
100+ Free IIA CRMA Practice Questions

Pass your Certification in Risk Management Assurance (CRMA) exam on the first try — instant access, no signup required.


Key Facts: IIA CRMA Exam

  • Exam Questions: 100 Qs (2-hour time limit)
  • Passing Score: 600/750 (IIA scaled scoring)
  • 2024 Standards: 5 Domains (15 Principles, effective Jan 2025)
  • COSO ERM 2017: 5 components + 20 principles
  • ISO 31000:2018: 8 Principles (risk management standard)
  • IIA Model (2020): 3 Lines (replaced 'Lines of Defense')

CRMA is a 100-question, 2-hour add-on credential for internal auditors who provide assurance and advisory over risk management. The 2026 prep aligns with the 2024 Global Internal Audit Standards (effective 9 January 2025), COSO ERM 2017 (5 components, 20 principles), ISO 31000:2018, and the IIA Three Lines Model (2020). CRMA is delivered by Pearson VUE (test centers or OnVUE online proctoring) and uses the IIA's 250-750 scaled scoring with 600 to pass.

Sample IIA CRMA Practice Questions

Try these sample questions to test your IIA CRMA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Under the 2024 Global Internal Audit Standards, who has primary accountability for ensuring an organization has an effective risk management framework?
A. The chief audit executive (CAE)
B. The board of directors (or equivalent governing body)
C. The chief risk officer
D. Senior operating management
Explanation: Standard 6.1 (Board Interaction) and Domain II of the 2024 Global Internal Audit Standards reaffirm that the governing body retains ultimate accountability for governance, risk management, and control. Senior management designs and operates the framework day to day; internal audit provides independent assurance over its effectiveness.

2. The IIA's Three Lines Model (2020) replaced the Three Lines of Defense. Which statement best describes a key change introduced by the new model?
A. It eliminates the second line and merges its activities into internal audit
B. It emphasizes collaboration and value creation rather than rigid 'defense' against threats
C. It places internal audit in the first line for operational efficiency
D. It removes the governing body from the model entirely
Explanation: The 2020 Three Lines Model deliberately drops the word 'defense' to emphasize that risk management creates and protects value, not just defends against threats. It also makes the governing body explicit, clarifies the accountability/reporting relationships, and stresses alignment and collaboration across roles.

3. How many components are in the COSO ERM 2017 'Enterprise Risk Management — Integrating with Strategy and Performance' framework?
A. 5 components and 17 principles
B. 5 components and 20 principles
C. 8 components and 90 principles
D. 4 components and 12 principles
Explanation: COSO ERM 2017 has five interrelated components — Governance & Culture; Strategy & Objective-Setting; Performance; Review & Revision; and Information, Communication & Reporting — supported by 20 principles. Candidates often confuse this with COSO Internal Control 2013, which has 5 components and 17 principles.

4. ISO 31000:2018 defines risk as the:
A. Probability of a negative event occurring
B. Effect of uncertainty on objectives
C. Loss expected from operational failures
D. Difference between expected and actual outcomes
Explanation: ISO 31000:2018 (and its associated ISO Guide 73 vocabulary) defines risk as the 'effect of uncertainty on objectives.' This wording is intentional: 'effect' can be positive or negative, and risk is always tied to specific objectives. Internal audit testing routinely cites this exact phrase.

5. An audit committee is reviewing the company's risk appetite statement. Which characteristic is MOST important for the statement to be useful in governance?
A. It is approved annually by external auditors
B. It is expressed exclusively in quantitative dollar limits
C. It is approved by the board and aligned with strategy and objectives
D. It is identical to the risk appetite of industry peers
Explanation: Risk appetite is a strategic governance concept: the board approves the appetite statement and ensures it aligns with the organization's strategy and objectives. COSO ERM 2017 and ISO 31000 both treat appetite as an expression of how much risk the organization is willing to take in pursuit of value creation.

6. Which of the following BEST illustrates the 'tone at the top' driving risk culture?
A. Posting the code of conduct on the corporate intranet
B. Senior leaders publicly correcting their own behavior when it violates risk policies
C. Mandating annual ethics training for all employees
D. Including a risk management section in the annual report
Explanation: Tone at the top is demonstrated through observable leadership behavior, especially when leaders hold themselves accountable. When executives visibly correct their own conduct, employees see that risk policies apply equally and culture is reinforced. Posters, training, and disclosures help but do not on their own create culture.

7. Per the IIA Three Lines Model, which group is responsible for designing and overseeing the risk management framework, including policies and risk monitoring?
A. First line — operational management
B. Second line — risk management, compliance, and similar functions
C. Third line — internal audit
D. External audit
Explanation: Second-line roles (risk management, compliance, quality, ethics) provide expertise, support, monitoring, and challenge for risk-related matters. They design frameworks and policies and monitor adherence. The first line owns and manages risks operationally, and the third line (internal audit) provides independent assurance.

8. An organization's board has set a risk tolerance of 'no more than $5M aggregate operational loss per quarter.' This is BEST described as:
A. Risk appetite
B. Risk tolerance (a quantitative limit operationalizing appetite)
C. Risk capacity
D. Risk velocity
Explanation: Risk tolerance is the boundary of acceptable variation, typically expressed quantitatively, that operationalizes the broader risk appetite. Capacity is the absolute maximum the organization could absorb. Appetite is the strategic willingness to take risk. Velocity describes the speed at which risk events develop.

9. A CAE is asked by the CFO to take direct responsibility for managing a newly identified compliance risk because 'audit knows it best.' What is the MOST appropriate response under the 2024 Global Internal Audit Standards?
A. Accept the role to support management
B. Decline the management role and document the impairment to objectivity if it had been accepted, while offering advisory support
C. Accept on a temporary basis with disclosure
D. Escalate to the external auditor for guidance
Explanation: Standard 2 (Independence) and Standard 7 (Positioning of Internal Audit) require the CAE to avoid taking on management responsibilities, which would impair independence and objectivity. The CAE may provide advisory or facilitative input. If such a role is accepted, the impairment must be disclosed; the better course is to decline.

10. Which COSO ERM 2017 component most directly addresses how an entity identifies, assesses, and prioritizes risks that could affect achievement of strategy?
A. Governance and Culture
B. Strategy and Objective-Setting
C. Performance
D. Review and Revision
Explanation: The Performance component covers identifying risks, assessing severity, prioritizing, implementing responses, and developing a portfolio view. Strategy & Objective-Setting establishes the context (appetite, business context, strategy). Review & Revision evaluates how well ERM is functioning over time.

About the IIA CRMA Exam

The IIA's Certification in Risk Management Assurance (CRMA) validates an internal auditor's ability to provide assurance over the risk management processes that protect organizational value. Content covers organizational governance related to risk management (~25%), principles of risk management processes (~25%), assurance role of internal audit (~20%), consulting role of the internal auditor (~15%), and other specialized risk areas (~15%) including BCM, fraud, third-party, ESG, and IT/cyber risk.

  • Questions: 100 scored questions
  • Time Limit: 2 hours
  • Passing Score: 600/750 (scaled)
  • Exam Fee: Per IIA member/non-member fee schedule (The Institute of Internal Auditors (IIA) / Pearson VUE)

IIA CRMA Exam Content Outline

  • Organizational Governance Related to Risk Management (25%): Board oversight, risk culture, Three Lines Model (2020), COSO ERM 2017, ISO 31000:2018, audit charter, risk appetite/tolerance
  • Principles of Risk Management Processes (25%): Risk identification, assessment (inherent/residual/velocity), response, monitoring, communication, KRIs, scenario/stress testing, NIST CSF/RMF
  • Assurance Role of Internal Audit (20%): 2024 Global Internal Audit Standards, assurance mapping, evidence, sampling, follow-up, overall opinions on risk management
  • Consulting Role of the Internal Auditor (15%): Facilitation, advisory engagements, independence safeguards, communication of significant matters, competency
  • Specialized Risk Areas (15%): Fraud risk (triangle/diamond), third-party/TPRM, BCM/ISO 22301, ESG (IFRS S2/CSRD), IT/cyber, AML, privacy, AI risk, operational resilience

How to Pass the IIA CRMA Exam

What You Need to Know

  • Passing score: 600/750 (scaled)
  • Exam length: 100 questions
  • Time limit: 2 hours
  • Exam fee: Per IIA member/non-member fee schedule

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

IIA CRMA Study Tips from Top Performers

  1. Memorize the 5 Domains and 15 Principles of the 2024 Global Internal Audit Standards
  2. Distinguish COSO ERM 2017 (5 components, 20 principles) from COSO Internal Control 2013 (5 components, 17 principles)
  3. Know the IIA Three Lines Model (2020) — and why 'defense' was removed
  4. Practice the ISO 31000:2018 process: scope/context/criteria → identify → analyze → evaluate → treat (with monitoring & consultation throughout)
  5. Be precise on inherent vs residual vs target risk; preventive vs detective vs corrective controls
  6. Memorize NIST CSF 2.0 Functions: Govern, Identify, Protect, Detect, Respond, Recover
  7. Know the four risk treatments: avoid, reduce, share/transfer, accept
  8. Apply Standards 11.4 and 14 to risk-acceptance escalation and engagement communications

Frequently Asked Questions

How many questions are on the CRMA exam and how long is it?

The CRMA exam is 100 multiple-choice questions delivered in a 2-hour window through Pearson VUE (test centers or OnVUE online proctoring). The IIA reports results on a 250-750 scaled scoring basis with 600 required to pass.

What are the CRMA exam domains?

The CRMA covers five content areas: organizational governance related to risk management (~25%), principles of risk management processes (~25%), assurance role of internal audit (~20%), consulting role of the internal auditor (~15%), and other specialized risk areas (~15%) such as BCM, fraud, third-party, ESG, and IT/cyber risk.

What standards does the CRMA reference?

Modern CRMA prep should align with the 2024 Global Internal Audit Standards (effective 9 January 2025, replacing the 2017 IPPF), COSO ERM 2017 (5 components, 20 principles), ISO 31000:2018 (8 principles), the IIA Three Lines Model (2020), NIST CSF 2.0, and ISO 22301:2019 for business continuity.

Who is eligible to take the CRMA?

The CRMA is available to active CIAs and to candidates who meet the IIA's CRMA-specific eligibility. Candidates apply through the IIA's CCMS portal and schedule the exam with Pearson VUE. Verify current eligibility on the IIA's CRMA certification page.

How is the CRMA different from the CIA or CRISC?

CIA is the foundational internal audit credential (three parts). CRMA is an IIA add-on focused specifically on risk management assurance and consulting. CRISC (ISACA) addresses risk and information systems control with a stronger IT focus. Many internal auditors hold CIA + CRMA, while CRISC is often pursued by IT-risk professionals.

How long should I study for the CRMA?

Most candidates plan 60-100 hours of study, depending on internal audit experience. Focus on the 2024 Global Internal Audit Standards (5 Domains, 15 Principles), COSO ERM 2017, ISO 31000:2018, the Three Lines Model, and applied scenarios across BCM, fraud, third-party, ESG, and IT/cyber assurance.