Changes to the Certified Internal Auditor syllabus

By Jan Olivier, Chartered IIA Head of Education and Development

The introduction of the revised International Professional Practices Framework (IPPF) and the Global Internal Audit Standards means that the CIA syllabus was also updated. The aim of this blog is to help those students already enrolled on the CIA to understand the extent of the changes and so be able to prepare for the exam.

When updating the CIA syllabus, The IIA worked towards:

1. Create greater alignment with The IIA’s Global Internal Audit Standards.
2. Bring the exam up to date with the current global practice of internal auditing.
3. Clarify the competencies that candidates must possess to earn their CIA certifications.
4. Focus on concepts that are most relevant to the rapidly evolving practice of internal auditing.

In the exam, you are expected to demonstrate:

1. Current knowledge of The IIA’s IPPF, and demonstrate that you are able to use it effectively.
2. Be able to perform an audit engagement with minimal supervision.
3. Understand and use your personal judgement to apply the various concepts covered by the CIA exam.

In the section below we’ll go through the syllabus and look at how it aligns to the IPPF, and before considering the changes in detail. This guidance would be most beneficial to those students who are already registered on the CIA, and have perhaps already sat one exam. 

Syllabus

The IIA have a dedicated page on their site where you will find some insight into the changes, and where you can download the syllabus.  

Remember that you need to download the syllabus and keep it at hand as you are assessed in line with the syllabus and not the materials. 

Timelines

On 28 May the exams for the new CIA syllabus will go live. Up to then the 2019 version of the syllabus remains examinable. So if you have a exam schedule between today and 27 May it will be for the 2019 syllabus, and from 28 May will be for the new syllabus.

Support

The Chartered IIA have developed an online programme for all students preparing to sit the exams for the new syllabus.  The programme will provide you with access to materials published by Gleim, the undisputed market leaders.  On the programme you will be provided with all the support you need, including a tutor and the opportunity to attend 7 classes before attempting your exam. 

To book or for more details visit the Certified Internal Auditor page. 

Overall structure

The CIA continues to have three parts. Not that different from the previous syllabus, Part 1 focusses mainly on the standards, and Part 2 on the internal audit process.  Part 3 is a significant departure from the current syllabus and now covers managing the internal audit function.  We will discuss in more detail below.

Other than being updated to align to the new standards, the syllabus still includes Fraud Risk even though that falls outside the IPPF.  

For the exams, Part 1 continues be 125 questions to be answered in 150 minutes, with Parts 2 and 3 also unchanged at 100 questions in 120 minutes.  The pass mark remains 600/750, or 80%.

Standards

It is impossible to definitively align the parts of the CIA syllabus to the IPPF as there are too many interdependent elements. The IPPF, after all, is intended to be a single framework and it is important that you keep this in mind as you study the CIA and prepare for the exams.
Also remember that the Glossary forms part of the IPPF and so is also examinable as part of the CIA syllabus.

CIA Part 1: Internal Audit Fundamentals

These core knowledge areas are crucial for every internal auditor to understand in order to execute their duties proficiently.
Section A: Foundations of Internal Auditing draws on Domain I of the International Professional Practices Framework (IPPF), where the purpose statement of internal auditing is found. Section A then references Domain III, focusing on Principles 6, 7, and 8, though these areas are covered briefly and do not require an in-depth understanding.
Section B: Ethics and Professionalism encompasses the entirety of Domain II, covering integrity, objectivity, competency, due professional care, and confidentiality.
Section C: Governance, Risk Management, and Control reflects Standard 9.1 of Domain IV, rather than Domain III.
Section D: Fraud Risks is somewhat of an anomaly as it does not directly reflect the IPPF, given that fraud risks are not explicitly addressed in the standards. Nonetheless, this is essential knowledge for an internal auditor and thus included in the syllabus.

CIA Part 2: Internal Audit Engagement

The entire CIA Part 2 syllabus maps against Domain V: Performing Internal Audit Services.
Section A: Engagement Planning addresses Principle 13 of the standards. 
Section B: Information Gathering, Analysis, and Evaluation covers Principle 14.
Section C: Engagement Supervision and Communication covers Principle 15. 

CIA Part 3 Internal Audit Function

Part 3 covers the management of the internal audit function, and as expected is therefore closely aligned to Domain IV, the exception being 9.1 which was covered in Part 1. 
Section A: Internal Audit Operations aligns to Standards 9.2 and 9.3 of Domain IV. The resource requirements in the syllabus are aligned with Standard 13.5 and also references Principle 10.
Section B: Internal Audit Plan covers Standards 9.4 and 9.5.
Section C: Quality of the Internal Audit Function covers are aligned to Principle 12, while the responsibility of the CAE are set out in Standards 8.3 and 8.4.
Section D: Engagement Results and Monitoring address Principle 15. 

Comparisons

Having looked at how the two syllabi relate to the standards, in this section see how the two syllabi relate to each other to demonstrate which parts of the syllabi are similar and which changed. 

Learning outcomes

The new syllabus has fewer learning outcomes than the 2019 version, but these are grouped by topic. This is also good as it provides a lot of helpful insight  on how exam questions can be phrased  as the previous syllabus included very little detail. 
While there are fewer learning outcomes, it doesn’t mean that the 2025 exams will be easier, cover less content, or less demanding. 

Cognitive levels

You will notice that the 2025 syllabus no longer identifies a cognitive level against which the syllabus topic is assessed.  While no longer categorically stated, you can still identify the cognitive levels from the learning outcomes.

You will notice that each learning outcomes will start with a verb, for example ‘Recognize’, ‘Describe’, ‘Interpret’, ‘Identify’, and so on.  These were very specifically chosen and explain what you will be required to demonstrate in the exam and you should pay very close attention to whether you are asked to ‘explain’ or ‘describe’ something, or if you need to ‘analyse’ something.

If you found the cognitive levels handy, then you can classify these yourself.  Here is a short summary showing some common verbs and whether these would be lower or higher-level thinking. 

Examples of verbs indicating basic cognitive levels: recognise, identify, describe, summarise, calculate, demonstrate, apply, explain.

Examples of verbs indicating proficient cognitive levels: assess , critique, interpret, categorise, recommend, compare, contrast, analyse.

Part 1 has 27 learning outcomes and 20 (74%) are examined on the Basic level, while 14 (46%) of the 2019 syllabus assessed learning outcomes at the Basic level. This is likely to make the Part 1 exam less demanding.

Part 2 has 17 learning outcomes of which 7 (41%) are assessed on the Basic level.  This compares well to the 40% of the 2019 syllabus assessed at Basic level.

Part 3 has 18 learning outcomes, and these are all assessed on the Basic level, while 91% of the 2019 syllabus assessed learning outcomes on the Basic level.

CIA Part 1 Internal Audit Fundamentals

Among the three parts, this is indisputably the least altered exam. Section A now contributes more than double the amount of questions compared to the 2019 syllabus. Although the section now encompasses the internal audit mandate, as well as the role of the Chief Audit Executive (CAE) and the board in establishing the mandate, this alone cannot explain the increased exam coverage.

Section B elaborates on the knowledge, skills, and competencies outlined in the 2019 exam, however the overall size of this section is smaller than in the 2019 syllabus. This section now also addresses confidentiality when using information during engagements, and any ensuing privacy concerns. The section dealing with the Quality Improvement and Assurance Program (QIAP) moves to CIA Part 3.

Section C, which addresses Governance, Risk Management, and Control, sees a slight reduction in exam coverage. Nevertheless, this section now includes performance management and the use of Key Performance Indicators (KPIs) and metrics. Section D remains relatively unchanged, although the exam coverage increases slightly to incorporate a broader list of risk types and a focus on risk management processes within risk management frameworks.

CIA Part 2: Internal Audit Engagement

Managing the internal audit function and communicating recommendations will now be included in Part 3. This means that Part 2 will address the engagement process: how to plan the engagement, how to perform the engagement, and then how to supervise and communicate with stakeholders.

Some of the concepts that were previously covered in Part 3 now sits in Part 2. However, these are now dealt with very differently and are incorporated into the risk assessments for the different activities. For example, the risks associated with IT or Cybersecurity are part of the risk assessment. Similarly, you can think about financial risk as part of the risk assessment, or it can be included as part of the analytical review techniques.

Part 2 now includes two areas which weren't covered in the 2019 version: Appropriate approaches for engagements is included in Section A, and Section B now includes the difference between evaluation criteria and the existing conditions.

Also in Section A are a large number of that were previously in Part 3, and where the focus has shifted, and these include:

• Elements to be considered in the development of engagement objectives
• Strategic objectives when planning an engagement
• Impact of organisational culture
• Behavioural and management techniques
•  Organisational structure
• Project management concepts
• IT and Cybersecurity risk
• Identifying market and industry trends
• Risks related to business processes
• Business continuity
• Finance and accounting concepts and analytical review techniques

CIA Part 3: Internal Audit Function

The syllabus for Part 3 has been completely transformed and none of the areas that were previously in Part 3 have remained. The Part 3 syllabus now addresses the management of the internal audit function. From the old Part 2 syllabus, Managing the internal audit function has been moved to Part 3 and now forms the bulk of the Internal Audit Operations section, and Quality which was previously dealt with in Part 1 is now also included in Part 3. 

The following areas previously in Part 3 are no longer included in the syllabus:

• Managerial accounting concepts
• Costing systems
• Various costs
• Network administration
• IT infrastructure concepts
• Systems development

Happy studying, and good luck with your course.