Certification in Risk Management Assurance

More business experience and a deeper level of risk management knowledge are required in order to provide holistic and effective risk management assurance. As such, the Certification in Risk Management Assurance (CRMA) is positioned as a career pathway for internal auditors after achieving the CIA designation. It is the only risk management assurance certification for internal auditors.

«The CRMA is one more mark of professional distinction for internal audit practitioners.»

Earning the CRMA helps address the impact of risk and demonstrates you have the ability to:

  • Provide assurance on core business processes in risk management and governance.
  • Educate management and the audit committee on risk and risk management concepts.
  • Offer quality assurance and control self-assessment.
  • Add value for your organization as a trusted advisor.


CRMA candidates must have an active Certified Internal Auditor® (CIA®) designation prior to being approved into the CRMA program. If you have any questions, submit a case via your profile in the Certification Candidate Management System (CCMS).

Active CIA Designation      CRMA Examination
Government Issued ID        5 years of internal audit and/or risk management experience

*Work experience is an “exit” requirement for the CRMA program. Candidates with less experience may apply for the CRMA program and sit for the exam. However, to obtain the designation, the experience requirement must be met before the two-year program window expires.

Eligibility Period

The CRMA program window is two years, meaning that candidates have two years from the date they are accepted into the program to complete the program requirements (i.e., pass the exam and provide evidence that they have obtained five years of internal audit and/or risk management experience).

Candidates in the CRMA program agree to accept the conditions of the program, including eligibility requirements, exam confidentiality, Code of Ethics, and Continuing Professional Education (CPE), along with other conditions enacted by The IIA’s Professional Certification Board (PCB).

IIA Membership

In most cases, you do not have to be a member of The IIA to take the CRMA exam or become a CRMA, but we encourage you to consider its advantages. IIA members receive discounts on CRMA review materials and courses. View available study resources.


You pay by credit card when applying for the program or registering for an exam. The pricing structure is as follows:

                        MEMBERS           NON-MEMBERS
Application Fee         USD  95              USD 210
Exam Fee                USD 445              USD 580

Exam Content

The syllabus sets out to ensure that all concepts are assessed at a proficient cognitive level. In other words, the exam does not require candidates to simply memorize or demonstrate basic comprehension of concepts. Instead, it is designed to test candidates’ application of concepts and their ability to analyze and evaluate data, make sound judgments, and formulate conclusions and recommendations.

Exam Topics       I. Internal audit roles and responsibilities (20 %)
                  II. Risk management governance (25 %)
                  III. Risk management assurance (55 %)
Seat Time         150 minutes
Length            120 questions
Question Types    Variety of question types

Domain I: Internal audit roles and responsibilities (20 %)

  1. Roles and Competencies
    1. Determine appropriate assurance and consulting services for the internal audit activity with regard to risk management.
    2. Determine the knowledge, skills, and competencies required (whether developed or procured) to provide risk management assurance and consulting services.
    3. Evaluate organizational independence of the internal audit activity and report impairments to appropriate parties.
  2. Coordination
    1. Recommend establishing an organizationwide risk management strategy and processes, or contribute to the improvement of the existing strategy and processes.
    2. Coordinate risk assurance efforts and determine whether to rely on the work of other internal and external assurance providers.
    3. Assist the organization with creating or updating an organizationwide risk assurance map to ensure proper risk coverage and minimize duplication of efforts.

Domain II: Risk management governance (25 %)

  1. Governance, Risk Management, and Control Frameworks
    1. Evaluate the organization’s governance structure and application of risk management concepts found in governance frameworks.
    2. Assess the organization’s application of concepts and principles found within risk and control frameworks appropriate to the organization.
    3. Assess key elements of the organization’s risk governance and risk culture (e.g., risk oversight, risk management, tone at the top, etc.) and the impact of organizational culture on the overall control environment and risk management strategy.
  2. Risk Management Integration
    1. Evaluate management’s commitment to risk management and analyze the integration of risk management into the organization’s objectives, strategy setting, performance management, and operational management systems.
    2. Evaluate the organization’s ability to identify and respond to changes and emerging risks that may affect the organization’s achievement of strategy and objectives.
    3. Examine the effectiveness of integrated risk management reporting (e.g., risk, risk response, performance, and culture, etc.) to key stakeholders.

Domain III: Risk management assurance (55 %)

  1. Risk Management Approach
    1. Evaluate various approaches and processes for assessing risk (e.g., relevant measures, control self-assessment, continuous monitoring, maturity models, etc.).
    2. Select data analytics techniques (e.g., ratio estimation, variance analysis, budget vs. actual, trend analysis, other reasonableness tests, benchmarking, etc.) to support risk management and assurance processes.
  2. Assurance Processes
    1. Evaluate the design and application of management’s risk identification and assessment processes.
    2. Utilize a risk management framework to assess organizationwide risks from various sources (e.g., audit universe, regulatory requirements and changes, management requests, relevant market and industry trends, emerging issues, etc.).
    3. Prioritize audit engagements based on the results of the organizationwide risk assessment to establish a risk-based internal audit plan.
    4. Manage internal audit engagements to ensure audit objectives are achieved, quality is assured, and staff is developed.
    5. Evaluate the effectiveness and efficiency of risk management at all levels (i.e., process level, business unit level, and organizationwide).
    6. Analyze the results of multiple internal audit engagements, the work of other internal and external assurance providers, and management’s risk remediation activities to support the internal audit activity’s overall assessment of the organization’s risk management processes.
    7. Assess risk management, project management, and change controls throughout the systems development lifecycle.
    8. Evaluate data privacy, cybersecurity, IT controls, and information security policies and practices.
    9. Evaluate risk management monitoring processes (e.g., risk register, risk database, risk mitigation plans, etc.).
  3. Communication
    1. Manage the audit engagement communication and reporting process (e.g., holding the exit conference, developing the audit report, obtaining management responses, etc.) to deliver engagement results.
    2. Evaluate management responses regarding key organizational risks, and communicate to the board when management has accepted a level of risk that may be unacceptable to the organization.
    3. Formulate and deliver communications on the effectiveness of the organization’s risk management processes at multiple levels and organizationwide.

CRMA Study Material

The CRMA Exam Study Guide and Practice Questions, 2nd Edition, is the comprehensive review material you need to prepare for the Certification in Risk Management Assurance (CRMA) exam. Visit the CRMA Exam Preparation Resources page for a list of resources and study material.

Apply and register online

The IIA’s Certification Candidate Management System (CCMS) is a powerful, user-friendly application to help you apply for, complete, and maintain your certifications and related information, while keeping you connected to and informed about The IIA’s certification programs.

After you log in, you’ll be able to:

  • Apply for IIA certification programs.
  • Register for IIA certification examinations.
  • Review your certification status.
  • View your exam score report.
  • Review your next steps in the certification process.
  • Update your personal information.
  • Review your credential and exam history.

CCMS User Guide and FAQ
If you have any difficulty using the Certification Candidate Management System (CCMS), please refer to the CCMS User Guide.

Computer-based Testing

The CRMA exam is available through computer-based testing, allowing you to test year-round at more than 500 locations worldwide. Candidates are able to sit for exams at any IIA-authorized Pearson VUE testing center worldwide, regardless of whether the testing center is located in your hometown or country. To locate the testing centers nearest you, visit the Pearson VUE website. You must apply and register in The IIA’s Certification Candidate Management System (CCMS) prior to scheduling an exam.

Certification Online Testing

Online testing allows candidates to take an IIA certification exam using their own computer in their home, their office, or remotely in other acceptable locations. Visit the Pearson VUE online proctoring page for system requirements and additional information. More information about online testing HERE.

Cancelations and Reschedule Fee

If you would like to cancel and reschedule your examination, Pearson VUE charges a $75 USD fee per occurrence (may be subject to additional local tax). If the test center is closed and the exam appointment is canceled by Pearson VUE, the cancelation fee will be waived automatically.

Candidates whose programs will expire within the next 60 days must make an extension request by submitting a new case in the CCMS. For expirations greater than 60 days, an extension may be purchased in CCMS for an additional fee. All cases will be reviewed and approved on an individual basis. Please refer to the Certification Candidate Handbook for additional details.

The IIA Certification Registry

The IIA Certification Registry is an up-to-date record of individuals who have earned an IIA certification and maintain it by reporting continuing professional education (CPE) to keep their credential active. All IIA active certification holders who choose to voluntarily opt-in will be included in the registry. The IIA Certification Registry allows you to provide evidence of your accomplishments and provides an opportunity for employers and recruiters to verify your IIA designations.

The IIA Standards require continuing professional education (CPE) of all internal auditors. The IIA’s Professional Certification Board requires all certification holders to complete and report CPE annually so their certifications remain in good standing. Individuals who do not meet the annual CPE requirement will not be included in The IIA Certification Registry nor can they claim the certification status.

Inclusion in the registry is voluntary and individuals can opt-in at the following points of time:

  • Upon completion of the certification program.
  • When the certification holder reports required CPE annually.
  • When submitting a support case from CCMS requesting to opt in.

What information is included in The IIA Certification Registry?

The certification registry will only include the following information:

  • Certification holder’s first and last name
  • Certificate ID
  • Certification status
  • Country of residence

No personal contact information, such as email, physical address, or phone number, will be included in the registry. Inclusion in the registry is voluntary. If you have an active certification and choose not to be listed in the certification registry, your information will not be included.

How to Renew Your Certification

As an IIA certification holder, you are required to participate in a program of learning designed to sustain professional competency and to earn continuing professional education (CPE) hours annually to maintain an active certification.

The certification renewal year runs from January 1–December 31. CPE must be earned and attested to by December 31 each year. You do not need to wait until December 31 to renew your certification(s). Once you have completed all your CPE, renew your certification through the Certification Candidate Management System (CCMS).

Reporting is free for members of IIA Norway. For non-members the reporting fee is USD 120 – 240 depending on the certificate and status. Learn more HERE.

Annual Renewal Period

The number of annual CPE hours required varies depending on the certification held and whether the certified individual is practicing or nonpracticing.

  • CIA: 40 hours CPE for practicing and 20 CPE for nonpracticing
  • CRMA: 20 hours CPE for practicing and 10 for nonpracticing

Any surplus of CPE acquired during a calendar year may be used for the following calendar year reporting cycle (20 hours max for CIA and 10 hours for CRMA can be rolled over).

For newly certified individuals, the initial renewal period begins on the date of certification and ends December 31 of the following year. For example, an individual who obtains a new certification on February 20, 2022 may begin earning CPE in 2022 but does not need to renew their certification until December 31, 2023.

For the steps on the certification renewal process, please select your certification status below:

Certification Renewal for Certified Individuals

As an active IIA certification holder, you are required to renew your certification(s) by December 31 of the current year.

  1. Log into CCMS.
  2. Select “Renew” for the certification you wish to renew.
  3. Follow the onscreen instructions and select “Submit” when prompted.

Certification Renewal for Grace Status Certification Holders

Individuals whose certification is currently in a Grace status are required to complete the renewal for both the current period and the previous year. If a certification holder enters into grace status, the holder may no longer use their designation. They may begin using the designation again when their status is returned to active. One can be in a Grace status for 2 years.

  1. Log into CCMS.
  2. Select the “Renew” link for the program you wish to renew.
  3. If your program is in Grace Period, you will be prompted to select “Renew Prior Year” or “Renew Current and Prior Year.”
  4. Follow the onscreen instructions and select “Submit” when prompted.

Recertification for Revoked Certification Holders

Individuals with an IIA certification in a Revoked status have not renewed their certification for three consecutive prior years. To recertify, you are required to reapply, retake all necessary exams, and pay the associated fees. Recertification is only available for CIA and CRMA. To begin the recertification process, follow the steps below.

  1. Log into CCMS.
  2. Select the “Recertify” link for the program you wish to restore to Active status.
  3. Follow the onscreen instructions and select “Submit” when prompted.
  4. You will be required to register for, and successfully complete, all required exams.

Retired status

A designation must be in Active status to be moved to Retired status. You need to report your Retired status through CCMS. Individuals remaining in Retired status for more than two years will be required to recertify to restore their CIA or CRMA designation to an Active status.

CPE Audit

Each year, a percentage of certified individuals will be contacted by The IIA and required to submit a complete record of CPE for the previous reporting period as part of an ongoing audit process. If you are selected for an audit, you will receive an immediate notification with additional details.

What Counts as an Ethics Course?

The PCB has set forth an ethics component to be included in CPE requirements, with a minimum of two hours of ethics training each year. There is flexibility in fulfilling this obligation. An ethics course meeting the CPE requirements could cover a variety of topics within the broader concept of ethics, such as conflicts of interest, transparency, or ethical leadership. 

If you have any questions, please submit a case in CCMS.

Qualifying CPE Activities

The IIA expects certified individuals to maintain the high standards of the internal audit profession when selecting quality educational programs to fulfill their CPE requirements. It is the certified individual’s responsibility to ensure that their CPE hours conform to the guidelines established by the PCB.

Qualifying activities

  • Educational Programs
  • Passing examinations
  • Authoring or contributing to publications
  • Translating publications
  • Delivering oral presentations
  • Participating as a subject matter expert volunteer
  • Performing external quality assessments

The Annual Certification Renewal Policy explains in further detail how CPE hours are awarded, and how many, for the different categories.