2019 CIA Exam Syllabus Part 3 – Business Knowledge for Internal Auditing

100 questions | 2.0 Hours (120 minutes)

The CIA exam Part 3 includes four domains focused on business acumen, information security, information technology, and financial management. Part 3 is designed to test candidates’ knowledge, skills, and abilities particularly as they relate to these core business concepts.

Domains

		Cognitive Learning
1. Organizational Objectives, Behavior, and Performance
A	Describe the strategic planning process and key activities (objective setting, globalization and competitive considerations, alignment to the organization's mission and values, etc.)	Basic
B	Examine common performance measures (financial, operational, qualitative vs. quantitative, productivity, quality, efficiency, effectiveness, etc.)	Proficient
C	Explain organizational behavior (individuals in organizations, groups, and how organizations behave, etc.) and different performance management techniques (traits, organizational politics, motivation, job design, rewards, work schedules, etc.)	Basic
D	Describe management’s effectiveness to lead, mentor, guide people, build organizational commitment, and demonstrate entrepreneurial ability	Basic
2. Organizational Structure and Business Processes
A	Appraise the risk and control implications of different organizational configuration structures (centralized vs. decentralized, flat structure vs. traditional, etc.)	Basic
B	Examine the risk and control implications of common business processes (human resources, procurement, product development, sales, marketing, logistics, management of outsourced processes, etc.)	Proficient
C	Identify project management techniques (project plan and scope, time/team/resources/cost management, change management, etc.)	Basic
D	Recognize the various forms and elements of contracts (formality, consideration, unilateral, bilateral, etc.)	Basic
3. Data Analytics
A	Describe data analytics, data types, data governance, and the value of using data analytics in internal auditing	Basic
B	Explain the data analytics process (define questions, obtain relevant data, clean/normalize data, analyze data, communicate results)	Basic
C	Recognize the application of data analytics methods in internal auditing (anomaly detection, diagnostic analysis, predictive analysis, network analysis, text analysis, etc.)	Basic

		Cognitive Learning
1. Information Security
A	Differentiate types of common physical security controls (cards, keys, biometrics, etc.)	Basic
B	Differentiate the various forms of user authentication and authorization controls (password, two-level authentication, biometrics, digital signatures, etc.) and identify potential risks	Basic
C	Explain the purpose and use of various information security controls (encryption, firewalls, antivirus, etc.)	Basic
D	Recognize data privacy laws and their potential impact on data security policies and practices	Basic
E	Recognize emerging technology practices and their impact on security (bring your own device [BYOD], smart devices, internet of things [IoT], etc.)	Basic
F	Recognize existing and emerging cybersecurity risks (hacking, piracy, tampering, ransomware attacks, phishing attacks, etc.)	Basic
G	Describe cybersecurity and information security-related policies	Basic

		Cognitive Learning
1. Application and System Software
A	Recognize core activities in the systems development lifecycle and delivery (requirements definition, design, developing, testing, debugging, deployment, maintenance, etc.) and the importance of change controls throughout the process	Basic
B	Explain basic database terms (data, database, record, object, field, schema, etc.) and internet terms (HTML, HTTP, URL, domain name, browser, click-through, electronic data interchange [EDI], cookies, etc.)	Basic
C	Identify key characteristics of software systems (customer relationship management [CRM] systems; enterprise resource planning [ERP] systems; and governance, risk, and compliance [GRC] systems; etc.)	Basic
2. IT Infrastructure and IT Control Frameworks
A	Explain basic IT infrastructure and network concepts (server, mainframe, client-server configuration, gateways, routers, LAN, WAN, VPN, etc.) and identify potential risks	Basic
B	Define the operational roles of a network administrator, database administrator, and help desk	Basic
C	Recognize the purpose and applications of IT control frameworks (COBIT, ISO 27000, ITIL, etc.) and basic IT controls	Basic
3. Disaster Recovery
A	Explain disaster recovery planning site concepts (hot, warm, cold, etc.)	Basic
B	Explain the purpose of systems and data backup	Basic
C	Explain the purpose of systems and data recovery procedures	Basic

		Cognitive Learning
1. Financial Accounting and Finance
A	Identify concepts and underlying principles of financial accounting (types of financial statements and terminologies such as bonds, leases, pensions, intangible assets, research and development, etc.)	Basic
B	Recognize advanced and emerging financial accounting concepts (consolidation, investments, fair value, partnerships, foreign currency transactions, etc.)	Basic
C	Interpret financial analysis (horizontal and vertical analysis and ratios related to activity, profitability, liquidity, leverage, etc.)	Proficient
D	Describe revenue cycle, current asset management activities and accounting, and supply chain management (including inventory valuation and accounts payable)	Basic
E	Describe capital budgeting, capital structure, basic taxation, and transfer pricing	Basic
2. Managerial Accounting
A	Explain general concepts of managerial accounting (cost-volume-profit analysis, budgeting, expense allocation, cost- benefit analysis, etc.)	Basic
B	Differentiate costing systems (absorption, variable, fixed, activity-based, standard, etc.)	Basic
C	Distinguish various costs (relevant and irrelevant costs, incremental costs, etc.) and their use in decision making	Basic

Additional noteworthy elements related to the revised CIA Part Three exam syllabus:

The number of topics covered on the Part Three exam has been greatly refocused to the core areas that are most critical for internal auditors.
The exam syllabus features a new subdomain on data analytics.
The information security portion of the exam has been expanded to include additional topics such as cybersecurity risks and emerging technology practices.
The largest domain is “Business Acumen,” which makes up 35% of the exam.
A portion of the exam requires candidates to demonstrate a basic comprehension of concepts; another portion requires candidates to demonstrate proficiency in their knowledge, skills, and abilities.

CIA Part 3 Reference List

Most Relevant

The IIA’s International Professional Practices Framework
Applying the International Professional Practices Framework, by Urton Anderson and Andrew J. Dahle
Internal Auditing Assurance and Advisory Services, by Urton Anderson, Michael Head, and Sridhar Ramamoorti
Sawyer's Guide for Internal Auditors, by Larry Sawyer
Understanding Management, by Richard Daft and Dorothy Marcic
Data Analytics: Elevating Internal Audit's Value, by Warren Stippich Jr. and Bradley Preber
Data Analysis and Sampling Simplified: A Practical Guide for Internal Auditors, by Donald Dickie
Rethinking Data Governance and Data Management, by ISACA
Principles of Information Security, by Michael Whitman and Herbert Mattord
IT Auditing: Using Controls to Protect Information Assets, by Chris Davis, Mike Schiller, and Kevin Wheeler
Internal Audit of the Future: The Impact of Technology and Innovation, by A. Michael Smith
Implementing the NIST Cybersecurity Framework, by ISACA
Enterprise Risk Management Framework, by COSO
Internal Control – Integrated Framework, by COSO
“Managing Cyber Risk in a Digital Age,” by COSO
Privacy and Data Protection: Internal Audit’s Role in Establishing a Resilient Framework, by IIA Foundation and Crowe
Accounting Principles, by Jerry Weygandt, Paul Kimmel, and Donald Kieso

Additional Resources

Auditor Essentials: 100 Concepts, Tips, Tools, and Techniques for Success, by Hernan Murdock
Ready and Relevant: Prepare to Audit What Matters Most, by Timothy Berichon
Project Management Body of Knowledge (PMBOK) Guide, by Project Management Institute
Contract and Commercial Management: The Operational Guide, by IACCM
Performance Auditing: Measuring Inputs, Outputs, and Outcomes, by Stephen Morgan, Ronell Raaum, and Colleen Waring
"Analytics: Good Practices for (smaller) IAFs," by IIA-Netherlands
Data Analytics for Beginners: Practical Guide to Master Data Analytics, by TechWorld
Auditing Social Media: A Governance and Risk Guide, by J. Mike Jacka and Peter Scott
Auditing the Procurement Function by David O'Regan
Information Technology Control and Audit, by Sandra Senft, Frederick Gallegos, and Aleksandra Davis
Transfer Pricing Guidelines for Multinational Enterprises and Tax Administrations, by OECD
Current resources on internal auditing and relevant topics