Content of the Certified Internal Auditor Exam - 2025


The CIA exam is undergoing major changes in May 2025. The information in this page is aligned with the version of the CIA exam that will be valid starting May 2025. If you are planning to sit for the exams before May 2025, check out the current exam outline here.

CIA Exam 2025 Parts

Part 1
Internal Audit Fundamentals


  1. Foundations of Internal Auditing (35%)
  2. Ethics and Professionalism (20%)
  3. Governance, Risk Management, and Control (30%)
  4. Fraud Risks (15%)

Part 2
Internal Audit Engagement


  1. Engagement Planning (50%)
  2. Information Gathering, Analysis, and Evaluation (40%)
  3. Engagement Supervision and Communication (10%)

Part 3

Internal Audit Function


  1. Internal Audit Operations (25%)
  2. Internal Audit Plan (15%)
  3. Quality of the Internal Audit Function (15%)
  4. Engagement Results and Monitoring (45%)

Detailed Outline of the CIA Exams

The IIA regularly updates the content of the CIA exam to make sure the content is always up-to-date and relevant for the practicing internal auditor.

Part 1 - Internal Audit Fundamentals

Section A. Foundations of Internal Auditing (35%)
  1. Describe the Purpose of Internal Auditing according to the Global Internal Audit Standards May include but is not limited to:
    a. Explain the overall objectives and benefits of the internal audit function.
    b. Describe the conditions that contribute to the effectiveness of the internal audit function.
  2. Explain the internal audit mandate and responsibilities of the board and chief audit executive May include but is not limited to:
    a. Describe the authority, role, and responsibilities of the internal audit function.
    b. Explain the role of the chief audit executive in helping the board establish or update the internal audit mandate.
    c. Explain the role of the board and senior management in determining the authority, role, and responsibilities of the internal audit function.
  3. Recognize the requirements of an internal audit charter May include but is not limited to:
    a. Identify components required by the Global Internal Audit Standards.
    b. Recognize the importance of discussing the charter with the board and senior management.
    c. Recognize the importance of board approval.
  4. Interpret the differences between assurance services and advisory services provided by the internal audit function. May include but is not limited to:
    a. Define assurance services.
    b. Differentiate between limited and reasonable assurance.
    c. Define advisory services.
    d. Describe how the nature and scope of advisory services are determined.
    e. Determine which type of service (assurance or advisory) is appropriate in a given context.
  5. Describe the types of assurance services performed by the internal audit function May include but is not limited to:
    a. Describe risk and control assessments.
    b. Describe third-party and contract compliance audits.
    c. Describe IT security and privacy audits.
    d. Describe performance and quality audits.
    e. Describe operational, financial, and regulatory compliance audits.
    f. Describe audits of organizational culture.
    g. Describe audits of the management reporting process.
  6. Describe the types of advisory services performed by the internal audit function May include but is not limited to:
    a. Describe the internal auditor’s role in providing risk and control training.
    b. Describe the internal auditor’s role in system design and development.
    c. Describe the internal auditor’s role in due diligence services.
    d. Describe the internal auditor’s role in maintaining data privacy.
    e. Describe the internal auditor’s role in benchmarking.
    f. Describe the internal auditor’s role in internal control assessments.
    g. Describe the internal auditor’s role in process mapping.
  7. Identify situations where the independence of the internal audit function may be impaired May include but is not limited to:
    a. Identify situations where the chief audit executive’s functional reporting line is not appropriate.
    b. Describe the board’s responsibility for protecting internal audit independence.
    c. Describe the chief audit executive’s responsibility for protecting and maintaining internal audit independence, including communicating to the board when an impairment or perceived impairment is identified.
    d. Identify situations where budget limitations may restrict internal audit operations.
    e. Describe the effects of scope limitations or restricted access.
  8. Recognize the internal audit function's role in the organization's risk management process May include but is not limited to:
    a. Describe The IIA’s Three Lines Model.
    b. Identify first and second line responsibilities that could impair the independence of the internal audit function.
    c. Describe safeguards to implement when internal auditors conduct or are perceived to be conducting first or second line responsibilities.
Section B. Ethics and Professionalism (20%)
  1. Demonstrate integrity May include but is not limited to:
    a. Describe how to apply honesty and professional courage when confronted with ethical dilemmas or difficult situations.
    b. Describe how to practice legal and professional behavior in all situations.
  2. Assess whether an individual internal auditor has any impairments to objectivity May include but is not limited to:
    a. Evaluate the impact of self-review and familiarity bias on engagements.
    b. Analyze situations where conflicts of interest may arise.
  3. Analyze policies that promote objectivity and potential options to mitigate impairments May include but is not limited to:
    a. Assess situations where reassigning internal auditors may be warranted.
    b. Assess situations where it would be appropriate to outsource the performance or supervision of an engagement.
    c. Determine when it is necessary to disclose impairments.
    d. Recognize situations where it is inappropriate to accept a gift, reward, or favour.
  4. Apply the knowledge, skills, and competencies required (whether developed or procured) to fulfill the responsibilities of the internal audit function May include but is not limited to:
    a. Apply written and verbal communication skills to deliver effective messages, reports, meetings, and presentations.
    b. Apply critical thinking and problem-solving skills to address complex issues and identify innovative solutions.
    c. Apply research skills to collect information from a variety of resources and expand knowledge on various topics.
    d. Apply persuasion and negotiation skills to manage conflicts and collaborate effectively with teammates and stakeholders.
    e. Apply relationship-building skills to establish trust and credibility.
    f. Apply change management skills to thrive in evolving environments.
    g. Demonstrate curiosity to uncover new information and foster continuous learning.
    h. Evaluate situations that demonstrate a need for an internal auditor to pursue continuing professional development.
  5. Demonstrate due professional care May include but is not limited to:
    a. Recognize that due professional care involves assessment of the organization’s strategy and objectives.
    b. Recognize that due professional care involves assessment of the adequacy and effectiveness of governance, risk management, and control processes.
    c. Recognize that due professional care involves assessment of the costs relative to potential benefits of an engagement.
    d. Recognize that due professional care involves assessment of the probability of significant errors, fraud, noncompliance, and other risks.
    e. Recognize that professional skepticism involves maintaining an unbiased mental attitude and critical assessment of the reliability of information.
  6. Maintain confidentiality and use information appropriately during engagements May include but is not limited to:
    a. Apply relevant organizational policies, procedures, laws, and regulations.
    b. Apply internal audit methodologies.
    c. Demonstrate respect for privacy and ownership of information.
    d. Apply appropriate methods to protect information.
Section C. Governance, Risk Management, and Control (30%) 
  1. Describe the concept of organizational governance May include but is not limited to:
    a. Describe the roles of the board, senior management, the internal audit function, and other assurance providers.
    b. Recognize governance frameworks, principles, and models.
  2. Recognize the impact of organizational culture on the overall control environment and individual engagement risks and controls May include but is not limited to:
    a. Define organizational culture, and the control environment.
    b. Define engagement risks and controls.
    c. Recognize the impact of the organization’s decision-making processes on the organization’s governance, risk management, and control processes
  3. Recognize ethical and compliance-related issues May include but is not limited to:
    a. Identify ethical, legal, and compliance requirements applicable to an organization.
    b. Recognize the internal auditor’s role in an organization’s ethical framework.
  4. Interpret fundamental concepts of risk type May include but is not limited to:
    a. Differentiate between the following types of risk: strategic, operational, financial, compliance, reputational, and environmental, sustainability and social responsibility.
    b. Compare and contrast inherent and residual risks.
  5. Interpret fundamental concepts of the risk management process May include but is not limited to:
    a. Define risk management.
    b. Recognize an organization’s risk appetite and risk tolerance.
    c. Assess the elements of the risk management cycle.
    d. Evaluate an organization’s responses to identified risks.
  6. Describe risk management within organizational processes and functions May include but is not limited to:
    a. Evaluate the design and effectiveness of risk management processes.
    b. Describe the purpose and benefit of using a risk management framework.
  7. Interpret internal control concepts and types of controls May include but is not limited to:
    a. Describe the purpose of internal controls.
    b. Describe and evaluate types of internal controls, such as preventive, detective, and corrective.
    c. Recommend appropriate controls to mitigate risks.
  8. Recognize the importance of the design, effectiveness, and efficiency of internal controls (financial and nonfinancial) May include but is not limited to:
    a. Review the design and effectiveness of internal controls.
    b. Describe the purpose and benefit of using an internal control framework.
Section D. Fraud Risks (15%)
  1. Describe concepts of fraud risks and types of fraud May include but is not limited to:
    a. Describe the fraud triangle concepts: motivation, opportunity, and rationalization.
    b. Recognize fraud risks.
    c. Identify common fraud schemes.
  2. Determine whether fraud risks require special consideration during an engagement May include but is not limited to:
    a. Recognize fraud risks when planning an engagement.
    b. Assess processes that may have significant exposure to fraud risk.
  3. Evaluate the potential for fraud and how the organization detects and manages fraud risks May include but is not limited to:
    a. Evaluate an organization’s fraud risk management processes.
    b. Detect and assess red flags at the organizational level and process level.
    c. Recognize the internal auditor’s role in reporting red flags identified during an engagement.
  4. Describe controls to prevent and detect fraud May include but is not limited to:
    a. Recognize the impact that tone at the top has on the likelihood of fraud.
    b. Recognize the appropriate application of segregation of duties.
    c. Recognize how authority levels may prevent fraud.
    d. Recognize common controls to detect fraud such as whistleblower hotlines, reconciliations, and supervisory reviews.
  5. Recognize techniques and the internal audit function's role related to fraud investigation May include but is not limited to:
    a. Define the internal audit function’s role related to fraud investigations.
    b. Describe interviewing techniques.
    c. Describe investigation techniques.
    d. Describe fraud testing methods.
    e. Recognize opportunities for internal auditors to coordinate with fraud investigators and review their risk assessments, prior investigations, investigation trends, and whistleblower complaints.

Part 2 - Internal Audit Engagement

Section A. Engagement Planning (50%)
  1. Determine engagement objectives and scope May include but is not limited to:
    a. Recognize how to apply Topical Requirements when determining objectives and scope.
    b. Recognize elements to be considered in the development of engagement objectives, including regulatory requirements; the organization’s strategy and objectives; governance, risk management, and control processes; risk appetite and tolerance; internal policies; previous audit reports; work of other assurance providers; and whether the engagement is intended to provide assurance or advisory services.
    c. Identify and document relevant scope limitations during planning.
    d. Evaluate approaches for managing and documenting stakeholder requests.
    e. Identify effective methods for addressing changes in objectives and scope.
  2. Determine evaluation criteria based on relevant information gathered May include but is not limited to:
    a. Identify the most relevant criteria for evaluating the activity under review.
    b. Determine whether a set of evaluation criteria is specific, practical, relevant, aligned with the objectives of the organization and the activity under review, and produces reliable comparisons.
  3. Plan the engagement to assess key risks and controls May include but is not limited to:
    a. Recognize how to apply Topical Requirements when planning an engagement.
    b. When planning an engagement, recognize the strategic objectives of the activity under review and their integration with risk management, business performance measures, and performance management techniques.
    c. When planning an engagement, recognize existing and emerging cybersecurity risks, common information security and IT controls, IT general controls, the purpose and benefits of using an IT control framework, principles of data privacy, and data security policies and practices.
    d. When planning an engagement, recognize business continuity and disaster recovery readiness concepts such as business resilience, incident management, business impact analysis, and backup and recovery testing.
    e. When planning an engagement, recognize finance and accounting concepts related to the activity under review such as current and fixed assets, short-term and long-term liabilities, capital, and investments.
    f. When planning an engagement, recognize key risks and controls related to common business processes such as asset management, supply chain management, inventory management, accounts payable, procurement, compliance, third-party processes, customer relationship management systems, enterprise resource planning systems, and governance, risk, and compliance systems.
  4. Determine the appropriate approach for an engagement May include but is not limited to:
    a. Evaluate various approaches such as agile, traditional, integrated, and remote auditing to determine the most suitable approach.
    b. Describe project management concepts as they relate to planning and conducting an engagement.
  5. Complete a detailed risk assessment of each activity under review May include but is not limited to:
    a. Recognize how to apply Topical Requirements when completing a risk assessment.
    b. Recognize the pervasive financial, operational, IT, cybersecurity, and regulatory risks as they relate to the activity under review.
    c. Recognize the impact of emerging risks on the organization.
    d. Determine appropriate methods and criteria to evaluate and prioritize identified risks and controls.
    e. Recognize the impacts of change of people, processes, and systems on risk.
    f. Recognize the impact of different organizational structures and environments on the risk assessment, including centralized versus decentralized, flat versus traditional, and in-person versus remote work.
    g. Recognize the impact of organizational culture on the control environment, including individual and group behaviors and tone at the top.
  6. Determine engagement procedures and prepare the engagement work program May include but is not limited to:
    a. Determine procedures to evaluate control design.
    b. Identify procedures to test the effectiveness of controls.
    c. Identify procedures to test the efficiency of controls.
    d. Evaluate the adequacy of the engagement work program.
    e. Identify testing methodologies for an engagement that includes accounting, finance, IT systems, business operations, or cybersecurity.
  7. Determine the level of resources and skills needed for the engagement May include but is not limited to:
    a. Determine financial resources required for the engagement.
    b. Determine human resources required for the engagement.
    c. Determine technological resources required for the engagement.
    d. Evaluate implications of resource limitations.
Section B. Information Gathering, Analysis, and Evaluation (40%)
  1. Identify sources of information to support engagement objectives and procedures May include but is not limited to:
    a. Determine suitable methods for obtaining information, including interviews, observations, walk-throughs, and data analyses.
    b. Determine suitable documents for obtaining information, including policies, checklists, risk and control questionnaires, and self-assessment surveys.
  2. Evaluate the relevance, sufficiency, and reliability of evidence gathered to support engagement objectives May include but is not limited to:
    a. Apply suitable criteria in evaluating the quality of evidence.
    b. Recognize factors that impact the reliability of evidence, such as obtaining the evidence directly from an independent source, obtaining corroborated evidence, and gathering evidence from a system with effective governance, risk management, and control processes.
    c. Describe evidence that would allow an informed and competent person to reach the same conclusions as the internal auditor.
  3. Evaluate technology options that internal auditors may use to develop and support engagement findings and conclusions May include but is not limited to:
    a. Recognize efficient and effective solutions, including artificial intelligence, machine learning, robotic process automation, continuous monitoring, dashboards, and embedded audit modules.
  4. Apply appropriate analytical approaches and process mapping techniques May include but is not limited to:
    a. Define process workflow segments.
    b. Analyze process workflows through process mapping, walk-throughs, and responsibility assignment matrices.
    c. Explain data types, including structured and non-structured.
    d. Explain data analytics processes, including defining objectives, obtaining relevant data, normalizing data, analyzing data, and communicating results.
    e. Determine when to use various data analysis methods, such as diagnostic analysis, prescriptive analysis, predictive analysis, anomaly detection, and text analysis.
  5. Apply analytical review techniques May include but is not limited to:
    a. Analyze ratios, variances, trends, financial and nonfinancial information, and benchmarking results.
    b. Determine appropriate analytical techniques to achieve engagement objectives.
  6. Determine whether there is a difference between evaluation criteria and existing conditions and evaluate the significance of each finding May include but is not limited to:
    a. Analyze existing conditions and compare to evaluation criteria.
    b. Identify root causes and potential effects of deviations from evaluation criteria.
    c. Appraise factors to establish the significance of findings.
  7. Prepare workpapers, including relevant information to support conclusions and engagement results May include but is not limited to:
    a. Organize information in workpapers.
    b. Identify elements of workpapers that are complete and include sufficient evidence.
    c. Analyze the link between workpapers and the engagement results.
    d. Determine factors to be considered when organizing and retaining engagement documentation, including regulatory requirements and internal policies.
  8. Summarize and develop engagement conclusions May include but is not limited to:
    a. Determine the significance of aggregated findings by applying professional judgement.
    b. Determine elements to be considered when developing engagement conclusions, such as the effectiveness of governance, risk management, and control processes.
Section C. Engagement Supervision and Communication (10%)
  1. Apply appropriate supervision throughout the engagement May include but is not limited to:
    a. Describe how supervision applies throughout engagements, including during engagement planning.
    b. Describe supervisor responsibilities related to coordinating work assignments.
    c. Describe supervisor responsibilities related to reviewing workpapers and engagement conclusions.
    d. Describe supervisor responsibilities related to evaluating auditors' performance.
  2. Apply appropriate communication with stakeholders throughout the engagement May include but is not limited to:
    a. Determine effective communication methods (formal or informal, written or oral) during planning, fieldwork, and reporting.
    b. Identify situations that require escalation.
    c. Determine appropriate stakeholders for engagement communication.

Part 3 - Internal Audit Function

Section A. Internal Audit Operations (25%)
  1. Describe methodologies for the planning, organizing, directing, and monitoring of internal audit operations May include but is not limited to:
    a. Describe methods for managing external providers of internal audit services.
    b. Describe methods for monitoring internal audit operations.
    c. Describe methods for balancing assurance and advisory engagements.
    d. Identify the conditions that warrant the review and possible revision of internal audit methodologies.
  2. Describe key activities for managing financial, human, and IT resources within the internal audit function May include but is not limited to:
    a. Outline the key steps and considerations of the budgeting process.
    b. Recognize the steps and considerations involved in recruiting resources.
    c. Identify the roles and responsibilities of various internal audit team members.
    d. Describe strategies to train, develop, and retain internal auditors.
    e. Describe the internal audit function’s performance management techniques.
    f. Explain key considerations for technological resources to perform engagements.
    g. Recognize behavioral and management techniques that would enhance the internal audit function, including job design, rewards, work schedules, mentoring, coaching, and constructive feedback.
  3. Describe the key elements required to align internal audit strategy to stakeholder expectations May include but is not limited to:
    a. Describe how internal audit strategy supports the organization’s business strategy and risk management practices.
    b. Explain the purpose of the internal audit function’s mission and vision statements.
    c. Describe how internal audit resource planning is aligned with the internal audit strategy.
    d. Identify the conditions that warrant the review and revision of internal audit strategy.
  4. Recognize the chief audit executive's responsibilities for building relationships and communicating with senior management and the board about various matters May include but is not limited to:
    a. Explain the importance of formal and informal communication with stakeholders.
    b. Describe the protocol for communicating the audit plan and any subsequent changes and how it links to the organization’s overall strategy.
    c. Describe the protocol for communicating independence concerns and significant risk exposures.
    d. Describe the chief audit executive's responsibility to report timely the overall effectiveness of the organization's risk management and control processes and to identify themes based on multiple engagements.
    e. Describe the chief audit executive's responsibility for communicating quality assessment results, performance metrics, and any necessary remediation plans.
Section B. Internal Audit Plan (15%)
  1. Identify sources of potential engagements May include but is not limited to:
    a. Describe the process for defining the audit universe.
    b. Identify key components of the audit universe.
    c. Recognize applicability of Topical Requirements.
    d. Describe the process for considering board and management requests.
    e. Describe the process for identifying applicable laws and regulatory mandates.
    f. Describe the process for identifying relevant market and industry trends, organizational changes, emerging issues, and emerging technologies such as the internet of things, artificial intelligence, blockchain, digital currency and assets, and robotic process automation.
    g. Explain the reasons for audit cycle requirements.
  2. Describe the processes to develop a risk-based audit plan May include but is not limited to:
    a. Describe the risk assessment methodology and risk prioritization.
    b. Describe the process for maintaining the audit plan’s alignment with the organization's strategy, the internal audit strategy, and stakeholder expectations.
    c. Recognize circumstances that may trigger the need to make timely updates to maintain a dynamic audit plan.
  3. Recognize the importance for internal auditors to coordinate with other assurance providers and leverage their work May include but is not limited to:
    a. Identify internal and external assurance providers.
    b. Identify examples of, and methods for, coordinating assurance coverage.
    c. Identify the criteria for evaluating assurance providers to determine the ability to rely on their work.
Section C. Quality of the Internal Audit Function (15%)
  1. Describe the required elements of the quality assurance and improvement program May include but is not limited to:
    a. Recognize the key components of quality assurance.
    b. Recognize the applicability of Topical Requirements.
    c. Explain the purpose of a quality assurance and improvement program.
    d. Recognize the chief audit executive’s responsibility for communicating to the board the results of the quality assurance and improvement program.
    e. Compare the elements of internal and external assessments.
    f. Recognize acceptable qualifications of quality assessors.
    g. Describe key components of ongoing monitoring and periodic self-assessments.
  2. Identify appropriate disclosure of nonconformance with The IIA's Global Internal Audit Standards May include but is not limited to:
    a. Identify the information that must be communicated, such as the circumstances, actions taken, impact, and rationale for nonconformance.
    b. Describe the key steps for communicating nonconformance to senior management and the board.
  3. Recognize practical methods for establishing internal audit key performance indicators or scorecard metrics that the chief audit executive communicates to senior management and the board May include but is not limited to:
    a. Identify the objectives of key performance indicators.
    b. Identify key considerations when establishing performance indicators and the need to establish the target.
    c. Recognize the merit of both qualitative and quantitative performance indicators.
    d. Analyze the internal audit function’s performance measures, including financial, operational, quality, productivity, efficiency, and effectiveness.
Section D. Engagement Results and Monitoring (45%)
  1. Recognize attributes of effective engagement results communication May include but is not limited to:
    a. Define the following terms in the context of final results communication: accurate, objective, clear, concise, constructive, complete, and timely.
    b. Recognize application of these attributes in the communication of engagement results.
    c. Identify effective communication methodologies.
  2. Demonstrate effective communication of engagement results May include but is not limited to:
    a. Describe the key components of audit reports, including objectives, scope, conclusions, recommendations, and action plans.
    b. Recognize when it is acceptable to include “conducted in accordance with the Global Internal Audit Standards” in the final communication of engagement results.
    c. Identify when it is necessary to document scope limitation.
  3. Determine whether to develop recommendations, request action plans from management, or collaborate with management to agree on actions May include but is not limited to:
    a. Recognize the appropriate protocol for internal auditors when there are disagreements with management about engagement findings or action plans.
    b. Recognize the purpose of recommendations and action plans, including cost-benefit considerations.
    c. Determine whether the action plan adequately addresses the root cause of a finding.
  4. Describe the engagement closing communication and reporting process May include but is not limited to:
    a. Describe the purpose and parties involved in the closing communication (exit conference).
    b. Recognize the chief audit executive’s responsibility for distributing the final communication and reporting to stakeholders.
    c. Recognize the various purposes of communicating with different stakeholders, such as management of the activity under review, senior management, the board, the risk management function, external auditors, regulators, and the general public.
    d. Recognize the appropriate protocol for reporting on a finding that management has already resolved.
    e. Describe the chief audit executive’s responsibility and protocol for correcting significant errors and omissions in the final communication.
  5. Describe the chief audit executive's responsibility for assessing residual risk for the engagement May include but is not limited to:
    a. Recognize methodologies to assess the existing controls for design adequacy and effectiveness and determine the level of residual risk.
    b. Describe the purpose of aggregating and prioritizing findings.
    c. Describe the purpose of using a rating scale to reflect the overall assessment of controls for the engagement.
  6. Describe the process for communicating risk acceptance (when management has accepted a level of risk that may be unacceptable to the organization) May include but is not limited to:
    a. Recognize the method for determining whether a risk is unacceptable to the organization.
    b. Recognize the appropriate parties involved in communicating risk acceptance.
    c. Recognize the proper sequence of steps for communicating risk acceptance.
  7. Describe the process for monitoring and confirming the implementation of management action plans May include but is not limited to:
    a. Recognize the internal audit function’s responsibility for follow-up and tracking of management actions.
    b. Distinguish the key steps for monitoring and confirming management action plans.
  8. Describe the escalation process if management has not adequately implemented an action plan May include but is not limited to:
    a. Recognize the appropriate parties involved in the escalation process.
    b. Recognize the proper sequence of steps for the escalation process.
