Free CIA Part 1 Cheat Sheet 2026: Azure Fundamentals Quick Reference

Foundations

35%of exam

PurposeMandateCharterAssurance vs Advisory Three Lines

Ethics + Professionalism

20%of exam

IntegrityObjectivityCompetencyDue CareConfidentiality

Governance Risk Control

30%of exam

GovernanceRisk TypesRisk ResponsesControls Control Picker

Fraud Risks

15%of exam

Fraud TriangleFraud SchemesRed FlagsFraud ControlsInvestigation Role

Quick Facts

Exam: CIA Part 1
Credential: Certified Internal Auditor
Part: Internal Audit Fundamentals
Questions: 125 MCQ
Time: 150 min
Pass: 600 scaled
Owner: The IIA
Delivery: Pearson VUE test center

Three Lines Model

Board -> Management -> IA

Board: oversightManagement: owns riskIA: independent assurance

Assurance vs Advisory

Assurance

Objective assessment
Auditor determines work
Opinion or conclusion

Advisory

Advice requested
Scope agreed
No management duty

Opinion vs advice

Service Picker

Need opinion→Assurance(Objective assessment)
Need advice→Advisory(No ownership)
Need process design→Advisory(Safeguards needed)
Need implementation→Management(Not audit)
Need external users→Charter(Define assurance)
Need scope agreement→Advisory(Client input)

Purpose + Mandate

Purpose: Improve GRC processes
Value: Assurance, advice, insight
Mandate: Board-authorized role
Authority: Access and scope
Responsibility: Expected audit services
CAE: Leads audit function
Board: Approves mandate

Internal Audit Charter

Charter: Formal mandate document
Position: Function placement
Scope: Service boundaries
Access: Records and personnel
Board approval: Final authority
Senior management: Discuss expectations
Update trigger: Mandate changes

Assurance + Advisory

Assurance: Objective assessment
Reasonable: Higher confidence
Limited: Narrower confidence
Advisory: Advice without ownership
Scope: Agreed with client
Design work: Advisory risk
Management duty: Never assume

Three Lines

Governing body: Stakeholder oversight
First line: Owns operations
Second line: Supports risk control
Third line: Independent assurance
External assurance: Outside assurance providers
Collaboration: Aligned responsibilities
Independence: Third-line safeguard

Independence Impairments

Functional line: Board reporting
Admin line: Operational support
Budget cut: Resource limitation
Scope limit: Audit boundary block
Access limit: Evidence restriction
CAE disclosure: Tell board
Safeguard: Reduce impairment

Ethics Five

I O C D C

IntegrityObjectivityCompetencyDue careConfidentiality

Independence vs Objectivity

Independence

Function-level freedom
Board access
Structural safeguard

Objectivity

Individual mindset
Unbiased judgment
Conflict free

Structure vs mindset

Impairment Picker

Own prior work→Reassign auditor
CAE owns area→Outside oversight
Gift offered→Refuse and disclose
Access blocked→Disclose limitation
Budget restricts work→Tell board
Skill missing→Obtain expertise

Ethics Principles

Integrity: Honesty and courage
Objectivity: Unbiased judgment
Competency: Needed skills
Due care: Prudent audit effort
Confidentiality: Protect information
Skepticism: Question evidence
CPD: Continual development

Objectivity Threats

Self-review: Auditing own work
Familiarity: Too close
Conflict: Competing interest
Gift: Appearance threat
Reassignment: Remove threat
Outsource: Independent performance
Disclosure: Report impairment

Professional Skills

Communication: Clear messages
Critical thinking: Analyze issues
Research: Find reliable data
Persuasion: Influence stakeholders
Negotiation: Resolve conflict
Relationship: Build trust
Curiosity: Seek insight

Risk Sequence

Inherent -> controls -> residual

Before controlsApply responsesRemaining risk

Appetite vs Tolerance

Appetite

Broad risk amount
Strategy aligned
Board-set boundary

Tolerance

Acceptable variation
Measured threshold
Operational limit

Amount vs range

Control Picker

Stop before occurrence→Preventive control
Find after occurrence→Detective control
Fix known issue→Corrective control
Set spending limits→Authorization
Catch cash mismatch→Reconciliation
Reduce fraud chance→Segregation

Governance

Governance: Oversight structures
Board: Ultimate oversight
Senior management: Executes strategy
Culture: Control tone
Ethics framework: Expected conduct
Compliance: Rules followed
Assurance map: Coverage view

Inherent vs Residual

Inherent

Before controls
Raw exposure
Initial risk

Residual

After controls
Remaining exposure
Acceptance decision

Before vs after

Risk Basics

Risk: Objective uncertainty
Strategic: Goal failure
Operational: Process failure
Financial: Money impact
Compliance: Rule breach
Reputation: Trust damage
ESG: Sustainability impact

Preventive vs Detective

Preventive

Blocks event
Before loss
Approval limits

Detective

Finds event
After activity
Reconciliations

Stop vs find

Risk Management

Appetite: Acceptable risk level
Tolerance: Allowed variation
Inherent: Before controls
Residual: After controls
Avoid: Exit activity
Reduce: Apply controls
Share: Transfer impact

Controls

Control: Risk response activity
Preventive: Stops event
Detective: Finds event
Corrective: Fixes event
Design: Control structure
Effectiveness: Works as designed
Efficiency: Cost-benefit balance

Fraud Triangle

M O R

MotivationOpportunityRationalization

Fraud Risk vs Investigation

Fraud risk

Plan consideration
Red flags
Control focus

Investigation

Fact finding
Specialist techniques
Coordinate experts

Assess vs investigate

Fraud Picker

Pressure cue→Motivation
Weak control cue→Opportunity
Excuse cue→Rationalization
Report received→Assess red flag
Specialist needed→Coordinate investigation
Prevent override→Authority levels

Fraud Basics

Fraud risk: Intentional deception exposure
Motivation: Pressure to act
Opportunity: Control weakness
Rationalization: Justifies misconduct
Scheme: Fraud method
Red flag: Warning indicator
Special risk: Extra attention

Fraud Response

Tone: Top-level example
SOD: Split incompatible duties
Authority levels: Approval boundaries
Hotline: Report channel
Reconciliation: Detect mismatch
Review: Supervisor check
Investigation: Specialist fact-finding

Common Traps

Old syllabus trap

2019 had six domains ≠ 2025 has four domains

Charter vs mandate

Mandate grants authority ≠ Charter documents mandate

Advice vs ownership

Audit may advise ≠ Management must own

Independence vs objectivity

Function is independent ≠ Auditor stays objective

Risk vs control

Risk threatens objectives ≠ Control mitigates risk

Fraud role trap

Audit assesses risk ≠ Specialists investigate facts

Conformance wording

Use conforms language ≠ Avoid casual compliance

Last Minute

1.Weights: 35 / 20 / 30 / 15
2.Part 1 = 125 MCQ
3.Time limit = 150 minutes
4.Assurance = opinion; advisory = advice
5.Independence = structure; objectivity = mindset
6.Mandate grants; charter documents
7.Inherent before controls
8.Residual after controls
9.Appetite broad; tolerance measured
10.Fraud = motivation opportunity rationalization
11.Audit advises; management owns

CIA Part 1

Practice Questions199 questions Study Guide Cheat Sheet Flashcards50 cards

1 blog

Certified Internal Auditor Exam Part 1 Secrets Study Guide: CIA Test Review for the Certified Internal Auditor Exam

$56.99 · Buy on Amazon

Take courses on Udemy

Study guide on Mometrix

Same family resources

Explore More IIA Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

More From This Family

Videos and articles for deeper review.

ArticleCIA Part 1 Exam Guide 2026: GIAS-Aligned Internal Audit Fundamentals28 min read

CIA Part 1 Cheat Sheet