100 questions | 2.0 Hours (120 minutes)
The CIA exam Part 3 includes four domains focused on business acumen, information security, information technology, and financial management. Part 3 is designed to test candidates’ knowledge, skills, and abilities particularly as they relate to these core business concepts.
Cognitive Learning 1. Organizational Objectives, Behavior, and Performance A Describe the strategic planning process and key activities (objective setting, globalization and competitive considerations, alignment to the organization's mission and values, etc.) Basic B Examine common performance measures (financial, operational, qualitative vs. quantitative, productivity, quality, efficiency, effectiveness, etc.) Proficient C Explain organizational behavior (individuals in organizations, groups, and how organizations behave, etc.) and different performance management techniques (traits, organizational politics, motivation, job design, rewards, work schedules, etc.) Basic D Describe management’s effectiveness to lead, mentor, guide people, build organizational commitment, and demonstrate entrepreneurial ability Basic 2. Organizational Structure and Business Processes A Appraise the risk and control implications of different organizational configuration structures (centralized vs. decentralized, flat structure vs. traditional, etc.) Basic B Examine the risk and control implications of common business processes (human resources, procurement, product development, sales, marketing, logistics, management of outsourced processes, etc.) Proficient C Identify project management techniques (project plan and scope, time/team/resources/cost management, change management, etc.) Basic D Recognize the various forms and elements of contracts (formality, consideration, unilateral, bilateral, etc.) Basic 3. Data Analytics A Describe data analytics, data types, data governance, and the value of using data analytics in internal auditing Basic B Explain the data analytics process (define questions, obtain relevant data, clean/normalize data, analyze data, communicate results) Basic C Recognize the application of data analytics methods in internal auditing (anomaly detection, diagnostic analysis, predictive analysis, network analysis, text analysis, etc.) Basic
Cognitive Learning 1. Information Security A Differentiate types of common physical security controls (cards, keys, biometrics, etc.) Basic B Differentiate the various forms of user authentication and authorization controls (password, two-level authentication, biometrics, digital signatures, etc.) and identify potential risks Basic C Explain the purpose and use of various information security controls (encryption, firewalls, antivirus, etc.) Basic D Recognize data privacy laws and their potential impact on data security policies and practices Basic E Recognize emerging technology practices and their impact on security (bring your own device [BYOD], smart devices, internet of things [IoT], etc.) Basic F Recognize existing and emerging cybersecurity risks (hacking, piracy, tampering, ransomware attacks, phishing attacks, etc.) Basic G Describe cybersecurity and information security-related policies Basic
Cognitive Learning 1. Application and System Software A Recognize core activities in the systems development lifecycle and delivery (requirements definition, design, developing, testing, debugging, deployment, maintenance, etc.) and the importance of change controls throughout the process Basic B Explain basic database terms (data, database, record, object, field, schema, etc.) and internet terms (HTML, HTTP, URL, domain name, browser, click-through, electronic data interchange [EDI], cookies, etc.) Basic C Identify key characteristics of software systems (customer relationship management [CRM] systems; enterprise resource planning [ERP] systems; and governance, risk, and compliance [GRC] systems; etc.) Basic 2. IT Infrastructure and IT Control Frameworks A Explain basic IT infrastructure and network concepts (server, mainframe, client-server configuration, gateways, routers, LAN, WAN, VPN, etc.) and identify potential risks Basic B Define the operational roles of a network administrator, database administrator, and help desk Basic C Recognize the purpose and applications of IT control frameworks (COBIT, ISO 27000, ITIL, etc.) and basic IT controls Basic 3. Disaster Recovery A Explain disaster recovery planning site concepts (hot, warm, cold, etc.) Basic B Explain the purpose of systems and data backup Basic C Explain the purpose of systems and data recovery procedures Basic
Cognitive Learning 1. Financial Accounting and Finance A Identify concepts and underlying principles of financial accounting (types of financial statements and terminologies such as bonds, leases, pensions, intangible assets, research and development, etc.) Basic B Recognize advanced and emerging financial accounting concepts (consolidation, investments, fair value, partnerships, foreign currency transactions, etc.) Basic C Interpret financial analysis (horizontal and vertical analysis and ratios related to activity, profitability, liquidity, leverage, etc.) Proficient D Describe revenue cycle, current asset management activities and accounting, and supply chain management (including inventory valuation and accounts payable) Basic E Describe capital budgeting, capital structure, basic taxation, and transfer pricing Basic 2. Managerial Accounting A Explain general concepts of managerial accounting (cost-volume-profit analysis, budgeting, expense allocation, cost- benefit analysis, etc.) Basic B Differentiate costing systems (absorption, variable, fixed, activity-based, standard, etc.) Basic C Distinguish various costs (relevant and irrelevant costs, incremental costs, etc.) and their use in decision making Basic
Additional noteworthy elements related to the revised CIA Part Three exam syllabus:
- The number of topics covered on the Part Three exam has been greatly refocused to the core areas that are most critical for internal auditors.
- The exam syllabus features a new subdomain on data analytics.
- The information security portion of the exam has been expanded to include additional topics such as cybersecurity risks and emerging technology practices.
- The largest domain is “Business Acumen,” which makes up 35% of the exam.
- A portion of the exam requires candidates to demonstrate a basic comprehension of concepts; another portion requires candidates to demonstrate proficiency in their knowledge, skills, and abilities.
CIA Part 3 Reference List
- The IIA’s International Professional Practices Framework
- Applying the International Professional Practices Framework, 4th edition, by Urton Anderson and Andrew J. Dahle (2018)
- Internal Auditing Assurance and Advisory Services, by Urton Anderson et. al., 5th edition (2022)
- Sawyer's Guide for Internal Auditors, 7th edition (2019)
- COSO frameworks and whitepapers
- Understanding Management, by Richard Daft and Dorothy Marcic, 12th ed (2022)
- Data Analysis and Sampling Simplified: A Practical Guide for Internal Auditors, by Donald Dickie (2019)
- ISACA framework and guidance
- Principles of Information Security, by Michael Whitman and Herbert Mattord (2021)
- IT Auditing: Using Controls to Protect Information Assets, by Chris Davis, Mike Schiller, and Kevin Wheeler (2019)
- Internal Audit of the Future: The Impact of Technology and Innovation, by A. Michael Smith (2019)
- Fundamentals of IT Audit for Operational Auditors (2022)
- National Institute of Standards and Technology (NIST) framework
- Privacy and Data Protection: Internal Audit’s Role in Establishing a Resilient Framework, by IIA Foundation and Crowe (2020)
- Accounting Principles, by Jerry Weygandt, Paul Kimmel, and Donald Kieso, 14th edition (2020)
- IIA Position Papers
- Ready and Relevant: Prepare to Audit What Matters Most, by Timothy Berichon (2020)
- Project Management Body of Knowledge (PMBOK) Guide, by Project Management Institute
- Performance Auditing: Measuring Inputs, Outputs, and Outcomes, by Stephen Morgan, Ronell Raaum, and Colleen Waring
- "Analytics: Good Practices for (smaller) IAFs," by IIA-Netherlands
- Auditing Social Media: A Governance and Risk Guide, by J. Mike Jacka and Peter Scott (2019)
- Auditing the Procurement Function by David O'Regan
- Current resources on internal auditing and relevant topics