CIA Part 1 (2025 Global Standards)

1. Describe the Purpose of Internal Auditing according to the Global Internal Audit Standards
May include but is not limited to:
a. Explain the overall objectives and benefits of the internal audit function
b. Describe the conditions that contribute to the effectiveness of the internal audit function

2. Explain the internal audit mandate and responsibilities of the board and chief audit executive
May include but is not limited to:
a. Describe the authority, role, and responsibilities of the internal audit function
b. Explain the role of the chief audit executive in helping the board establish or update the internal audit mandate
c. Explain the role of the board and senior management in determining the authority, role, and responsibilities of the internal audit function

3. Recognize the requirements of an internal audit charter
May include but is not limited to:
a. Identify components required by the Global Internal Audit Standards
b. Recognize the importance of discussing the charter with the board and senior management
c. Recognize the importance of board approval

4. Interpret the differences between assurance services and advisory services provided by the internal audit function
May include but is not limited to:
a. Define assurance services
b. Differentiate between limited and reasonable assurance
c. Define advisory services
d. Describe how the nature and scope of advisory services are determined
e. Determine which type of service (assurance or advisory) is appropriate in a given context

5. Describe the types of assurance services performed by the internal audit function
May include but is not limited to:
a. Describe risk and control assessments
b. Describe third-party and contract compliance audits
c. Describe IT security and privacy audits
d. Describe performance and quality audits
e. Describe operational, financial, and regulatory compliance audits
f. Describe audits of organizational culture
g. Describe audits of the management reporting process

6. Describe the types of advisory services performed by the internal audit function
May include but is not limited to:
a. Describe the internal auditor’s role in providing risk and control training
b. Describe the internal auditor’s role in system design and development
c. Describe the internal auditor’s role in due diligence services
d. Describe the internal auditor’s role in maintaining data privacy
e. Describe the internal auditor’s role in benchmarking
f. Describe the internal auditor’s role in internal control assessments
g. Describe the internal auditor’s role in process mapping

7. Identify situations where the independence of the internal audit function may be impaired
May include but is not limited to:
a. Identify situations where the chief audit executive’s functional reporting line is not appropriate
b. Describe the board’s responsibility for protecting internal audit independence
c. Describe the chief audit executive’s responsibility for protecting and maintaining internal audit independence, including communicating to the board when an impairment or perceived impairment is identified
d. Identify situations where budget limitations may restrict internal audit operations
e. Describe the effects of scope limitations or restricted access

8. Recognize the internal audit function’s role in the organization’s risk management process
May include but is not limited to:
a. Describe The IIA’s Three Lines Model
b. Identify first and second line responsibilities that could impair the independence of the internal audit function
c. Describe safeguards to implement when internal auditors conduct or are perceived to be conducting first or second line responsibilities

1. Demonstrate integrity
May include but is not limited to:
a. Describe how to apply honesty and professional courage when confronted with ethical dilemmas or difficult situations
b. Describe how to practice legal and professional behavior in all situations

2. Assess whether an individual internal auditor has any impairments to objectivity
May include but is not limited to:
a. Evaluate the impact of self-review and familiarity bias on engagements
b. Analyze situations where conflicts of interest may arise

3. Analyze policies that promote objectivity and potential options to mitigate impairments
May include but is not limited to:
a. Assess situations where reassigning internal auditors may be warranted
b. Assess situations where it would be appropriate to outsource the performance or supervision of an engagement
c. Determine when it is necessary to disclose impairments
d. Recognize situations where it is inappropriate to accept a gift, reward, or favor

4. Apply the knowledge, skills, and competencies required (whether developed or procured) to fulfill the responsibilities of the internal audit function
May include but is not limited to:
a. Apply written and verbal communication skills to deliver effective messages, reports, meetings, and presentations
b. Apply critical thinking and problem-solving skills to address complex issues and identify innovative solutions
c. Apply research skills to collect information from a variety of resources and expand knowledge on various topics
d. Apply persuasion and negotiation skills to manage conflicts and collaborate effectively with teammates and stakeholders
e. Apply relationship-building skills to establish trust and credibility
f. Apply change management skills to thrive in evolving environments
g. Demonstrate curiosity to uncover new information and foster continuous learning
h. Evaluate situations that demonstrate a need for an internal auditor to pursue continuing professional development

5. Demonstrate due professional care
May include but is not limited to:
a. Recognize that due professional care involves assessment of the organization’s strategy and objectives
b. Recognize that due professional care involves assessment of the adequacy and effectiveness of governance, risk management, and control processes
c. Recognize that due professional care involves assessment of the costs relative to potential benefits of an engagement
d. Recognize that due professional care involves assessment of the probability of significant errors, fraud, noncompliance, and other risks
e. Recognize that professional skepticism involves maintaining an unbiased mental attitude and critical assessment of the reliability of information

6. Maintain confidentiality and use information appropriately during engagements
May include but is not limited to:
a. Apply relevant organizational policies, procedures, laws, and regulations
b. Apply internal audit methodologies
c. Demonstrate respect for privacy and ownership of information
d. Apply appropriate methods to protect information

1. Describe the concept of organizational governance
May include but is not limited to:
a. Describe the roles of the board, senior management, the internal audit function, and other assurance providers
b. Recognize governance frameworks, principles, and models

2. Recognize the impact of organizational culture on the overall control environment and individual engagement risks and controls
May include but is not limited to:
a. Define organizational culture and the control environment
b. Define engagement risks and controls
c. Recognize the impact of the organization’s decision-making processes on the organization’s governance, risk management, and control processes

3. Recognize ethical and compliance-related issues
May include but is not limited to:
a. Identify ethical, legal, and compliance requirements applicable to an organization
b. Recognize the internal auditor’s role in an organization’s ethical framework

4. Interpret fundamental concepts of risk type
May include but is not limited to:
a. Differentiate between the following types of risk: strategic, operational, financial, compliance, reputational, and environmental, sustainability and social responsibility
b. Compare and contrast inherent and residual risks

5. Interpret fundamental concepts of the risk management process
May include but is not limited to:
a. Define risk management
b. Recognize an organization’s risk appetite and risk tolerance
c. Assess the elements of the risk management cycle
d. Evaluate an organization’s responses to identified risks

6. Describe risk management within organizational processes and functions
May include but is not limited to:
a. Evaluate the design and effectiveness of risk management processes
b. Describe the purpose and benefit of using a risk management framework

7. Interpret internal control concepts and types of controls
May include but is not limited to:
a. Describe the purpose of internal controls
b. Describe and evaluate types of internal controls, such as preventive, detective, and corrective
c. Recommend appropriate controls to mitigate risks

8. Recognize the importance of the design, effectiveness, and efficiency of internal controls (financial and nonfinancial)
May include but is not limited to:
a. Review the design and effectiveness of internal controls
b. Describe the purpose and benefit of using an internal control framework.

1. Describe concepts of fraud risks and types of fraud
May include but is not limited to:
a. Describe the fraud triangle concepts: motivation, opportunity, and rationalization
b. Recognize fraud risks
c. Identify common fraud schemes

2. Determine whether fraud risks require special consideration during an engagement
May include but is not limited to:
a. Recognize fraud risks when planning an engagement
b. Assess processes that may have significant exposure to fraud risk

3. Evaluate the potential for fraud and how the organization detects and manages fraud risks
May include but is not limited to:
a. Evaluate an organization’s fraud risk management processes
b. Detect and assess red flags at the organizational level and process level
c. Recognize the internal auditor’s role in reporting red flags identified during an engagement

4. Describe controls to prevent and detect fraud
May include but is not limited to:
a. Recognize the impact that tone at the top has on the likelihood of fraud
b. Recognize the appropriate application of segregation of duties
c. Recognize how authority levels may prevent fraud
d. Recognize common controls to detect fraud such as whistleblower hotlines, reconciliations, and supervisory reviews

5. Recognize techniques and the internal audit function’s role related to fraud investigation
May include but is not limited to:
a. Define the internal audit function’s role related to fraud investigations
b. Describe interviewing techniques
c. Describe investigation techniques
d. Describe fraud testing methods
e. Recognize opportunities for internal auditors to coordinate with fraud investigators and review their risk assessments, prior investigations, investigation trends, and whistleblower complaints