
CIA Part 1 Exam Guide 2026: GIAS-Aligned Internal Audit Fundamentals

The complete 2026 CIA Part 1 guide: 125 questions, 2.5 hours, 2025 GIAS-aligned syllabus (Foundations 35%, Ethics 20%, GRC 30%, Fraud 15%), pass rate 44%, eight-week plan, and FREE practice.

Ran Chen, EA, CFP®
April 21, 2026

Key Facts

  • CIA Part 1 contains 125 multiple-choice questions with a 150-minute (2.5 hour) time limit.
  • The 2025 syllabus renamed Part 1 from Essentials of Internal Auditing to Internal Audit Fundamentals.
  • Part 1 has four sections: Foundations 35%, Ethics and Professionalism 20%, Governance/Risk/Control 30%, Fraud 15%.
  • The passing score is a scaled 600 out of 750, corresponding to roughly 75% raw correct.
  • 2026 Part 1 fee is $310 for IIA members and $445 for non-members, plus a $120/$240 application fee.
  • The Global Internal Audit Standards replaced the IPPF on January 9, 2025 with 5 Domains, 15 Principles, 52 Standards.
  • The latest IIA-reported Part 1 pass rate is approximately 44%, making it the hardest of the three CIA parts.
  • From April 1, 2026, candidates receive one official result within three weeks; no preliminary score at the center.
  • The unified CIA Challenge Exam launches June 1, 2026 at $845 for members and $1,245 for non-members.
  • Practicing CIAs must earn 40 CPE per year; non-practicing CIAs must earn 20 CPE per year.

CIA Part 1 in 2026: The Only Guide That Reflects the 2025 GIAS-Aligned Syllabus

If you started studying for the Certified Internal Auditor (CIA) Part 1 exam from a book printed before 2025, you are studying outdated material. The Institute of Internal Auditors (IIA) released the Global Internal Audit Standards (GIAS) on January 9, 2024, with mandatory effectiveness on January 9, 2025, replacing the legacy International Professional Practices Framework (IPPF). On May 28, 2025, the IIA rolled out the new 2025 CIA exam syllabus — and Part 1 was renamed from Essentials of Internal Auditing to Internal Audit Fundamentals, collapsed from six sections into four, and fully re-mapped onto GIAS Domains I-V.

In 2026 the exam tests GIAS language, GIAS domain structure, and GIAS-era ethics wording. Study the wrong framework and your scenario answers will look almost-right to a test bank author and completely wrong to the IIA's scoring engine.

This guide is written from the 2025 syllabus forward. It walks through every weighted section, decodes the GIAS transition, explains the new April 1, 2026 scoring policy (no more preliminary scores at the test center), highlights the June 1, 2026 unified CIA Challenge Exam, and gives you a realistic eight-to-twelve week study plan that most working auditors can complete alongside a 40-hour job. Everything is free. No email gate, no upsell.

CIA Part 1 At-a-Glance (2026)

Component | 2026 Detail
Official name (2025 syllabus) | Internal Audit Fundamentals (formerly Essentials of Internal Auditing)
Framework | Global Internal Audit Standards (GIAS), effective January 9, 2025
Syllabus version | 2025 CIA syllabus (testable in English from May 28, 2025)
Questions | 125 multiple choice
Time limit | 2 hours 30 minutes (150 minutes)
Passing score | Scaled 600 out of 750 (approximately 75% raw)
Exam fee (IIA member) | $310 USD
Exam fee (non-member) | $445 USD
Application fee | $120 member / $240 non-member (one-time)
Vendor | Pearson VUE (center or online proctored)
Eligibility | 4-year degree + 2 yrs experience, or alternative pathways
CPE to maintain | 40 CPE/year practicing, 20 CPE/year non-practicing
Program eligibility window | 3 years from application acceptance
Global Part 1 pass rate (latest IIA) | Approximately 44%
Score reporting (from 1 April 2026) | Single official result within 3 weeks; no preliminary score at center
Languages | English, Arabic, Simplified/Traditional Chinese, French, German, Japanese, Korean, Polish, Portuguese, Russian, Spanish, Thai, Turkish


What the CIA Actually Is (And Why Employers Care)

The Certified Internal Auditor is the only globally recognized certification for internal auditors. It is issued by The Institute of Internal Auditors (IIA), the profession's standard-setter, and it signals to employers, audit committees, and regulators that the holder has demonstrated command of governance, risk, control, and the Global Internal Audit Standards.

Three things make the CIA different from adjacent credentials:

  1. It is globally portable. The same exam is administered in more than 100 countries. A CIA in Dubai, Johannesburg, Frankfurt, or Toronto means the same thing as a CIA in Chicago.
  2. It is the IIA's credential. Unlike CPA (state boards) or CFA (a third-party institute), the CIA comes directly from the body that writes the Standards you are tested on. When GIAS changed, the exam changed with it — on the IIA's own timeline.
  3. It is required or strongly preferred at Big 4 internal audit practices, Fortune 500 internal audit departments, and public-sector audit functions. Many job descriptions for senior internal auditor, audit manager, and Chief Audit Executive (CAE) list CIA as required.

The Big Change in 2025 — GIAS Replaced IPPF

From 1978 until January 9, 2025, the profession ran on the IPPF, a layered architecture of Core Principles, Definition of Internal Auditing, Code of Ethics, Standards, Implementation Guidance, and Supplemental Guidance. The IPPF had more than 50 individual Standards numbered in the 1000s and 2000s (for example, Standard 1100 Independence and Objectivity, Standard 2010 Planning).

The GIAS consolidates all of that into one integrated framework with five Domains:

GIAS Domain | Title | What It Covers
Domain I | Purpose of Internal Auditing | The role, value, and mission of internal audit
Domain II | Ethics and Professionalism | Principles (Integrity, Objectivity, Competency, Due Professional Care, Confidentiality)
Domain III | Governing the Internal Audit Function | Board oversight, CAE responsibilities, internal audit mandate
Domain IV | Managing the Internal Audit Function | Strategic planning, resources, quality, performance
Domain V | Performing Internal Audit Services | Engagement planning, conducting, communicating, monitoring

Every domain contains Principles, each Principle contains Standards, and each Standard has Requirements and Considerations for Implementation. The CIA Part 1 exam now cites Principles and Standards by number (for example, Principle 1 under Domain II, or Standard 8.1 under Domain IV) instead of the old IPPF 1000/2000 numbering.

What this means for exam candidates: any study material printed before mid-2024 is using IPPF language. Answer choices that sound familiar but cite "Standard 1130" (impairment to independence under IPPF) will be distractors. You need the GIAS-era wording: "Principle 2 — Maintain Objectivity," Standard 2.2 Safeguarding Objectivity. More on this in the Domain Deep Dive below.


The Three-Part CIA Structure (2025 Syllabus)

The CIA is a three-exam credential. You can sit them in any order, but most candidates take them sequentially because later parts assume earlier content. As part of the 2025 syllabus refresh, all three parts were renamed and re-scoped to better reflect GIAS-era practice.

Part | 2025 Title (formerly) | Questions | Time | Focus
Part 1 | Internal Audit Fundamentals (was: Essentials of Internal Auditing) | 125 | 2h 30m | GIAS foundations, ethics and professionalism, governance/risk/control, fraud
Part 2 | Internal Audit Engagement (was: Practice of Internal Auditing) | 100 | 2h | Engagement planning; information gathering, analysis, and evaluation; supervision and communication
Part 3 | Internal Audit Function (was: Business Knowledge for Internal Auditing) | 100 | 2h | Internal audit operations, internal audit plan, quality of the IA function, engagement results and monitoring

Part 1 is the conceptual foundation. It is the shortest part to study if you are already a practicing internal auditor, and the longest if you are coming from external audit or a non-audit background, because it introduces GIAS vocabulary that will feel alien if you are used to PCAOB, AICPA, or ISA frameworks.

The June 2026 Unified CIA Challenge Exam

Effective June 1, 2026, the IIA consolidates the CIA Challenge Exam into a single unified exam administered to all Challenge-pathway candidates regardless of eligibility route (CPA, ACCA, etc.), fully aligned with GIAS. The application pilot runs April 1 through September 30, 2026, with testing windows in June, September, and November 2026. If you qualify for the Challenge path, evaluate whether the one-exam Challenge route ($845 member / $1,245 non-member) fits your timeline better than the standard three-part CIA.


Who Should Take the CIA

The CIA is deliberately broad. The IIA designs it for anyone performing assurance or consulting work over governance, risk management, or control processes. In practice, the audiences who get the strongest ROI are:

  • Current internal auditors at any level (staff, senior, manager, director, CAE). In many departments it is an unspoken requirement for promotion past senior.
  • External auditors transitioning to industry internal audit. CPA-qualified candidates often pick up CIA within 18 months of moving into a corporate IA role.
  • Risk, compliance, and SOX professionals who want to formalize their understanding of the Three Lines Model and COSO frameworks.
  • Financial analysts and accountants rotating into internal audit as part of a finance leadership development program.
  • Government auditors, inspectors general staff, and public-sector risk professionals — GIAS is the reference framework for most supreme audit institutions.
  • Consulting staff at Big 4 internal audit outsourcing or co-sourcing practices (Deloitte, PwC, EY, KPMG, Protiviti, Grant Thornton, BDO, RSM).

Who Should Not Pursue the CIA

If you are a career external auditor with no plans to move into internal audit or IA consulting, the CIA is probably not the best use of study time — focus on CPA, CA, or ACCA. If you are heading into IT audit or cybersecurity audit as a long-term specialty, CISA may be a better primary credential (though many IT auditors hold both CIA and CISA).


Eligibility, Application, and the CIA Program Ethics

Education and Experience

The IIA accepts multiple pathways. You must meet one of the following:

Education | Experience Required
Master's degree or equivalent | 1 year internal audit or equivalent
Four-year degree (Bachelor's) or equivalent | 2 years internal audit or equivalent
Active Internal Audit Practitioner designation | 5 years internal audit or equivalent
No degree | 7 years internal audit or equivalent

"Equivalent experience" means assurance, compliance, risk, external audit, QA, fraud investigation, or information systems audit. You can sit the exam before you complete the experience requirement — you just cannot be certified until you do.

Application Steps

  1. Create an account on the IIA Certification Candidate Management System (CCMS).
  2. Submit your education documentation (degree certificate or transcript) and proof of character.
  3. Get a character reference signed by an active CIA, CCSA, CGAP, CFSA, CRMA, or a supervisor (at IIA's discretion).
  4. Pay the program application fee ($120 IIA member / $240 non-member — confirm regional pricing).
  5. Once approved, you enter the three-year program window during which you must pass all three parts.
  6. Register for Part 1, schedule via Pearson VUE, and pay the exam fee ($310 member / $445 non-member).
  7. Watch for the May 2026 promo — The IIA historically offers a 20% member discount on new application and exam registration fees (code varies, e.g. "May20%") for a limited window. Excluded countries apply.

CIA Program Ethics — Do Not Overlook This

When you apply you sign the IIA Code of Ethics and commit to the CIA Candidate Code of Conduct. The IIA takes violations seriously, including posting questions on forums after the exam, discussing exam content, using brain dumps, or misrepresenting experience. Reports of these have ended candidate eligibility.

The Code of Ethics itself is testable on Part 1. Memorize the four principles: Integrity, Objectivity, Confidentiality, Competency. You will see them again in the Foundations and Ethics content.


Part 1 Syllabus Deep Dive (2025 Syllabus, GIAS-Aligned)

The 2025 CIA syllabus (testable from May 28, 2025 and fully rolled out globally by Q3 2026) compresses Part 1 from six sections into four weighted sections. Weights are approximate and the IIA reserves the right to adjust annually.

# | Content Area (2025 Syllabus) | Weight | GIAS Anchor | 2019-Syllabus Origin
A | Foundations of Internal Auditing | ~35% | Domain I + Domain III Principles 6-8 | Old Foundations (15%) + Independence/Objectivity + QAIP
B | Ethics and Professionalism | ~20% | Domain II (Principles 1-5 entirely) | Old Proficiency/Due Care + Code of Ethics
C | Governance, Risk Management, and Control | ~30% | Domain IV Standard 9.1 + Domain V | Old GRC (35%)
D | Fraud Risks | ~15% | Domain V engagement-level + COSO Fraud | Old Fraud (10%)

Under the 2025 syllabus, Foundations is now the single largest section at 35% — a dramatic shift from 15% under the 2019 syllabus. The IIA pulled Independence, Objectivity, and QAIP topics UP into Foundations and Ethics/Professionalism, effectively doubling Foundations weight. The 2019-syllabus sections titled Independence and Objectivity, Proficiency and Due Professional Care, and Quality Assurance and Improvement Program no longer exist as separate Part 1 sections — but the underlying content is still testable inside the new four sections.

Important: If you use materials still labelled "Essentials of Internal Auditing" with six weighted sections (15/15/18/7/35/10), you have the OLD syllabus. The 2026 exam (in English) is the 2025 syllabus — four sections (35/20/30/15). Confirm with Gleim, HOCK, Wiley, or Becker that your course is the 2025 version.

Section A. Foundations of Internal Auditing (~35%)

This is now the exam's dominant section — roughly 44 of 125 questions. It absorbed content from three prior 2019-syllabus sections (Foundations, Independence and Objectivity, and QAIP), so it covers the conceptual gateway AND the structural-independence and quality-program content.

Core recall items:

  • Purpose of Internal Auditing (GIAS Domain I): "Internal auditing strengthens the organization's ability to create, protect, and sustain value…" — know the GIAS wording verbatim; it replaces the older IPPF Mission statement.
  • GIAS Structure: 5 Domains → 15 Principles → 52 Standards. Each Standard has Requirements, Considerations for Implementation, and Examples of Evidence of Conformance. Standards are NOT divided into Attribute (1000-series) and Performance (2000-series) categories anymore.
  • Internal Audit Mandate (formerly called the Internal Audit Charter): a formal document defining the function's authority, roles, and responsibilities. Approved by the board, discussed with senior management, reviewed at least annually.
  • Assurance vs. Advisory Services. GIAS no longer maintains separate assurance/consulting Standards — both are in the main body. Know: limited vs. reasonable assurance, nature and scope of advisory services, when each is appropriate.
  • Independence vs. Objectivity (now tested inside Foundations + Ethics sections):
    • Independence is organizational — a property of the audit function's position. CAE has a dual reporting relationship: functionally to the audit committee/board, administratively to the CEO.
    • Objectivity is individual — a mental attitude of each auditor to perform work without subordinating judgment.
    • Impairments include functional reporting issues, scope limitations, budget reductions, restricted access, and prior operational responsibility (cooling-off expectation of at least one year).
  • Quality Assurance and Improvement Program (QAIP) is required for the entire internal audit function (not a subset). Two halves: internal assessments (ongoing monitoring + periodic self-assessments) and external assessments (at least once every five years by a qualified, independent reviewer from outside the organization).
  • Conformance language: "conforms with the Standards," "partially conforms," or "does not conform" — memorize the exact phrases. Nonconformance disclosure must include circumstances, actions taken, impact, and rationale.
  • Topical Requirements (mandatory component of the 2024 IPPF alongside GIAS) — risk-area specific: Cybersecurity, Third-Party Management, etc. Recognize their applicability.
  • Global Guidance — recommended (non-mandatory) component.

Section B. Ethics and Professionalism (~20%)

This section covers the entirety of GIAS Domain II. Expect roughly 25 of 125 questions. Scenario-heavy: you will see an auditor action and be asked which Principle or Standard it reflects, violates, or requires.

Domain II contains five Principles, each with supporting Standards:

  1. Demonstrate Integrity — honesty and professional courage (1.1), organization's ethical expectations (1.2), legal and ethical behavior (1.3).
  2. Maintain Objectivity — individual objectivity (2.1), safeguarding objectivity (2.2), disclosing impairments to objectivity (2.3).
  3. Demonstrate Competency — knowledge, skills, and abilities to fulfill roles. CAE ensures collective KSAs match engagement types. Competencies are maintained through Continuing Professional Development (CPD / CPE): 40 hours per year for practicing CIAs, 20 hours per year for non-practicing (retired, between roles, academic).
  4. Exercise Due Professional Care — the care and skill expected of a reasonably prudent and competent internal auditor. Includes exercising professional skepticism — a questioning mind and critical assessment of evidence.
  5. Maintain Confidentiality — use information appropriately during engagements, per organizational policies and IA methodologies.

Code of Ethics: The four classic Principles (Integrity, Objectivity, Confidentiality, Competency) continue under GIAS as part of Domain II's ethical foundation. Memorize each Principle and its associated Rules of Conduct.

Evidence criteria (still testable here and in Fraud section): sufficient (factually supports conclusions), reliable (best obtainable via appropriate technique), relevant (supports observations and recommendations), and useful (helps achieve engagement objectives). Mnemonic: SRRU.

Section C. Governance, Risk Management, and Control (~30%)

Roughly 38 of 125 questions — still one of the two dominant sections. Under the 2025 syllabus GRC anchors to Domain IV Standard 9.1 (managing the IA function in the context of governance) and Domain V (engagement-level governance, risk, and control assessment).

Governance

  • Governance structures — board, audit committee, risk committee, senior management.
  • The internal audit function's role in assessing and reporting on governance processes (ethics, objectives, performance management, communication).
  • IT governance — the IA function evaluates whether IT governance supports the organization's strategies. COBIT (Control Objectives for Information and Related Technologies) is the leading framework.
  • Internal Audit Governance — a stronger emphasis under GIAS: board oversight, CAE appointment/removal, budget authorization, performance evaluation of the IA function.

Risk Management

  • COSO ERM 2017 (Enterprise Risk Management — Integrating with Strategy and Performance). Five components: Governance & Culture, Strategy & Objective-Setting, Performance, Review & Revision, Information/Communication/Reporting. These replaced the older 8-component COSO ERM 2004 cube — do not answer with the old components.
  • Risk appetite vs. risk tolerance — appetite is aggregate risk willing to accept; tolerance is acceptable variation around specific objectives.
  • Inherent risk vs. residual risk — pre-control vs. post-control.
  • Risk-based audit planning — the annual audit plan reflects the entity's risk profile.

Control

  • COSO Internal Control — Integrated Framework (2013). Five components: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring Activities. 17 underlying principles.
  • Control types: preventive, detective, corrective; manual vs. automated; key vs. non-key.
  • Control deficiencies: deficiency, significant deficiency, material weakness (SOX AS 2201 cross-reference).

The Three Lines Model (replaced "Three Lines of Defense" in 2020)

Line | Roles | Responsibilities
First line | Management owners of processes | Deliver products/services, manage risk
Second line | Risk, compliance, control functions | Expertise, support, monitoring, challenge
Third line | Internal audit | Independent, objective assurance to governing body
Governing body | Board / audit committee | Oversight and accountability
External assurance | External auditors, regulators | Additional assurance (outside the three lines)

Answer choices that reference "Three Lines of Defense" are wrong in 2026. Use "Three Lines Model."

Section D. Fraud Risks (~15%)

Roughly 19 of 125 questions — weight INCREASED from 10% (2019 syllabus) to 15% (2025 syllabus), reflecting the IIA's emphasis on fraud resilience in GIAS-era practice.

  • The Fraud Triangle (Donald Cressey): Pressure (incentive), Opportunity, Rationalization. Know each vertex.
  • Fraud Diamond (extension of Fraud Triangle): adds Capability — the fraudster has the skills/position to commit the fraud. Some review providers still reference this.
  • COSO Fraud Risk Management Guide (2016, updated 2023) — five principles covering fraud governance, fraud risk assessment, fraud control activities, investigation and corrective action, and monitoring.
  • Fraud deterrence — prevention via control design, tone at the top, ethics training, and whistleblower mechanisms.
  • Types of fraud — fraudulent financial reporting, misappropriation of assets, corruption (bribery, conflicts of interest, illegal gratuities, economic extortion per ACFE classification).
  • Red flags — lifestyle changes, control overrides, missing documentation, unusual journal entries at period-end.
  • Whistleblower protections — hotlines, anonymity, anti-retaliation (cross-reference Sarbanes-Oxley Section 806 and Dodd-Frank Section 922 for U.S.-context questions).
  • Internal auditor's fraud responsibility — internal audit is NOT responsible for preventing fraud (that is management's job), but IS responsible for evaluating the potential for fraud and how the organization manages fraud risk (GIAS Domain V engagement-level Standards).

GIAS Domains I Through V — All 15 Principles for Part 1

You need to internalize all five Domains and all 15 Principles. Part 1 leans hardest on Domains I and II, but knowing the structure end-to-end earns points across scenario questions.

Domain I — Purpose of Internal Auditing

Short domain, concept-heavy. Covers the Purpose Statement: "Internal auditing strengthens the organization's ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight." Typical question: "Which of the following best describes the purpose of internal auditing according to GIAS?" Pick the one aligned with the Purpose Statement.

Domain II — Ethics and Professionalism (5 Principles)

# | Principle | Standards
1 | Demonstrate Integrity | 1.1 Honesty and Professional Courage; 1.2 Organization's Ethical Expectations; 1.3 Legal and Ethical Behavior
2 | Maintain Objectivity | 2.1 Individual Objectivity; 2.2 Safeguarding Objectivity; 2.3 Disclosing Impairments to Objectivity
3 | Demonstrate Competency | 3.1 Competency; 3.2 Continuing Professional Development
4 | Exercise Due Professional Care | 4.1 Conformance with Standards; 4.2 Due Professional Care; 4.3 Professional Skepticism
5 | Maintain Confidentiality | 5.1 Use of Information; 5.2 Protection of Information

Domain III — Governing the Internal Audit Function (3 Principles)

# | Principle | Theme
6 | Authorized by the Board | Board sponsorship, CAE appointment/removal, authority
7 | Positioned Independently | Organizational independence, reporting relationships, budget
8 | Overseen by the Board | Board oversight, annual assessment of IA function, communication

The Internal Audit Mandate (formerly called the Internal Audit Charter under IPPF) lives here — approved by the board, defining purpose, authority, responsibility, and position of the IA function. Reviewed at least annually.

Domain IV — Managing the Internal Audit Function (4 Principles)

# | Principle | Theme
9 | Plan Strategically | IA strategy; Standard 9.1 (GRC anchor for Part 1 Section C)
10 | Manage Resources | Financial, human, technological resources for IA
11 | Communicate Effectively | Building relationships, external and internal communication
12 | Enhance Quality | QAIP, internal + external assessments, performance measurement

Part 2 and Part 3 test Domain IV deeply. Part 1 tests conceptual basics, especially QAIP (under Principle 12) and Standard 9.1 (under Principle 9, anchoring the GRC section).

Domain V — Performing Internal Audit Services (3 Principles)

# | Principle | Theme
13 | Plan Engagements Effectively | Engagement communication, risk assessment, objectives/scope, evaluation criteria, resources, work program
14 | Conduct Engagement Work | Implement work program, evidence collection, evaluation
15 | Communicate Engagement Results and Monitor Action Plans | Reporting, follow-up, action plan monitoring

Part 2 tests execution-level detail; Part 1 tests awareness of structure (e.g., "what are the phases of an engagement per GIAS?" and engagement-level fraud responsibility under Domain V).


COSO Frameworks — The High-Yield Appendix

Two COSO frameworks appear repeatedly on Part 1. Memorize both.

COSO Internal Control — Integrated Framework (2013)

Component | Principles
Control Environment | 1. Commitment to integrity and ethical values; 2. Board exercises oversight; 3. Management establishes structure, authority, responsibility; 4. Commitment to competence; 5. Accountability
Risk Assessment | 6. Specifies objectives; 7. Identifies and analyzes risk; 8. Assesses fraud risk; 9. Identifies and assesses change
Control Activities | 10. Selects and develops control activities; 11. Selects and develops technology controls; 12. Deploys through policies/procedures
Information and Communication | 13. Uses relevant information; 14. Communicates internally; 15. Communicates externally
Monitoring Activities | 16. Ongoing and separate evaluations; 17. Evaluates and communicates deficiencies

COSO ERM — Integrating with Strategy and Performance (2017)

Replaced the 2004 cube. Five components / 20 principles:

  1. Governance and Culture (5 principles)
  2. Strategy and Objective-Setting (4 principles)
  3. Performance (5 principles)
  4. Review and Revision (3 principles)
  5. Information, Communication, and Reporting (3 principles)

You are not tested on all 20 principles verbatim, but you should recognize each component by name and be able to match typical activities (for example, "setting risk appetite" → Strategy and Objective-Setting).


Pass Rate and Difficulty

The IIA releases CIA pass rates periodically. The most recent data shows:

Year | Overall CIA Pass Rate | Part 1 Pass Rate
2021 | 48-49% | 48-49%
2022 | 49% | ~45%
2023 | 45% | ~44%
2024 | 45% | ~44%
2025 | 44% | 44%
2026 | Not yet released | Expected similar range

Per the latest IIA data (via Gleim and iPass analyses), Part 1 pass rate is 44%, Part 2 is 48%, and Part 3 is 56%. Part 1 is consistently the hardest of the three parts in terms of first-time pass rate because it now absorbs the former Independence/Objectivity and QAIP content inside a heavier Foundations section.

Why the sub-50% first-time rate?

  1. Recency of GIAS and the 2025 syllabus shift. Candidates studying from 2022-2024 materials walk into 2026 exam rooms and see unfamiliar Principle-and-Standard references AND the new four-section weighting.
  2. Scaled scoring confusion. 600 out of 750 is not 80% — it's a scaled conversion that typically lands near 75% raw correct. Candidates aim too low thinking "600/750 is about 80%."
  3. Scenario questions reward frameworks, not memorization. Candidates who memorize definitions but cannot apply Three Lines Model, COSO ERM 2017, or GIAS Principles to a novel situation fail scenario-heavy halves.
  4. Time pressure. 150 minutes divided by 125 questions is 72 seconds per question. Flagging more than 20 for review eats the buffer.
  5. New April 1, 2026 scoring policy. Candidates no longer receive a preliminary score at the testing center; official results arrive within three weeks via CCMS. This removes the psychological feedback loop some candidates relied on.

Candidates who pass usually report 80 to 120 hours of dedicated study (the IIA recommends 40 hours for Part 1 minimum), 2,000+ practice questions worked, and at least one full-length timed mock exam.


Ready to Test Yourself?

Before you read another chapter of any textbook, try timed practice questions on the GIAS-aligned syllabus. It is the fastest way to see which domains you actually understand.



The Proven 8-to-12 Week CIA Part 1 Study Plan

Pick the intensity that matches your weekly availability.

8-Week Plan (12-15 hours/week; intensive) — 2025 Syllabus Aligned

Week | Focus | Hours | Syllabus Section
1 | Purpose of IA + GIAS structure (5 Domains, 15 Principles, 52 Standards) + Internal Audit Mandate | 12 | A (35%)
2 | Assurance vs Advisory + Independence + Objectivity + reporting relationships | 14 | A (35%)
3 | QAIP + internal/external assessments + conformance language + Topical Requirements | 12 | A (35%)
4 | Domain II Principles 1-5: Integrity, Objectivity, Competency, Due Professional Care, Confidentiality | 15 | B (20%)
5 | CPE rules + professional skepticism + evidence sufficiency (SRRU) | 13 | B (20%)
6 | Governance + Three Lines Model + COBIT + COSO IC 2013 (17 principles) | 15 | C (30%)
7 | COSO ERM 2017 (5 components) + risk appetite/tolerance + risk-based planning + Fraud Triangle + COSO Fraud 2016 | 15 | C + D
8 | Full timed mock + targeted review of weak sections + Rules of Conduct recap + GIAS Domain V engagement fraud | 14 | All

12-Week Plan (8-10 hours/week; working full-time)

Weeks | Focus | Hours/Week | Syllabus Section
1-2 | Purpose + GIAS structure + Internal Audit Mandate + assurance vs advisory | 8 | A
3-4 | Independence + Objectivity + QAIP + conformance | 9 | A
5 | Domain II Principle 1 (Integrity) + Principle 2 (Objectivity) | 9 | B
6 | Domain II Principle 3 (Competency) + Principle 4 (Due Care) + Principle 5 (Confidentiality) | 9 | B
7-8 | Governance + COSO IC 2013 + Three Lines Model + COBIT | 10 | C
9 | COSO ERM 2017 + risk appetite + risk-based planning | 10 | C
10 | Fraud Triangle + Fraud Diamond + COSO Fraud 2016 + red flags | 9 | D
11 | Whistleblower protections + SOX 806 + Dodd-Frank 922 + engagement-level fraud | 9 | D
12 | Timed mocks + rapid review + ethics re-read + GIAS domain integration | 10 | All

Total: approximately 100-110 hours either path. Working auditors tend to finish closer to 120 hours because domain application takes longer when you are reconciling textbook concepts with real audit files. The IIA's own minimum recommendation is 40 hours for Part 1, but Gleim, HOCK, and Wiley all report that passing candidates average 80-100+ hours.


Recommended Resources

Use no more than two review providers. Mixing three or more creates conflict between question bank logic and wastes time. Pair a primary review system with one secondary question bank.

Primary Review Systems (pick one)

  • Becker — The IIA's CIA Exam Review — in 2025-2026 The IIA migrated its official CIA Exam Review to the Becker platform, with curriculum experts working alongside the IIA team that writes the exam itself. Strongest alignment to the 2025 syllabus wording.
  • Gleim CIA Review — widely used, large question bank (4,000+ questions), detailed explanations, SmartAdapt adaptive practice. Strong on governance/risk/control. Fully updated to the 2025 syllabus.
  • HOCK International CIA Review — lean, clear text, international candidate focus. HOCK was one of the first to publish GIAS-aligned material.
  • Wiley CIAexcel Exam Review — textbook-style, strong for candidates who learn by reading.
  • UWorld CIA Review — newer entrant, mobile-first UX, engaging question explanations.
  • Surgent CIA Review — adaptive technology (A.S.A.P.), shorter study times for exam-experienced candidates.
  • Miles Education CIA — popular among candidates in the Middle East and South Asia; competitive pricing.

Free and Official Supplements

Paid Add-Ons Only If Needed

  • Mock exams from Gleim or HOCK ($50-$150 each) — do at least one timed.
  • Flashcards on Anki or Brainscape — useful for Principles, Standards, COSO components.

Do not buy three review courses. Diminishing returns after one primary + one supplement.


Test-Taking Strategies for CIA Part 1

The CIA exam style rewards careful readers. It punishes speed-readers.

  1. Distinguish "best practice" from "GIAS Standards." Answer choices often include industry best-practice language that is not a GIAS requirement. The exam asks what GIAS requires, not what is a good idea in general.
  2. Watch for "always" and "never." These are often distractor language. Internal audit does not always do anything uniformly — the mandate, charter, and risk profile dictate scope.
  3. In scenarios, identify the GIAS Domain first. If the scenario is about a CAE's reporting relationship, you are in Domain III. If it is about evidence sufficiency, you are in Domain V / Part 1 Proficiency area. Anchoring to the Domain narrows answer choices.
  4. Objectivity vs. Independence. When in doubt: independence = structure, objectivity = mental state. Independence is about where the function sits, objectivity is about how the individual thinks.
  5. COSO components recall. For IC 2013: CRIME (Control environment, Risk assessment, Information & communication, Monitoring activities, control activitiEs — mnemonic). For ERM 2017 know the 5 components by name.
  6. No computation required. CIA Part 1 is not a calculation exam. If a question feels like it needs math, re-read it — it is testing concept.
  7. Flag and move. You get 150 minutes for 125 questions. Do not spend more than 90 seconds on any single question on the first pass. Flag, move, return.
  8. Answer every question. There is no penalty for wrong answers. Blank = 0, guess = 25% chance.

Cost, Retakes, and Program Extension

Cost Breakdown (2026 — Confirmed from theiia.org)

| Item | IIA Member | Non-Member | Student |
|---|---|---|---|
| IIA membership (annual, optional) | $290 | | |
| CIA program application (one-time) | $120 | $240 | $65 |
| Part 1 exam fee | $310 | $445 | $245 |
| Part 2 exam fee | $280 | $415 | $215 |
| Part 3 exam fee | $280 | $415 | $215 |
| Total exam + application (first attempt) | $990 | $1,515 | $740 |
| CIA Challenge Exam application (one-time) | $150 | $380 | |
| CIA Challenge Exam (single unified exam) | $845 | $1,245 | |
| 75-day exam registration extension | Fee applies | Fee applies | Fee applies |
| 12-month program eligibility extension (one-time per program) | Fee applies | Fee applies | Fee applies |
| Pearson VUE reschedule (>48 hrs) | $75 | $75 | $75 |

Member math: If you are not an IIA member, joining ($290/year) saves you $525 across the application and all three parts ($120 on the application + $135 × 3 exams = $525), a net saving of roughly $235 in year one, plus access to free Topical Requirements, chapter events, and Internal Auditor magazine.

Discounts to watch: The IIA typically runs a 20% member discount in May on new CIA/CRMA/IAP application and exam registration fees (for example, code "May20%"). Some countries are excluded.

Retake Policy

If you do not pass, you can retake — but the IIA requires a 60-day cooling-off period before you can re-sit. Use the 60 days: review the score report (the IIA provides topic-level indicators), target weak areas, and do fresh mocks. From April 1, 2026, you receive only one official exam result within three weeks of your test date (no preliminary score at the center).

Program Extension

You have three years from application acceptance to pass all three parts AND meet the experience requirement. If the window closes, you lose all passed parts and restart. The IIA grants a one-time 12-month program eligibility extension (per certification program, for a fee) — do not rely on this as a primary plan.


Salary and Career Outlook for CIA Holders

IIA Global Salary Study and industry data (Robert Half, Hays, and IIA chapter surveys) place U.S. CIA compensation in this range as of late 2025:

| Role | U.S. Base (with CIA) | Typical Range |
|---|---|---|
| Internal Audit Staff | ~$75,000 | $65,000-$90,000 |
| Senior Internal Auditor | ~$95,000 | $85,000-$115,000 |
| Internal Audit Manager | ~$125,000 | $110,000-$150,000 |
| Senior Manager / Director | ~$165,000 | $140,000-$200,000 |
| Chief Audit Executive (CAE) | ~$225,000+ | $175,000-$400,000+ |

Big 4 internal audit practices (Deloitte, PwC, EY, KPMG) and Protiviti pay similar to or slightly above industry at the staff and senior levels.

Holding the CIA typically carries a 10-15% pay premium over non-certified peers at the same level, and opens the ladder to CAE roles where a certification is virtually required. Sector matters — financial services, energy, and pharma IA pay above healthcare and retail IA.


Common Mistakes That Sink CIA Part 1 Candidates

  1. Using the 2019 six-section syllabus in 2026. The 2025 syllabus has four sections (Foundations 35%, Ethics 20%, GRC 30%, Fraud 15%). Materials labelled "Essentials of Internal Auditing" with 6 sections (15/15/18/7/35/10) are OUTDATED for the English exam from May 28, 2025 onward.
  2. Using IPPF-era standard numbers. Answer choices citing "Standard 1130.A1" or "2010 Planning" are distractors. Study GIAS Principles (1-15) and Standards (1.1, 2.2, 9.1, etc.).
  3. Confusing objectivity with independence. Organizational independence = structural property. Individual objectivity = mental attitude. They do not substitute for each other.
  4. Memorizing old COSO ERM 2004 (the cube with 8 components). Retired. Use COSO ERM 2017 (5 components).
  5. Saying "Three Lines of Defense." Retired in 2020. Use "Three Lines Model."
  6. Confusing conformance language. Standards use conforms / partially conforms / does not conform. They do NOT use compliance / non-compliance / exception in the conformance context.
  7. Calling the mandate a "charter." Under GIAS, it is the Internal Audit Mandate (though Gleim and IIA documents still sometimes use "charter" interchangeably; recognize both on the exam).
  8. Treating CPE requirements as optional. 40 CPE/year is the rule for practicing CIAs; failure to earn or report results in inactive status.
  9. Ignoring the CIA Candidate Code of Conduct. Posting questions post-exam or using brain dumps has ended candidacies.
  10. Skipping COSO readings. Part 1 without COSO IC 2013 and COSO ERM 2017 study is a guaranteed fail on the 30% GRC section and the 15% Fraud section.
  11. Cramming the week before. Part 1 rewards repetition over 6-12 weeks. Intense one-week study leaves no time for spaced retrieval.
  12. Over-buying review courses. One primary + one free supplement is enough.
  13. Expecting a preliminary score at the testing center. As of April 1, 2026, the IIA no longer releases a preliminary unofficial score. A single official result arrives within 3 weeks via CCMS.
  14. Assuming the Challenge Exam is easier. The June 1, 2026 unified Challenge Exam is GIAS-aligned and still rigorous — evaluate carefully.

CIA Part 1 vs. Adjacent Credentials

Candidates often debate CIA against CPA, CMA, or CISA. Here is how Part 1 compares.

| Feature | CIA Part 1 | CPA AUD | CMA Part 1 | CISA |
|---|---|---|---|---|
| Issuing body | IIA | AICPA / state boards | IMA | ISACA |
| Focus of this part | Internal audit essentials (GIAS) | External audit + attestation | Financial planning + performance | IS audit + assurance |
| Questions | 125 MC | 75 MC + 7 TBS | 100 MC + 2 essays | 150 MC |
| Time | 150 min | 240 min | 180 min MC + 60 min essay | 240 min |
| Framework | GIAS + COSO | GAAS / PCAOB | IMA ethics + managerial acct | ISACA IS audit framework + COBIT |
| Typical first-time pass | ~44% | ~45-50% | ~35-45% | ~50-60% |
| Best fit | Internal auditors, IA consultants | Public accountants | Corporate finance + management accountants | IT / cybersecurity auditors |

Rule of thumb: if your career is internal audit, CIA wins. If your career is external audit, CPA wins. If your career is IT audit, CISA wins. Many senior internal auditors hold CIA and CPA, or CIA and CISA — stacking is common once you are post-manager.


Next Steps After CIA Part 1

  1. Immediately schedule Part 2. Part 2 — Practice of Internal Auditing — uses the same GIAS vocabulary you just learned. Studying within 60-90 days of passing Part 1 is optimal retention.
  2. Start logging CPE if you are already CIA program-approved and working in IA. The clock does not wait.
  3. Plan Part 3 around your weakest subject. Part 3 — Business Knowledge for Internal Auditing — covers business acumen, IT, financial management, and leadership. Candidates from a non-business background typically need the longest prep window here.
  4. Network through your local IIA chapter. Chapter CPE events are cheap, often free for members, and count toward your 40-hour annual requirement.

Start Your CIA Journey Today

Everything on OpenExamPrep is 100% free — GIAS-aligned practice questions, AI tutoring, and explanations written for the 2026 syllabus.


No credit card. No trial. No upsell. Just practice until you pass.


Official Sources

  • The Institute of Internal Auditors (IIA): theiia.org
  • Global Internal Audit Standards (GIAS, effective January 9, 2025): theiia.org standards
  • IIA Code of Ethics: published on theiia.org
  • COSO.org: Internal Control Integrated Framework (2013) and ERM Framework (2017)
  • Pearson VUE, official CIA exam delivery vendor: pearsonvue.com/iia
  • IIA Certification Candidate Management System (CCMS): registration and scheduling portal

Confirm all fees and policies at theiia.org before you apply — regional pricing varies and the IIA updates fees periodically.

Test Your Knowledge

Question 1 of 8: Which framework replaced the IPPF for the CIA exam effective January 9, 2025?

  A. COSO Internal Control 2013
  B. Global Internal Audit Standards (GIAS)
  C. Three Lines of Defense Framework
  D. COBIT 2019