Certification Risk Management Assurance

More business experience and a deeper level of risk management knowledge are required in order to provide holistic and effective risk management assurance. As such, the Certification Risk Management Assurance (CRMA) is positioned as a career pathway for internal auditors after achieving the CIA designation. It is the only risk management assurance certification for internal auditors.

«The CRMA is one more mark of professional distinction for internal audit practitioners.»

Earning the CRMA helps address the impact of risk and demonstrates you have the ability to:

  • Provide assurance on core business processes in risk management and governance.
  • Educate management and the audit committee on risk and risk management concepts.
  • Offer quality assurance and control self-assessment.
  • Add value for your organization as a trusted advisor.


CRMA candidates must have an active Certified Internal Auditor® (CIA®) designation prior to being approved into the CRMA program. If you have any questions, submit a case via your profile in the Certification Candidate Management System (CCMS).

Program requirements:

  • Active CIA Designation
  • CRMA Examination
  • Government Issued ID
  • 5 years of internal audit and/or risk management experience*

*Work experience is an “exit” requirement for the CRMA program. Candidates with less experience may apply for the CRMA program and sit for the exam. However, to obtain the designation, the experience requirement must be met before the two-year program window expires.

Eligibility Period

The CRMA program window is two years, meaning that candidates have two years from the date they are accepted into the program to complete the program requirements (i.e., pass the exam and provide evidence that they have obtained five years of internal audit and/or risk management experience).

If you applied to the original CRMA program (before March 31, 2021), your program window expires on the expiration date you were originally given or December 22, 2022, whichever occurs first. Please refer to the “CRMA Program: Why and How It’s Changing” handbook for more information about how the recent CRMA program update may affect you.

Candidates in the CRMA program agree to accept the conditions of the program, including eligibility requirements, exam confidentiality, Code of Ethics, and Continuing Professional Education (CPE), along with other conditions enacted by The IIA’s Professional Certification Board (PCB).

Continuing Professional Education (CPE)

Each year, practicing CRMA holders must report that they completed their required annual 20 hours of continuing professional education (CPE). It is the responsibility of the certified individual to assure that the CPE hours claimed conform to the CPE Policy established by The IIA’s Professional Certification Board (PCB). CPE reporting, which must be completed via CCMS no later than 31 December each year, serves as a signed statement that all applicable CPE requirements have been met.

For complete information regarding CPE requirements for CRMA designation holders, please review the CPE Policy. Click the link for more information on CPE reporting steps for both active and inactive CRMAs.

Newly Certified?

New CRMAs are awarded 40 CPE hours. Half of the awarded CPE hours (20) are for the year in which the exam is passed, and the other half is for the subsequent year.

IIA Membership

In most cases, you do not have to be a member of The IIA to take the CRMA exam or become a CRMA, but we encourage you to consider its advantages. IIA members receive discounts on CRMA review materials and courses. View available study resources.

CRMA Study Material

The CRMA Exam Study Guide and Practice Questions, 2nd Edition, is the comprehensive review material you need to prepare for the Certification in Risk Management Assurance (CRMA) exam. Visit the CRMA Exam Preparation Resources page for a list of resources and study material.


You pay by credit card when applying for the program or registering for an exam. The pricing structure is as follows:

                        MEMBERS           NON-MEMBERS
Application Fee         USD  95              USD 210
Exam Fee                USD 445              USD 580


The syllabus sets out to ensure that all concepts are assessed at a proficient cognitive level. In other words, the exam does not require candidates to simply memorize or demonstrate basic comprehension of concepts. Instead, it is designed to test candidates’ application of concepts and their ability to analyze and evaluate data, make sound judgments, and formulate conclusions and recommendations.

Exam Topics:
  I. Internal audit roles and responsibilities (20 %)
  II. Risk management governance (25 %)
  III. Risk management assurance (55 %)
Seat Time: 150 minutes
Length: 120 questions
Question Types: Variety of question types

Domain I: Internal audit roles and responsibilities (20 %)

  1. Roles and Competencies
    1. Determine appropriate assurance and consulting services for the internal audit activity with regard to risk management.
    2. Determine the knowledge, skills, and competencies required (whether developed or procured) to provide risk management assurance and consulting services.
    3. Evaluate organizational independence of the internal audit activity and report impairments to appropriate parties.
  2. Coordination
    1. Recommend establishing an organizationwide risk management strategy and processes, or contribute to the improvement of the existing strategy and processes.
    2. Coordinate risk assurance efforts and determine whether to rely on the work of other internal and external assurance providers.
    3. Assist the organization with creating or updating an organizationwide risk assurance map to ensure proper risk coverage and minimize duplication of efforts.

Domain II: Risk management governance (25 %)

  1. Governance, Risk Management, and Control Frameworks
    1. Evaluate the organization’s governance structure and application of risk management concepts found in governance frameworks.
    2. Assess the organization’s application of concepts and principles found within risk and control frameworks appropriate to the organization.
    3. Assess key elements of the organization’s risk governance and risk culture (e.g., risk oversight, risk management, tone at the top, etc.) and the impact of organizational culture on the overall control environment and risk management strategy.
  2. Risk Management Integration
    1. Evaluate management’s commitment to risk management and analyze the integration of risk management into the organization’s objectives, strategy setting, performance management, and operational management systems.
    2. Evaluate the organization’s ability to identify and respond to changes and emerging risks that may affect the organization’s achievement of strategy and objectives.
    3. Examine the effectiveness of integrated risk management reporting (e.g., risk, risk response, performance, and culture, etc.) to key stakeholders.

Domain III: Risk management assurance (55 %)

  1. Risk Management Approach
    1. Evaluate various approaches and processes for assessing risk (e.g., relevant measures, control self-assessment, continuous monitoring, maturity models, etc.).
    2. Select data analytics techniques (e.g., ratio estimation, variance analysis, budget vs. actual, trend analysis, other reasonableness tests, benchmarking, etc.) to support risk management and assurance processes.
  2. Assurance Processes
    1. Evaluate the design and application of management’s risk identification and assessment processes.
    2. Utilize a risk management framework to assess organizationwide risks from various sources (e.g., audit universe, regulatory requirements and changes, management requests, relevant market and industry trends, emerging issues, etc.).
    3. Prioritize audit engagements based on the results of the organizationwide risk assessment to establish a risk-based internal audit plan.
    4. Manage internal audit engagements to ensure audit objectives are achieved, quality is assured, and staff is developed.
    5. Evaluate the effectiveness and efficiency of risk management at all levels (i.e., process level, business unit level, and organizationwide).
    6. Analyze the results of multiple internal audit engagements, the work of other internal and external assurance providers, and management’s risk remediation activities to support the internal audit activity’s overall assessment of the organization’s risk management processes.
    7. Assess risk management, project management, and change controls throughout the systems development lifecycle.
    8. Evaluate data privacy, cybersecurity, IT controls, and information security policies and practices.
    9. Evaluate risk management monitoring processes (e.g., risk register, risk database, risk mitigation plans, etc.).
  3. Communication
    1. Manage the audit engagement communication and reporting process (e.g., holding the exit conference, developing the audit report, obtaining management responses, etc.) to deliver engagement results.
    2. Evaluate management responses regarding key organizational risks, and communicate to the board when management has accepted a level of risk that may be unacceptable to the organization.
    3. Formulate and deliver communications on the effectiveness of the organization’s risk management processes at multiple levels and organizationwide.

CRMA Reference Resources

CRMA exam questions are derived from the body of knowledge for risk management assurance, which includes — but is not limited to — the following key references:

  • Applying the IPPF, by Urton Anderson and Andrew Dahle
  • Assessing and Managing Strategic Risks: What, Why, How for Internal Auditors, by Richard J. Anderson and Mark L. Frigo
  • COSO frameworks and guidance
  • Data Analytics: A Road Map for Expanding Analytics Capabilities, by Richard Cline, Ward Melhuish, and Meredith Murphy
  • Fundamentals of Risk Management, by Paul Hopkin
  • IRM’s “Risk Appetite & Tolerance Guidance Paper”
  • IRM’s “Risk Culture: Resources for Practitioners”
  • ISO 31000
  • King IV Report on Risk Management
  • Managing Risk in Uncertain Times: Leveraging COSO’s New ERM Framework, by Paul Sobel
  • NIST Privacy Framework V1.0
  • OECD Risk Management and Corporate Governance
  • Practical Enterprise Risk Management: Getting to the Truth, by Larry Baker
  • Sawyer’s Internal Auditing, 7th Edition, by Internal Audit Foundation
  • The IIA’s International Professional Practices Framework (IPPF)
  • The Internal Auditor’s Guide to Risk Assessment, by Rick A. Wright Jr.
  • Current resources on risk management assurance and relevant topics

Please note that periodically, new references are added and outdated references are removed from the reference list.

Apply and register online

The IIA’s Certification Candidate Management System (CCMS) is a powerful, user-friendly application to help you apply for, complete, and maintain your certifications and related information, while keeping you connected to and informed about The IIA’s certification programs.

After you log in, you’ll be able to:

  • Apply for IIA certification programs.
  • Register for IIA certification examinations.
  • Review your certification status.
  • View your exam score report.
  • Review your next steps in the certification process.
  • Update your personal information.
  • Review your credential and exam history.

CCMS User Guide and FAQ
If you have any difficulty using the Certification Candidate Management System (CCMS), please reference the CCMS User Guide.

Computer-based Testing

The CCSA exam is available through computer-based testing, allowing you to test year-round at more than 500 locations worldwide. Candidates are able to sit for exams at any IIA-authorized Pearson VUE testing center worldwide, regardless of whether the testing center is located in your hometown or country. To locate the testing centers nearest you, visit the Pearson VUE website. You must apply and register in The IIA’s Certification Candidate Management System (CCMS) prior to scheduling an exam.

During COVID-19, you can also opt in to sit for the exam via online testing, which allows candidates to take an IIA certification exam using their own computer in their home, their office, or remotely in other acceptable locations. Visit the Pearson VUE online proctoring page for system requirements and additional information.

The IIA Certification Registry

The IIA Certification Registry is an up-to-date record of individuals who have earned an IIA certification and maintain it by reporting continuing professional education (CPE) to keep their credential active. All IIA active certification holders who choose to voluntarily opt-in will be included in the registry. The IIA Certification Registry allows you to provide evidence of your accomplishments and provides an opportunity for employers and recruiters to verify your IIA designations.

The IIA Standards require continuing professional education (CPE) of all internal auditors. The IIA’s Professional Certification Board requires all certification holders to complete and report CPE annually so their certifications remain in good standing. Individuals who do not meet the annual CPE requirement will not be included in The IIA Certification Registry nor can they claim the certification status.

Inclusion in the registry is voluntary, and individuals can opt in at the following points in time:

  • Upon completion of the certification program.
  • When the certification holder reports required CPE annually.
  • By submitting a support case from CCMS and requesting to opt in.

What information is included in The IIA Certification Registry?

The certification registry will only include the following information:

  • Certification holder’s first and last name
  • Certificate ID
  • Certification status
  • Country of residence

No personal contact information, such as email, physical address, or phone number, will be included in the registry. Inclusion in the registry is voluntary. If you have an active certification and choose not to be listed in the certification registry, your information will not be included.

Qualifying CPE Activities

It is anticipated that CRMAs will maintain the high standards of the profession in selecting quality educational programs to fulfill the CPE requirements. The following general subjects are acceptable as long as they meet other CPE program criteria:

1. Assessing/assurance of risk management activities.
2. Risk management fundamentals.
3. Elements of risk.
4. Control theory and application.
5. Business objectives and organizational performance.

Activities other than those listed in this guidance may be deemed acceptable if the CRMA can demonstrate that they contribute to professional competence. Substantiating that a particular activity qualifies as acceptable and meets the requirements is the responsibility of the CRMA.

CPE credit will be awarded for whole hours only with a minimum of 50 minutes constituting one hour. As an example, 100 minutes of continuous instruction would count for two hours; however, more than 50 minutes but less than 100 minutes of continuous instruction would count for only one hour. Only class contact or acceptable self-study hours are allowable. For chapter meetings throughout the reporting period or continuous conferences/conventions when individual segments are less than 50 minutes, the sum of the segments should be considered one total program. For example, five 30-minute presentations would equal 150 minutes and should be counted as three contact hours.

A maximum of 20 CPE hours may be awarded in the education category each year. At least five of the 20 CPE hours required must be in this category. Educational activities include:

1. Professional education and development programs, such as seminars and conferences, provided by national/federal, state, and local auditing and accounting organizations.
2. Technical sessions at meetings of national/federal, state, and local auditing and accounting organizations and chapters.
3. Formal in-house training programs.
4. Programs of other sponsors (industrial, professional societies, etc.).
5. College or university courses passed (credit and non-credit courses).

  • Fifteen hours of CPE credit are awarded for each semester hour of college/university credit earned.
  • Ten hours of CPE credit are awarded for each quarter hour of college/university credit earned.

6. Other certification examinations passed.

  • A maximum of 20 hours may be awarded in the year passed.
  • 10 CPE hours are awarded for passing each part of another appropriate professional certification examination.

7. Formal correspondence and self-study programs relevant to risk management assurance that include evidence of completion.

A maximum of 10 hours may be awarded in the publications category each year for books, articles, research papers, and training materials. Generally, one full journal page of single-spaced print is equal to two hours of CPE credit.

Books: 12 hours
Articles: 6 hours
Research papers: 6 hours

Contributions to publications should pertain to risk management assurance audit disciplines related to the CRMA Examination Topic Outline. Published articles or books not related directly to risk management assurance are acceptable if CRMAs are able to demonstrate that these activities contribute to their professional proficiency.

The IIA’s CPE program also allows certified individuals to earn CPE hours by reading Internal Auditor magazine articles and answering questions about them.

A maximum of 10 hours may be awarded in the publications category each year. Generally, one full journal page of single-spaced print is equal to two hours of CPE credit, with the following limits on any one translation:

Books: 12 hours
Articles: 6 hours
Research papers: 6 hours

Translations of publications should pertain to certification domains or disciplines related to the Common Body of Knowledge, and/or the specialty examination topic outlines. Translations of published articles or books not related directly to internal auditing are acceptable if the certified individual is able to demonstrate that these activities contribute to their professional audit proficiency.

Oral Presentations
A maximum of 10 CPE hours may be awarded in the oral presentation category each year.

The hours reported for the first presentation will be based on the presentation time, plus credit for preparation time equivalent to three times the presentation time.

Subsequent presentations of the same material may be reported as presentation time only, up to a maximum of five CPE hours each year.

A maximum of 10 CPE hours may be awarded in the participation category each year for participation as an officer or committee member in a professional industry organization related to risk management assurance. One CPE hour for each hour of qualifying participation will be awarded.

External Quality Assessments
A maximum of 10 CPE hours may be awarded each year in the category of external quality assurance review activities. One CPE hour will be awarded for each hour spent on site, with the following limits on any one quality assurance review activity:

1. Independent (external) validation of an internal audit activity’s self-assessment (as defined in the IPPF): maximum of five CPE hours per review.
2. One-week external quality assurance review: maximum of five hours per review.
3. Two-week external quality assurance review: maximum of 10 hours.

No CPE hours will be awarded for activities such as preparation time and writing the report.

CPE Audit

The IIA will verify on a test basis the records of CRMAs and/or course sponsors in a manner deemed appropriate to determine compliance with the requirements set forth in this guidance. The potential penalty for submitting false information will be determined in accordance with the administrative directive, Disciplinary Policies and Procedures.