2019 CIA Exam Syllabus, Part 3 – Business Knowledge for Internal Auditing
100 questions l 2.0 Hours (120 minutes)
The CIA exam Part 3 includes four domains focused on business acumen, information security, information technology, and financial management. Part 3 is designed to test candidates’ knowledge, skills, and abilities particularly as they relate to these core business concepts. |
|
-
I. Business Acumen (35%)
1. Organizational Objectives, Behavior, and Performance |
A |
Describe the strategic planning process and key activities (objective setting, globalization and competitive considerations, alignment to the organization's mission and values, etc.) |
Basic |
B |
Examine common performance measures (financial, operational, qualitative vs. quantitative, productivity, quality, efficiency, effectiveness, etc.) |
Proficient |
C |
Explain organizational behavior (individuals in organizations, groups, and how organizations behave, etc.) and different performance management techniques (traits, organizational politics, motivation, job design, rewards, work schedules, etc.) |
Basic |
D |
Describe management’s effectiveness to lead, mentor, guide people, build organizational commitment, and demonstrate entrepreneurial ability |
Basic |
2. Organizational Structure and Business Processes |
A |
Appraise the risk and control implications of different organizational configuration structures (centralized vs. decentralized, flat structure vs. traditional, etc.) |
Basic |
B |
Examine the risk and control implications of common business processes (human resources, procurement, product development, sales, marketing, logistics, management of outsourced processes, etc.) |
Proficient |
C |
Identify project management techniques (project plan and scope, time/team/resources/cost management, change management, etc.) |
Basic |
D |
Recognize the various forms and elements of contracts (formality, consideration, unilateral, bilateral, etc.) |
Basic |
3. Data Analytics |
A |
Describe data analytics, data types, data governance, and the value of using data analytics in internal auditing |
Basic |
B |
Explain the data analytics process (define questions, obtain relevant data, clean/normalize data, analyze data, communicate results) |
Basic |
C |
Recognize the application of data analytics methods in internal auditing (anomaly detection, diagnostic analysis, predictive analysis, network analysis, text analysis, etc.) |
Basic |
-
II. Information Security (25%)
1. Information Security |
A |
Differentiate types of common physical security controls (cards, keys, biometrics, etc.) |
Basic |
B |
Differentiate the various forms of user authentication and authorization controls (password, two-level authentication, biometrics, digital signatures, etc.) and identify potential risks |
Basic |
C |
Explain the purpose and use of various information security controls (encryption, firewalls, antivirus, etc.) |
Basic |
D |
Recognize data privacy laws and their potential impact on data security policies and practices |
Basic |
E |
Recognize emerging technology practices and their impact on security (bring your own device [BYOD], smart devices, internet of things [IoT], etc.) |
Basic |
F |
Recognize existing and emerging cybersecurity risks (hacking, piracy, tampering, ransomware attacks, phishing attacks, etc.) |
Basic |
-
III. Information Technology (20%)
1. Application and System Software |
A |
Recognize core activities in the systems development lifecycle and delivery (requirements definition, design, developing, testing, debugging, deployment, maintenance, etc.) and the importance of change controls throughout the process |
Basic |
B |
Explain basic database terms (data, database, record, object, field, schema, etc.) and internet terms (HTML, HTTP, URL, domain name, browser, click-through, electronic data interchange [EDI], cookies, etc.) |
Basic |
C |
Identify key characteristics of software systems (customer relationship management [CRM] systems; enterprise resource planning [ERP] systems; and governance, risk, and compliance [GRC] systems; etc.) |
Basic |
2. IT Infrastructure and IT Control Frameworks |
A |
Explain basic IT infrastructure and network concepts (server, mainframe, client-server configuration, gateways, routers, LAN, WAN, VPN, etc.) and identify potential risks |
Basic |
B |
Define the operational roles of a network administrator, database administrator, and help desk |
Basic |
C |
Recognize the purpose and applications of IT control frameworks (COBIT, ISO 27000, ITIL, etc.) and basic IT controls |
Basic |
3. Disaster Recovery |
A |
Explain disaster recovery planning site concepts (hot, warm, cold, etc.) |
Basic |
B |
Explain the purpose of systems and data backup |
Basic |
C |
Explain the purpose of systems and data recovery procedures |
Basic |
-
IV. Financial Management (20%)
1. Financial Accounting and Finance |
A |
Identify concepts and underlying principles of financial accounting (types of financial statements and terminologies such as bonds, leases, pensions, intangible assets, research and development, etc.) |
Basic |
B |
Recognize advanced and emerging financial accounting concepts (consolidation, investments, fair value, partnerships, foreign currency transactions, etc.) |
Basic |
C |
Interpret financial analysis (horizontal and vertical analysis and ratios related to activity, profitability, liquidity, leverage, etc.) |
Proficient |
D |
Describe revenue cycle, current asset management activities and accounting, and supply chain management (including inventory valuation and accounts payable) |
Basic |
E |
Describe capital budgeting, capital structure, basic taxation, and transfer pricing |
Basic |
2. Managerial Accounting |
A |
Explain general concepts of managerial accounting (cost-volume-profit analysis, budgeting, expense allocation, cost- benefit analysis, etc.) |
Basic |
B |
Differentiate costing systems (absorption, variable, fixed, activity-based, standard, etc.) |
Basic |
C |
Distinguish various costs (relevant and irrelevant costs, incremental costs, etc.) and their use in decision making |
Basic |
|
|
|
Additional noteworthy elements related to the revised CIA Part Three exam syllabus:
- The number of topics covered on the Part Three exam has been greatly refocused to the core areas that are most critical for internal auditors.
- The exam syllabus features a new subdomain on data analytics.
- The information security portion of the exam has been expanded to include additional topics such as cybersecurity risks and emerging technology practices.
- The largest domain is “Business Acumen,” which makes up 35% of the exam.
- A portion of the exam requires candidates to demonstrate a basic comprehension of concepts; another portion requires candidates to demonstrate proficiency in their knowledge, skills, and abilities.
CIA Part 3 Reference List
Most Relevant |
Additional Resources |
- The IIA’s International Professional Practices Framework
- Applying the International Professional Practices Framework, by Urton Anderson and Andrew J. Dahle
- Internal Auditing Assurance and Advisory Services, by Urton Anderson, Michael Head, and Sridhar Ramamoorti
- Sawyer's Guide for Internal Auditors, by Larry Sawyer
- Understanding Management, by Richard Daft and Dorothy Marcic
- Data Analytics: Elevating Internal Audit's Value, by Warren Stippich Jr. and Bradley Preber
- Data Analysis and Sampling Simplified: A Practical Guide for Internal Auditors, by Donald Dickie
- Rethinking Data Governance and Data Management, by ISACA
- Principles of Information Security, by Michael Whitman and Herbert Mattord
- IT Auditing: Using Controls to Protect Information Assets, by Chris Davis, Mike Schiller, and Kevin Wheeler
- Internal Audit of the Future: The Impact of Technology and Innovation, by A. Michael Smith
- Implementing the NIST Cybersecurity Framework, by ISACA
- Enterprise Risk Management Framework, by COSO
- Internal Control – Integrated Framework, by COSO
- “Managing Cyber Risk in a Digital Age,” by COSO
- Privacy and Data Protection: Internal Audit’s Role in Establishing a Resilient Framework, by IIA Foundation and Crowe
- Accounting Principles, by Jerry Weygandt, Paul Kimmel, and Donald Kieso
|
- Auditor Essentials: 100 Concepts, Tips, Tools, and Techniques for Success, by Hernan Murdock
- Ready and Relevant: Prepare to Audit What Matters Most, by Timothy Berichon
- Project Management Body of Knowledge (PMBOK) Guide, by Project Management Institute
- Contract and Commercial Management: The Operational Guide, by IACCM
- Performance Auditing: Measuring Inputs, Outputs, and Outcomes, by Stephen Morgan, Ronell Raaum, and Colleen Waring
- "Analytics: Good Practices for (smaller) IAFs," by IIA-Netherlands
- Data Analytics for Beginners: Practical Guide to Master Data Analytics, by TechWorld
- Auditing Social Media: A Governance and Risk Guide, by J. Mike Jacka and Peter Scott
- Auditing the Procurement Function by David O'Regan
- Information Technology Control and Audit, by Sandra Senft, Frederick Gallegos, and Aleksandra Davis
- Transfer Pricing Guidelines for Multinational Enterprises and Tax Administrations, by OECD
- Current resources on internal auditing and relevant topics
|
|
|
|
Candidates from the following countries must refer to their local IIA Institute web-site or contact their local representative for more information about local certification processes:
The information contained on this website pertains to all other countries.
|
|
|