Certification in Risk Management Assurance® (CRMA®) Exam Syllabus – Updated 2021

The official launch of the enhanced CRMA exam is October 1, 2021, and candidates may begin applying for the updated CRMA program April 1, 2021.

CRMA Beta Test

From May 1, 2021 to June 30, 2021, approved candidates will have an opportunity to sit for the CRMA Beta Test and earn their CRMA for a significantly reduced fee. Learn more about beta testing for the new CRMA.

Updated CRMA Exam

Application Fee
Exam Topics:
  I. Internal audit roles and responsibilities (20%)
  II. Risk management governance (25%)
  III. Risk management assurance (55%)
Seat Time: 150 minutes
Length: 125 questions
Question Types: Variety of question types
Language: English

The CRMA exam is designed to test candidates’ ability to:

  • Provide assurance on core business processes in risk management and governance.
  • Educate management and the audit committee on risk and risk management concepts.
  • Offer quality assurance and control self-assessment.
  • Focus on strategic organizational risks.
  • Add value to their organization as a trusted advisor.

The revised syllabus sets out to achieve this purpose by ensuring that all concepts are assessed at a proficient cognitive level. In other words, the exam does not require candidates to simply memorize or demonstrate basic comprehension of concepts. Instead, it is designed to test candidates’ application of concepts and their ability to analyze and evaluate data, make sound judgments, and formulate conclusions and recommendations.

Updated CRMA Syllabus

Note: Candidates who were approved into the CRMA program (four exam content areas) prior to April 1, 2021 should refer to the former CRMA exam syllabus.

View Updated CRMA Exam Syllabus in printable format.

2021 CRMA Syllabus and Weight

I. Internal Audit Roles and Responsibilities (20%)
  1. Roles and Competencies
    A. Determine appropriate assurance and consulting services for the internal audit activity with regard to risk management.
    B. Determine the knowledge, skills, and competencies required (whether developed or procured) to provide risk management assurance and consulting services.
    C. Evaluate organizational independence of the internal audit activity and report impairments to appropriate parties.
  2. Coordination
    A. Recommend establishing an organizationwide risk management strategy and processes, or contribute to the improvement of the existing strategy and processes.
    B. Coordinate risk assurance efforts and determine whether to rely on the work of other internal and external assurance providers.
    C. Assist the organization with creating or updating an organizationwide risk assurance map to ensure proper risk coverage and minimize duplication of efforts.

II. Risk Management Governance (25%)
  1. Governance, Risk Management, and Control Frameworks
    A. Evaluate the organization's governance structure and application of risk management concepts found in governance frameworks.
    B. Assess the organization's application of concepts and principles found within risk and control frameworks appropriate to the organization.
    C. Assess key elements of the organization's risk governance and risk culture (e.g., risk oversight, risk management, tone at the top, etc.) and the impact of organizational culture on the overall control environment and risk management strategy.
  2. Risk Management Integration
    A. Evaluate management’s commitment to risk management and analyze the integration of risk management into the organization's objectives, strategy setting, performance management, and operational management systems.
    B. Evaluate the organization’s ability to identify and respond to changes and emerging risks that may affect the organization’s achievement of strategy and objectives.
    C. Examine the effectiveness of integrated risk management reporting (e.g., risk, risk response, performance, and culture, etc.) to key stakeholders.

III. Risk Management Assurance (55%)
  1. Risk Management Approach
    A. Evaluate various approaches and processes for assessing risk (e.g., relevant measures, control self-assessment, continuous monitoring, maturity models, etc.).
    B. Select data analytics techniques (e.g., ratio estimation, variance analysis, budget vs. actual, trend analysis, other reasonableness tests, benchmarking, etc.) to support risk management and assurance processes.
  2. Assurance Processes
    A. Evaluate the design and application of management’s risk identification and assessment processes.
    B. Utilize a risk management framework to assess organizationwide risks from various sources (e.g., audit universe, regulatory requirements and changes, management requests, relevant market and industry trends, emerging issues, etc.).
    C. Prioritize audit engagements based on the results of the organizationwide risk assessment to establish a risk-based internal audit plan.
    D. Manage internal audit engagements to ensure audit objectives are achieved, quality is assured, and staff is developed.
    E. Evaluate the effectiveness and efficiency of risk management at all levels (i.e., process level, business unit level, and organizationwide).
    F. Analyze the results of multiple internal audit engagements, the work of other internal and external assurance providers, and management's risk remediation activities to support the internal audit activity’s overall assessment of the organization’s risk management processes.
    G. Assess risk management, project management, and change controls throughout the systems development lifecycle.
    H. Evaluate data privacy, cybersecurity, IT controls, and information security policies and practices.
    I. Evaluate risk management monitoring processes (e.g., risk register, risk database, risk mitigation plans, etc.).
  3. Communication
    A. Manage the audit engagement communication and reporting process (e.g., holding the exit conference, developing the audit report, obtaining management responses, etc.) to deliver engagement results.
    B. Evaluate management responses regarding key organizational risks, and communicate to the board when management has accepted a level of risk that may be unacceptable to the organization.
    C. Formulate and deliver communications on the effectiveness of the organization’s risk management processes at multiple levels and organizationwide.

CRMA Exam Preparation Resources

Visit the CRMA Exam Preparation Resources page for a list of resources and study material.

Exam Nondisclosure

The CRMA exam is a nondisclosed examination, which means that current exam questions and answers will not be published or divulged.

Candidates from the following countries must refer to their local IIA Institute website or contact their local representative for more information about local certification processes:


The information contained on this website pertains to all other countries.