The Three-Part Structure
The Certified Internal Auditor (CIA) exam is administered in three separate parts. You sit each part individually at a Pearson VUE test centre, which means you can schedule them at your own pace and focus your study on one part at a time. Most candidates spend three to six months preparing for each part, putting the full certification timeline at one to two years for a working professional.
Each part is scored separately. You need to pass all three to earn the CIA designation. There is no fixed order required, though most candidates and preparation providers recommend starting with Part 1, since it covers the foundational concepts that underpin the other two.
Part 1: Essentials of Internal Auditing
- Questions: 125 multiple-choice questions
- Time allowed: 2.5 hours
- IIA exam weight: approximately 35% of the overall CIA programme
Part 1 covers the foundations of internal auditing as a professional discipline. The content is drawn from the IIA's International Professional Practices Framework (IPPF) and the Global Internal Audit Standards (GIAS), which the IIA issued in 2024.
The domain breakdown for Part 1 is:
- Domain I — Foundations of Internal Auditing (15%): The purpose, authority, and responsibility of internal auditing, including the IPPF and the Code of Ethics.
- Domain II — Independence and Objectivity (15%): Organisational independence, individual objectivity, and managing impairments.
- Domain III — Proficiency and Due Professional Care (18%): The knowledge, skills, and competencies required of internal auditors.
- Domain IV — Quality Assurance and Improvement Programme (12%): How internal audit functions assess and improve their own performance.
- Domain V — Governance, Risk Management, and Control (20%): Core concepts including the Three Lines Model, risk appetite, and internal control frameworks.
- Domain VI — Fraud Risks (20%): Recognising indicators of fraud, the auditor's role in fraud detection, and relevant investigation concepts.
Part 1 is widely regarded as the most conceptual of the three parts. It tests whether you understand the professional standards and ethical obligations that govern internal auditing, rather than technical audit methodology. Candidates with a background in internal audit will find much of the material familiar; those coming from finance or accounting may need more time to build familiarity with the IPPF.
Practice Part 1 questions to test your knowledge across all six domains.
Part 2: Practice of Internal Auditing
- Questions: 100 multiple-choice questions
- Time allowed: 2 hours
- IIA exam weight: approximately 35% of the overall CIA programme
Part 2 shifts from theory to practice. It tests how you would plan, execute, and communicate an internal audit engagement. This is the most directly practical part of the CIA exam and draws heavily on what internal auditors do day to day.
The domain breakdown for Part 2 is:
- Domain I — Managing the Internal Audit Activity (35%): Strategic planning, staffing, budgeting, and coordinating with external auditors.
- Domain II — Planning the Engagement (25%): Risk assessment, engagement objectives, scope, and resource allocation.
- Domain III — Performing the Engagement (25%): Collecting and evaluating evidence, documenting findings, and applying sampling techniques.
- Domain IV — Communicating Engagement Results (15%): Drafting audit reports, communicating findings to management, and following up on action plans.
Part 2 has a pass rate that is broadly similar to Part 1 (both hover around 40–50%), but candidates who have been working in internal audit for several years often find it the most intuitive of the three parts. The questions are grounded in realistic audit scenarios, and experience in a functioning internal audit department is a meaningful advantage.
Practice Part 2 questions and focus on engagement planning and evidence evaluation, which together account for half the exam weight.
Part 3: Business Knowledge for Internal Auditing
- Questions: 100 multiple-choice questions
- Time allowed: 2 hours
- IIA exam weight: approximately 30% of the overall CIA programme
Part 3 covers the broader business and technical knowledge that internal auditors are expected to bring to their engagements. It has the most diverse content of the three parts, covering financial management, information technology, and quantitative methods alongside business analysis concepts.
The domain breakdown for Part 3 is:
- Domain I — Business Acumen (35%): Organisational structures, business models, financial ratios, data analytics, and strategic management.
- Domain II — Information Security (25%): IT risks, cybersecurity concepts, data governance, and the auditor's role in reviewing IT controls.
- Domain III — Information Technology (20%): System development, IT infrastructure, application controls, and emerging technologies.
- Domain IV — Financial Management (20%): Financial accounting, management accounting, cost behaviour, and capital investment appraisal.
Part 3 draws on a broader knowledge base than the other two parts, and candidates whose background is outside finance or IT sometimes find it the most challenging. Conversely, finance professionals who have moved into internal audit often find Part 3 the most accessible. The key is identifying which domains are weaker for your particular background and allocating study time accordingly.
Practice Part 3 questions to identify which domains need the most attention before your exam.
The Exam Experience at Pearson VUE
All three CIA parts are delivered as computer-based tests at Pearson VUE test centres worldwide. You can book online directly through the IIA's candidate management system, which connects to the Pearson VUE scheduling portal.
On the day, you will be asked to present two forms of identification, and the test centre will take a biometric record before you enter the testing room. You sit at a workstation with a computer and scratch paper provided. The timer is visible on screen throughout.
The questions are all multiple-choice with four answer choices (A, B, C, D). There is no penalty for incorrect answers, so you should always attempt every question. If you are unsure of an answer, use the flagging feature to mark questions for review and return to them before submitting.
Scheduling and Eligibility
To register for the CIA exam, you need to be a member of the IIA and meet the eligibility requirements (educational background and internal audit experience). Exam fees vary by IIA membership type and region; candidates who are IIA members pay lower fees than non-members.
Once registered, you have 18 months from the date of your first exam pass to complete all three parts. If you do not complete all three within that window, your previously passed parts expire and you must retake them.
The 18-month clock is a practical reason to plan your sitting order before you register rather than after. Candidates who sit Part 1 first and pass, then spend a year on Part 2, may find they are running short of time for Part 3.
A Practical Starting Point
For most candidates, the recommended approach is:
- Sit Part 1 first to build familiarity with the IPPF and the professional standards.
- Sit Part 2 next, which builds on the foundational knowledge from Part 1 and covers practical audit methodology.
- Sit Part 3 last, which requires the broadest knowledge base and is most manageable once you have the conceptual and practical foundations from Parts 1 and 2.
All three parts use multiple-choice questions exclusively, which means your preparation strategy should be built around practising under exam conditions. Passive reading of study materials is a useful start, but the candidates who pass most efficiently are those who spend the majority of their preparation time answering practice questions and reviewing the reasoning behind both correct and incorrect answers.
