CIA® is the acronym for Certified Internal Auditor. CIA® is a registered trademark of The Institute of Internal Auditors, Inc. The CIA designation is international, with the examination administered in numerous countries. The CIA exam has been administered by The IIA since 1974.

CIA Exam (3-Part)
Part | Title | Exam Length | Number of Questions
1 | Internal Audit Basics | 2.5 hrs | 125 multiple-choice
2 | Internal Audit Practice | 2 hrs | 100 multiple-choice
3 | Internal Audit Knowledge Elements | 2 hrs | 100 multiple-choice


The total exam is 6.5 hours of testing (plus 5 minutes per part for a survey). It is divided into three
parts as follows:
Part 1 – Internal Audit Basics
Part 2 – Internal Audit Practice
Part 3 – Internal Audit Knowledge Elements
Part 1 consists of 125 questions and lasts for 2.5 hours, while Parts 2 and 3 each contain
100 questions and last for 2 hours. All CIA questions are multiple-choice. The exam is offered
continually throughout the year.



According to The IIA, the CIA® is a “globally accepted certification for internal auditors” through which “individuals demonstrate their professionalism in the internal audit field.” Successful candidates will have gained “educational experience, information, and business tools that can be applied immediately in any organization or business environment.”
Passing this exam validates and confirms your professional work experience and requires your complete dedication and determination. The benefits include higher salary, increased confidence and competence, and recognition as a member of an elite group of professionals.


The IIA is an international professional association that was organized in 1941 to develop the professional status of internal auditing. The IIA’s mission is to be the global voice of the internal audit profession and provide dynamic leadership. The chapters and affiliated institutes around the world hold regular meetings, seminars, and conferences that encourage members to network with peers, develop professional contacts, and stay informed about current issues and practices in internal auditing.

Part 1: Internal Audit Basics
I Mandatory Guidance 40%
II Internal Control/Risk
III Conducting Internal Audit Engagements – Audit Tools and Techniques 30%

Part 2: Internal Audit Practice
I Managing the Internal Audit Function 45%
II Managing Individual Engagements 45%
III Fraud Risks and Controls 10%

Part 3: Internal Audit Knowledge Elements
I Governance/Business Ethics 10%
II Risk Management 15%
III Organizational Structure/Business Processes and Risks 20%
IV Communication 7.5%
V Management/Leadership Principles 15%
VI IT/Business Continuity 20%
VII Financial Management 15%
VIII Global Business Environment 5%


Anyone who satisfies these character, educational, and professional requirements may sit for the examination.

1. Bachelor’s degree or equivalent. Candidates must have an undergraduate (4-year) degree, or its equivalent, from an accredited college-level institution.
a. Full-time university students who are in their senior (final) year may sit for the CIA exam before completing their education requirement as long as they complete the Student/Professor Application Form and submit the Full-Time Student Status Form.
b. Alternatively, subject to approval, candidates may be eligible if they possess (1) 2 years of post-secondary education and 5 years of verified experience in internal audit or its equivalent or (2) 7 years of verified experience in internal audit or its equivalent.
2. Character reference. CIA candidates must exhibit high moral and professional character and must submit a character reference from a responsible person, such as a CIA®, supervisor, manager, or educator. The character reference must accompany the candidate’s exam application. A character reference form is available on The IIA website.
3. Work experience. Candidates are required to have 24 months of internal auditing experience (or the equivalent) prior to receiving the CIA certificate. A master’s degree can substitute for 12 of the 24 months. A candidate may sit for the exam before completing the work experience requirements, but (s)he will not be certified until the experience requirement is met.
a. Work experience must be verified by a CIA® or the candidate’s supervisor. An Experience Verification Form is available on The IIA website and in The IIA’s Certification Candidate Handbook for use in verifying professional experience. This may accompany the candidate’s application or be submitted later when criteria have been met.


Follow these five easy steps to apply to the CIA Certification Program, register to take an exam part, and schedule your exam at Pearson VUE. You should read through these steps so you are completely comfortable when you begin the process for yourself. You can track your progress and organize your documentation with the help of our CIA Exam Worksheet at the end of this guide.

1. Create a profile in The IIA’s Certification Candidate Management System (CCMS).
If you have not done so already or if your previous login information has expired, go to The IIA’s website and click on the link to the CCMS on the right side of the page.
a. At the CCMS login page, click on the “First Time Users” link, agree to the terms of use, and complete all of the information to set up your profile. Submit your information.
b. The IIA will send you a Candidate ID number and information on how to activate your account.

2. Apply to the CIA Certification Program.
a. Log in and activate your account from your confirmation email. You will be directed to your Candidate Landing Page, where you can view the status of any IIA certifications in which you are involved.
b. Click on the “Complete a Form” link in the menu bar on the left. All the programs for which you have been authorized to register are displayed.
c. Choose “CIA Application” or “CIA Application – Student/Professor.”
d. Submit your application to the CIA program and wait to receive a “Your application has been approved” email. This email reminds you that you must still submit your education credentials.
e. Complete your application process by filling out your payment information and submitting your order. Paying by credit card will ensure the quickest processing time. You will receive an “Order Completed” email.
f. Submit any required supporting documentation (e.g., education transcripts, Experience Verification Form, Character Reference Form, etc.) using the document upload portal at
g. The IIA will send you an email confirming your application to the CIA program.

3. Register for an exam part.
a. Upon receipt of the application confirmation email, log in to the CCMS and click on the “Complete a Form” link in the menu bar on the left. From the New Forms tab (the default), choose the registration form for the exam part you wish to take (e.g., CIA – Part 1 Registration).
b. Fill out the payment information and submit your order. Paying by credit card will ensure the quickest processing time. The IIA will send you an “Order Completed” email.
c. When your order has been processed, The IIA will send you an “Authorization to Test” email authorizing you to schedule the part for which you registered. You must print out this email and bring it to the testing center with you when you take your exam. The email states that you need to wait at least 48 hours for your information to be processed, and then you can log into the Pearson VUE website to schedule your appointment to sit for the exam. You have 180 days from the day you registered for the exam to sit for it.

4. Create a profile at Pearson VUE if you do not already have one.
a. Go to Pearson VUE’s website and first select your Testing Program, which is the “Institute of Internal Auditors.” Then, click on the “Create Account” link. Fill out the form with the appropriate information. (You will need your IIA candidate number at this time.)
b. The screen will inform you that an email confirming your new account will be sent and that you can go ahead and schedule an exam now. Click “Schedule Exam Now” and proceed to step 5.b. below.
c. Pearson VUE will send you an email confirming your new account.

5. Schedule your exam at Pearson VUE.
a. Go to Pearson VUE’s website, log in, and click on the “Schedule a Test” link in the menu on the right.
b. Follow the on-screen prompts to navigate through the following steps:
1) Selecting the exam part you want to schedule
2) Selecting the language in which you will take your exam
3) Locating and choosing a test center based on your home address
4) Choosing the date and time for your exam
c. Review your appointment details to ensure that you have the correct time, date, and location for your test before you finalize your payment.
d. Enter your payment information and click “Confirm Order.”
e. Print your receipt. Carefully read the Policies information below the receipt.
f. Pearson VUE will send you an email confirming your payment and restating your appointment details. The email also contains the rules and procedures of your testing center as well as directions to get there. Print out this email and bring it with you to the testing center on exam day.

Exam Syllabus: Part 1 – Internal Audit Basics

I. Mandatory Guidance (35-45%)

A.  Definition of Internal Auditing

  1. Define purpose, authority, and responsibility of the internal audit activity

B. Code of Ethics

  1. Abide by and promote compliance with The IIA Code of Ethics

C.  International Standards

  1.  Comply with The IIA’s Attribute Standards
    1.  Determine if the purpose, authority, and responsibility of the internal audit activity are documented in audit charter, approved by the Board and communicated to the engagement clients
    2.  Demonstrate an understanding of the purpose, authority, and responsibility of the internal audit activity
  2.  Maintain independence and objectivity
    1. Foster independence
      1. Understand organizational independence
      2. Recognize the importance of organizational independence
      3. Determine if the internal audit activity is properly aligned to achieve organizational independence
    2. Foster objectivity
      1. Establish policies to promote objectivity
      2. Assess individual objectivity
      3. Maintain individual objectivity
      4. Recognize and mitigate impairments to independence and objectivity
  3. Determine if the required knowledge, skills, and competencies are available
    1. Understand the knowledge, skills, and competencies that an internal auditor needs to possess
    2. Identify the knowledge, skills, and competencies required to fulfill the responsibilities of the internal audit activity
  4. Develop and/or procure necessary knowledge, skills and competencies collectively required by the internal audit activity
  5. Exercise due professional care
  6. Promote continuing professional development
    1. Develop and implement a plan for continuing professional development for internal audit staff
    2. Enhance individual competency through continuing professional development
  7. Promote quality assurance and improvement of the internal audit activity
    1. Monitor the effectiveness of the quality assurance and improvement program
    2. Report the results of the quality assurance and improvement program to the board or other governing body
    3. Conduct quality assurance procedures and recommend improvements to the performance of the internal audit activity

II. Internal Control / Risk (25-35%) – Awareness Level (A)

A. Types of Controls (e.g., preventive, detective, input, output, etc.)

B. Management Control Techniques

C. Internal Control Framework Characteristics and Use (e.g., COSO, Cadbury)

  1. Develop and implement an organization-wide risk and control framework

D. Alternative Control Frameworks

E. Risk Vocabulary and Concepts

F. Fraud Risk Awareness

  1. Types of fraud
  2. Fraud red flags

III. Conducting Internal Audit Engagements – Audit Tools and Techniques (25-35%)

A. Data Gathering (Collect and analyze data on proposed engagements):

  1. Review previous audit reports and other relevant documentation as part of a preliminary survey of the engagement area
  2. Develop checklists/internal control questionnaires as part of a preliminary survey of the engagement area
  3. Conduct interviews as part of a preliminary survey of the engagement area
  4. Use observation to gather data
  5. Conduct engagement to assure identification of key risks and controls
  6. Sampling  (non-statistical [judgmental] sampling method, statistical sampling, discovery sampling, and statistical analyses techniques)

B. Data Analysis and Interpretation:

  1. Use computerized audit tools and techniques (e.g., data mining and extraction, continuous monitoring, automated work papers, embedded audit modules)
  2. Conduct spreadsheet analysis
  3. Use analytical review techniques (e.g., ratio estimation, variance analysis, budget vs. actual, trend analysis, other reasonableness tests)
  4. Conduct benchmarking
  5. Draw conclusions

C. Data Reporting

  1. Report test results to auditor in charge
  2. Develop preliminary conclusions regarding controls

D. Documentation / Work Papers

  1. Develop work papers

E. Process Mapping, Including Flowcharting

F. Evaluate Relevance, Sufficiency, and Competence of Evidence

  1. Identify potential sources of evidence


Exam Syllabus: Part 2 – Internal Audit Practice

I. Managing the Internal Audit Function (40-50%)

A. Strategic Role of Internal Audit

  1. Initiate, manage, be a change catalyst, and cope with change
  2. Build and maintain networking with other organization executives and the audit committee
  3. Organize and lead a team in mapping, analysis, and business process improvement
  4. Assess and foster the ethical climate of the board and management
    1. Investigate and recommend resolution for ethics/compliance complaints, and determine disposition of ethics violations
    2. Maintain and administer business conduct policy (e.g., conflict of interest), and report on compliance
  5. Educate senior management and the board on best practices in governance, risk management, control, and compliance
  6. Communicate internal audit key performance indicators to senior management and the board on a regular basis
  7. Coordinate IA efforts with external auditor, regulatory oversight bodies and other internal assurance functions
  8. Assess the adequacy of the performance measurement system, achievement of corporate objective – Awareness Level (A)

B.  Operational Role of IA

  1. Formulate policies and procedures for the planning, organizing, directing, and monitoring of internal audit operations
  2. Review the role of the internal audit function within the risk management framework
  3. Direct administrative activities (e.g., budgeting, human resources) of the internal audit department
  4. Interview candidates for internal audit positions
  5. Report on the effectiveness of corporate risk management processes to senior management and the board
  6. Report on the effectiveness of the internal control and risk management frameworks
  7. Maintain effective Quality Assurance Improvement Program

C.  Establish Risk-Based IA Plan

  1. Use market, product, and industry knowledge to identify new internal audit engagement opportunities
  2. Use a risk framework to identify sources of potential engagements (e.g., audit universe, audit cycle requirements, management requests, regulatory mandates)
  3. Establish a framework for assessing risk
  4. Rank and validate risk priorities to prioritize engagements in the audit plan
  5. Identify internal audit resource requirements for annual IA plan
  6. Communicate areas of significant risk and obtain approval from the board for the annual engagement plan
  7. Types of engagements
    1. Conduct assurance engagements
      1. Risk and control self-assessments
        1. Facilitated approach
          1. Client-facilitated
          2. Audit-facilitated
        2. Questionnaire approach
        3. Self-certification approach
      2. Audits of third parties and contract auditing
      3. Quality audit engagements
      4. Due diligence audit engagements
      5. Security audit engagements
      6. Privacy audit engagements
      7. Performance audit engagements (key performance indicators)
      8. Operational audit engagements (efficiency and effectiveness)
      9. Financial audit engagements
    2. Compliance audit engagements
    3. Consulting engagements
      1. Internal control training
      2. Business process mapping
      3. Benchmarking
      4. System development reviews
      5. Design of performance measurement systems

II. Managing Individual Engagements (40-50%)

A.  Plan Engagements

  1. Establish engagement objectives/criteria and finalize the scope of the engagement
  2. Plan engagement to assure identification of key risks and controls
  3. Complete a detailed risk assessment of each audit area (prioritize or evaluate risk/control factors)
  4. Determine engagement procedures and prepare engagement work program
  5. Determine the level of staff and resources needed for the engagement
  6. Construct audit staff schedule for effective use of time

B. Supervise Engagement

  1. Direct / supervise individual engagements
  2. Nurture instrumental relations, build bonds, and work with others toward shared goals
  3. Coordinate work assignments among audit team members when serving as the auditor-in-charge of a project
  4. Review work papers
  5. Conduct exit conference
  6. Complete performance appraisals of engagement staff

C. Communicate Engagement Results

  1. Initiate preliminary communication with engagement clients
  2. Communicate interim progress
  3. Develop recommendations when appropriate
  4. Prepare report or other communication
  5. Approve engagement report
  6. Determine distribution of the report
  7. Obtain management response to the report
  8. Report outcomes to appropriate parties

D. Monitor Engagement Outcomes

  1. Identify appropriate method to monitor engagement outcomes
  2. Monitor engagement outcomes and conduct appropriate follow-up by the internal audit activity
  3. Conduct follow-up and report on management’s response to internal audit recommendations
  4. Report significant audit issues to senior management and the board periodically

III. Fraud Risks and Controls (5-15%)

A. Consider the potential for fraud risks and identify common types of fraud associated with the engagement area during the engagement planning process

B.  Determine if fraud risks require special consideration when conducting an engagement

C.  Determine if any suspected fraud merits investigation

D. Complete a process review to improve controls to prevent fraud and recommend changes

E. Employ audit tests to detect fraud

F. Support a culture of fraud awareness, and encourage the reporting of improprieties

G.  Interrogation/investigative techniques – Awareness Level (A)

H. Forensic auditing – Awareness Level (A)


Exam Syllabus: Part 3 – Internal Audit Knowledge Elements

I. Governance / Business Ethics (5-15%)

A. Corporate/Organizational Governance Principles – Proficiency Level (P)

B. Environmental and Social Safeguards

C. Corporate Social Responsibility

II. Risk Management (10-20%) – Proficiency Level (P)

A.  Risk Management Techniques

B. Organizational Use of Risk Frameworks (e.g. COSO and ISO 31000 Risk Management)

III. Organizational Structure/Business Processes and Risks (15-25%)

A. Risk/Control Implications of Different Organizational Structures

B. Structure (e.g., centralized/decentralized)

C. Typical Schemes in Various Business Cycles (e.g., procurement, sales, knowledge, supply-chain management)

D.  Business Process Analysis (e.g., workflow analysis and bottleneck management, theory of constraints)

E. Inventory Management Techniques and Concepts

F.  Electronic Funds Transfer (EFT)/Electronic Data Interchange (EDI)/E-commerce

G. Business Development Life Cycles

H.  The International Organization for Standardization (ISO) Framework

I. Outsourcing Business Processes

IV.  Communication (5-10%)

A. Communication (e.g., the process, organizational dynamics, impact of computerization)

B. Stakeholder Relationships

V. Management / Leadership Principles (10-20%)

A.  Strategic Management

  1. Global analytical techniques
    1. Structural analysis of industries
    2. Competitive strategies (e.g., Porter’s model)
    3. Competitive analysis
    4. Market signals
    5. Industry evolution
  2. Industry environments
    1. Competitive strategies related to:
      1. Fragmented industries
      2. Emerging industries
      3. Declining industries
    2. Competition in global industries
      1. Sources/impediments
      2. Evolution of global markets
      3. Strategic alternatives
      4. Trends affecting competition
  3. Strategic decisions
    1. Analysis of integration strategies
    2. Capacity expansion
    3. Entry into new businesses
  4. Forecasting
  5. Quality management (e.g., TQM, Six Sigma)
  6. Decision analysis

B. Organizational Behavior

  1. Organizational theory (structures and configurations)
  2. Organizational behavior (e.g., motivation, impact of job design, rewards, schedules)
  3. Group dynamics (e.g., traits, development stages, organizational politics, effectiveness)
  4. Knowledge of human resource processes (e.g., individual performance management, supervision, personnel sourcing/staffing, staff development)
  5. Risk/control implications of different leadership styles
  6. Performance (productivity, effectiveness, etc.)

C.  Management Skills/Leadership Styles

  1. Lead, inspire, mentor, and guide people, building organizational commitment and entrepreneurial orientation
  2. Create group synergy in pursuing collective goals
  3. Team-building and assessing team performance

D. Conflict Management

  1. Conflict resolution (e.g., competitive, cooperative, and compromise)
  2. Negotiation skills
  3. Conflict management
  4. Added-value negotiating

E. Project Management / Change Management

  1. Change management
  2. Project management techniques

VI.  IT / Business Continuity (15-25%)

A.  Security

  1. Physical/system security (e.g., firewalls, access control)
  2. Information protection (e.g., viruses, privacy)
  3. Application authentication
  4. Encryption

B. Application Development

  1. End-user computing
  2. Change control (Proficiency Level)
  3. Systems development methodology (Proficiency Level)
  4. Application development (Proficiency Level)
  5. Information systems development

C. System Infrastructure

  1. Workstations
  2. Databases
  3. IT control frameworks (e.g., eSAC, COBIT)
  4. Functional areas of IT operations (e.g., data center operations)
  5. Enterprise-wide resource planning (ERP) software (e.g., SAP R/3)
  6. Data, voice, and network communications/connections (e.g., LAN, VAN, and WAN)
  7. Server
  8. Software licensing
  9. Mainframe
  10. Operating systems
  11. Web infrastructure

D.  Business Continuity

  1. IT contingency planning

VII. Financial Management (10-20%)

A.  Financial Accounting and Finance

  1. Basic concepts and underlying principles of financial accounting (e.g., statements, terminology, relationships)
  2. Intermediate concepts of financial accounting (e.g., bonds, leases, pensions, intangible assets, R&D)
  3. Advanced concepts of financial accounting (e.g., consolidation, partnerships, foreign currency transactions)
  4. Financial statement analysis (e.g., ratios)
  5. Types of debt and equity
  6. Financial instruments (e.g., derivatives)
  7. Cash management (e.g., treasury functions)
  8. Valuation models
  9. Business valuation
  10. Inventory valuation
  11. Capital budgeting (e.g., cost of capital evaluation)
  12. Taxation schemes (e.g., tax shelters, VAT)

B. Managerial Accounting

  1. General concepts
  2. Costing systems (e.g., activity-based, standard)
  3. Cost concepts (e.g., absorption, variable, fixed)
  4. Relevant cost
  5. Cost-volume-profit analysis
  6. Transfer pricing
  7. Responsibility accounting
  8. Operating budget

VIII. Global Business Environment (0-10%)

A. Economic / Financial Environments

  1. Global, multinational, international, and multi-local compared and contrasted
  2. Requirements for entering the global marketplace
  3. Creating organizational adaptability
  4. Managing training and development

B. Cultural / Political Environments

  1. Balancing global requirements and local imperatives
  2. Global mindsets (personal characteristics/competencies)
  3. Sources and methods for managing complexities and contradictions.
  4. Managing multicultural teams

C. Legal and Economics — General Concepts (e.g., contracts)

D. Impact of Government Legislation and Regulation on Business (e.g., trade legislation)

Apex Professional Training Institute