Skip Ribbon Commands
Skip to main content
The Institute of Internal Auditors North AmericaBreadcrumb SeparatorCertificationBreadcrumb SeparatorCIA CertificationBreadcrumb SeparatorCIA Exam Syllabus, Part 2

​2019 CIA Exam Syllabus, Part 2 – Practice of Internal Auditing

100 questions l 2.0 Hours (120 minutes)

The CIA exam Part 2 includes four domains focused on managing the internal audit activity, planning the engagement, performing the engagement, and communicating engagement results and monitoring progress. Part 2 tests candidates’ knowledge, skills, and abilities particularly related to Performance Standards (series 2000, 2200, 2300, 2400, 2500, and 2600) and current internal audit practices.​

Domains
  •   I. Managing the Internal Audit Activity (20%)​
    Cognitive Level
    ​​1. Internal Audit Operations
    A​ ​​​Describe policies and procedures for the planning, organizing, directing, and monitoring of internal audit operations Basic
    ​B ​Interpret administrative activities (budgeting, resourcing, recruiting, staffing, etc.) of the internal audit activity Basic
    2. Establishing a Risk-based Internal Audit Plan
    A ​Identify sources of potential engagements (audit universe, audit cycle requirements, management requests, regulatory mandates, relevant market and industry trends, emerging issues, etc.) Basic​
    ​B ​Identify a risk management framework to assess risks and prioritize audit engagements based on the results of a risk assessment Basic
    ​C ​Interpret the types of assurance engagements (risk and control assessments, audits of third parties and contract compliance, security and privacy, performance and quality audits, key performance indicators, operational audits, financial and regulatory compliance audits) ​Proficient
    ​D ​Interpret the types of consulting engagements (training, system design, system development, due diligence, privacy, benchmarking, internal control assessment, process mapping, etc.) designed to provide advice and insight Proficient
    ​E ​Describe coordination of internal audit efforts with the external auditor, regulatory oversight bodies, and other internal assurance functions, and potential reliance on other assurance providers Basic
    3. Communicating and Reporting to Senior Management and the Board
    ​A ​Recognize that the chief audit executive communicates the annual audit plan to senior management and the board and seeks the board's approval ​Basic
    ​B ​Identify significant risk exposures and control and governance issues for the chief audit executive to report to the board ​Basic
    ​C Recognize that the chief audit executive reports on the overall effectiveness of the organization's internal control and risk management processes to senior management and the board​ ​Basic
    ​D ​Recognize internal audit key performance indicators that the chief audit executive communicates to senior management and the board periodically Basic
  •   II. Planning the Engagement (20%)​
    Cognitive Level
    ​​1. Engagement Planning
    A​ ​​​Determine engagement objectives, evaluation criteria, and the scope of the engagement Proficient
    ​B ​Plan the engagement to assure identification of key risks and controls Proficient
    C​ ​Complete a detailed risk assessment of each audit area, including evaluating and prioritizing risk and control factors ​Proficient
    D​ ​Determine engagement procedures and prepare the engagement work program ​Proficient
    ​E ​Determine the level of staff and resources needed for the engagement ​Proficient
  •   III. Performing the Engagement (40%)
    Cognitive Level
    ​​1. Information Gathering
    A​ Gather and examine relevant information (review previous audit reports and data, conduct walk-throughs and interviews, perform observations, etc.) as part of a preliminary survey of the engagement area Proficient
    ​B Develop checklists and risk-and-control questionnaires as part of a preliminary survey of the engagement area Proficient
    C​ ​Apply appropriate sampling (nonstatistical, judgmental, discovery, etc.) and statistical analysis techniques ​Proficient
    2. Analysis and Evaluation
    A Use computerized audit tools and techniques (data mining and extraction, continuous monitoring, automated workpapers, embedded audit modules, etc.) Proficient
    ​B Evaluate the relevance, sufficiency, and reliability of potential sources of evidence Proficient
    ​C Apply appropriate analytical approaches and process mapping techniques (process identification, workflow analysis, process map generation and analysis, spaghetti maps, RACI diagrams, etc.) ​Proficient
    ​D Determine and apply analytical review techniques (ratio estimation, variance analysis, budget vs. actual, trend analysis, other reasonableness tests, benchmarking, etc.) Basic
    ​E Prepare workpapers and documentation of relevant information to support conclusions and engagement results Proficient
    ​F ​Summarize and develop engagement conclusions, including assessment of risks and controls Proficient
    3. Engagement Supervision
    ​A Identify key activities in supervising engagements (coordinate work assignments, review workpapers, evaluate auditors' performance, etc.) ​Basic
  •   IV. Communicating Engagement Results and Monitoring Progress (20%)
    Cognitive Level
    ​​1. Communicating Engagement Results and the Acceptance of Risk
    A​ Arrange preliminary communication with engagement clients Proficient
    ​B Demonstrate communication quality (accurate, objective, clear, concise, constructive, complete, and timely) and elements (objectives, scope, conclusions, recommendations, and action plan) Proficient
    ​C ​Prepare interim reporting on the engagement progress Proficient
    ​D ​​Formulate recommendations to enhance and protect organizational value Proficient
    ​E ​​Describe the audit engagement communication and reporting process, including holding the exit conference, developing the audit report (draft, review, approve, and distribute), and obtaining management's response Basic
    ​F ​​Describe the chief audit executive's responsibility for assessing residual risk Basic
    ​G ​​Describe the process for communicating risk acceptance (when management has accepted a level of risk that may be unacceptable to the organization) Basic
    2. Monitoring Progress
    A ​Assess engagement outcomes, including the management action plan Proficient
    ​B ​Manage monitoring and follow-up of the disposition of audit engagement results communicated to management and the board Proficient

Additional noteworthy elements related to the revised CIA Part Two exam syllabus:

  • The syllabus features greater alignment with The IIA’s Performance Standards.
  • The exam covers the chief audit executive’s responsibility for assessing residual risk and communicating risk acceptance.
  • The largest domain is “Performing the Engagement,” which makes up 40% of the exam.
  • A portion of the exam requires candidates to demonstrate a basic comprehension of concepts; another portion requires candidates to demonstrate proficiency in their knowledge, skills, and abilities.

CIA Part 2 Reference List

  • IPPF – Mission, Definition of Internal Auditing, Core Principles, Code of Ethics, Standards, Implementation Guides, and Practice Guides (including GTAGs), by The IIA
  • Internal Auditing Assurance and Advisory Services, by Urton Anderson, Michael Head, and Sridhar Ramamoorti
  • Sawyer's Guide for Internal Auditors, by Larry Sawyer
  • Position Paper “The Role of Internal Auditing in Resourcing the Internal Audit Activity,” by The IIA
  • Current textbooks on internal auditing and relevant topics

Candidates from the following countries must refer to their local IIA Institute web-site or contact their local representative for more information about local certification processes:


The information contained on this website pertains to all other countries.