CIA Exam Outline

The Certified Internal Auditor (CIA) exam tests a candidate's knowledge of current internal auditing practices and understanding of internal audit issues, risks and remedies. The CIA exam syllabus is changing, effective January 1, 2019. You can view the new syllabus here.


Part 1: 125 questions | 2.5 Hours (150 minutes)

The CIA exam Part 1 topics tested include aspects of mandatory guidance from the IPPF; internal control and risk concepts; as well as tools and techniques for conducting internal audit engagements. Note: All items in this section of the syllabus will be tested at the Proficiency knowledge level unless otherwise indicated below.

I. Mandatory Guidance (35-45%)

A. Definition of Internal Auditing

B. Code of Ethics

C. International Standards

II. Internal Control / Risk (25-35%) – Awareness Level (A)

A. Types of Controls (e.g., preventive, detective, input, output, etc.)

B. Management Control Techniques

C. Internal Control Framework Characteristics and Use (e.g., COSO, Cadbury)

D. Alternative Control Frameworks

E. Risk Vocabulary and Concepts

F. Fraud Risk Awareness

III. Conducting Internal Audit Engagements – Audit Tools and Techniques (25-35%)

A. Data Gathering (Collect and analyze data on proposed engagements)

B. Data Analysis and Interpretation

C. Data Reporting

D. Documentation / Work Papers

E. Process Mapping, Including Flowcharting

F. Evaluate Relevance, Sufficiency, and Competence of Evidence


Part 2: 100 questions | 2.0 Hours (120 minutes)

The CIA exam Part 2 topics tested include managing the internal audit function via the strategic and operational role of internal audit and establishing a risk-based plan; the steps to manage individual engagements (planning, supervision, communicating results, and monitoring outcomes); as well as fraud risks and controls. Note: All items in this section of the syllabus will be tested at the Proficiency knowledge level unless otherwise indicated below.

I. Managing the Internal Audit Function (40-50%)

A. Strategic Role of Internal Audit

B. Operational Role of IA

C. Establish Risk-Based IA Plan

II. Managing Individual Engagements (40-50%)

A. Plan Engagements

B. Supervise Engagement

C. Communicate Engagement Results

D. Monitor Engagement Outcomes

III. Fraud Risks and Controls (5-15%)

A. Consider the potential for fraud risks and identify common types of fraud associated with the engagement area during the engagement planning process

B. Determine if fraud risks require special consideration when conducting an engagement

C. Determine if any suspected fraud merits investigation

D. Complete a process review to improve controls to prevent fraud and recommend changes

E. Employ audit tests to detect fraud

F. Support a culture of fraud awareness, and encourage the reporting of improprieties

G. Interrogation/investigative techniques – Awareness Level (A)

H. Forensic auditing – Awareness Level (A)


Part 3: 100 questions | 2.0 Hours (120 minutes)

The CIA exam Part 3 topics tested include governance and business ethics; risk management; organizational structure, including business processes and risks; communication; management and leadership principles; information technology and business continuity; financial management; and the global business environment. Note: All items in this section of the syllabus will be tested at the Awareness knowledge level unless otherwise indicated below.

I. Governance / Business Ethics (5-15%)

A. Corporate/Organizational Governance Principles – Proficiency Level (P)

B. Environmental and Social Safeguards

C. Corporate Social Responsibility

II. Risk Management (10-20%) – Proficiency Level (P)

A. Risk Management Techniques

B. Organizational Use of Risk Frameworks (e.g. COSO and ISO 31000 Risk Management)

III. Organizational Structure/Business Processes and Risks (15-25%)

A. Risk/Control Implications of Different Organizational Structures

B. Structure (e.g., centralized/decentralized)

C. Typical Schemes in Various Business Cycles (e.g., procurement, sales, knowledge, supply-chain management)

D. Business Process Analysis (e.g., workflow analysis and bottleneck management, theory of constraints)

E. Inventory Management Techniques and Concepts

F. Electronic Funds Transfer (EFT)/Electronic Data Interchange (EDI)/E-commerce

G. Business Development Life Cycles

H. The International Organization for Standardization (ISO) Framework

I. Outsourcing Business Processes

IV. Communication (5-10%)

A. Communication (e.g., the process, organizational dynamics, impact of computerization)

B. Stakeholder Relationships

V. Management / Leadership Principles (10-20%)

A. Strategic Management

B. Organizational Behavior

C. Management Skills/Leadership Styles

D. Conflict Management

E. Project Management / Change Management

VI. IT / Business Continuity (15-25%)

A. Security

B. Application Development

C. System Infrastructure

VII. Financial Management (10-20%)

A. Financial Accounting and Finance

B. Managerial Accounting

VIII. Global Business Environment (0-10%)

A. Economic / Financial Environments

B. Cultural / Political Environments

C. Legal and Economics – General Concepts (e.g., contracts)

D. Impact of Government Legislation and Regulation on Business (e.g., trade legislation)