What is Internal Audit?
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Performed by professionals with an in-depth understanding of the business culture, systems, and processes, the internal audit activity provides assurance that internal controls in place are adequate to mitigate the risks, governance processes are effective and efficient, and organizational goals and objectives are met.
Evaluating emerging technologies. Analyzing opportunities. Examining global issues. Assessing risks, controls, ethics, quality, economy, and efficiency. Assuring that controls in place are adequate to mitigate the risks. Communicating information and opinions with clarity and accuracy. Such diversity gives internal auditors a broad perspective on the organization. And that, in turn, makes internal auditors a valuable resource to executive management and boards of directors in accomplishing overall goals and objectives, as well as in strengthening internal controls and organizational governance.
I. Foundations Of Internal Auditing
Interpret The IIA`s Mission of Internal Audit, Definition of Internal Auditing, and Core Principles for the Professional Practice of Internal Auditing, and the purpose, authority, and responsibility of the internal audit activity
Explain the requirements of an internal audit charter (required components, board approval, communication of the charter, etc.)
Interpret the difference between assurance and consulting services provided by the internal audit activity
Demonstrate conformance with the IIA Code of Ethics
II. Independence And Objectivity
Interpret organizational independence of the internal audit activity (importance of independence, functional reporting, etc.)
Identify whether the internal audit activity has any impairments to its independence
Assess and maintain an individual internal auditor`s objectivity, including determining whether an individual internal auditor has any impairments to his/her objectivity
Analyze policies that promote objectivity
III. Proficiency And Due Professional Care
Recognize the knowledge, skills, and competencies required (whether developed or procured) to fulfill the responsibilities of the internal audit activity
Demonstrate the knowledge and competencies that an internal auditor needs to possess to perform his/her individual responsibilities, including technical skills and soft skills (communication skills, critical thinking, persuasion/negotiation and collaboration skills, etc.)
Demonstrate due professional care
Demonstrate an individual internal auditor`s competency through continuing professional development
IV. QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
Describe the required elements of the quality assurance and improvement program (internal assessments, external assessments, etc.)
Describe the requirement of reporting the results of the quality assurance and improvement program to the board or other governing body
Identify appropriate disclosure of conformance vs. nonconformance with The IIA’s International Standards for the Professional Practice of Internal Auditing
V. Governance, Risk Management, And Control
Describe the concept of organizational governance
Recognize the impact of organizational culture on the overall control environment and individual engagement risks and controls
Recognize and interpret the organization`s ethics and compliance-related issues, alleged violations, and dispositions
Describe corporate social responsibility
Interpret fundamental concepts of risk and the risk management process
Describe globally accepted risk management frameworks appropriate to the organization (COSO - ERM, ISO 31000, etc.)
Examine the effectiveness of risk management within processes and functions
Recognize the appropriateness of the internal audit activity’s role in the organization`s risk management process
Interpret internal control concepts and types of controls
Apply globally accepted internal control frameworks appropriate to the organization (COSO, etc.)
Examine the effectiveness and efficiency of internal controls
VI. Fraud Risks
Interpret fraud risks and types of frauds and determine whether fraud risks require special consideration when conducting an engagement
Evaluate the potential for occurrence of fraud (red flags, etc.) and how the organization detects and manages fraud risks
Recommend controls to prevent and detect fraud and education to improve the organization`s fraud awareness
Recognize techniques and internal audit roles related to forensic auditing (interview, investigation, testing, etc.)
1. Internal Audit Operations
Describe policies and procedures for the planning, organizing, directing, and monitoring of internal audit operations
Interpret administrative activities (budgeting, resourcing, recruiting, staffing, etc.) of the internal audit activity
2. Establishing a Risk-based Internal Audit Plan
Identify sources of potential engagements (audit universe, audit cycle requirements, management requests, regulatory mandates, relevant market and industry trends, emerging issues, etc.)
Identify a risk management framework to assess risks and prioritize audit engagements based on the results of a risk assessment
Interpret the types of assurance engagements (risk and control assessments, audits of third parties and contract compliance, security and privacy, performance and quality audits, key performance indicators, operational audits, financial and regulatory compliance audits)
Interpret the types of consulting engagements (training, system design, system development, due diligence, privacy, benchmarking, internal control assessment, process mapping, etc.) designed to provide advice and insight
Describe coordination of internal audit efforts with the external auditor, regulatory oversight bodies, and other internal assurance functions, and potential reliance on other assurance providers
3. Communicating and Reporting to Senior Management and the Board
Recognize that the chief audit executive communicates the annual audit plan to senior management and the board and seeks the board`s approval
Identify significant risk exposures and control and governance issues for the chief audit executive to report to the board
Recognize that the chief audit executive reports on the overall effectiveness of the organization`s internal control and risk management processes to senior management and the board
Recognize internal audit key performance indicators that the chief audit executive communicates to senior management and the board periodically
1. Engagement Planning
Determine engagement objectives, evaluation criteria, and the scope of the engagement
Plan the engagement to assure identification of key risks and controls
Complete a detailed risk assessment of each audit area, including evaluating and prioritizing risk and control factors
Determine engagement procedures and prepare the engagement work program
Determine the level of staff and resources needed for the engagement
1. Information Gathering
Gather and examine relevant information (review previous audit reports and data, conduct walk-throughs and interviews, perform observations, etc.) as part of a preliminary survey of the engagement area
Develop checklists and risk-and-control questionnaires as part of a preliminary survey of the engagement area
Apply appropriate sampling (nonstatistical, judgmental, discovery, etc.) and statistical analysis techniques
2. Analysis and Evaluation
Use computerized audit tools and techniques (data mining and extraction, continuous monitoring, automated workpapers, embedded audit modules, etc.)
Evaluate the relevance, sufficiency, and reliability of potential sources of evidence
Apply appropriate analytical approaches and process mapping techniques (process identification, workflow analysis, process map generation and analysis, spaghetti maps, RACI diagrams, etc.)
Determine and apply analytical review techniques (ratio estimation, variance analysis, budget vs. actual, trend analysis, other reasonableness tests, benchmarking, etc.)
Prepare workpapers and documentation of relevant information to support conclusions and engagement results
Summarize and develop engagement conclusions, including assessment of risks and controls
Engagement Supervision
Identify key activities in supervising engagements (coordinate work assignments, review workpapers, evaluate auditors` performance, etc.)
Arrange preliminary communication with engagement clients
Demonstrate communication quality (accurate, objective, clear, concise, constructive, complete, and timely) and elements (objectives, scope, conclusions, recommendations, and action plan)
Prepare interim reporting on the engagement progress
Formulate recommendations to enhance and protect organizational value
Describe the audit engagement communication and reporting process, including holding the exit conference, developing the audit report (draft, review, approve, and distribute), and obtaining management`s response
Describe the chief audit executive`s responsibility for assessing residual risk
Describe the process for communicating risk acceptance (when management has accepted a level of risk that may be unacceptable to the organization)
Describe the audit engagement communication and reporting process, including holding the exit conference, developing the audit report (draft, review, approve, and distribute), and obtaining management`s response
Describe the chief audit executive`s responsibility for assessing residual risk
Describe the process for communicating risk acceptance (when management has accepted a level of risk that may be unacceptable to the organization)
Internal AuditQuality AssuranceRisk ManagementAudit/Assessment/DisciplinesComplianceExternal AuditInternal Control
Entry Requirements
To be approved into the CIA program, the candidate must either:
Hold a Bachelor’s degree or higher.
Hold an active Internal Audit Practitioner designation.
Possess five years of internal audit experience.
Be an active student in your final year of college.
Be an active student with an approved Internal Audit Education Partnership (IAEP) school.
Acceptable Documents:
Copy of your degree or official transcripts (If your name has changed since you earned your degree, you must also include your legal name change document.)
Letter from university confirming degree.
Letter from evaluation services confirming degree level.
Character Reference
Candidates must exhibit high moral and professional character and must submit a Character Reference signed by a CIA, CGAP, CCSA, CFSA, CRMA, QIAL, or the candidate's supervisor. The character reference is completed electronically via the CCMS.
Proof of Identification
Proof of identity is required to apply to all IIA certification programs. The identification submitted must be current and valid. Refer to the proof of identification in the certification handbook for additional details. When you are ready to sit for your exam(s), you will be required to show your identification. Please note that the identification you present on the date of your exam(s) must match the information in your CCMS profile.
Exit Requirements
CIA Exam
Once candidates have been accepted into the CIA program, they must pass all three CIA exam parts within the program eligibility period.
Work Experience
Candidates may apply to the certification program and sit for exams prior to obtaining the required work experience. However, candidates will not be certified until unless the experience requirement is met within the program eligibility period. Experience for the CIA’s certification program is based on the entry method (refer to the program requirements table above).
Internal Audit
Quality Assurance
Risk Management
Audit/Assessment/Disciplines
Compliance
External Audit
Internal Control
Supporting Requirement Exemptions
The Professional Certification Board (PCB) has approved work experience and education exemptions for Association of Chartered Certified Accountants (ACCA) qualified members and an education exemption for U.S. Certified Public Accountant (CPA) active license holders pursuing the CIA certification. The supporting requirement exemptions were granted by the PCB because the experience and education requirements for ACCA members and education requirements for U.S. CPAs meet and/or exceed these requirements for the CIA program
High School Diploma, Associates Degree, GCE, A-Level or their equivalent
Experience can be in any of the following: Internal Audit, Quality Assurance, Risk Management, Audit/Assessment/Disciplines, Compliance, External Audit, Internal Control
Candidates in the CIA program agree to accept the conditions of the program, including eligibility requirements, exam confidentiality, Code of Ethics, and Continuing Professional Education (CPE), along with other conditions enacted by The IIA's Professional Certification Board (PCB).
125 questions | 2.5 hours (150 minutes)
The revised CIA exam Part 1 is well aligned with The IIA’s International Professional Practices Framework (IPPF) and includes six domains covering the foundation of internal auditing; independence and objectivity; proficiency and due professional care; quality assurance and improvement programs; governance, risk management, and control; and fraud risk.
Part one tests candidates’ knowledge, skills, and abilities related to the International Standards for the Professional Practice of Internal Auditing, particularly the Attribute Standards (series 1000, 1100, 1200, and 1300) as well as Performance Standard 2100.
100 questions | 2.0 hours (120 minutes)
The CIA exam Part 2 includes four domains focused on managing the internal audit activity, planning the engagement, performing the engagement, and communicating engagement results and monitoring progress. Part 2 tests candidates’ knowledge, skills, and abilities particularly related to Performance Standards (series 2000, 2200, 2300, 2400, 2500, and 2600) and current internal audit practices.
100 questions | 2.0 Hours (120 minutes)
The CIA exam Part 3 includes four domains focused on business acumen, information security, information technology, and financial management. Part Three is designed to test candidates’ knowledge, skills, and abilities, particularly as they relate to these core business concepts.