
Certified Internal Auditor® (CIA®) Exam

Syllabus
The Certified Internal Auditor (CIA) exam tests a candidate's knowledge of current internal
auditing practices and understanding of internal audit issues, risks and remedies. The exam is
offered in four parts, each part consisting of 90 multiple-choice questions. The testing period is
two hours and twenty-five minutes.

Parts 1, 2, and 3 are considered the core global syllabus of the CIA exam — offering a strong
focus on corporate governance and risk issues and exhibiting alignment with The IIA's
International Professional Practices Framework (IPPF). Part 4 of the CIA exam is designed to be
modified for regional and audit specialization testing. Hence, The IIA offers Professional
Recognition Credit for Part 4 (PRC4) for qualified professional certifications.

Exam Non-disclosure
The CIA exam is a non-disclosed examination, which means that current exam questions and
answers will not be published or divulged.

NOTE: Exam topics and/or format are subject to change as approved by The IIA's Professional
Certification Board (PCB).

Syllabus
The CIA exam tests your knowledge of current internal auditing practices, risks and controls, and
much more. Just the process of preparing for the exam will enhance your professional insight and
strengthen your grasp of The IIA’s International Standards for the Professional Practice of
Internal Auditing (Standards).

The CIA exam is offered in four parts, each consisting of 90 multiple-choice questions.

Part 1: The Internal Audit Activity’s Role in Governance, Risk, and Control

CIA exam Part 1 topics tested include aspects of the IPPF, responsibilities of the internal audit
activity, independence and objectivity, governance concepts, risk identification and management,
management controls, and audit planning.

Part 2: Conducting the Internal Audit Engagement

CIA exam Part 2 topics tested include steps for conducting audit engagements, types of
engagements (such as technology, financial, or operational), fraud elements, audit engagement
tools, audit documentation and reporting, and follow-up procedures.

Part 3: Business Analysis and Information Technology

CIA exam Part 3 topics tested include business process analysis, quality management, balanced
scorecard, financial accounting, managerial accounting, regulatory and economic impacts on
business, and information technology concepts.

Part 4: Business Management Skills*

CIA exam Part 4 topics tested include strategic decision-making, competitive analysis and
strategies, product and industry life cycles, managing in a global business environment,
organizational behavior, team building, negotiation, and leadership skills.

*Candidates with certain approved certifications may apply for Professional Recognition Credit
for Part 4 of the CIA exam, based on their area of specialization, rather than testing on the
general business concepts in Part 4. No other parts may be waived.

Syllabus — Part 1: The Internal Audit Activity’s Role in Governance, Risk, and Control

Topics tested include aspects of The IIA’s International Professional Practices Framework (IPPF), responsibilities of the internal audit activity, independence and objectivity, governance concepts, risk identification and management, management controls, and audit planning.

(P) = Candidates must exhibit proficiency (thorough understanding and ability to apply concepts)
in these topic areas.

(A) = Candidates must exhibit awareness (knowledge of terminology and fundamentals) in these
topic areas.

A. Comply with the IIA's Attribute Standards (15-25%) (P)

1. Define purpose, authority, and responsibility of the internal audit activity
   1. Determine if the purpose, authority, and responsibility of the internal audit activity are clearly documented and approved
   2. Determine if the purpose, authority, and responsibility of the internal audit activity are communicated to the engagement clients
   3. Demonstrate an understanding of the purpose, authority, and responsibility of the internal audit activity
2. Maintain independence and objectivity
   1. Foster independence
      1. Understand organizational independence
      2. Recognize the importance of organizational independence
      3. Determine if the internal audit activity is properly aligned to achieve organizational independence
   2. Foster objectivity
      1. Establish policies to promote objectivity
      2. Assess individual objectivity
      3. Maintain individual objectivity
      4. Recognize and mitigate impairments to independence and objectivity
3. Determine if the required knowledge, skills, and competencies are available
   1. Understand the knowledge, skills, and competencies that an internal auditor needs to possess
   2. Identify the knowledge, skills, and competencies required to fulfill the responsibilities of the internal audit activity
4. Develop and/or procure necessary knowledge, skills and competencies collectively required by the internal audit activity
5. Exercise due professional care
6. Promote continuing professional development
   1. Develop and implement a plan for continuing professional development for internal audit staff
   2. Enhance individual competency through continuing professional development
7. Promote quality assurance and improvement of the internal audit activity
   a. Establish and maintain a quality assurance and improvement program
   b. Monitor the effectiveness of the quality assurance and improvement program
   c. Report the results of the quality assurance and improvement program to the board or other governing body
   d. Conduct quality assurance procedures and recommend improvements to the performance of the internal audit activity
8. Abide by and promote compliance with The IIA Code of Ethics

B. Establish a Risk-based Plan to Determine the Priorities of the Internal Audit Activity (15-25%) (P)

1. Establish a framework for assessing risk
2. Use the framework to:
   1. Identify sources of potential engagements (e.g., audit universe, management request, regulatory mandate)
   2. Assess organization-wide risk
   3. Solicit potential engagement topics from various sources
   4. Collect and analyze data on proposed engagements
   5. Rank and validate risk priorities
3. Identify internal audit resource requirements
4. Coordinate the internal audit activity's efforts with:
   1. External auditor
   2. Regulatory oversight bodies
   3. Other internal assurance functions (e.g., health and safety department)
5. Select engagements
   1. Participate in the engagement selection process
   2. Select engagements
   3. Communicate and obtain approval of the engagement plan from board

C. Understand the Internal Audit Activity's Role in Organizational Governance (10-20%) (P)

1. Obtain board's approval of audit charter
2. Communicate plan of engagements
3. Report significant audit issues
4. Communicate key performance indicators to board on a regular basis
5. Discuss areas of significant risk
6. Support board in enterprise-wide risk assessment
7. Review positioning of the internal audit function within the risk management framework within the organization
8. Monitor compliance with the corporate code of conduct/business practices
9. Report on the effectiveness of the control framework
10. Assist board in assessing the independence of the external auditor
11. Assess ethical climate of the board
12. Assess ethical climate of the organization
13. Assess compliance with policies in specific areas (e.g., derivatives)
14. Assess organization's reporting mechanism to the board
15. Conduct follow-up and report on management response to regulatory body reviews
16. Conduct follow-up and report on management response to external audit
17. Assess the adequacy of the performance measurement system, achievement of corporate objectives
18. Support a culture of fraud awareness and encourage the reporting of improprieties

D. Perform Other Internal Audit Roles and Responsibilities (0-10%) (P)

1. Ethics/Compliance
   1. Investigate and recommend resolution for ethics/compliance complaints
   2. Determine disposition of ethics violations
   3. Foster healthy ethical climate
   4. Maintain and administer business conduct policy (e.g., conflict of interest)
   5. Report on compliance
2. Risk Management
   1. Develop and implement an organization-wide risk and control framework
   2. Coordinate enterprise-wide risk assessment
   3. Report corporate risk assessment to board
   4. Review business continuity planning process
3. Privacy
   1. Determine privacy vulnerabilities
   2. Report on compliance
4. Information or physical security
   1. Determine security vulnerabilities
   2. Determine disposition of security violations
   3. Report on compliance

E. Governance, Risk, and Control Knowledge Elements (15-25%)

1. Corporate governance principles (A)
2. Alternative control frameworks (A)
3. Risk vocabulary and concepts (P)
4. Risk management techniques (P)
5. Risk/control implications of different organizational structures (P)
6. Risk/control implications of different leadership styles (A)
7. Change management (A)
8. Conflict management (A)
9. Management control techniques (P)
10. Types of control (e.g., preventive, detective, input, output) (P)

F. Plan Engagements (15-25%) (P)

1. Initiate preliminary communication with engagement client
2. Conduct a preliminary survey of the area of engagement
   1. Obtain input from engagement client
   2. Perform analytical reviews
   3. Perform benchmarking
   4. Conduct interviews
   5. Review prior audit reports and other relevant documentation
   6. Map processes
   7. Develop checklists
3. Complete a detailed risk assessment of the area (prioritize or evaluate risk/control factors)
4. Coordinate audit engagement efforts with:
   1. External auditor
   2. Regulatory oversight bodies
5. Establish/refine engagement objectives and identify/finalize the scope of engagement
6. Identify or develop criteria for assurance engagements (criteria against which to audit)
7. Consider the potential for fraud when planning an engagement
   1. Be knowledgeable of the risk factors and red flags of fraud
   2. Identify common types of fraud associated with the engagement area
   3. Determine if risk of fraud requires special consideration when conducting an engagement
8. Determine engagement procedures
9. Determine the level of staff and resources needed for the engagement
10. Establish adequate planning and supervision of the engagement
11. Prepare engagement work program

Syllabus — Part 2: Conducting the Internal Audit Engagement

Topics tested include steps for conducting audit engagements, types of engagements (such as technology, financial, or operational), fraud elements, audit engagement tools, audit documentation and reporting, and follow-up procedures.

(P) = Candidates must exhibit proficiency (thorough understanding and ability to apply concepts) in these topic areas.

(A) = Candidates must exhibit awareness (knowledge of terminology and fundamentals) in these topic areas.

A. Conduct Engagements (25-35%) (P)

1. Research and apply appropriate standards:
   1. IIA International Professional Practices Framework (Code of Ethics, Standards, Practice Advisories)
   2. Other professional, legal, and regulatory standards
2. Maintain an awareness of the potential for fraud when conducting an engagement
   1. Notice indicators or symptoms of fraud
   2. Design appropriate engagement steps to address significant risk of fraud
   3. Employ audit tests to detect fraud
   4. Determine if any suspected fraud merits investigation
3. Collect data
4. Evaluate the relevance, sufficiency, and competence of evidence
5. Analyze and interpret data
6. Develop work papers
7. Review work papers
8. Communicate interim progress
9. Draw conclusions
10. Develop recommendations when appropriate
11. Report engagement results
   1. Conduct exit conference
   2. Prepare report or other communication
   3. Approve engagement report
   4. Determine distribution of report
   5. Obtain management response to report
12. Conduct client satisfaction survey
13. Complete performance appraisals of engagement staff

B. Conduct Specific Engagements (25-35%) (P)

1. Conduct assurance engagements
   1. Fraud investigation
      1. Determine appropriate parties to be involved with the investigation
      2. Establish facts and extent of fraud (e.g., interviews, interrogations, and data analysis)
      3. Report outcomes to appropriate parties
      4. Complete a process review to improve controls to prevent fraud and recommend changes
   2. Risk and control self-assessment
      1. Facilitated approach
         1. Client-facilitated
         2. Audit-facilitated
      2. Questionnaire approach
      3. Self-certification approach
   3. Audits of third parties and contract auditing
   4. Quality audit engagements
   5. Due diligence audit engagements
   6. Security audit engagements
   7. Privacy audit engagements
   8. Performance (key performance indicators) audit engagements
   9. Operational (efficiency and effectiveness) audit engagements
   10. Financial audit engagements
   11. Information technology (IT) audit engagements
      1. Operating systems
         1. Mainframe
         2. Workstations
         3. Server
      2. Application development
         1. Application authentication
         2. Systems development methodology
         3. Change control
         4. End user computing
      3. Data and network communications/connections (e.g., LAN, VAN, and WAN)
      4. Voice communications
      5. System security (e.g., firewalls, access control)
      6. Contingency planning
      7. Databases
      8. Functional areas of IT operations (e.g., data center operations)
      9. Web infrastructure
      10. Software licensing
      11. Electronic funds transfer (EFT)/Electronic data interchange (EDI)
      12. e-Commerce
      13. Information protection (e.g., viruses, privacy)
      14. Encryption
      15. Enterprise-wide resource planning (ERP) software (e.g., SAP R/3)
   12. Compliance audit engagements
2. Conduct consulting engagements
   1. Internal control training
   2. Business process review
   3. Benchmarking
   4. Information technology (IT) and systems development
   5. Design of performance measurement systems

C. Monitor Engagement Outcomes (5-15%) (P)

1. Determine appropriate follow-up activity by the internal audit activity
2. Identify appropriate method to monitor engagement outcomes
3. Conduct follow-up activity
4. Communicate monitoring plan and results

D. Fraud Knowledge Elements (5-15%)

1. Discovery sampling (A)
2. Interrogation techniques (A)
3. Forensic auditing (A)
4. Use of computers in analyzing data (P)
5. Red flags (P)
6. Types of fraud (P)

E. Engagement Tools (15-25%)

1. Sampling (A)
   1. Nonstatistical (judgmental)
   2. Statistical
2. Statistical analyses (process control techniques) (A)
3. Data gathering tools (P)
   1. Interviewing
   2. Questionnaires
   3. Checklists
4. Analytical review techniques (P)
   1. Ratio estimation
   2. Variance analysis (e.g., budget vs. actual)
   3. Other reasonableness tests
5. Observation (P)
6. Problem solving (P)
7. Risk and control self-assessment (CSA) (A)
8. Computerized audit tools and techniques (P)
   1. Embedded audit modules
   2. Data extraction techniques
   3. Generalized audit software (e.g., ACL, IDEA)
   4. Spreadsheet analysis
   5. Automated work papers (e.g., Lotus Notes, Auditor Assistant)
9. Process mapping including flowcharting (P)

Syllabus — Part 3: Business Analysis and Information Technology

Topics tested include business process analysis, quality management, balanced scorecard, financial accounting, managerial accounting, regulatory and economic impacts on business, and information technology concepts.

(P) = Candidates must exhibit proficiency (thorough understanding and ability to apply concepts)
in these topic areas.

(A) = Candidates must exhibit awareness (knowledge of terminology and fundamentals) in these
topic areas.

A. Business Processes (15-25%)

1. Quality management (e.g., TQM) (A)
2. The International Organization for Standardization (ISO) framework (A)
3. Forecasting (A)
4. Project management techniques (P)
5. Business process analysis (e.g., workflow analysis and bottleneck management, theory of constraints) (P)
6. Inventory management techniques and concepts (P)
7. Marketing - pricing objectives and policies (A)
8. Marketing - supply chain management (A)
9. Human Resources (individual performance management and measurement; supervision; environmental factors that affect performance; facilitation techniques; personnel sourcing/staffing; training and development; safety) (P)
10. Balanced scorecard (A)

B. Financial Accounting and Finance (15-25%)

1. Basic concepts and underlying principles of financial accounting (e.g., statements, terminology, relationships) (P)
2. Intermediate concepts of financial accounting (e.g., bonds, leases, pensions, intangible assets, R&D) (A)
3. Advanced concepts of financial accounting (e.g., consolidation, partnerships, foreign currency transactions) (A)
4. Financial statement analysis (P)
5. Cost of capital evaluation (A)
6. Types of debt and equity (A)
7. Financial instruments (e.g., derivatives) (A)
8. Cash management (treasury functions) (A)
9. Valuation models (A)
   1. Inventory valuation
   2. Business valuation
10. Business development life cycles (A)

C. Managerial Accounting (10-20%)

1. Cost concepts (e.g., absorption, variable, fixed) (P)
2. Capital budgeting (A)
3. Operating budget (P)
4. Transfer pricing (A)
5. Cost-volume-profit analysis (A)
6. Relevant cost (A)
7. Costing systems (e.g., activity-based, standard) (A)
8. Responsibility accounting (A)

D. Regulatory, Legal, and Economics (5-15%) (A)

1. Impact of government legislation and regulation on business
2. Trade legislation and regulations
3. Taxation schemes
4. Contracts
5. Nature and rules of legal evidence
6. Key economic indicators

E. Information Technology - IT (30-40%) (A)

1. Control frameworks (e.g., COBIT)
2. Data and network communications/connections (e.g., LAN, VAN, and WAN)
3. Electronic funds transfer (EFT)
4. e-Commerce
5. Electronic data interchange (EDI)
6. Functional areas of IT operations (e.g., data center operations)
7. Encryption
8. Information protection (e.g., viruses, privacy)
9. Evaluate investment in IT (cost of ownership)
10. Enterprise-wide resource planning (ERP) software (e.g., SAP R/3)
11. Operating systems
12. Application development
13. Voice communications
14. Contingency planning
15. Systems security (e.g., firewalls, access control)
16. Databases
17. Software licensing
18. Web infrastructure

Syllabus — Part 4: Business Management Skills*

Topics tested include strategic decision-making, competitive analysis and strategies, product and industry life cycles, managing in a global business environment, organizational behavior, team building, negotiation, and leadership skills.

*Candidates with certain approved certifications may apply for Professional Recognition Credit
(PRC4) for Part 4 of the CIA exam, based on their area of specialization, rather than testing on
the general business concepts in Part 4. No other parts may be waived.

(P) = Candidates must exhibit proficiency (thorough understanding and ability to apply concepts)
in these topic areas.

(A) = Candidates must exhibit awareness (knowledge of terminology and fundamentals) in these
topic areas.

A. Strategic Management (20-30%) (A)

1. Global analytical techniques
   1. Structural analysis of industries
   2. Competitive strategies (e.g., Porter's model)
   3. Competitive analysis
   4. Market signals
   5. Industry evolution
2. Industry environments
   1. Competitive strategies related to:
      1. Fragmented industries
      2. Emerging industries
      3. Declining industries
   2. Competition in global industries
      1. Sources/impediments
      2. Evolution of global markets
      3. Strategic alternatives
      4. Trends affecting competition
3. Strategic decisions
   1. Analysis of integration strategies
   2. Capacity expansion
   3. Entry into new businesses
4. Portfolio techniques of competitive analysis
5. Product life cycles

B. Global Business Environments (15-25%) (A)

1. Cultural/legal/political environments
   1. Balancing global requirements and local imperatives
   2. Global mindsets (personal characteristics/competencies)
   3. Sources and methods for managing complexities and contradictions
   4. Managing multicultural teams
2. Economic/financial environments
   1. Global, multinational, international, and multilocal compared and contrasted
   2. Requirements for entering the global market place
   3. Creating organizational adaptability
   4. Managing training and development

C. Organizational Behavior (15-25%) (A)

1. Motivation
   1. Relevance and implication of various theories
   2. Impact of job design, rewards, work schedules, etc.
2. Communication
   1. The process
   2. Organizational dynamics
   3. Impact of computerization
3. Performance
   1. Productivity
   2. Effectiveness
4. Structure
   1. Centralized/decentralized
   2. Departmentalization
   3. New configurations (e.g., hourglass, cluster, network)

D. Management Skills (20-30%) (A)

1. Group dynamics
   1. Traits (e.g., cohesiveness, roles, norms, groupthink)
   2. Stages of group development
   3. Organizational politics
   4. Criteria and determinants of effectiveness
2. Team building
   1. Methods used in team building
   2. Assessing team performance
3. Leadership skills
   1. Theories compared and contrasted
   2. Leadership grid (topology of leadership styles)
   3. Mentoring
4. Personal time management

E. Negotiating (5-15%) (A)

1. Conflict resolution
   1. Competitive/cooperative
   2. Compromise, forcing, smoothing, etc.
2. Added-value negotiating
   1. Description
   2. Specific steps

Certified Internal Auditor® (CIA®) Sample Exam Questions

Part 1 Sample Exam Questions

1. According to the International Professional Practices Framework, the independence of the internal audit activity is achieved through:
   A. Staffing and supervision.
   B. Continuing professional development and due professional care.
   C. Human relations and communications.
   D. Organizational status and objectivity.

2. Two internal auditors who cannot be immediately replaced due to budget constraints have left the internal audit department. Which of the following is the least desirable option for efficiently completing future engagements, given this reduction in resources?
   A. Using self-assessment questionnaires to address audit objectives.
   B. Employing information technology in audit planning, sampling, and documentation.
   C. Eliminating consulting engagements from the engagement work schedule.
   D. Filling vacancies with personnel from operating departments that are not being audited.

3. Which of the following fraudulent entries is most likely to be made to conceal the theft of an asset?
   A. Debit expenses, and credit the asset.
   B. Debit the asset, and credit another asset account.
   C. Debit revenue, and credit the asset.
   D. Debit another asset account, and credit the asset.

Part 2 Sample Exam Questions

1. A company’s accounts receivable turnover rate decreased from 7.3 to 4.3 over the last three years. What is the most likely cause for the decrease?
   A. An increase in the discount offered for early payment.
   B. A more liberal credit policy.
   C. A change in net payment due from 30 to 25 days.
   D. Increased cash sales.

2. An important difference between a statistical and a judgmental sample is that with a statistical sample:
   A. No judgment is required because everything is computed according to a formula.
   B. A smaller sample can be used.
   C. More accurate results are obtained.
   D. Population estimates with measurable reliability can be made.

3. Which of the following statements is correct regarding audit engagement work paper documentation for a fraud investigation?
   I. All incriminating evidence should be included in the work papers.
   II. All important testimonial evidence should be reviewed to ensure that it provides sufficient basis for the conclusions reached.
   III. If interviews are held with a suspected perpetrator, written transcripts or statements should be included in the work papers.
   A. I only.
   B. II only.
   C. II and III only.
   D. I, II, and III.

Part 3 Sample Exam Questions

1. A means of limiting production delays caused by equipment breakdown and repair is to:
   A. Schedule production based on capacity planning.
   B. Plan maintenance activity based on an analysis of equipment repair work orders.
   C. Pre-authorize equipment maintenance and overtime pay.
   D. Establish a preventive maintenance program for all production equipment.

2. If a country uses trade quotas to overcome chronic trade deficits, the most likely outcome would be that:
   A. Unemployment and productivity rates will rise.
   B. Unemployment rates will rise and productivity rates will decline.
   C. Unemployment rates will decline and productivity rates will rise.
   D. Unemployment and productivity rates will decline.

3. The difference between the required rate of return on a given risky investment and that of a risk-free investment with the same expected return is the:
   A. Risk premium.
   B. Coefficient of variation.
   C. Standard error of measurement.
   D. Beta coefficient.

4. Which of the following would be of greatest concern to an auditor reviewing a policy regarding the sale of a company’s used personal computers to outside parties?
   A. Whether deleted files on the hard disk drive have been completely erased.
   B. Whether the computer has viruses.
   C. Whether all software on the computer is properly licensed.
   D. Whether there is terminal emulation software on the computer.

Part 4 Sample Exam Questions

1. In the Boston Consulting Group (BCG) growth-share matrix, which strategy in the matrix describes large generation of cash and heavy investment needed to grow and maintain competitive positioning, but where net cash flow is usually modest?
   A. Cash cows.
   B. Question marks.
   C. Dogs.
   D. Stars.

2. In which of the following industry environments are franchising and horizontal mergers commonly used strategies?
   A. Emerging industries.
   B. Declining industries.
   C. Fragmented industries.
   D. Mature industries.

3. Which of the following costs does management need to consider when introducing a new product or substituting a new product for an existing one?
   I. Costs of retraining employees.
   II. Costs of acquiring new ancillary equipment.
   III. Write-offs due to undepreciated investment in old technology.
   IV. Capital requirements for changeover.
   A. I and III only.
   B. I, II, and IV only.
   C. II, III, and IV only.
   D. I, II, III, and IV.

4. Which of the following theories includes the assertion that employees may be motivated by achievement of acceptance or esteem in the workplace?
   A. Equity theory.
   B. Expectancy theory.
   C. Needs hierarchy theory.
   D. Goal-setting theory.
