20 October 2013
Understanding Changes to the Certified Internal Auditor® Program for 2013
2013 Program Changes To The CIA® Program

Certified Internal Auditor® (CIA®) 2013 Content Change

Overview:
This document is provided by IIA Global Headquarters to explain the impending changes to the Certified Internal Auditor® (CIA®) program scheduled for 2013. In 2011, as part of the ongoing examination processes, The IIA conducted a Job Analysis Study (JAS) for the CIA. The JAS determined that the body of knowledge related to the profession of internal auditing has changed since the last exam content update in 2004, and therefore needs to be adjusted to reflect those changes. As a result of these findings, the Professional Certifications Board (PCB) and the Board of Directors of The IIA have approved key changes to the program:
• A new three-part exam structure.
• Elimination of recognition credit previously applicable to Part 4.
• The realignment of the exam content outline and question count for each part.

Entry and Experience Requirements:
At the present time, there are no changes to the entry and experience requirements for the CIA exam. Two years of professional experience are still required to obtain the Certified Internal Auditor designation. However, candidates may sit for the exam before meeting the experience requirement and receive their CIAs upon completion of the two-year experience period, provided that the experience is acquired during the program eligibility window.

New Exam Availability:
The new exam is expected to be made available in English during the latter half of 2013. Our plan is to roll out the new exam in additional languages using a phased approach. A more detailed timeline will be made available upon launch of the English version.

Exam Content:
The three-part exam structure allows for the alignment of content in three segments: Internal Auditing Basics, Internal Audit Practice, and Internal Audit Knowledge Elements.
The participation of more than 40,000 internal audit practitioners worldwide in the JAS allowed the Exam Development Committee (EDC) to evaluate the knowledge, competency, and skills required by today’s internal auditors as addressed in more than 100 knowledge statements. The data examined included the frequency and importance of tasks performed by internal auditors, and the findings were incorporated into the development and realignment of exam content. A detailed outline of the new three-part exam content is provided at the end of this brochure. Individuals interested in viewing a mapping of content from the current four-part exam to the 2013 three-part exam may do so by visiting www.globaliia.org/certification.

CIA Exam Preparation Materials:
The development of materials by review providers is independent of the exam development process. The IIA provided current review providers with the final content outline in October 2011. Review providers have been made aware of a mid-2013 projected release for the new three-part exam. Information on exam preparation resources can be found on The IIA’s Global (www.globaliia.org/certification) and North American (www.theiia.org/certification) websites.

CIA Candidate Transition Plan:
In recognition of the varying lengths of time spent by candidates earning their CIAs and the level of exam rigor, The IIA has developed the transition plan below to assist candidates who are in the process of earning their CIA at the time of the new exam structure’s implementation. The table communicates the equivalency of items completed in the previous four-part structure and their relation to the new three-part exam.
| Candidates who have completed: | Will receive credit under the new structure for: | Additional requirements for receiving identified credit: |
|---|---|---|
| Application | Application | None |
| Part 1 | Part 1 | None |
| Part 2 | Part 2 | None |
| Part 3 (without Part 4) | Part 3 | Within six months of the new structure implementation, you must complete one of the following items: • Pass Part 4 of the previous exam • Apply and receive PRC 4 Credit through the previous exam process • Apply for and receive Professional Experience Recognition (PER). Candidates who do not complete one of these three options within the six-month transition window will be required to take the new Part 3 exam. |
| Part 4 (without Part 3) | No credit given | Must complete new Part 3 |
| Both Part 3 and Part 4 | Part 3 | None |
| Experience Form | Experience Form | None |
| Character Reference | Character Reference | None |
| Education Verification | Education Verification | None |

The new exam content and format will be as rigorous and complex as the current exam. Candidates currently in the process of earning their CIAs are encouraged to continue their path toward certification in the current exam format. Doing so will ensure that any adjustments to the implementation schedule will not affect their ability to earn the only globally recognized internal audit credential in a reasonable time frame.

CIA 2013 Exam Syllabus

The CIA exam tests a candidate’s knowledge of current internal auditing practices and understanding of internal audit issues, risks and remedies. The redesigned exam will be offered in three parts, with Part 1 consisting of 125 questions and Parts 2 and 3 consisting of 100 questions each.

Exam Non-disclosure

The CIA exam is a non-disclosed examination, which means current exam questions and answers will not be published or released.

Note: Exam topics and/or formats are subject to change as approved by The IIA’s Professional Certification Board (PCB).
Part 1 – Internal Audit Basics
125 questions | 2.5 Hours (150 minutes)

The new CIA exam Part 1 topics tested include aspects of mandatory guidance from the IPPF; internal control and risk concepts; as well as tools and techniques for conducting internal audit engagements.

Note: All items in this section of the syllabus will be tested at the Proficiency knowledge level unless otherwise indicated below.

I. Mandatory Guidance (35–45%)
   A. Definition of Internal Auditing
      1. Define purpose, authority, and responsibility of the internal audit activity
   B. Code of Ethics
      1. Abide by and promote compliance with The IIA Code of Ethics
   C. International Standards
      1. Comply with The IIA’s Attribute Standards
         a. Determine if the purpose, authority, and responsibility of the internal audit activity are documented in the audit charter, approved by the Board and communicated to the engagement clients
         b. Demonstrate an understanding of the purpose, authority, and responsibility of the internal audit activity
      2. Maintain independence and objectivity
         a. Foster independence
            1) Understand organizational independence
            2) Recognize the importance of organizational independence
            3) Determine if the internal audit activity is properly aligned to achieve organizational independence
         b. Foster objectivity
            1) Establish policies to promote objectivity
            2) Assess individual objectivity
            3) Maintain individual objectivity
            4) Recognize and mitigate impairments to independence and objectivity
      3. Determine if the required knowledge, skills, and competencies are available
         a. Understand the knowledge, skills, and competencies that an internal auditor needs to possess
         b. Identify the knowledge, skills, and competencies required to fulfill the responsibilities of the internal audit activity
      4. Develop and/or procure necessary knowledge, skills, and competencies collectively required by the internal audit activity
      5. Exercise due professional care
      6. Promote continuing professional development
         a. Develop and implement a plan for continuing professional development for internal audit staff
         b. Enhance individual competency through continuing professional development
      7. Promote quality assurance and improvement of the internal audit activity
         a. Monitor the effectiveness of the quality assurance and improvement program
         b. Report the results of the quality assurance and improvement program to the board or other governing body
         c. Conduct quality assurance procedures and recommend improvements to the performance of the internal audit activity

II. Internal Control / Risk (25–35%) – Awareness Level (A)
   A. Types of Controls (preventive, detective, input, output, etc.)
   B. Management Control Techniques
   C. Internal Control Framework Characteristics and Use (e.g., COSO, Cadbury)
      1. Develop and implement an organization-wide risk and control framework
   D. Alternative Control Frameworks
   E. Risk Vocabulary and Concepts
   F. Fraud Risk Awareness
      1. Types of fraud
      2. Fraud red flags

III. Conducting Internal Audit Engagements – Audit Tools and Techniques (25–35%)
   A. Data Gathering (Collect and analyze data on proposed engagements)
      1. Review previous audit reports and other relevant documentation as part of a preliminary survey of the engagement area
      2. Develop checklists/internal control questionnaires as part of a preliminary survey of the engagement area
      3. Conduct interviews as part of a preliminary survey of the engagement area
      4. Use observation to gather data
      5. Conduct engagement to assure identification of key risks and controls
      6. Sampling (non-statistical [judgmental] sampling method, statistical sampling, discovery sampling, and statistical analyses techniques)
   B. Data Analysis and Interpretation
      1. Use computerized audit tools and techniques (e.g., data mining and extraction, continuous monitoring, automated work papers, embedded audit modules)
      2. Conduct spreadsheet analysis
      3. Use analytical review techniques (e.g., ratio estimation, variance analysis, budget vs. actual, trend analysis, other reasonableness tests)
      4. Conduct benchmarking
      5. Draw conclusions
   C. Data Reporting
      1. Report test results to auditor in charge
      2. Develop preliminary conclusions regarding controls
   D. Documentation / Work Papers
      1. Develop work papers
   E. Process Mapping, Including Flowcharting
   F. Evaluate Relevance, Sufficiency, and Competence of Evidence
      1. Identify potential sources of evidence

Part 2 – Internal Audit Practice
100 questions | 2.0 Hours (120 minutes)

The new CIA exam Part 2 topics tested include managing the internal audit function via the strategic and operational role of internal audit and establishing a risk-based plan; the steps to manage individual engagements (planning, supervision, communicating results, and monitoring outcomes); as well as fraud risks and controls.

Note: All items in this section of the syllabus will be tested at the Proficiency knowledge level unless otherwise indicated below.

I. Managing the Internal Audit Function (40–50%)
   A. Strategic Role of Internal Audit
      1. Initiate, manage, be a change catalyst, and cope with change
      2. Build and maintain networking with other organization executives and the audit committee
      3. Organize and lead a team in mapping, analysis, and business process improvement
      4. Assess and foster the ethical climate of the board and management
         a. Investigate and recommend resolution for ethics/compliance complaints, and determine disposition of ethics violations
         b. Maintain and administer business conduct policy (e.g., conflict of interest), and report on compliance
      5. Educate senior management and the board on best practices in governance, risk management, control, and compliance
      6. Communicate internal audit key performance indicators to senior management and the board on a regular basis
      7. Coordinate IA efforts with external auditor, regulatory oversight bodies and other internal assurance functions
      8. Assess the adequacy of the performance measurement system, achievement of corporate objective – Awareness Level (A)
   B. Operational Role of IA
      1. Formulate policies and procedures for the planning, organizing, directing, and monitoring of internal audit operations
      2. Review the role of the internal audit function within the risk management framework
      3. Direct administrative activities (e.g., budgeting, human resources) of the internal audit department
      4. Interview candidates for internal audit positions
      5. Report on the effectiveness of corporate risk management processes to senior management and the board
      6. Report on the effectiveness of the internal control and risk management frameworks
      7. Maintain effective Quality Assurance Improvement Program
   C. Establish Risk-Based IA Plan
      1. Use market, product, and industry knowledge to identify new internal audit engagement opportunities
      2. Use a risk framework to identify sources of potential engagements (e.g., audit universe, audit cycle requirements, management requests, regulatory mandates)
      3. Establish a framework for assessing risk
      4. Rank and validate risk priorities to prioritize engagements in the audit plan
      5. Identify internal audit resource requirements for annual IA plan
      6. Communicate areas of significant risk and obtain approval from the board for the annual engagement plan
      7. Types of engagements
         a. Conduct assurance engagements
            a.1 Risk and control self-assessments
               a) Facilitated approach
                  (1) Client-facilitated
                  (2) Audit-facilitated
               b) Questionnaire approach
               c) Self-certification approach
            a.2 Audits of third parties and contract auditing
            a.3 Quality audit engagements
            a.4 Due diligence audit engagements
            a.5 Security audit engagements
            a.6 Privacy audit engagements
            a.7 Performance audit engagements (key performance indicators)
            a.8 Operational audit engagements (efficiency and effectiveness)
            a.9 Financial audit engagements
         b. Compliance audit engagements
         c. Consulting engagements
            c.1 Internal control training
            c.2 Business process mapping
            c.3 Benchmarking
            c.4 System development reviews
            c.5 Design of performance measurement systems

II. Managing Individual Engagements (40–50%)
   A. Plan Engagements
      1. Establish engagement objectives/criteria and finalize the scope of the engagement
      2. Plan engagement to assure identification of key risks and controls
      3. Complete a detailed risk assessment of each audit area (prioritize or evaluate risk/control factors)
      4. Determine engagement procedures and prepare engagement work program
      5. Determine the level of staff and resources needed for the engagement
      6. Construct audit staff schedule for effective use of time
   B. Supervise Engagement
      1. Direct / supervise individual engagements
      2. Nurture instrumental relations, build bonds, and work with others toward shared goals
      3. Coordinate work assignments among audit team members when serving as the auditor-in-charge of a project
      4. Review work papers
      5. Conduct exit conference
      6. Complete performance appraisals of engagement staff
   C. Communicate Engagement Results
      1. Initiate preliminary communication with engagement clients
      2. Communicate interim progress
      3. Develop recommendations when appropriate
      4. Prepare report or other communication
      5. Approve engagement report
      6. Determine distribution of the report
      7. Obtain management response to the report
      8. Report outcomes to appropriate parties
   D. Monitor Engagement Outcomes
      1. Identify appropriate method to monitor engagement outcomes
      2. Monitor engagement outcomes and conduct appropriate follow-up by the internal audit activity
      3. Conduct follow-up and report on management’s response to internal audit recommendations
      4. Report significant audit issues to senior management and the board periodically

III. Fraud Risks and Controls (5–15%)
   A. Consider the potential for fraud risks and identify common types of fraud associated with the engagement area during the engagement planning process
   B. Determine if fraud risks require special consideration when conducting an engagement
   C. Determine if any suspected fraud merits investigation
   D. Complete a process review to improve controls to prevent fraud and recommend changes
   E. Employ audit tests to detect fraud
   F. Support a culture of fraud awareness, and encourage the reporting of improprieties
   G. Interrogation / investigative techniques – Awareness Level (A)
   H. Forensic auditing – Awareness Level (A)

Part 3 – Internal Audit Knowledge Elements
100 questions | 2.0 Hours (120 minutes)

The new CIA exam Part 3 topics tested include governance and business ethics; risk management; organizational structure, including business processes and risks; communication; management and leadership principles; information technology and business continuity; financial management; and the global business environment.

Note: All items in this section of the syllabus will be tested at the Awareness knowledge level unless otherwise indicated below.

I. Governance / Business Ethics (5–15%)
   A. Corporate / Organizational Governance Principles – Proficiency Level (P)
   B. Environmental and Social Safeguards
   C. Corporate Social Responsibility

II. Risk Management (10–20%) – Proficiency Level (P)
   A. Risk Management Techniques
   B. Organizational Use of Risk Frameworks

III. Organizational Structure / Business Processes and Risks (15–25%)
   A. Risk / Control Implications of Different Organizational Structures
   B. Structure (e.g., centralized / decentralized)
   C. Typical Schemes in Various Business Cycles (e.g., procurement, sales, knowledge, supply-chain management)
   D. Business Process Analysis (e.g., workflow analysis and bottleneck management, theory of constraints)
   E. Inventory Management Techniques and Concepts
   F. Electronic Funds Transfer (EFT) / Electronic Data Interchange (EDI) / E-commerce
   G. Business Development Life Cycles
   H. The International Organization for Standardization (ISO) Framework
   I. Outsourcing Business Processes

IV. Communication (5–10%)
   A. Communication (e.g., the process, organizational dynamics, impact of computerization)
   B. Stakeholder Relationships

V. Management / Leadership Principles (10–20%)
   A. Strategic Management
      1. Global analytical techniques
         a. Structural analysis of industries
         b. Competitive strategies (e.g., Porter’s model)
         c. Competitive analysis
         d. Market signals
         e. Industry evolution
      2. Industry environments
         a. Competitive strategies related to:
            1) Fragmented industries
            2) Emerging industries
            3) Declining industries
         b. Competition in global industries
            1) Sources / impediments
            2) Evolution of global markets
            3) Strategic alternatives
            4) Trends affecting competition
      3. Strategic decisions
         a. Analysis of integration strategies
         b. Capacity expansion
         c. Entry into new businesses
      4. Forecasting
      5. Quality management (e.g., TQM, Six Sigma)
      6. Decision analysis
   B. Organizational Behavior
      1. Organizational theory (structures and configurations)
      2. Organizational behavior (e.g., motivation, impact of job design, rewards, schedules)
      3. Group dynamics (e.g., traits, development stages, organizational politics, effectiveness)
      4. Knowledge of human resource processes (e.g., individual performance management, supervision, personnel sourcing / staffing, staff development)
      5. Risk / control implications of different leadership styles
      6. Performance (productivity, effectiveness, etc.)
   C. Management Skills / Leadership Styles
      1. Lead, inspire, mentor, and guide people, building organizational commitment and entrepreneurial orientation
      2. Create group synergy in pursuing collective goals
      3. Team-building and assessing team performance
   D. Conflict Management
      1. Conflict resolution (e.g., competitive, cooperative, and compromise)
      2. Negotiation skills
      3. Conflict management
      4. Added-value negotiating
   E. Project Management / Change Management
      1. Change management
      2. Project management techniques

VI. IT / Business Continuity (15–25%)
   A. Security
      1. Physical / system security (e.g., firewalls, access control)
      2. Information protection (e.g., viruses, privacy)
      3. Application authentication
      4. Encryption
   B. Application Development
      1. End-user computing
      2. Change control
      3. Systems development methodology
      4. Application development
      5. Information systems development
   C. System Infrastructure
      1. Workstations
      2. Databases
      3. IT control frameworks (e.g., eSAC, COBIT)
      4. Functional areas of IT operations (e.g., data center operations)
      5. Enterprise-wide resource planning (ERP) software (e.g., SAP R/3)
      6. Data, voice, and network communications / connections (e.g., LAN, VAN, and WAN)
      7. Server
      8. Software licensing
      9. Mainframe
      10. Operating systems
      11. Web infrastructure
   D. Business Continuity
      1. IT contingency planning

VII. Financial Management (10–20%)
   A. Financial Accounting and Finance
      1. Basic concepts and underlying principles of financial accounting (e.g., statements, terminology, relationships)
      2. Intermediate concepts of financial accounting (e.g., bonds, leases, pensions, intangible assets, R & D)
      3. Advanced concepts of financial accounting (e.g., consolidation, partnerships, foreign currency transactions)
      4. Financial statement analysis (e.g., ratios)
      5. Types of debt and equity
      6. Financial instruments (e.g., derivatives)
      7. Cash management (e.g., treasury functions)
      8. Valuation models
      9. Business valuation
      10. Inventory valuation
      11. Capital budgeting (e.g., cost of capital evaluation)
      12. Taxation schemes (e.g., tax shelters, VAT)
   B. Managerial Accounting
      1. General concepts
      2. Costing systems (e.g., activity-based, standard)
      3. Cost concepts (e.g., absorption, variable, fixed)
      4. Relevant cost
      5. Cost-volume-profit analysis
      6. Transfer pricing
      7. Responsibility accounting
      8. Operating budget

VIII. Global Business Environment (0–10%)
   A. Economic / Financial Environments
      1. Global, multinational, international, and multi-local compared and contrasted
      2. Requirements for entering the global marketplace
      3. Creating organizational adaptability
      4. Managing training and development
   B. Cultural / Political Environments
      1. Balancing global requirements and local imperatives
      2. Global mindsets (personal characteristics/competencies)
      3. Sources and methods for managing complexities and contradictions
      4. Managing multicultural teams
   C. Legal and Economics — General Concepts (e.g., contracts)
   D. Impact of Government Legislation and Regulation on Business (e.g., trade legislation)

Individuals interested in viewing a mapping of content from the current four-part exam to the 2013 three-part exam may do so by visiting www.globaliia.org/certification.

Global Headquarters
247 Maitland Avenue
Altamonte Springs, Florida 32701 USA
T +1-407-937-1111
F +1-407-937-1101
W www.globaliia.org