Certified Internal Auditor® (CIA®) Exam Syllabus: Part 1

The Internal Audit Activity’s Role in Governance, Risk, and Control

Topics tested include aspects of The IIA’s International Professional Practices Framework (IPPF), responsibilities of the internal audit activity, independence and objectivity, governance concepts, risk identification and management, management controls, and audit planning.

(P) = Candidates must exhibit proficiency (thorough understanding and ability to apply concepts) in these topic areas.

(A) = Candidates must exhibit awareness (knowledge of terminology and fundamentals) in these topic areas.

A. Comply with The IIA's Attribute Standards (15-25%) (P)

  1. Define purpose, authority, and responsibility of the internal audit activity
    1. Determine if the purpose, authority, and responsibility of the internal audit activity are clearly documented and approved
    2. Determine if the purpose, authority, and responsibility of the internal audit activity are communicated to the engagement clients
    3. Demonstrate an understanding of the purpose, authority, and responsibility of the internal audit activity
  2. Maintain independence and objectivity
    1. Foster independence
      1. Understand organizational independence
      2. Recognize the importance of organizational independence
      3. Determine if the internal audit activity is properly aligned to achieve organizational independence
    2. Foster objectivity
      1. Establish policies to promote objectivity
      2. Assess individual objectivity
      3. Maintain individual objectivity
      4. Recognize and mitigate impairments to independence and objectivity
  3. Determine if the required knowledge, skills, and competencies are available
    1. Understand the knowledge, skills, and competencies that an internal auditor needs to possess
    2. Identify the knowledge, skills, and competencies required to fulfill the responsibilities of the internal audit activity
  4. Develop and/or procure necessary knowledge, skills and competencies collectively required by the internal audit activity
  5. Exercise due professional care
  6. Promote continuing professional development
    1. Develop and implement a plan for continuing professional development for internal audit staff
    2. Enhance individual competency through continuing professional development
  7. Promote quality assurance and improvement of the internal audit activity
    1. Establish and maintain a quality assurance and improvement program
    2. Monitor the effectiveness of the quality assurance and improvement program
    3. Report the results of the quality assurance and improvement program to the board or other governing body
    4. Conduct quality assurance procedures and recommend improvements to the performance of the internal audit activity
  8. Abide by and promote compliance with The IIA Code of Ethics

B. Establish a Risk-based Plan to Determine the Priorities of the Internal Audit Activity (15-25%) (P)

  1. Establish a framework for assessing risk
  2. Use the framework to:
    1. Identify sources of potential engagements (e.g., audit universe, management request, regulatory mandate)
    2. Assess organization-wide risk
    3. Solicit potential engagement topics from various sources
    4. Collect and analyze data on proposed engagements
    5. Rank and validate risk priorities
  3. Identify internal audit resource requirements
  4. Coordinate the internal audit activity's efforts with:
    1. External auditor
    2. Regulatory oversight bodies
    3. Other internal assurance functions (e.g., health and safety department)
  5. Select engagements
    1. Participate in the engagement selection process
    2. Select engagements
    3. Communicate and obtain approval of the engagement plan from board

C. Understand the Internal Audit Activity's Role in Organizational Governance (10-20%) (P)

  1. Obtain board's approval of audit charter
  2. Communicate plan of engagements
  3. Report significant audit issues
  4. Communicate key performance indicators to board on a regular basis
  5. Discuss areas of significant risk
  6. Support board in enterprise-wide risk assessment
  7. Review positioning of the internal audit function within the risk management framework within the organization
  8. Monitor compliance with the corporate code of conduct/business practices
  9. Report on the effectiveness of the control framework
  10. Assist board in assessing the independence of the external auditor
  11. Assess ethical climate of the board
  12. Assess ethical climate of the organization
  13. Assess compliance with policies in specific areas (e.g., derivatives)
  14. Assess organization's reporting mechanism to the board
  15. Conduct follow-up and report on management response to regulatory body reviews
  16. Conduct follow-up and report on management response to external audit
  17. Assess the adequacy of the performance measurement system, achievement of corporate objective
  18. Support a culture of fraud awareness and encourage the reporting of improprieties

D. Perform Other Internal Audit Roles and Responsibilities (0-10%) (P)

  1. Ethics/Compliance
    1. Investigate and recommend resolution for ethics/compliance complaints
    2. Determine disposition of ethics violations
    3. Foster healthy ethical climate
    4. Maintain and administer business conduct policy (e.g., conflict of interest)
    5. Report on compliance
  2. Risk Management
    1. Develop and implement an organization-wide risk and control framework
    2. Coordinate enterprise-wide risk assessment
    3. Report corporate risk assessment to board
    4. Review business continuity planning process
  3. Privacy
    1. Determine privacy vulnerabilities
    2. Report on compliance
  4. Information or physical security
    1. Determine security vulnerabilities
    2. Determine disposition of security violations
    3. Report on compliance

E. Governance, Risk, and Control Knowledge Elements (15-25%)

  1. Corporate governance principles (A)
  2. Alternative control frameworks (A)
  3. Risk vocabulary and concepts (P)
  4. Risk management techniques (P)
  5. Risk/control implications of different organizational structures (P)
  6. Risk/control implications of different leadership styles (A)
  7. Change management (A)
  8. Conflict management (A)
  9. Management control techniques (P)
  10. Types of control (e.g., preventive, detective, input, output) (P)

F. Plan Engagements (15-25%) (P)

  1. Initiate preliminary communication with engagement client
  2. Conduct a preliminary survey of the area of engagement
    1. Obtain input from engagement client
    2. Perform analytical reviews
    3. Perform benchmarking
    4. Conduct interviews
    5. Review prior audit reports and other relevant documentation
    6. Map processes
    7. Develop checklists
  3. Complete a detailed risk assessment of the area (prioritize or evaluate risk/control factors)
  4. Coordinate audit engagement efforts with:
    1. External auditor
    2. Regulatory oversight bodies
  5. Establish/refine engagement objectives and identify/finalize the scope of engagement
  6. Identify or develop criteria for assurance engagements (criteria against which to audit)
  7. Consider the potential for fraud when planning an engagement
    1. Be knowledgeable of the risk factors and red flags of fraud
    2. Identify common types of fraud associated with the engagement area
    3. Determine if risk of fraud requires special consideration when conducting an engagement
  8. Determine engagement procedures
  9. Determine the level of staff and resources needed for the engagement
  10. Establish adequate planning and supervision of the engagement
  11. Prepare engagement work program

Candidates from the following countries must refer to their local IIA Institute website or contact their local representative for more information about local certification processes:


The information contained on this website pertains to all other countries.
