- The CIA exam parts can be taken in any order - but sequencing them strategically reduces rework, cost, and study fatigue.
- Part 1 covers four distinct domains including the newly added Fraud Risks domain under the 2025 syllabus, making it the conceptual anchor of the certification.
- Each part is registered and paid for separately: approximately $215 per part for IIA members, $340 for non-members.
- Candidates have a 3-year window from program acceptance to complete all three parts and exit requirements.
Why Exam Order Actually Matters for the CIA
One of the quieter advantages of the Certified Internal Auditor exam is that the Institute of Internal Auditors (IIA) allows candidates to sit for the three parts in any sequence they choose. No mandatory progression, no locked gates between parts. That freedom is genuinely useful - but it also means the burden of a smart sequencing decision falls entirely on you.
This isn't a trivial choice. The CIA is a three-part exam administered through Pearson VUE test centers worldwide, and each part carries its own registration fee. For IIA members, that's approximately $215 per part on top of a one-time application fee of roughly $115. Non-members pay closer to $340 per part. Failing a part and retaking it doesn't just cost time - it costs real money, potentially several hundred dollars per attempt. Sequencing your parts to maximize momentum and minimize the chance of an early failure is a financially smart strategy, not just an academic one.
There's also a knowledge-transfer argument. The three parts of the CIA don't exist in complete isolation. Foundational concepts from Part 1 - particularly governance, risk, and control frameworks - appear as implicit context in both Part 2 engagement planning scenarios and Part 3 business acumen questions. Building the right knowledge base early accelerates your later studies.
Understanding What Each Part Demands
Before deciding where to start, you need a clear-eyed view of what each part actually tests. The current version is the 2025 syllabus, aligned with the new Global Internal Audit Standards that went live in May 2025.
Part 1 - Foundations of Internal Auditing (125 Questions / 2.5 Hours)
Part 1 is the largest exam by question count and time allocation. It covers four domains:
- Domain 1 - Internal Audit Fundamentals: The purpose, authority, and responsibility of internal auditing, including the role of the chief audit executive and the internal audit charter.
- Domain 2 - Ethics and Professionalism: Independence, objectivity, due professional care, and the IIA's Code of Ethics. This domain is heavily standards-based.
- Domain 3 - Governance, Risk Management, and Control: The three lines model, enterprise risk management frameworks, control design and effectiveness - arguably the most conceptually dense domain in the entire CIA.
- Domain 4 - Fraud Risks: A distinct domain introduced in the 2025 syllabus. Covers fraud indicators, red flags, fraud examination concepts, and the auditor's responsibilities when fraud is suspected.
Part 2 - Internal Audit Practice (100 Questions / 2 Hours)
Part 2 shifts from conceptual knowledge to applied audit methodology. It spans four domains:
- Domain 5 - Managing the Internal Audit Function: Staffing, quality assurance and improvement programs, budgeting, and the CAE's relationship with the board and senior management.
- Domain 6 - Planning the Internal Audit Engagement: Audit universe development, risk-based planning, preliminary surveys, and engagement objectives.
- Domain 7 - Performing the Internal Audit Engagement: Fieldwork procedures, audit sampling, data analysis, documenting findings, and working paper standards.
- Domain 8 - Communicating Internal Audit Results and Monitoring Progress: Report writing, criteria for findings, management responses, and follow-up procedures.
Part 3 - Business Knowledge for Internal Auditing (100 Questions / 2 Hours)
Part 3 is the most technically diverse section, drawing on three broad domains:
- Domain 9 - Business Acumen: Organizational strategy, financial accounting, managerial accounting, operations, and the auditor's role in evaluating business performance.
- Domain 10 - Information Security: The 2025 syllabus increased emphasis here. Covers cybersecurity frameworks, access controls, data governance, and the auditor's responsibilities around IT security risk.
- Domain 11 - Information Technology: IT governance, systems development life cycle, cloud computing, and IT general controls. Candidates without an IT background routinely find this the most challenging domain in the entire certification.
Each part uses only multiple-choice questions - no simulations, no written responses. The passing threshold is a scaled score of 600 on a 250-750 scale. Understanding the weight and difficulty profile of each part is the first step toward a defensible sequencing decision. You can also practice with CIA-aligned questions at our main prep platform to quickly diagnose which domains feel familiar and which require the most work before you commit to a starting point.
The Case for Starting with Part 1
For the majority of candidates - and especially those new to formal internal audit frameworks - Part 1 is the correct starting point. Here's why the argument is compelling.
It Builds the Conceptual Infrastructure Everything Else Needs
Domain 3 (Governance, Risk Management, and Control) is not just a Part 1 topic. It is the lens through which virtually every Part 2 engagement activity is evaluated. When Part 2 asks you why an auditor adjusts an engagement scope during fieldwork, the correct reasoning traces back to risk-based concepts you first encounter in Part 1. Candidates who skip Part 1 and begin with Part 2 often describe studying the latter as trying to read the middle of a novel - technically possible, but disorienting.
Fraud Risks Is Now a Standalone Domain
The 2025 syllabus made a significant structural change: Fraud Risks became Domain 4 in Part 1, distinct from the broader governance and control content. This wasn't cosmetic. It signals that the IIA considers fraud awareness a foundational competency, not an advanced application. Getting this domain under your belt early means you'll recognize fraud-related context clues in Part 2 scenario questions without needing to backfill the knowledge.
Part 1 Has the Most Questions - Clearing It First Creates Psychological Momentum
At 125 questions over 2.5 hours, Part 1 is the heaviest single exam in the CIA program. Passing it first gives you a genuine confidence anchor. You've beaten the largest test in the series. Parts 2 and 3 each contain 100 questions in 2 hours - you're now working on a shorter format with existing conceptual momentum.
Key Takeaway
If you are early in your internal audit career or transitioning from an adjacent field like accounting or compliance, starting with Part 1 is almost always the right call. The domain structure builds directly toward Part 2 application and Part 3 context.
The Case for Starting with Part 2
There is one specific candidate profile for whom beginning with Part 2 makes genuine strategic sense: the experienced internal auditor who performs fieldwork daily.
If you are a staff or senior auditor actively conducting engagements - writing workpapers under Domain 7 standards, preparing planning memos that map to Domain 6, and drafting reports that reflect Domain 8 criteria - Part 2 topics are already embedded in your muscle memory. You don't need to learn what a preliminary survey is; you ran three of them last quarter.
For this candidate, starting with Part 2 leverages peak familiarity right now. Your on-the-job experience is most current and most relevant to this specific part. Translating lived practice into exam-ready precision is a shorter leap than building governance theory from scratch.
Even so, Part 2 candidates who skip Part 1 should plan to study Part 1 domains in parallel at a lighter intensity. The interconnection between risk frameworks (Part 1, Domain 3) and risk-based engagement planning (Part 2, Domain 6) means Part 1 blind spots will surface in Part 2 questions.
Why Part 3 Almost Always Goes Last
Across candidate communities and prep programs, there is near-universal consensus: take Part 3 last. The reasoning is straightforward and applies to almost everyone.
Part 3 is the most heterogeneous exam in the CIA program. Domain 9 requires you to understand financial statements, ratio analysis, managerial accounting concepts, supply chain operations, and corporate strategy. Domain 10 demands familiarity with cybersecurity frameworks and information security risk. Domain 11 covers IT governance models, database concepts, and systems development methodology. None of these topics link naturally to the audit methodology content in Parts 1 and 2 - each requires fresh domain knowledge.
The 2025 syllabus specifically increased the emphasis on information security and technology, making Domains 10 and 11 even more demanding than in prior versions. Candidates without IT backgrounds - the majority of internal auditors whose experience is in finance, operations, or compliance - consistently report spending the most study hours on Part 3.
Saving Part 3 for last also gives you the benefit of full CIA conceptual context. When Part 3 presents an IT governance scenario, having Part 1 and Part 2 knowledge allows you to frame it as an auditor rather than purely as a technology question. That framing matters on multiple-choice questions designed to test audit judgment, not technical IT expertise.
A Decision Framework Based on Your Background
| Candidate Profile | Recommended First Part | Rationale |
|---|---|---|
| New to internal audit (under 2 years experience) | Part 1 | Foundational domains build the vocabulary and framework for everything that follows. |
| Experienced staff/senior auditor in active fieldwork role | Part 2 | Daily work directly maps to Domains 6, 7, and 8; leverage current knowledge peak. |
| Audit manager or CAE-level candidate | Part 1 or Part 2 | Strong governance knowledge (Part 1) or audit function management (Part 2 Domain 5) depending on current gap. |
| IT auditor or technology-focused professional | Part 3 first (exception case) | Rare but valid: if Domains 10 and 11 are your professional wheelhouse, neutralize Part 3 while knowledge is fresh. |
| Anyone, regardless of background | Part 3 last (default) | Most breadth, most new-to-audit content; benefits from full conceptual grounding in Parts 1 and 2. |
Whichever path you choose, use our CIA practice test platform to take a diagnostic assessment before registering. Identifying your weakest domains before you pay a registration fee is always worth the time investment.
Registration Mechanics and Fee Strategy
The CIA operates on a pay-per-part registration model, which has meaningful implications for how you sequence your studies. You do not pay for all three parts upfront. After the IIA accepts your application, you register for each part individually through the Pearson VUE system when you're ready to schedule.
For IIA members, each part costs approximately $215 to register. For non-members, that rises to approximately $340 per part. The IIA membership itself carries a cost, but for candidates planning to sit all three parts, the math often favors joining. Across three parts, a member pays roughly $760 total in exam fees versus approximately $1,250 for a non-member - a difference that more than covers typical annual membership dues.
The exam is available year-round at Pearson VUE test centers in a large number of countries and is offered in 14 or more languages, so scheduling flexibility is real. That flexibility cuts both ways: it removes excuses for delaying registration, but it also means you don't need to rush a part before you're ready. Register when your practice test scores on a given domain set consistently put you in range of that 600 scaled score threshold.
For a deeper look at what comes after you earn the credential, the CIA CPE Requirements 2026: Maintaining Your Certification article covers the 40-hour annual continuing education requirement in detail - useful reading once you're planning beyond the exam itself.
Sample Sequencing Timeline
The following timeline assumes a candidate with moderate internal audit experience who is starting with Part 1 and targeting completion within 12-14 months. Adjust durations based on your domain-specific diagnostic results.
Part 1 - Domains 1 and 2
- Master the IIA Standards structure and the internal audit charter requirements (Domain 1)
- Work through independence, objectivity, and Code of Ethics scenario questions (Domain 2)
- Run 30-40 practice questions per session; identify missed concepts for re-study the following day
Part 1 - Domains 3 and 4
- Deep focus on the three lines model, COSO framework, and risk appetite concepts (Domain 3)
- Study fraud schemes, red flags, and auditor response protocols under the new 2025 Domain 4 structure
- Take a full 125-question timed mock exam before scheduling the real sitting
Part 2 - Domains 5 through 8
- Map your current job responsibilities against each domain; identify gaps between practice and exam expectations
- Prioritize Domain 5 (managing the function) if you lack management-level experience
- Drill report writing and findings criteria heavily - Domain 8 rewards precise language
Part 3 - Domains 9 through 11
- Allocate the most study time here if you lack IT or financial analysis background
- Use spaced repetition specifically for Domain 10 and 11 terminology (cybersecurity frameworks, SDLC stages, IT controls)
- Revisit Domain 9 business acumen topics through the lens of an auditor evaluating business risk, not a CFO solving finance problems
This timeline is a structural guide, not a rigid prescription. The most important variable is your practice test performance on each domain set. Use CIA practice exams regularly throughout this timeline to recalibrate your study focus rather than following a fixed schedule that ignores your actual score trajectory.
For more context on how this certification fits into the broader internal audit career landscape, the article on CIA Exam Order Strategy: Which Part to Take First also examines how different professional backgrounds interact with each part's domain structure - worth revisiting as you finalize your own approach.
Frequently Asked Questions
The IIA officially permits candidates to register for and take the three parts in any order. There is no mandatory sequence. The IIA does not publish an official recommended order, though many prep resources - and the domain architecture itself - point toward Part 1 first for most candidates due to its foundational content.
If you do not complete all three parts and the exit requirements (degree and experience documentation) within three years of your program acceptance date, you will need to reapply and repay the application fee. Any parts you passed do not automatically carry over, so exceeding the window is a significant setback both financially and in terms of lost study time.
The 2025 syllabus, aligned with the new Global Internal Audit Standards effective May 2025, introduced Fraud Risks as a standalone domain in Part 1 and increased emphasis on information security and technology in Part 3. This strengthens the argument for taking Part 1 first - the Fraud Risks domain (Domain 4) is now a discrete, testable topic rather than content embedded elsewhere, meaning it requires dedicated preparation time that benefits your overall CIA knowledge.
In practical terms, yes. The risk-based engagement planning in Domain 6 draws directly on the risk management and control frameworks in Domain 3. The fraud-related fieldwork scenarios in Domain 7 connect to the fraud risk awareness built in Domain 4. Candidates with a solid Part 1 foundation typically report that Part 2 concepts click into place more quickly, even when the specific procedures are new to them.
No - and waiting would be an inefficient use of your three-year program window. The IIA allows you to sit for all three parts while still accumulating your required 24 months of internal auditing experience. You simply cannot receive the CIA designation until both the exam and the experience requirement are fulfilled. Starting your exams early means your certification clock and your experience clock can run simultaneously.