- What Are the CIA CPE Requirements?
- Breaking Down the 40-Hour Annual Requirement
- What Counts as Qualifying CPE Activity
- The 20-Hour Internal Audit Core: What Exactly Qualifies
- Reporting, Renewal Fees, and the IIA Membership Connection
- CPE for Newly Certified CIAs: Your First Reporting Period
- What Happens If You Miss the Requirement
- Aligning Your CPE to the 2025 CIA Syllabus Domains
- Practical System for Tracking and Documenting Hours
- Frequently Asked Questions
- CIAs must complete exactly 40 CPE hours every year, with at least 20 hours directly in internal audit topics.
- In North America, certification renewal fees are bundled with IIA membership-no separate renewal invoice.
- The 2025 CIA syllabus elevated Fraud Risks and Information Security as distinct domains, making both prime CPE targets.
- Noncompliance with CPE requirements can result in suspension or revocation of your CIA credential.
What Are the CIA CPE Requirements?
Earning the Certified Internal Auditor credential is a rigorous achievement-passing three exam parts across Domains 1 through 11 on a 250-750 scaled scoring system, with a pass mark of 600 on each part. But the credential does not end at certification. The Institute of Internal Auditors (IIA), the sole global body that administers the CIA, requires every certificant to maintain active status through ongoing continuing professional education.
The core rule is straightforward: 40 CPE hours per calendar year, with a mandatory minimum of 20 of those hours in internal audit-related topics. The remaining 20 hours may come from adjacent professional disciplines-finance, technology, risk management, governance, or business ethics-provided they contribute meaningfully to your effectiveness as an internal auditor.
Unlike some certifications that allow multi-year carryover banking, the CIA CPE requirement resets annually. Hours completed beyond 40 in one year do not roll forward to offset the next year's requirement. This structure deliberately encourages sustained, year-round professional development rather than a last-minute binge.
Breaking Down the 40-Hour Annual Requirement
The 40-hour framework divides into two distinct buckets, and understanding that division is essential before you plan your learning calendar.
| Bucket | Minimum Hours | Topic Scope | Example Activities |
|---|---|---|---|
| Internal Audit Core | 20 hours | Topics directly aligned with internal audit practice | IIA webinars, audit methodology courses, fraud examination training |
| Related Professional Topics | Up to 20 hours | Adjacent disciplines that enhance audit competency | Cybersecurity certifications content, data analytics, leadership, financial accounting |
| Total Required | 40 hours | - | - |
The distinction matters practically: attending a generic leadership seminar counts toward your "related" bucket, not your internal audit core. If you spend all 40 hours on management communication and project planning, you will technically fall short of the 20-hour internal audit minimum even though your total looks complete on paper.
What Counts as Qualifying CPE Activity
The IIA accepts a wide range of learning formats, which gives certificants genuine flexibility in how they accumulate hours. Qualifying activities generally include:
- Formal education: College or university courses in relevant disciplines
- IIA-sponsored events: Annual conferences, chapter events, Audit & Beyond seminars, and IIA-delivered webinars
- Other professional conferences: ISACA, ACFE, or AICPA events where content is relevant to your audit work
- Self-directed learning: Online courses, structured reading programs, and e-learning platforms when accompanied by verifiable completion documentation
- Instructor or facilitator roles: Teaching qualifying content typically earns credit, often at a multiplied rate for preparation time
- Published articles and research: Writing substantive content in relevant audit and risk fields may qualify under IIA guidelines
What does not count: on-the-job work experience (however valuable), reading news articles without a structured program, or attending events with no verifiable content component. The standard for qualifying CPE is organized learning with a defined educational objective.
The 20-Hour Internal Audit Core: What Exactly Qualifies
This is where many CIAs encounter ambiguity. The IIA defines internal audit-related CPE as content aligned with the Global Internal Audit Standards and the domains tested in the CIA exam itself. Given the 2025 syllabus update, the eleven domains provide a direct map for what the IIA considers core subject matter:
Part 1 Domains - Foundation for Core CPE
Content in these domains directly satisfies the internal audit core requirement:
- Domain 1 - Internal Audit Fundamentals: Standards interpretation, charter development, independence requirements
- Domain 2 - Ethics and Professionalism: IIA Code of Ethics application, objectivity, conflicts of interest
- Domain 3 - Governance, Risk Management, and Control: Enterprise risk frameworks, control design, three lines model
- Domain 4 - Fraud Risks: Fraud schemes, red flags, investigation protocols - elevated to a standalone domain in the 2025 syllabus
Part 2 Domains - Engagement-Level CPE
Practical audit execution topics that qualify as internal audit core hours:
- Domain 5 - Managing the Internal Audit Function: Quality assurance, resource planning, stakeholder alignment
- Domain 6 - Planning the Internal Audit Engagement: Risk-based scoping, audit universe prioritization
- Domain 7 - Performing the Internal Audit Engagement: Testing procedures, sampling, evidence evaluation
- Domain 8 - Communicating Results and Monitoring Progress: Report writing, recommendation tracking, remediation follow-up
Part 3 Domains - Technology and Business CPE
These domains straddle the core/related boundary depending on content depth:
- Domain 9 - Business Acumen: Organizational strategy, financial statement analysis, process improvement
- Domain 10 - Information Security: Cybersecurity frameworks, access controls, incident response - significantly expanded in the 2025 update
- Domain 11 - Information Technology: IT governance, cloud computing, data integrity, system development life cycle
If you are still building your exam knowledge or preparing for a specific part, exploring CIA Exam Order Strategy: Which Part to Take First can help you sequence your study in a way that also front-loads your CPE planning around the domains you cover first.
Reporting, Renewal Fees, and the IIA Membership Connection
The IIA operates on a calendar-year CPE reporting cycle. Certificants self-report completed hours through the IIA's online portal, and the deadline aligns with the end of the reporting year. Keeping your records organized throughout the year rather than reconstructing them in December makes this process far less stressful.
One aspect of CIA maintenance that surprises many new certificants: in North America, there is no separate certification renewal fee. Renewal costs are embedded in your IIA membership dues. This is a meaningful financial distinction from certifications that charge annual or biennial renewal fees on top of membership. Maintaining your IIA membership is effectively maintaining your certification financially-though the CPE requirement exists independently of fee payment.
Key Takeaway
Letting your IIA membership lapse is not just a networking inconvenience-it directly affects your certification status. Keep membership current and your renewal fees are already covered in North America.
Non-members who hold the CIA credential outside the standard membership structure should verify their specific renewal fee structure directly with the IIA, as arrangements vary by region and membership category.
CPE for Newly Certified CIAs: Your First Reporting Period
If you passed your final CIA exam part recently, your CPE obligation does not necessarily begin on January 1 of your first full year. The IIA typically assigns your first CPE reporting period based on your certification date, and a prorated or partial-year arrangement may apply. This detail catches many new CIAs off guard when they receive their first compliance notice.
Practical steps for new certificants:
- Log into your IIA certification portal immediately after receiving your CIA credential and confirm the start and end date of your first CPE reporting period.
- Identify whether the IIA has assigned you a prorated hour requirement for a partial year.
- Begin logging CPE activities from your certification date-do not assume you have a "grace year."
- Plan your 20 internal audit core hours first; they are the harder constraint to satisfy compared to the flexible related hours.
The CIA practice exam resources available on this site can also support your early CPE activities-structured test preparation and domain review often aligns with self-study CPE formats depending on how they are documented and submitted.
What Happens If You Miss the Requirement
The IIA enforces CPE requirements seriously, and the consequences scale with the severity of noncompliance. Missing the annual 40-hour threshold-or failing to meet the 20-hour internal audit core minimum even with 40 total hours logged-can trigger the following outcomes:
- Warning notice: First-instance noncompliance typically results in a formal notice and an opportunity to remediate.
- Certification suspension: Unresolved noncompliance moves to suspended status, which means you cannot use the CIA designation or represent yourself as certified.
- Revocation: Persistent or fraudulent reporting of CPE hours can result in permanent revocation, which requires a full reinstatement process if you wish to reclaim the credential.
The CIA is the only globally recognized internal audit certification, administered exclusively by the IIA. Losing it-even temporarily-carries professional consequences that far outweigh the inconvenience of logging 40 hours of legitimate professional development annually.
Aligning Your CPE to the 2025 CIA Syllabus Domains
The May 2025 syllabus update introduced two shifts that should directly inform your CPE planning going forward. Fraud Risks became Domain 4 in Part 1-a standalone domain rather than a subtopic embedded in governance or risk content. This signals that the IIA considers fraud examination a core competency for all CIAs, not just those in forensic or financial services roles. CPE courses from the Association of Certified Fraud Examiners (ACFE) or IIA fraud-specific seminars directly map to this domain.
Simultaneously, Information Security (Domain 10) and Information Technology (Domain 11) received expanded emphasis. Technology-focused CPE from ISACA-including CISA-aligned content-directly addresses these domains and qualifies at minimum as related professional CPE, with many technology audit-specific courses qualifying as internal audit core hours.
You can also reinforce domain knowledge strategically by working through CIA exam practice questions organized by domain-even post-certification, testing yourself against the current question formats keeps domain knowledge sharp and can serve as structured self-study CPE.
Practical System for Tracking and Documenting Hours
A simple tracking system prevents the annual scramble of reconstructing CPE documentation. Rather than prescribing a rigid methodology, the key principle is log at the time of completion, not at the time of reporting.
A workable approach:
- Maintain a dedicated folder (digital or physical) sorted by year where all certificates and attendance confirmations are stored immediately after completing each activity.
- Use a simple spreadsheet with columns for: date, activity title, provider, hours claimed, bucket (core vs. related), and documentation file reference.
- Review your running total quarterly-at the end of March, June, September, and December. This lets you identify gaps before the year-end deadline, not after.
- For self-directed learning, document the learning objective, materials used, time invested, and a brief summary of what you learned. The IIA expects structured learning, not incidental reading.
If you are simultaneously preparing for remaining CIA exam parts while maintaining an already-earned part, your structured study time may contribute to CPE depending on format and documentation. Review CIA CPE Requirements 2026: Maintaining Your Certification for the most current guidance on what study formats the IIA accepts in a given reporting year.
Frequently Asked Questions
No. The IIA does not permit carryover of excess CPE hours. If you complete 55 hours in one year, the extra 15 hours do not reduce your 40-hour obligation for the following year. Each reporting period resets to zero.
IIA chapter meetings with a defined educational program and verifiable attendance typically qualify. Social or networking-only events without structured educational content do not. Confirm with your chapter that a formal CPE certificate or attendance record is issued for qualifying sessions.
The 2025 update elevated Fraud Risks (Domain 4) and expanded Information Security (Domain 10). CPE directly addressing these topics-fraud examination methodology, cybersecurity audit techniques, IT general controls-more clearly qualifies as internal audit core hours than it did under the previous syllabus framework.
Potentially, yes. If an activity qualifies under both the IIA's CPE standards and another certification body's requirements, you may claim the same hours with both organizations-provided the content genuinely meets each body's subject matter criteria. You are not prohibited from counting the same learning event toward multiple certifications.
The IIA's CPE requirement is tied to your certification status, not your employment status. Being between positions or on extended leave does not suspend your annual CPE obligation. If maintaining the credential during a career gap is a concern, many low-cost or free IIA webinars and chapter events exist specifically to help certificants meet requirements without significant expense.