
Certified Internal Auditor® (CIA®) Exam Syllabus

Part 1 – Essentials of Internal Auditing

125 questions | 2.5 Hours (150 minutes)

The CIA exam Part 1 is well aligned with The IIA's International Professional Practices Framework (IPPF) and includes six domains covering the foundation of internal auditing; independence and objectivity; proficiency and due professional care; quality assurance and improvement programs; governance, risk management, and control; and fraud risk. Part 1 tests candidates' knowledge, skills, and abilities related to the International Standards for the Professional Practice of Internal Auditing, particularly the Attribute Standards (series 1000, 1100, 1200, and 1300) as well as Performance Standard 2100.

Part 2 – Practice of Internal Auditing

100 questions | 2.0 Hours (120 minutes)

The CIA exam Part 2 includes four domains focused on managing the internal audit activity, planning the engagement, performing the engagement, and communicating engagement results and monitoring progress. Part 2 tests candidates' knowledge, skills, and abilities particularly related to Performance Standards (series 2000, 2200, 2300, 2400, 2500, and 2600) and current internal audit practices.

Part 3 – Business Knowledge for Internal Auditing

100 questions | 2.0 Hours (120 minutes)

The CIA exam Part 3 includes four domains focused on business acumen, information security, information technology, and financial management. Part 3 is designed to test candidates' knowledge, skills, and abilities particularly as they relate to these core business concepts.

CIA Exam syllabus (2019-12-03) 1


CIA Exam Syllabus, Part 1 – Essentials of Internal Auditing
I. Foundations of Internal Auditing (15%)
A. Interpret The IIA's Mission of Internal Audit, Definition of Internal Auditing, and Core Principles for the Professional Practice of Internal Auditing, and the purpose, authority, and responsibility of the internal audit activity | Proficient
B. Explain the requirements of an internal audit charter (required components, board approval, communication of the charter, etc.) | Basic
C. Interpret the difference between assurance and consulting services provided by the internal audit activity | Proficient
D. Demonstrate conformance with the IIA Code of Ethics | Proficient
II. Independence and Objectivity (15%)
A. Interpret organizational independence of the internal audit activity (importance of independence, functional reporting, etc.) | Basic
B. Identify whether the internal audit activity has any impairments to its independence | Basic
C. Assess and maintain an individual internal auditor's objectivity, including determining whether an individual internal auditor has any impairments to his/her objectivity | Proficient
D. Analyze policies that promote objectivity | Proficient
III. Proficiency and Due Professional Care (18%)
A. Recognize the knowledge, skills, and competencies required (whether developed or procured) to fulfill the responsibilities of the internal audit activity | Basic
B. Demonstrate the knowledge and competencies that an internal auditor needs to possess to perform his/her individual responsibilities, including technical skills and soft skills (communication skills, critical thinking, persuasion/negotiation and collaboration skills, etc.) | Proficient
C. Demonstrate due professional care | Proficient
D. Demonstrate an individual internal auditor's competency through continuing professional development | Proficient
IV. Quality Assurance and Improvement Program (7%)
A. Describe the required elements of the quality assurance and improvement program (internal assessments, external assessments, etc.) | Basic
B. Describe the requirement of reporting the results of the quality assurance and improvement program to the board or other governing body | Basic
C. Identify appropriate disclosure of conformance vs. nonconformance with The IIA's International Standards for the Professional Practice of Internal Auditing | Basic
V. Governance, Risk Management, and Control (35%)
A. Describe the concept of organizational governance | Basic
B. Recognize the impact of organizational culture on the overall control environment and individual engagement risks and controls | Basic
C. Recognize and interpret the organization's ethics and compliance-related issues, alleged violations, and dispositions | Basic
D. Describe corporate social responsibility | Basic
E. Interpret fundamental concepts of risk and the risk management process | Proficient
F. Describe globally accepted risk management frameworks appropriate to the organization (COSO - ERM, ISO 31000, etc.) | Basic

G. Examine the effectiveness of risk management within processes and functions | Proficient
H. Recognize the appropriateness of the internal audit activity's role in the organization's risk management process | Basic
I. Interpret internal control concepts and types of controls | Proficient
J. Apply globally accepted internal control frameworks appropriate to the organization (COSO, etc.) | Proficient
K. Examine the effectiveness and efficiency of internal controls | Proficient
VI. Fraud Risks (10%)
A. Interpret fraud risks and types of frauds and determine whether fraud risks require special consideration when conducting an engagement | Proficient
B. Evaluate the potential for occurrence of fraud (red flags, etc.) and how the organization detects and manages fraud risks | Proficient
C. Recommend controls to prevent and detect fraud and education to improve the organization's fraud awareness | Proficient
D. Recognize techniques and internal audit roles related to forensic auditing (interview, investigation, testing, etc.) | Basic

CIA Exam Syllabus, Part 2 – Practice of Internal Auditing
I. Managing the Internal Audit Activity (20%)
1. Internal Audit Operations
A. Describe policies and procedures for the planning, organizing, directing, and monitoring of internal audit operations | Basic
B. Interpret administrative activities (budgeting, resourcing, recruiting, staffing, etc.) of the internal audit activity | Basic
2. Establishing a Risk-based Internal Audit Plan
A. Identify sources of potential engagements (audit universe, audit cycle requirements, management requests, regulatory mandates, relevant market and industry trends, emerging issues, etc.) | Basic
B. Identify a risk management framework to assess risks and prioritize audit engagements based on the results of a risk assessment | Basic
C. Interpret the types of assurance engagements (risk and control assessments, audits of third parties and contract compliance, security and privacy, performance and quality audits, key performance indicators, operational audits, financial and regulatory compliance audits) | Proficient
D. Interpret the types of consulting engagements (training, system design, system development, due diligence, privacy, benchmarking, internal control assessment, process mapping, etc.) designed to provide advice and insight | Proficient
E. Describe coordination of internal audit efforts with the external auditor, regulatory oversight bodies, and other internal assurance functions, and potential reliance on other assurance providers | Basic
3. Communicating and Reporting to Senior Management and the Board
A. Recognize that the chief audit executive communicates the annual audit plan to senior management and the board and seeks the board's approval | Basic
B. Identify significant risk exposures and control and governance issues for the chief audit executive to report to the board | Basic
C. Recognize that the chief audit executive reports on the overall effectiveness of the organization's internal control and risk management processes to senior management and the board | Basic
D. Recognize internal audit key performance indicators that the chief audit executive communicates to senior management and the board periodically | Basic
II. Planning the Engagement (20%)
1. Engagement Planning
A. Determine engagement objectives, evaluation criteria, and the scope of the engagement | Proficient
B. Plan the engagement to assure identification of key risks and controls | Proficient
C. Complete a detailed risk assessment of each audit area, including evaluating and prioritizing risk and control factors | Proficient
D. Determine engagement procedures and prepare the engagement work program | Proficient
E. Determine the level of staff and resources needed for the engagement | Proficient

III. Performing the Engagement (40%)
1. Information Gathering
A. Gather and examine relevant information (review previous audit reports and data, conduct walk-throughs and interviews, perform observations, etc.) as part of a preliminary survey of the engagement area | Proficient
B. Develop checklists and risk-and-control questionnaires as part of a preliminary survey of the engagement area | Proficient
C. Apply appropriate sampling (nonstatistical, judgmental, discovery, etc.) and statistical analysis techniques | Proficient
2. Analysis and Evaluation
A. Use computerized audit tools and techniques (data mining and extraction, continuous monitoring, automated workpapers, embedded audit modules, etc.) | Proficient
B. Evaluate the relevance, sufficiency, and reliability of potential sources of evidence | Proficient
C. Apply appropriate analytical approaches and process mapping techniques (process identification, workflow analysis, process map generation and analysis, spaghetti maps, RACI diagrams, etc.) | Proficient
D. Determine and apply analytical review techniques (ratio estimation, variance analysis, budget vs. actual, trend analysis, other reasonableness tests, benchmarking, etc.) | Basic
E. Prepare workpapers and documentation of relevant information to support conclusions and engagement results | Proficient
F. Summarize and develop engagement conclusions, including assessment of risks and controls | Proficient
3. Engagement Supervision
A. Identify key activities in supervising engagements (coordinate work assignments, review workpapers, evaluate auditors' performance, etc.) | Basic
IV. Communicating Engagement Results and Monitoring Progress (20%)
1. Communicating Engagement Results and the Acceptance of Risk
A. Arrange preliminary communication with engagement clients | Proficient
B. Demonstrate communication quality (accurate, objective, clear, concise, constructive, complete, and timely) and elements (objectives, scope, conclusions, recommendations, and action plan) | Proficient
C. Prepare interim reporting on the engagement progress | Proficient
D. Formulate recommendations to enhance and protect organizational value | Proficient
E. Describe the audit engagement communication and reporting process, including holding the exit conference, developing the audit report (draft, review, approve, and distribute), and obtaining management's response | Basic
F. Describe the chief audit executive's responsibility for assessing residual risk | Basic
G. Describe the process for communicating risk acceptance (when management has accepted a level of risk that may be unacceptable to the organization) | Basic
2. Monitoring Progress
A. Assess engagement outcomes, including the management action plan | Proficient
B. Manage monitoring and follow-up of the disposition of audit engagement results communicated to management and the board | Proficient

CIA Exam Syllabus, Part 3 – Business Knowledge for Internal Auditing

I. Business Acumen (35%)
1. Organizational Objectives, Behavior, and Performance
A. Describe the strategic planning process and key activities (objective setting, globalization and competitive considerations, alignment to the organization's mission and values, etc.) | Basic
B. Examine common performance measures (financial, operational, qualitative vs. quantitative, productivity, quality, efficiency, effectiveness, etc.) | Proficient
C. Explain organizational behavior (individuals in organizations, groups, and how organizations behave, etc.) and different performance management techniques (traits, organizational politics, motivation, job design, rewards, work schedules, etc.) | Basic
D. Describe management's effectiveness to lead, mentor, guide people, build organizational commitment, and demonstrate entrepreneurial ability | Basic
2. Organizational Structure and Business Processes
A. Appraise the risk and control implications of different organizational configuration structures (centralized vs. decentralized, flat structure vs. traditional, etc.) | Basic
B. Examine the risk and control implications of common business processes (human resources, procurement, product development, sales, marketing, logistics, management of outsourced processes, etc.) | Proficient
C. Identify project management techniques (project plan and scope, time/team/resources/cost management, change management, etc.) | Basic
D. Recognize the various forms and elements of contracts (formality, consideration, unilateral, bilateral, etc.) | Basic
3. Data Analytics
A. Describe data analytics, data types, data governance, and the value of using data analytics in internal auditing | Basic
B. Explain the data analytics process (define questions, obtain relevant data, clean/normalize data, analyze data, communicate results) | Basic
C. Recognize the application of data analytics methods in internal auditing (anomaly detection, diagnostic analysis, predictive analysis, network analysis, text analysis, etc.) | Basic
II. Information Security (25%)
1. Information Security
A. Differentiate types of common physical security controls (cards, keys, biometrics, etc.) | Basic
B. Differentiate the various forms of user authentication and authorization controls (password, two-level authentication, biometrics, digital signatures, etc.) and identify potential risks | Basic
C. Explain the purpose and use of various information security controls (encryption, firewalls, antivirus, etc.) | Basic
D. Recognize data privacy laws and their potential impact on data security policies and practices | Basic
E. Recognize emerging technology practices and their impact on security (bring your own device [BYOD], smart devices, internet of things [IoT], etc.) | Basic
F. Recognize existing and emerging cybersecurity risks (hacking, piracy, tampering, ransomware attacks, phishing attacks, etc.) | Basic
G. Describe cybersecurity and information security-related policies | Basic
III. Information Technology (20%)
1. Application and System Software

A. Recognize core activities in the systems development lifecycle and delivery (requirements definition, design, developing, testing, debugging, deployment, maintenance, etc.) and the importance of change controls throughout the process | Basic
B. Explain basic database terms (data, database, record, object, field, schema, etc.) and internet terms (HTML, HTTP, URL, domain name, browser, click-through, electronic data interchange [EDI], cookies, etc.) | Basic
C. Identify key characteristics of software systems (customer relationship management [CRM] systems; enterprise resource planning [ERP] systems; and governance, risk, and compliance [GRC] systems; etc.) | Basic
2. IT Infrastructure and IT Control Frameworks
A. Explain basic IT infrastructure and network concepts (server, mainframe, client-server configuration, gateways, routers, LAN, WAN, VPN, etc.) and identify potential risks | Basic
B. Define the operational roles of a network administrator, database administrator, and help desk | Basic
C. Recognize the purpose and applications of IT control frameworks (COBIT, ISO 27000, ITIL, etc.) and basic IT controls | Basic
3. Disaster Recovery
A. Explain disaster recovery planning site concepts (hot, warm, cold, etc.) | Basic
B. Explain the purpose of systems and data backup | Basic
C. Explain the purpose of systems and data recovery procedures | Basic
IV. Financial Management (20%)
1. Financial Accounting and Finance
A. Identify concepts and underlying principles of financial accounting (types of financial statements and terminologies such as bonds, leases, pensions, intangible assets, research and development, etc.) | Basic
B. Recognize advanced and emerging financial accounting concepts (consolidation, investments, fair value, partnerships, foreign currency transactions, etc.) | Basic
C. Interpret financial analysis (horizontal and vertical analysis and ratios related to activity, profitability, liquidity, leverage, etc.) | Proficient
D. Describe revenue cycle, current asset management activities and accounting, and supply chain management (including inventory valuation and accounts payable) | Basic
E. Describe capital budgeting, capital structure, basic taxation, and transfer pricing | Basic
2. Managerial Accounting
A. Explain general concepts of managerial accounting (cost-volume-profit analysis, budgeting, expense allocation, cost-benefit analysis, etc.) | Basic
B. Differentiate costing systems (absorption, variable, fixed, activity-based, standard, etc.) | Basic
C. Distinguish various costs (relevant and irrelevant costs, incremental costs, etc.) and their use in decision making | Basic
