
CIA (Certified Internal Auditor): Study Guide


A practical, step-by-step plan to take CIA from "interested" to exam-ready - the mechanics, what to study in what order, how to practise, and how to know you are ready.

By The Exam Atlas Editorial Team · Verified 2026-06-07

Study plans by timeline

Part 1: 6-8 weeks
At ~10-12 hrs/week, cover the foundations in 4-5 weeks, then spend 2-3 weeks on timed multiple-choice practice. Part 1 is conceptual, so drill definitions and the governance, risk and control material hard.
Part 2: 5-7 weeks
At ~8-10 hrs/week, work through the engagement lifecycle, then practise scenario-style multiple-choice. Part 2 rewards understanding the order and purpose of audit steps, not memorising lists.
Part 3: 8-10 weeks
Part 3 has the widest scope (business, finance, IT, management), so budget the most time. Spend the first weeks shoring up your weakest area - often IT or financial management - before broad practice.
All three parts: ~6-9 months
A sustainable working pace: one part at a time, a few weeks of focused study plus practice for each, with a short gap between parts. This keeps each part fresh for its exam without burning out.
Accelerated: ~3-4 months
Possible for experienced internal auditors studying near full-time. Take the parts back to back, but only open each 180-day scheduling window when you are ready to sit that part.
Within the 3-year limit
You have three years from acceptance to complete all parts and requirements. Plan comfortably inside that, and log the qualifying experience you need in parallel through your job.

What to study, in order

Step 0 - Check eligibility and register
Before studying, confirm you meet the education-plus-experience route (or the student path) and apply to the CIA programme. You have three years from acceptance to finish, and 180 days to schedule each part once you register for it, so do not register for a part until you are ready to study it.
Step 1 - Part 1: Essentials of Internal Auditing
Start here. Part 1 (125 questions, 2.5 hours) covers the foundations: purpose and mandate, independence and objectivity, proficiency and due care, the quality programme, governance, risk and control, and fraud risk. It anchors the vocabulary used in Parts 2 and 3.
Step 2 - Part 2: Practice of Internal Auditing
Part 2 (100 questions, 2 hours) is the engagement lifecycle: managing the internal audit activity, planning and performing engagements, gathering evidence and communicating results. It builds directly on Part 1.
Step 3 - Part 3: Business Knowledge for Internal Auditing
Part 3 (100 questions, 2 hours) is the broadest: business acumen and financial management, information technology and information security, and management and leadership topics. Many candidates find it the widest in scope, so leave room for unfamiliar areas.
Throughout - Plan around scaled scoring
Each part is marked on a scaled score from 250 to 750 with a passing line of 600. Aim for confident, even coverage of every domain rather than betting on a single strong topic, because the conversion rewards broad correctness.

The CIA (Certified Internal Auditor) is the leading global credential for internal auditors, awarded by the Institute of Internal Auditors (IIA), and it is worth saying at the outset that it has nothing to do with any intelligence agency: it certifies skill in internal audit, risk, and control. It is not a memorisation exam. It tests whether you understand the purpose and discipline of internal auditing well enough to apply it to realistic situations, so the goal of studying is to grasp how the profession thinks (independent, objective, risk-focused, standards-based) and then to drill that understanding through large volumes of multiple-choice practice. This guide is a full, self-study course: it walks through the three parts in depth, explains the concepts the questions are built on, and turns all of it into a part-by-part plan. It is original teaching material and study guidance only. It contains no real or simulated exam questions. The IIA revised its professional framework recently (the Global Internal Audit Standards, effective for quality assessments from January 2025, with the exam updated in 2025), so you should always confirm the current part structure and domain weightings against The IIA’s own CIA exam syllabus before you book.

Chapter 1: Exam overview and how to use this guide

What the CIA actually measures

The CIA measures whether you can perform and understand internal auditing to a global professional standard: evaluating and improving an organisation’s governance, risk management, and control, independently and objectively. That definition is worth memorising because it is the lens for almost every question. Internal audit is an independent, objective assurance and consulting activity that adds value by helping an organisation accomplish its objectives, and the exam keeps testing whether you have internalised the consequences of that role: that the auditor must be free from conflicts, must base conclusions on evidence, and must focus effort where risk is greatest.

The qualification is three computer-based, multiple-choice parts, taken in a sensible order. Part 1, Essentials of Internal Auditing, sets the foundations and the professional framework. Part 2, Practice of Internal Auditing, covers how an audit is actually run, from managing the function to performing a single engagement. Part 3, Business Knowledge for Internal Auditing, covers the wider business context an auditor must understand, from finance to IT to leadership. The names and emphasis are aligned to the IIA’s standards, which were updated in 2025, so this course teaches the stable concepts and points you to the official syllabus for the current domain weightings.

The shape of the three papers

The parts differ in length. Part 1 is 125 questions in 2.5 hours; Parts 2 and 3 are 100 questions in 2 hours each. All three are entirely multiple-choice and delivered at Pearson VUE test centres. Scoring is on a scaled range from 250 to 750, and you need a scaled 600 to pass each part. The scaled score is not a simple percentage: raw scores are converted onto the scale so that 600 is a consistent passing line across parts and across different versions of the exam. The practical lesson from scaled scoring is that you should aim for confident, even coverage of every topic rather than betting on a single strong area, because the conversion rewards broad correctness.

How to use this course

Read the three part chapters (2 to 4) in order, because Part 1’s vocabulary underpins Parts 2 and 3. Treat the bold terms as a checklist: by the end you should be able to define each one and say how it shapes an auditor’s behaviour. Chapter 5 covers eligibility, scoring strategy, and keeping the credential active, and the last two chapters turn the content into a schedule and a description of exam day. Worked illustrations appear where a concept is easy to misread, but none of these are exam questions. They are teaching examples that show how the idea behaves. Throughout, remember that the framework was recently revised, so verify any specific weighting against the current IIA syllabus rather than older notes.

Chapter 2: Part 1 - Essentials of Internal Auditing

Part 1 establishes the professional foundations that the rest of the credential assumes, which is why it comes first and why its vocabulary repays careful study. It is conceptual rather than procedural, so the work here is understanding definitions and principles precisely, because the later parts use them constantly.

Independence, objectivity, and the mandate

The foundation of the whole profession is the pairing of independence and objectivity. Independence is an attribute of the audit function: it should be positioned in the organisation, typically reporting functionally to the board or its audit committee, so that it is free from interference in deciding what to audit and what to conclude. Objectivity is an attribute of the individual auditor: an unbiased mental attitude that avoids conflicts of interest. The two are distinct and the exam tests the distinction. You also study the internal audit mandate, the authority and responsibility granted to the function (historically expressed through an internal audit charter), and the requirements of proficiency and due professional care, meaning auditors must have the competence to do the work and must apply appropriate care and skill in doing it. As a teaching example of the independence-versus-objectivity distinction: an auditor asked to audit a process they themselves designed last year has an objectivity problem (a personal conflict) even if the function as a whole is independent, and a question may turn on recognising that the threat is to the individual’s objectivity, not the function’s independence.

Governance, risk management, and control

The largest conceptual block in Part 1 is the trio of governance, risk management, and control, because evaluating and improving these is internal audit’s core purpose. Governance is the combination of processes by which an organisation is directed and held accountable. Risk management is the process of identifying, assessing, and responding to the risks that could prevent objectives being met, and you should know the standard responses: an organisation can accept, avoid, reduce (mitigate), or share (transfer) a risk. Control is the set of activities that provide reasonable assurance objectives will be achieved. Two refinements recur: the difference between inherent risk (the risk before any controls) and residual risk (what remains after controls), and the idea of risk appetite, the amount of risk an organisation is willing to accept in pursuit of its goals. A widely used organising model here is the three lines view, which separates the roles of operational management (the first line), risk and compliance functions (the second line), and internal audit (the third, independent line). As a teaching example of why residual risk matters: internal audit’s interest is usually in whether residual risk sits within the organisation’s appetite, because a risk with strong controls may be perfectly acceptable while a minor-looking risk with no controls may not be, and a question that hands you inherent risk, controls, and appetite is testing whether you reason to residual risk.

The quality programme and fraud

Part 1 also covers the quality assurance and improvement programme, the requirement that the audit function assess and improve its own work through internal monitoring and periodic external assessments, so that its claim to professionalism is itself assured. And it covers fraud risk and the auditor’s role in relation to it: understanding how fraud occurs, the controls that deter it, and the auditor’s responsibility to be alert to fraud indicators, while recognising that detecting fraud is not the same as auditing for it. The unifying theme of Part 1 is that internal audit earns its assurance role by being independent, competent, risk-focused, and self-critical.

Chapter 3: Part 2 - Practice of Internal Auditing

Part 2 turns the principles of Part 1 into practice: how the internal audit function is run and how a single engagement is carried out from start to finish. It rewards understanding the order and purpose of audit steps rather than memorising lists, because the questions are often about what an auditor should do at a given point.

Managing the internal audit activity

Before any single audit, someone has to run the function, and Part 2 covers that management layer. This includes risk-based planning, building the audit plan around where the organisation’s risks are greatest rather than auditing everything equally, as well as resourcing the function, coordinating with other assurance providers, and reporting to senior management and the board. The principle that connects these is that audit effort is a scarce resource to be aimed at risk, which is the practical expression of the risk focus established in Part 1.

The engagement lifecycle

The heart of Part 2 is the engagement lifecycle, the sequence a single audit follows, and knowing this order cold is the most valuable thing you take from the part. Planning comes first: you understand the area, set the engagement’s objectives and scope, assess the risks specific to it, and design the work. Performing comes next: you gather audit evidence through testing and analysis sufficient to support your conclusions, and you document what you find in workpapers. Communicating comes last: you report results, with findings typically framed around a structure of criteria (what should be), condition (what is), cause (why the gap exists), and effect (why it matters), followed by recommendations. After reporting, the function monitors that management has acted on agreed issues. As a teaching example of why the order matters: an auditor who has not yet assessed the engagement’s risks cannot sensibly decide which tests to run, so a question asking what to do “next” after defining objectives points toward risk assessment and planning the procedures, not toward jumping straight to testing. Study Part 2 by being able to narrate an engagement end to end and explain the purpose of each step.

Chapter 4: Part 3 - Business Knowledge for Internal Auditing

Part 3 covers the wider business knowledge an internal auditor needs to audit competently across an organisation, and it is usually the widest-ranging part, which is why it typically deserves the most study time. The reason for its breadth is simple: an auditor may be asked to look at any part of a business, so they need working literacy in finance, technology, and how organisations run.

Business acumen and financial management

One major strand is business acumen and financial management: understanding organisational objectives and strategy, the basics of financial accounting and managerial accounting, and how to read the numbers a business produces. You are not expected to be an accountant, but you should understand financial statements well enough to spot what they imply, grasp budgeting and costing concepts, and connect financial measures to the risks they signal. This strand often draws on the same accounting ideas that appear in finance credentials, applied through an audit lens, namely asking what could go wrong and how it would show up.

Information technology and security

A second major strand is information technology and information security, reflecting how much of modern risk is technological. You study IT general controls, application controls, the basics of how systems and data are managed, cyber and information-security concepts, and business continuity and disaster recovery. The audit angle is constant: what are the controls over this technology, and do they give reasonable assurance the systems are reliable and secure? As a teaching example of the IT-control mindset: when looking at access to a financial system, an auditor focuses on whether controls enforce that people can only do what their role requires and that incompatible duties are separated, because weak access control is a classic route to error and fraud, and a question may test whether you identify that as the key risk.

Leadership, communication, and how to study the breadth

A third strand covers management, leadership, and communication: organisational structures, how people are managed and motivated, and how auditors communicate effectively, which matters because findings only create value if they are understood and acted upon. Because Part 3 is so broad, the efficient way to study it is to identify your weakest area first, often IT for those from a finance background or finance for those from an IT background, and shore it up before broad practice. The unifying idea is that an auditor must understand the business to audit it well, and Part 3 is where that understanding is tested.

Chapter 5: Eligibility, scoring strategy, and keeping the credential

The exam sits inside a wider set of requirements, and getting these right matters as much as the studying, because the credential is only awarded when both the exams and the experience are in place.

Eligibility and the experience requirement

The CIA combines education and experience. A common route is a bachelor’s degree plus two years of internal-audit experience; a master’s degree reduces the experience to one year, and five years of internal-audit experience can qualify without a degree. Final-year bachelor’s students and eligible graduate students may sit the exam before completing the education requirement, meeting it afterwards. The important consequence is that the credential is only awarded once the experience requirement is met, so if you pass as a student, plan how you will log qualifying internal-audit experience. You have three years from acceptance into the programme to complete all requirements, and 180 days to schedule each part once you register for it, so confirm the current rules with The IIA before you apply.

A scoring strategy that fits the exam

Because each part is scored on a scaled 250-750 range with a 600 pass line, the right strategy is broad, even competence rather than a single strong topic. Chasing a high percentage in your comfort area while leaving gaps elsewhere is risky, because the conversion to the scaled score rewards getting a solid share of questions right across the whole syllabus. This is also why covering every domain, and confirming the current domain weightings on the IIA syllabus, beats guessing where the marks are concentrated.

Keeping the credential active

The CIA does not expire on a fixed date, but it must be kept active through continuing professional education (CPE): 40 CPE hours per year if you are practising, including 2 hours of ethics, or 20 hours per year if non-practising, self-reported to The IIA each year. Letting it lapse triggers reinstatement steps, so build CPE into your routine from the start. Treating CPE as ongoing rather than a deadline keeps your knowledge current in a field whose standards and risks evolve.

Chapter 6: Study plan and timeline

With the content and requirements understood, the remaining work is pacing the three parts. Two facts drive the plan: the parts have a sensible order, and each has its own 180-day scheduling window once you register, so there is little benefit to opening several windows at once.

Sequence the parts and budget the hours

Take the parts in order: Part 1 first because it sets the vocabulary, Part 2 next for the engagement lifecycle, and Part 3 last because it is the broadest and usually needs the most time. In weeks, Part 1 (125 questions, 2.5 hours) suits roughly six to eight weeks of focused study; Part 2 (100 questions, 2 hours) is often a little shorter; and Part 3 (100 questions, 2 hours) typically needs the most time because of its business, finance, and IT breadth. Most candidates take several months to around two years across all three, depending on pace. Register for a part only when you are ready to study it, because the scheduling window starts at registration and a window opened too early is wasted. To turn this into dated weeks for your own start date, use the free study-plan generator. If you are still deciding between internal audit and US public accounting before you commit, the CIA vs CPA comparison covers scope, portability, and cost.

Practise broadly and review why

Reserve the final weeks of every part for timed multiple-choice practice, and review not just whether you got a question right but why each option is right or wrong, because that reasoning is the most useful preparation for an entirely multiple-choice exam. Cover every domain rather than betting on a strong topic, in line with how the scaled scoring works, and pay extra attention to Part 3’s weakest-for-you area. Run your qualifying internal-audit experience alongside the exams through your day job, so the credential can be awarded as soon as your parts are passed.

Chapter 7: Final preparation and exam day

Final preparation

In the last weeks before each part, shift from learning to full, timed multiple-choice sets at the real question count and time limit, so the pacing is automatic on the day. Use these sets as a diagnosis: note which domains leak marks and revise those, and aim to be answering confidently across the whole syllabus before you book, since the scaled 600 pass line rewards broad correctness rather than a single peak. Confirm the current syllabus and any domain-weighting updates on The IIA’s site, because the framework was revised in 2025 and you want no surprises about emphasis.

Exam day and format

On the day, each part is a computer-based, multiple-choice exam at a Pearson VUE test centre, by appointment, with most centres open year-round; online remote proctoring has been discontinued, so plan to attend a centre. Watch your pacing: Part 1 gives 2.5 hours for 125 questions, Parts 2 and 3 give 2 hours for 100, which is roughly a minute or so per question, so practise eliminating wrong options quickly and flag-and-return rather than stalling. Results for the multiple-choice parts are typically available on screen at the centre. Apply the discipline you built over the weeks of study: read each question for what it actually asks, reason from internal audit’s independent, risk-focused purpose, and choose the answer that reflects how a competent auditor behaves. Having practised at full length and confirmed the current syllabus against The IIA, the format will feel familiar rather than overwhelming, which is exactly the advantage the preparation was meant to buy.

Key concepts to master

Three parts
Essentials of Internal Auditing, Practice of Internal Auditing, and Business Knowledge for Internal Auditing.
Question counts
Part 1 has 125 questions; Parts 2 and 3 have 100 each. All multiple-choice.
Passing score
A scaled score of 600 (on a 250-750 range) is needed on each part.
Eligibility
A mix of education and internal-audit experience; final-year students can sit the exam early.
CPE
40 CPE hours a year to stay active if practising (2 in ethics), or 20 if non-practising.

What you should be able to do

By exam day, you should be able to:

  • Explain the purpose, mandate, independence and objectivity of internal audit
  • Apply governance, risk management and control concepts
  • Recognise fraud risks and the auditor's role
  • Plan, perform and communicate an audit engagement
  • Apply business, financial and IT knowledge to audit scenarios
  • Pace and answer multiple-choice questions under time pressure

How to practise

Practise large banks of multiple-choice questions under timed conditions, and review why each option is right or wrong, not just the answer. The CIA is entirely multiple-choice, so question technique and pacing matter as much as content.

  • Practise actively from early on - recall and apply, don't just re-read.
  • Each week, review the previous week's weak spots before moving on.
  • Do at least one full-length, timed mock near the end, then a second after fixing weak areas.
  • Warm up with our original CIA practice questions (concept checks, not exam dumps).

We never publish exam dumps or "real" questions. Use official practice and reputable providers for question banks.

Are you ready? (readiness checklist)

  • You score at or above the pass mark (a scaled score of 600 on the 250-750 range, on each part) on full-length, timed mocks - consistently, not once.
  • No more than one or two weak domains remain, and you know exactly which.
  • You can explain why the wrong options are wrong, not just spot the right one.
  • You've completed at least one full-length mock under real time pressure.
  • You could pass next week, not only on the day you crammed.

On exam day

Computer-based multiple-choice at a Pearson VUE test centre, by appointment, with most centres open year-round. Online remote proctoring has been discontinued, so plan to attend a centre. You have 180 days to schedule each part after you register for it. Results for multiple-choice parts are typically available on screen at the centre.

  • Arrive early at the test centre and have valid ID ready.
  • Budget your time per question and keep moving - don't sink minutes into one item.
  • Where the format allows, flag hard questions and return to them rather than stalling.
  • Read scenario and performance-based questions twice: work out what is actually asked first.
  • Taper in the final days - light review and rest beat an all-nighter.

Common mistakes to avoid

  • Registering for a part before you are ready, then losing the 180-day scheduling window.
  • Treating Part 3 as an afterthought - its business and IT scope is wide.
  • Chasing a percentage instead of broad coverage, when scoring is scaled to 600.
  • Forgetting the experience requirement, which is needed to be awarded the credential.

Resource stack

Start with the free and official resources above. Paid courses and question banks help if you want structure, but they are optional, not required to pass.

What to study next

The CIA is the global standard for internal audit. If you are weighing it against US public accounting, compare CIA vs CPA before committing.

FAQ

How long does the CIA take?
Most candidates take several months to around two years across the three parts. You have three years from acceptance into the programme to complete every requirement.
What is the CIA passing score?
A scaled score of 600 on a 250-750 range, applied to each part. It is not a flat percentage - raw scores are converted to the scale.
Do I need experience for the CIA?
Yes, to be awarded the credential. A common route is a bachelor's degree plus two years of internal-audit experience; a master's reduces it to one year, and five years of experience can qualify without a degree. Students in their final year can sit the exam first.
Which CIA part should I take first?
Part 1, Essentials of Internal Auditing. It sets the foundations and vocabulary that Parts 2 and 3 assume, so taking it first makes the later parts easier.
How many CIA parts can I study at once?
There is no rule against registering for more than one, but most candidates take the parts one at a time and in order. Remember each part has its own 180-day scheduling window once you register, so do not open a window you cannot use.
Can I self-study for the CIA?
Yes. Many candidates self-study using the official syllabus and practice questions, especially working internal auditors who already know the field. Allow extra time for Part 3 if its business or IT topics are outside your day job.
