficiency, effectiveness, etc.) | Proficient |
| C | Explain organizational behavior (individuals in organizations, groups, and how organizations behave, etc.) and different performance management techniques (traits, organizational politics, motivation, job design, rewards, work schedules, etc.) | Basic |
| D | Describe management's effectiveness to lead, mentor, guide people, build organizational commitment, and demonstrate entrepreneurial ability | Basic |

2. Organizational Structure and Business Processes

| | Objective | Cognitive level |
|---|---|---|
| A | Appraise the risk and control implications of different organizational configuration structures (centralized vs. decentralized, flat structure vs. traditional, etc.) | Basic |
| B | Examine the risk and control implications of common business processes (human resources, procurement, product development, sales, marketing, logistics, management of outsourced processes, etc.) | Proficient |
| C | Identify project management techniques (project plan and scope, time/team/resources/cost management, change management, etc.) | Basic |
| D | Recognize the various forms and elements of contracts (formality, consideration, unilateral, bilateral, etc.) | Basic |

3. Data Analytics

| | Objective | Cognitive level |
|---|---|---|
| A | Describe data analytics, data types, data governance, and the value of using data analytics in internal auditing | Basic |
| B | Explain the data analytics process (define questions, obtain relevant data, clean/normalize data, analyze data, communicate results) | Basic |
| C | Recognize the application of data analytics methods in internal auditing (anomaly detection, diagnostic analysis, predictive analysis, network analysis, text analysis, etc.) | Basic |

| | Objective | Cognitive level |
|---|---|---|
| A | Differentiate types of common physical security controls (cards, keys, biometrics, etc.) | Basic |
| B | Differentiate the various forms of user authentication and authorization controls (password, two-level authentication, biometrics, digital signatures, etc.) and identify potential risks | Basic |
| C | Explain the purpose and use of various information security controls (encryption, firewalls, antivirus, etc.) | Basic |
| D | Recognize data privacy laws and their potential impact on data security policies and practices | Basic |
| E | Recognize emerging technology practices and their impact on security (bring your own device [BYOD], smart devices, internet of things [IoT], etc.) | Basic |
| F | Recognize existing and emerging cybersecurity risks (hacking, piracy, tampering, ransomware attacks, phishing attacks, etc.) | Basic |
| G | Describe cybersecurity and information security-related policies | Basic |

1. Application and System Software

| | Objective | Cognitive level |
|---|---|---|
| A | Recognize core activities in the systems development lifecycle and delivery (requirements definition, design, developing, testing, debugging, deployment, maintenance, etc.) and the importance of change controls throughout the process | Basic |
| B | Explain basic database terms (data, database, record, object, field, schema, etc.) and internet terms (HTML, HTTP, URL, domain name, browser, click-through, electronic data interchange [EDI], cookies, etc.) | Basic |
| C | Identify key characteristics of software systems (customer relationship management [CRM] systems; enterprise resource planning [ERP] systems; and governance, risk, and compliance [GRC] systems; etc.) | Basic |

2. IT Infrastructure and IT Control Frameworks

| | Objective | Cognitive level |
|---|---|---|
| A | Explain basic IT infrastructure and network concepts (server, mainframe, client-server configuration, gateways, routers, LAN, WAN, VPN, etc.) and identify potential risks | Basic |
| B | Define the operational roles of a network administrator, database administrator, and help desk | Basic |
| C | Recognize the purpose and applications of IT control frameworks (COBIT, ISO 27000, ITIL, etc.) and basic IT controls | Basic |

3. Disaster Recovery

| | Objective | Cognitive level |
|---|---|---|
| A | Explain disaster recovery planning site concepts (hot, warm, cold, etc.) | Basic |
| B | Explain the purpose of systems and data backup | Basic |
| C | Explain the purpose of systems and data recovery procedures | Basic |

1. Financial Accounting and Finance

| | Objective | Cognitive level |
|---|---|---|
| A | Identify concepts and underlying principles of financial accounting (types of financial statements and terminologies such as bonds, leases, pensions, intangible assets, research and development, etc.) | Basic |
| B | Recognize advanced and emerging financial accounting concepts (consolidation, investments, fair value, partnerships, foreign currency transactions, etc.) | Basic |
| C | Interpret financial analysis (horizontal and vertical analysis and ratios related to activity, profitability, liquidity, leverage, etc.) | Proficient |
| D | Describe revenue cycle, current asset management activities and accounting, and supply chain management (including inventory valuation and accounts payable) | Basic |
| E | Describe capital budgeting, capital structure, basic taxation, and transfer pricing | Basic |

2. Managerial Accounting

| | Objective | Cognitive level |
|---|---|---|
| A | Explain general concepts of managerial accounting (cost-volume-profit analysis, budgeting, expense allocation, cost-benefit analysis, etc.) | Basic |
| B | Differentiate costing systems (absorption, variable, fixed, activity-based, standard, etc.) | Basic |
| C | Distinguish various costs (relevant and irrelevant costs, incremental costs, etc.) and their use in decision making | Basic |
CIA exam candidates can sit for the exam parts in any order they choose. However, based on the exam content and our 40 years of experience, Gleim recommends that most candidates take the parts in sequential order. The topics in each part build on one another, so mastering one part will help you prepare for the others.
An exception exists for recently graduated internal auditors. Because CIA Part 3 tests candidates on topics that they need to be aware of rather than what they’ll be using every day, many students find CIA Part 3 easier to take when their coursework is still fresh in their mind.
If you choose to take the exams out of order, pay close attention to what is tested on each topic to make sure you are well prepared!
The CIA exam is non-disclosed, meaning its questions aren't made available to anyone, and each exam is drawn from a large pool of questions, so virtually no two exams will be the same.
Additionally, the exact number of questions from each topic is slightly randomized, so it is important to prepare for all of the topics to the best of your ability.
CIA exam candidates are instructed to select the best answer out of the given options. Candidates have reported that the CIA exam can be tricky and give two very close answer choices. Always select the best or most correct answer if you are torn between two options.
Be on the lookout for absolutes during your exam. Questions or answers with words like "always" or "never" can often be solved by asking yourself, "Are there any exceptions?" If an exception exists, an answer stated as an absolute is less likely to be correct.
There are five types of multiple-choice questions found on the CIA exam. You are likely to encounter all five, but due to the non-disclosed nature of the CIA exam, your experience may be a little different. Don’t worry. As long as you’re prepared, you can easily answer anything the CIA exam throws at you.
The IIA typically tests updated standards approximately 6 months after the standards take effect. All three CIA exam parts begin testing new pronouncements at the same time. There are exceptions, typically in the case of large updates, which will be announced by The IIA in advance so candidates and review providers can be well prepared.
The CIA exam has a very low pass rate; last year it was 42%. This number reflects all candidates across all parts. Typically, fewer than half of CIA candidates pass the exam, which means only the properly prepared succeed.