IIA

The Institute of Internal Auditors sets global standards for the auditing profession. Its certifications cover governance, risk management, internal audit processes, business analysis, information technology, and financial services.

6 Exams
3,557 Questions

The IIA as a Global Standard

The Institute of Internal Auditors (IIA) established its first chapters in New York City in 1941. Operating from its global headquarters in Lake Mary, Florida, the organization now serves over 260,000 members across 170 countries. It is the definitive international standard-setter for the internal auditing profession.

Unlike vendor-specific IT certifications that validate technical configuration skills, IIA certifications validate a professional’s ability to evaluate governance, risk management, and control processes. Hiring managers in corporate finance, compliance, and IT audit departments look to the IIA to ensure a candidate understands the systematic, disciplined approach required to evaluate an organization's operations.

More than 200,000 professionals worldwide hold the IIA’s flagship credential: the Certified Internal Auditor (CIA).

The Certified Internal Auditor Framework

The CIA is the only globally accepted designation for internal auditors. Earning it requires passing a rigorous three-part exam series. Candidates have a three-year window to complete all three parts and fulfill the associated experience requirements.

The exams use a scaled scoring system ranging from 250 to 750, with 600 set as the passing baseline. The exams are entirely multiple-choice and are not adaptive. Each question carries equal weight, and there is no penalty for guessing. Pass rates historically hover between 41% and 53% across the different parts, reflecting the difficulty of the material.

The first exam in the sequence is IIA-CIA-Part1: Certified Internal Auditor - Part 1 The Internal Audit Activity's Role in Governance Risk and Control. This exam tests foundational principles. Candidates face 125 questions over 150 minutes. The content focuses heavily on independence, objectivity, due professional care, and the core concepts of governance and risk management. It also includes specific domains dedicated to identifying fraud risks.

Once candidates establish their baseline knowledge, they move to the practical execution phase. IIA-CIA-Part2: Certified Internal Auditor - Part 2 Conducting the Internal Audit Engagement shifts the focus to the lifecycle of an audit. You have 120 minutes to answer 100 questions. This exam proves you can manage the internal audit activity, plan an engagement, gather and evaluate information, and communicate the results to stakeholders.

The final hurdle broadens the scope to organizational operations. IIA-CIA-Part3: Certified Internal Auditor - Part 3 Business Analysis and Information Technology expects candidates to understand the environment in which the audit function operates. This 100-question, 120-minute exam covers strategic planning, business acumen, and the critical intersection of internal auditing and IT infrastructure. Candidates must prove they can evaluate IT general controls, understand cybersecurity risks, and audit data analytics processes. It is often considered the most difficult part of the sequence for auditors without a technical background, as it requires fluency in both financial management and enterprise IT architecture.

Accelerated Pathways for IT Auditors

The IIA recognizes that experienced auditors often cross over from adjacent disciplines, particularly information systems auditing. For professionals who already hold specific qualifying credentials, the IIA offers an accelerated route to the CIA designation.

If you are an active Certified Information Systems Auditor (CISA), you can bypass the standard three-part sequence by taking the IIA-CHAL-QISA: Qualified Info Systems Auditor CIA Challenge.

This single-part exam tests the gaps between standard IT audit practices and the broader internal audit framework defined by the IIA. It condenses the material from the standard three parts, focusing heavily on the International Professional Practices Framework (IPPF), risk management, and financial controls. It allows specialized IT risk professionals to prove their competence in general governance without redundant testing. Employers value this dual-credentialed profile, as it bridges the technical depth of IT security with the business alignment of internal audit.

IIA Specialty Credentials in the Financial Sector

While the CIA serves as a generalist baseline, the IIA has historically offered specialized tracks for specific industries. The financial services sector, with its heavy regulatory burden, requires auditors who understand banking, insurance, and securities at a deep level.

The IIA-CFSA: Certified Financial Services Auditor was designed specifically for this environment. It validates competence in auditing financial institutions and understanding strict regulatory compliance structures.

The IIA transitioned the CFSA from a standalone certification program to an assessment-based certificate model at the end of 2018. However, many established professionals in the financial sector continue to maintain their active CFSA status through annual continuing professional education (CPE) credits. The credential remains a strong indicator of specialized expertise for auditors working inside banks, insurance firms, and investment houses. For hiring managers in the financial sector, a candidate holding an active CFSA possesses proven, verifiable experience navigating the specific risks associated with financial products and institutional governance.

Career Value and Market Demand

IIA credentials act as a universal filtering mechanism for senior audit and compliance roles.

When a company goes public, expands internationally, or faces new regulatory oversight, the internal audit department scales up. Chief Audit Executives (CAEs) rely on the CIA to establish a baseline of competence across their teams. In heavily regulated industries like banking and healthcare, holding a CIA often dictates eligibility for promotion to audit manager or director levels.

Because the IIA updates its exams to align with actual job analysis surveys of practicing auditors, the credentials track closely with market needs. Hiring managers know that a candidate who passes the CIA exams understands how to execute a risk-based audit plan, not just check compliance boxes. The exams demand active application of concepts, forcing candidates to interpret audit scenarios and select the most appropriate course of action based on IIA standards.

The internal audit function rarely operates in a silo. Auditors frequently collaborate with information security officers and compliance directors. Holding a CIA proves to these stakeholders that you speak their language. It shows you understand how to design controls that satisfy regulatory requirements without disrupting business operations.

In January 2025, the IIA implemented its new Global Internal Audit Standards, replacing the previous International Professional Practices Framework. Candidates who pass the current exams are proving their alignment with these revised international standards, demonstrating their readiness to evaluate the complex risk environments organizations face.