
2019 CIA Exam Syllabus, Part 3 – Business Knowledge for Internal Auditing

100 questions | 2.0 hours (120 minutes)

The CIA exam Part 3 includes four domains focused on business acumen, information security, information technology, and financial management. Part 3 is designed to test candidates’ knowledge, skills, and abilities particularly as they relate to these core business concepts.

The required cognitive level (Basic or Proficient) is given in parentheses after each item.

  •   I. Business Acumen (35%)
    1. Organizational Objectives, Behavior, and Performance
    A. Describe the strategic planning process and key activities (objective setting, globalization and competitive considerations, alignment to the organization's mission and values, etc.) (Basic)
    B. Examine common performance measures (financial, operational, qualitative vs. quantitative, productivity, quality, efficiency, effectiveness, etc.) (Proficient)
    C. Explain organizational behavior (individuals in organizations, groups, and how organizations behave, etc.) and different performance management techniques (traits, organizational politics, motivation, job design, rewards, work schedules, etc.) (Basic)
    D. Describe management’s effectiveness to lead, mentor, guide people, build organizational commitment, and demonstrate entrepreneurial ability (Basic)
    2. Organizational Structure and Business Processes
    A. Appraise the risk and control implications of different organizational configuration structures (centralized vs. decentralized, flat structure vs. traditional, etc.) (Basic)
    B. Examine the risk and control implications of common business processes (human resources, procurement, product development, sales, marketing, logistics, management of outsourced processes, etc.) (Proficient)
    C. Identify project management techniques (project plan and scope, time/team/resources/cost management, change management, etc.) (Basic)
    D. Recognize the various forms and elements of contracts (formality, consideration, unilateral, bilateral, etc.) (Basic)
    3. Data Analytics
    A. Describe data analytics, data types, data governance, and the value of using data analytics in internal auditing (Basic)
    B. Explain the data analytics process (define questions, obtain relevant data, clean/normalize data, analyze data, communicate results) (Basic)
    C. Recognize the application of data analytics methods in internal auditing (anomaly detection, diagnostic analysis, predictive analysis, network analysis, text analysis, etc.) (Basic)
  •   II. Information Security (25%)
    1. Information Security
    A. Differentiate types of common physical security controls (cards, keys, biometrics, etc.) (Basic)
    B. Differentiate the various forms of user authentication and authorization controls (password, two-level authentication, biometrics, digital signatures, etc.) and identify potential risks (Basic)
    C. Explain the purpose and use of various information security controls (encryption, firewalls, antivirus, etc.) (Basic)
    D. Recognize data privacy laws and their potential impact on data security policies and practices (Basic)
    E. Recognize emerging technology practices and their impact on security (bring your own device [BYOD], smart devices, internet of things [IoT], etc.) (Basic)
    F. Recognize existing and emerging cybersecurity risks (hacking, piracy, tampering, ransomware attacks, phishing attacks, etc.) (Basic)
    G. Describe cybersecurity and information security-related policies (Basic)
  •   III. Information Technology (20%)
    1. Application and System Software
    A. Recognize core activities in the systems development lifecycle and delivery (requirements definition, design, developing, testing, debugging, deployment, maintenance, etc.) and the importance of change controls throughout the process (Basic)
    B. Explain basic database terms (data, database, record, object, field, schema, etc.) and internet terms (HTML, HTTP, URL, domain name, browser, click-through, electronic data interchange [EDI], cookies, etc.) (Basic)
    C. Identify key characteristics of software systems (customer relationship management [CRM] systems; enterprise resource planning [ERP] systems; and governance, risk, and compliance [GRC] systems; etc.) (Basic)
    2. IT Infrastructure and IT Control Frameworks
    A. Explain basic IT infrastructure and network concepts (server, mainframe, client-server configuration, gateways, routers, LAN, WAN, VPN, etc.) and identify potential risks (Basic)
    B. Define the operational roles of a network administrator, database administrator, and help desk (Basic)
    C. Recognize the purpose and applications of IT control frameworks (COBIT, ISO 27000, ITIL, etc.) and basic IT controls (Basic)
    3. Disaster Recovery
    A. Explain disaster recovery planning site concepts (hot, warm, cold, etc.) (Basic)
    B. Explain the purpose of systems and data backup (Basic)
    C. Explain the purpose of systems and data recovery procedures (Basic)
  •   IV. Financial Management (20%)
    1. Financial Accounting and Finance
    A. Identify concepts and underlying principles of financial accounting (types of financial statements and terminologies such as bonds, leases, pensions, intangible assets, research and development, etc.) (Basic)
    B. Recognize advanced and emerging financial accounting concepts (consolidation, investments, fair value, partnerships, foreign currency transactions, etc.) (Basic)
    C. Interpret financial analysis (horizontal and vertical analysis and ratios related to activity, profitability, liquidity, leverage, etc.) (Proficient)
    D. Describe revenue cycle, current asset management activities and accounting, and supply chain management (including inventory valuation and accounts payable) (Basic)
    E. Describe capital budgeting, capital structure, basic taxation, and transfer pricing (Basic)
    2. Managerial Accounting
    A. Explain general concepts of managerial accounting (cost-volume-profit analysis, budgeting, expense allocation, cost-benefit analysis, etc.) (Basic)
    B. Differentiate costing systems (absorption, variable, fixed, activity-based, standard, etc.) (Basic)
    C. Distinguish various costs (relevant and irrelevant costs, incremental costs, etc.) and their use in decision making (Basic)

Additional noteworthy elements related to the revised CIA Part Three exam syllabus:

  • The number of topics covered on the Part Three exam has been greatly refocused to the core areas that are most critical for internal auditors.
  • The exam syllabus features a new subdomain on data analytics.
  • The information security portion of the exam has been expanded to include additional topics such as cybersecurity risks and emerging technology practices.
  • The largest domain is “Business Acumen,” which makes up 35% of the exam.
  • A portion of the exam requires candidates to demonstrate a basic comprehension of concepts; another portion requires candidates to demonstrate proficiency in their knowledge, skills, and abilities.

CIA Part 3 Reference List

Most relevant and additional resources:
  • The IIA’s International Professional Practices Framework
  • Applying the International Professional Practices Framework, by Urton Anderson and Andrew J. Dahle
  • Internal Auditing Assurance and Advisory Services, by Urton Anderson, Michael Head, and Sridhar Ramamoorti
  • Sawyer's Guide for Internal Auditors, by Larry Sawyer
  • Understanding Management, by Richard Daft and Dorothy Marcic
  • Data Analytics: Elevating Internal Audit's Value, by Warren Stippich Jr. and Bradley Preber
  • Data Analysis and Sampling Simplified: A Practical Guide for Internal Auditors, by Donald Dickie
  • Rethinking Data Governance and Data Management, by ISACA
  • Principles of Information Security, by Michael Whitman and Herbert Mattord
  • IT Auditing: Using Controls to Protect Information Assets, by Chris Davis, Mike Schiller, and Kevin Wheeler
  • Internal Audit of the Future: The Impact of Technology and Innovation, by A. Michael Smith
  • Implementing the NIST Cybersecurity Framework, by ISACA
  • Enterprise Risk Management Framework, by COSO
  • Internal Control – Integrated Framework, by COSO
  • “Managing Cyber Risk in a Digital Age,” by COSO
  • Privacy and Data Protection: Internal Audit’s Role in Establishing a Resilient Framework, by IIA Foundation and Crowe
  • Accounting Principles, by Jerry Weygandt, Paul Kimmel, and Donald Kieso
  • Auditor Essentials: 100 Concepts, Tips, Tools, and Techniques for Success, by Hernan Murdock
  • Ready and Relevant: Prepare to Audit What Matters Most, by Timothy Berichon
  • Project Management Body of Knowledge (PMBOK) Guide, by Project Management Institute
  • Contract and Commercial Management: The Operational Guide, by IACCM
  • Performance Auditing: Measuring Inputs, Outputs, and Outcomes, by Stephen Morgan, Ronell Raaum, and Colleen Waring
  • "Analytics: Good Practices for (smaller) IAFs," by IIA-Netherlands
  • Data Analytics for Beginners: Practical Guide to Master Data Analytics, by TechWorld
  • Auditing Social Media: A Governance and Risk Guide, by J. Mike Jacka and Peter Scott
  • Auditing the Procurement Function, by David O'Regan
  • Information Technology Control and Audit, by Sandra Senft, Frederick Gallegos, and Aleksandra Davis
  • Transfer Pricing Guidelines for Multinational Enterprises and Tax Administrations, by OECD
  • Current resources on internal auditing and relevant topics

Candidates from the following countries must refer to their local IIA Institute website or contact their local representative for more information about local certification processes:

The information contained on this website pertains to all other countries.