100 questions | 2.0 Hours (120 minutes)
The CIA exam Part 2 includes four domains focused on managing the internal audit activity, planning the engagement, performing the engagement, and communicating engagement results and monitoring progress. Part 2 tests candidates’ knowledge, skills, and abilities particularly related to Performance Standards (series 2000, 2200, 2300, 2400, 2500, and 2600) and current internal audit practices.
Cognitive Learning 1. Internal Audit Operations A Describe policies and procedures for the planning, organizing, directing, and monitoring of internal audit operations Basic B Interpret administrative activities (budgeting, resourcing, recruiting, staffing, etc.) of the internal audit activity Basic 2. Establishing a Risk-based Internal Audit Plan A Identify sources of potential engagements (audit universe, audit cycle requirements, management requests, regulatory mandates, relevant market and industry trends, emerging issues, etc.) Basic B Identify a risk management framework to assess risks and prioritize audit engagements based on the results of a risk assessment Basic C Interpret the types of assurance engagements (risk and control assessments, audits of third parties and contract compliance, security and privacy, performance and quality audits, key performance indicators, operational audits, financial and regulatory compliance audits) Proficient D Interpret the types of consulting engagements (training, system design, system development, due diligence, privacy, benchmarking, internal control assessment, process mapping, etc.) designed to provide advice and insight Proficient E Describe coordination of internal audit efforts with the external auditor, regulatory oversight bodies, and other internal assurance functions, and potential reliance on other assurance providers Basic 3. Communicating and Reporting to Senior Management and the Board A Recognize that the chief audit executive communicates the annual audit plan to senior management and the board and seeks the board's approval Basic B Identify significant risk exposures and control and governance issues for the chief audit executive to report to the board Basic C Recognize that the chief audit executive reports on the overall effectiveness of the organization's internal control and risk management processes to senior management and the board Basic D Recognize internal audit key performance indicators that the chief audit executive communicates to senior management and the board periodically Basic
Cognitive Learning 1. Engagement Planning A Determine engagement objectives, evaluation criteria, and the scope of the engagement Proficient B Plan the engagement to assure identification of key risks and controls Proficient C Complete a detailed risk assessment of each audit area, including evaluating and prioritizing risk and control factors Proficient D Determine engagement procedures and prepare the engagement work program Proficient E Determine the level of staff and resources needed for the engagement Proficient
Cognitive Learning 1. Information Gathering A Gather and examine relevant information (review previous audit reports and data, conduct walk-throughs and interviews, perform observations, etc.) as part of a preliminary survey of the engagement area Proficient B Develop checklists and risk-and-control questionnaires as part of a preliminary survey of the engagement area Proficient C Apply appropriate sampling (nonstatistical, judgmental, discovery, etc.) and statistical analysis techniques Proficient 2. Analysis and Evaluation A Use computerized audit tools and techniques (data mining and extraction, continuous monitoring, automated workpapers, embedded audit modules, etc.) Proficient B Evaluate the relevance, sufficiency, and reliability of potential sources of evidence Proficient C Apply appropriate analytical approaches and process mapping techniques (process identification, workflow analysis, process map generation and analysis, spaghetti maps, RACI diagrams, etc.) Proficient D Determine and apply analytical review techniques (ratio estimation, variance analysis, budget vs. actual, trend analysis, other reasonableness tests, benchmarking, etc.) Basic E Prepare workpapers and documentation of relevant information to support conclusions and engagement results Proficient F Summarize and develop engagement conclusions, including assessment of risks and controls Proficient 3. Engagement Supervision A Identify key activities in supervising engagements (coordinate work assignments, review workpapers, evaluate auditors' performance, etc.) Basic
Cognitive Learning 1. Communicating Engagement Results and the Acceptance of Risk A Arrange preliminary communication with engagement clients Proficient B Demonstrate communication quality (accurate, objective, clear, concise, constructive, complete, and timely) and elements (objectives, scope, conclusions, recommendations, and action plan) Proficient C Prepare interim reporting on the engagement progress Proficient D Formulate recommendations to enhance and protect organizational value Proficient E Describe the audit engagement communication and reporting process, including holding the exit conference, developing the audit report (draft, review, approve, and distribute), and obtaining management's response Basic F Describe the chief audit executive's responsibility for assessing residual risk Basic G Describe the process for communicating risk acceptance (when management has accepted a level of risk that may be unacceptable to the organization) Basic 2. Monitoring Progress A Assess engagement outcomes, including the management action plan Proficient B Manage monitoring and follow-up of the disposition of audit engagement results communicated to management and the board Proficient
Additional noteworthy elements related to the revised CIA Part Two exam syllabus:
- The syllabus features greater alignment with The IIA’s Performance Standards.
- The exam covers the chief audit executive’s responsibility for assessing residual risk and communicating risk acceptance.
- The largest domain is “Performing the Engagement,” which makes up 40% of the exam.
- A portion of the exam requires candidates to demonstrate a basic comprehension of concepts; another portion requires candidates to demonstrate proficiency in their knowledge, skills, and abilities.
CIA Part 2 Reference List
- The IIA’s International Professional Practices Framework
- Applying the International Professional Practices Framework, 4th edition, by Urton Anderson and Andrew J. Dahle (2018)
- Internal Auditing Assurance and Advisory Services, by Urton Anderson et. al., 5th edition (2022)
- Sawyer's Guide for Internal Auditors, 7th edition (2019)
- IIA Position Papers
- “Managing Cyber Risk in a Digital Age,” by COSO (2019)
- New Auditor’s Guide to Internal Auditing, by Bruce Turner (2019)
- Auditing Social Media: A Governance and Risk Guide, by J. Mike Jacka and Peter Scott (2019)
- Data Analysis and Sampling Simplified: A Practical Guide for Internal Auditors, by Donald Dickie (2019)
- Ready and Relevant: Prepare to Audit What Matters Most, by Timothy Berichon (2020)
- Current resources on internal auditing and relevant topics