
Three Certifications, Three Different Career Paths
The CIA, CPA, and CISA are three of the most recognised professional certifications in accounting and audit. They often come up together in conversations about career development, and they do overlap in a few ways: all three are internationally recognised, all three signal technical competence to employers, and all three require passing a multi-part exam. Beyond that, they point in quite different directions.
Understanding what each certification actually covers will help you decide which one fits where you are now and where you want to be.
The CIA (Certified Internal Auditor)
The CIA is awarded by the IIA (Institute of Internal Auditors) and is the only globally recognised certification specifically for internal auditors. It covers the theory and practice of internal auditing, including professional standards, independence, engagement planning, risk management, and business knowledge.
Exam: Three parts sat separately at Pearson VUE. Part 1 covers the foundations and professional standards, Part 2 covers audit engagement practice, and Part 3 covers broader business and IT knowledge. Each part is multiple-choice with four answer options.
Eligibility: You need an IIA membership, relevant educational qualifications, and internal audit experience (the amount depends on your education level). The IIA requires 24 months of internal audit experience for candidates with a bachelor's degree, or 12 months with a master's degree or higher.
Who it is for: Internal auditors, risk managers, and finance professionals working in or moving into internal audit roles. The CIA is recognised by employers globally, with particularly strong uptake in the United States, the Middle East (UAE, Saudi Arabia, Qatar), and Asia-Pacific markets.
Career impact: The CIA is effectively the professional standard for senior internal audit roles. CAEs (Chief Audit Executives) and internal audit managers at large organisations are usually CIA-qualified. In markets with high internal audit activity (financial services, the public sector, and Big 4 advisory practices), holding the CIA often makes the difference between reaching senior roles and plateauing at an intermediate level.
The CPA (Certified Public Accountant)
The CPA is primarily a US qualification, administered by the AICPA and the National Association of State Boards of Accountancy (NASBA). It is the standard credential for public accounting in the United States and is well regarded internationally, particularly in jurisdictions where US GAAP and SEC reporting are relevant.
Exam: Four sections: Auditing and Attestation (AUD), Business Environment and Concepts (BEC), Financial Accounting and Reporting (FAR), and Regulation (REG). All four sections use multiple-choice questions alongside task-based simulations. You must pass all four within 30 months.
Eligibility: Requirements vary by state, but typically include 150 semester hours of education (which in many states requires a 5th year of study beyond a standard bachelor's degree) and a period of supervised public accounting experience.
Who it is for: Accountants in public practice (audit, tax, advisory), finance professionals in the US, and those working with US-listed companies globally. The CPA has less direct relevance outside the US regulatory environment than within it.
Career impact: For a career in US public accounting (Big 4, mid-tier firms, corporate finance in US-headquartered companies), the CPA is largely non-negotiable. For internal audit roles, it is useful but less targeted than the CIA. Many internal auditors hold both, having started in public accounting and then moved into industry.
The CISA (Certified Information Systems Auditor)
The CISA is awarded by ISACA (formerly the Information Systems Audit and Control Association) and is the leading credential for IT audit professionals. It covers the audit and control of information systems, cybersecurity, and IT governance.
Exam: A single exam with 150 multiple-choice questions across five domains: Information System Auditing Process, Governance and Management of IT, Information Systems Acquisition and Development, Information Systems Operations and Business Resilience, and Protection of Information Assets.
Eligibility: You need five years of professional experience in IS audit, control, assurance, or security (with some substitutions allowed for education and other certifications). The CISA experience requirement is one of the most substantial of the three certifications discussed here.
Who it is for: IT auditors, cybersecurity professionals, IS compliance managers, and internal auditors who specialise in technology risk. The CISA has strong global recognition and is particularly valued in financial services, where technology audit makes up a significant part of the audit plan.
Career impact: In organisations with substantial IT infrastructure, CISA holders typically command a premium. Combined with the CIA, a CISA is a strong credential set for internal auditors who want to lead technology-focused audit work or progress to Head of IT Audit roles.
How They Compare

| Factor | CIA | CPA | CISA |
|---|---|---|---|
| Awarding body | IIA | AICPA / NASBA | ISACA |
| Exam parts | 3 (sat separately) | 4 (sat separately) | 1 |
| Question format | MCQ (4 options) | MCQ and simulations | MCQ |
| Experience required | 12–24 months internal audit | Varies by state | 5 years IS audit/control |
| Primary audience | Internal auditors | Public accountants | IT/IS auditors |
| Geographic focus | Global | US-centric | Global |
| Typical study time | 12–24 months (all 3 parts) | 12–18 months (all 4 sections) | 4–6 months |
| Approximate exam cost | $1,000–1,500 (IIA member) | $900–1,100 | $575–760 |

The cost figures are approximate and vary by region, IIA membership level, and state (for the CPA). Check the IIA, AICPA, and ISACA websites for current fees before you register.
How to Choose
If you are working in internal audit now and want the credential that most directly reflects what you do and opens the most doors in the profession, the CIA is the logical starting point. It is purpose-built for internal auditors and is recognised globally.
If you are in public accounting in the US or want to work with US-listed companies in an accounting or assurance capacity, the CPA should come first. Many internal auditors in the US who began in public accounting hold both the CPA and the CIA, having earned the CPA while in practice and added the CIA when they moved into industry.
If your internal audit work is heavily focused on IT and technology risk, the CISA complements the CIA well. Some candidates pursue the CIA first for the foundational credential and add the CISA later to specialise. Others do the reverse if they are coming from an IT background.
If you are undecided between a career in internal audit and public accounting, your employer's preferences and the industry you work in are the most practical guide. Most large organisations with internal audit functions value the CIA. US public accounting firms hire almost exclusively CPA-qualified candidates for their assurance practices.
Can You Hold All Three?
Many senior internal audit professionals hold more than one of these certifications. CIA + CPA is a common combination in the US, particularly among internal audit leaders who began in public accounting. CIA + CISA is common among IT audit specialists. The question of which to pursue first is largely about which opens the most relevant doors given where you are in your career now.
Starting with the CIA gives you a globally recognised credential that is specifically valued in internal audit and positions you to add the CISA if IT audit becomes a focus, or the CPA if you want US public accounting credibility.
Start practising CIA Part 1 questions to see what the exam covers before committing to a study plan.