
CIA Exam Syllabus, Part 2 – Internal Audit Practice

100 questions | 2.0 Hours (120 minutes)

The new CIA exam Part 2 topics tested include managing the internal audit function via the strategic and operational role of internal audit and establishing a risk-based plan; the steps to manage individual engagements (planning, supervision, communicating results, and monitoring outcomes); as well as fraud risks and controls. Note: All items in this section of the syllabus will be tested at the Proficiency knowledge level unless otherwise indicated below.

I. Managing the Internal Audit Function (40-50%)

A. Strategic Role of Internal Audit

  1. Initiate, manage, be a change catalyst, and cope with change
  2. Build and maintain networking with other organization executives and the audit committee
  3. Organize and lead a team in mapping, analysis, and business process improvement
  4. Assess and foster the ethical climate of the board and management
    1. Investigate and recommend resolution for ethics/compliance complaints, and determine disposition of ethics violations
    2. Maintain and administer business conduct policy (e.g., conflict of interest), and report on compliance
  5. Educate senior management and the board on best practices in governance, risk management, control, and compliance
  6. Communicate internal audit key performance indicators to senior management and the board on a regular basis
  7. Coordinate IA efforts with external auditor, regulatory oversight bodies and other internal assurance functions
  8. Assess the adequacy of the performance measurement system, achievement of corporate objective – Awareness Level (A)

B.  Operational Role of IA

  1. Formulate policies and procedures for the planning, organizing, directing, and monitoring of internal audit operations
  2. Review the role of the internal audit function within the risk management framework
  3. Direct administrative activities (e.g., budgeting, human resources) of the internal audit department
  4. Interview candidates for internal audit positions
  5. Report on the effectiveness of corporate risk management processes to senior management and the board
  6. Report on the effectiveness of the internal control and risk management frameworks
  7. Maintain effective Quality Assurance Improvement Program

C.  Establish Risk-Based IA Plan

  1. Use market, product, and industry knowledge to identify new internal audit engagement opportunities
  2. Use a risk framework to identify sources of potential engagements (e.g., audit universe, audit cycle requirements, management requests, regulatory mandates)
  3. Establish a framework for assessing risk
  4. Rank and validate risk priorities to prioritize engagements in the audit plan
  5. Identify internal audit resource requirements for annual IA plan
  6. Communicate areas of significant risk and obtain approval from the board for the annual engagement plan
  7. Types of engagements
    1. Conduct assurance engagements
      a.1  Risk and control self-assessments
        a)  Facilitated approach
          (1)  Client-facilitated
          (2)  Audit-facilitated
        b)  Questionnaire approach
        c)  Self-certification approach
      a.2  Audits of third parties and contract auditing
      a.3  Quality audit engagements
      a.4  Due diligence audit engagements
      a.5  Security audit engagements
      a.6  Privacy audit engagements
      a.7  Performance audit engagements (key performance indicators)
      a.8  Operational audit engagements (efficiency and effectiveness)
      a.9  Financial audit engagements
    2. Compliance audit engagements
    3. Consulting engagements
      c.1  Internal control training
      c.2  Business process mapping
      c.3  Benchmarking
      c.4  System development reviews
      c.5  Design of performance measurement systems

II. Managing Individual Engagements (40-50%)

A.  Plan Engagements

  1. Establish engagement objectives/criteria and finalize the scope of the engagement
  2. Plan engagement to assure identification of key risks and controls
  3. Complete a detailed risk assessment of each audit area (prioritize or evaluate risk/control factors)
  4. Determine engagement procedures and prepare engagement work program
  5. Determine the level of staff and resources needed for the engagement
  6. Construct audit staff schedule for effective use of time

B. Supervise Engagement

  1. Direct / supervise individual engagements
  2. Nurture instrumental relations, build bonds, and work with others toward shared goals
  3. Coordinate work assignments among audit team members when serving as the auditor-in-charge of a project
  4. Review work papers
  5. Conduct exit conference
  6. Complete performance appraisals of engagement staff

C. Communicate Engagement Results

  1. Initiate preliminary communication with engagement clients
  2. Communicate interim progress
  3. Develop recommendations when appropriate
  4. Prepare report or other communication
  5. Approve engagement report
  6. Determine distribution of the report
  7. Obtain management response to the report
  8. Report outcomes to appropriate parties

D. Monitor Engagement Outcomes

  1. Identify appropriate method to monitor engagement outcomes
  2. Monitor engagement outcomes and conduct appropriate follow-up by the internal audit activity
  3. Conduct follow-up and report on management's response to internal audit recommendations
  4. Report significant audit issues to senior management and the board periodically

III. Fraud Risks and Controls (5-15%)

A. Consider the potential for fraud risks and identify common types of fraud associated with the engagement area during the engagement planning process

B.  Determine if fraud risks require special consideration when conducting an engagement

C.  Determine if any suspected fraud merits investigation

D. Complete a process review to improve controls to prevent fraud and recommend changes

E. Employ audit tests to detect fraud

F. Support a culture of fraud awareness, and encourage the reporting of improprieties

G.  Interrogation/investigative techniques – Awareness Level (A)

H. Forensic auditing – Awareness Level (A)

Candidates from the following countries must refer to their local IIA Institute website or contact their local representative for more information about local certification processes:


The information contained on this website pertains to all other countries.