6.2 Last-Week Review Map
Key Takeaways
- Foundations of Internal Auditing is the heaviest section at 35% — master the audit charter and the function's mandate.
- Governance, Risk Management, and Control carries 30% — master COSO and the Three Lines Model.
- Ethics and Professionalism (20%) folds in objectivity, due professional care, and the QAIP external assessment at least every five years.
- Fraud Risks (15%) tests the fraud triangle: pressure, opportunity, and rationalization.
- The final week is for consolidation, not new resources — review high-weight weak sections first.
Study by weight, not by chapter order
With one week left, spend your hours where the points are. CIA Part 1 is built on four sections, and their exam weights are unequal. Reviewing them in proportion to weight — and starting with your weakest high-weight section — is the highest-return use of the final week.
| Section | Domain | Weight | Approx. questions (of 125) | Single most-tested anchor |
|---|---|---|---|---|
| A | Foundations of Internal Auditing | 35% | ~44 | The audit charter and the function's purpose, authority, and mandate |
| B | Ethics and Professionalism | 20% | ~25 | Objectivity + due professional care, and the QAIP external assessment at least every 5 years |
| C | Governance, Risk Management, and Control | 30% | ~38 | COSO frameworks + the Three Lines Model |
| D | Fraud Risks | 15% | ~19 | The fraud triangle: pressure, opportunity, rationalization |
Note the imbalance: Section A (Foundations) is the largest at 35% — more than one in three questions — followed closely by Section C (Governance, Risk Management, and Control) at 30%. Together they account for nearly two-thirds of the exam, so they deserve the most review minutes. The content is aligned to the IIA's Global Internal Audit Standards (effective 9 January 2025), which reframed the prior Standards into a principles-based structure; the exam still tests the same core concepts of purpose, ethics, competency, quality, and governance.
High-yield recap: Section A — Foundations (35%)
The internal audit charter is the formal document that establishes the function's purpose, authority, and responsibility; it is approved by the board (or audit committee). Know the definition of internal auditing, an independent, objective assurance and consulting activity designed to add value and improve operations, which the Global Internal Audit Standards' purpose statement extends to providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight. Know also the difference between assurance engagements (three parties: the auditor, the party directly responsible for the activity, and the user of the results) and consulting engagements (two parties: the auditor and the client, with scope agreed with the client).
Under the current syllabus, Foundations also carries the independence material. Independence is organizational: freedom from conditions that threaten the function's ability to carry out its responsibilities without bias. The defining tested fact is that the Chief Audit Executive (CAE) reports functionally to the board and administratively to senior management. Functional oversight includes approving the charter, the risk-based plan, and the budget, and appointing or removing the CAE. Proficiency is the collective knowledge, skills, and competencies the function needs; an individual auditor need not have every skill if the function as a whole does.
High-yield recap: Section B — Ethics and Professionalism (20%)
This section carries the objectivity, due professional care, and quality material. Objectivity is the individual auditor's unbiased mental attitude, free from conflicts of interest. Due professional care means the care and skill of a reasonably prudent and competent auditor; it is not a guarantee that all risks or errors will be found. Auditors maintain proficiency through continuing professional development (CPD/CPE).
The most-tested quality rule lives here too: a Quality Assurance and Improvement Program (QAIP) has internal assessments (ongoing monitoring plus periodic self-assessments) and external assessments, and an external assessment must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. Only a function that conforms with the Standards (which, since the 2025 edition, incorporate the former Code of Ethics as the ethics and professionalism principles of Domain II) may state that it is conducted "in conformance with the Global Internal Audit Standards."
High-yield recap: Section C — Governance, Risk Management, and Control (30%)
Master two frameworks. COSO publishes the Internal Control – Integrated Framework (five components: control environment, risk assessment, control activities, information and communication, monitoring activities) and Enterprise Risk Management – Integrating with Strategy and Performance (2017). All five components must be present and functioning, and operating together, for a system of internal control to be considered effective. The Three Lines Model (IIA, 2020) replaces the old "three lines of defense": first line = operational management owning and managing risk; second line = risk, compliance, and similar functions providing expertise and oversight; third line = internal audit providing independent assurance to the governing body.
Know risk responses: avoid, accept, reduce/mitigate, and share/transfer; and control types: preventive, detective, and corrective. Be precise about a few distinctions the exam loves. Risk appetite is the broad amount of risk an organization is willing to accept in pursuit of value; risk tolerance is the narrower acceptable variation around a specific objective. Inherent risk is the risk before controls; residual risk is what remains after controls operate.
The board sets the tone and owns oversight, management owns and operates the controls, and internal audit provides independent assurance — never owning the controls it audits.
High-yield recap: Section D — Fraud Risks (15%)
The fraud triangle explains why fraud occurs through three conditions: pressure (a financial or personal incentive or motive), opportunity (weak controls that let it happen), and rationalization (the offender justifying the act). Separate the auditor's role from management's: management is responsible for establishing controls to prevent and detect fraud, while internal audit must have sufficient knowledge to evaluate the risk of fraud but is not primarily responsible for detecting it. Know red flags and the auditor's duty to exercise professional skepticism.
Final-week discipline
Use short mixed-section question sets rather than re-reading one chapter end to end, so you practice switching context the way the real exam forces you to. Stop adding new resources in the last few days: a calm review of your error log beats a frantic new course outline. Finally, remember that due professional care does not mean infallibility: an auditor who applies reasonable care can still miss an irregularity and remain in conformance with the Standards.
Weight your final hours toward the two largest sections, Foundations (35%) and Governance/Risk/Control (30%), without neglecting the fraud triangle and the five-year external assessment rule.
Self-check questions
- Which CIA Part 1 section carries the largest exam weight, and therefore deserves the most final-week review?
- Under the quality requirements tested in Ethics and Professionalism, how often must an external assessment of the internal audit function be conducted?
- The fraud triangle identifies three conditions that explain why fraud occurs. Which three?
- To preserve the internal audit function's independence, the Chief Audit Executive (CAE) should report functionally to which party?