The Certification in Risk Management Assurance (CRMA) is designed for internal auditors and risk management professionals with responsibility for and experience in providing risk assurance, governance processes, quality assurance, or control self-assessment (CSA). It demonstrates an individual’s ability to evaluate the dynamic components that comprise an organization’s governance and enterprise risk management program and provide advice and assurance around these issues.
«The CRMA is one more mark of professional distinction for internal audit practitioners.»
Earning the CRMA will assist you in demonstrating your ability to:
- Provide assurance on core business processes in risk management and governance.
- Educate management and the audit committee on risk and risk management concepts.
- Focus on strategic organizational risks.
- Add value for your organization.
CRMA candidates must meet the following eligibility requirements:
Education: The candidate must have successfully completed the requirements and passed Part 1 of the CIA exam. This can be done before, during, or after completion of the CRMA exam, but must be completed before the certification is granted. Review the requirements for the CIA exam Part 1.
CRMA candidates must hold a 3- or 4-year post-secondary degree (or higher). The Global Board of Directors has approved an alternate path to eligibility for the CRMA for those candidates who do not possess a Bachelor’s degree from an accredited university. Subject to approval, candidates may now become eligible for the CRMA if they possess:
- Two years post-secondary education and five years verified experience in internal audit or its equivalent, OR
- Seven years verified experience in internal audit or its equivalent.
For further details, please see the Certification Candidate Handbook.
Character Reference: Candidates must exhibit high moral and professional character and must submit a Character Reference Form signed by a CIA, CCSA, CFSA, CRMA, or the candidate’s supervisor.
Work Experience: CRMA candidates must obtain 24 months of auditing experience or controls-related business experience such as risk management, quality assurance, or CSA. A completed Experience Verification Form is required. Candidates may apply to the program and sit for the exam prior to satisfying the professional experience requirement, but will not be certified until all program requirements have been met.
Proof of Identification: Candidates must provide proof of identification in the form of a copy of the candidate’s official passport or national identity card. These must indicate current status; expired documents will not be accepted.
Eligibility Period: Candidates may apply to the program and sit for the exam prior to satisfying the professional experience requirement, but will not be certified until all program requirements have been met. The certification program’s eligibility requires candidates to complete the program certification process within four years of application approval. If a candidate has not completed the certification process within four years, all fees and exam parts will be forfeited.
All documentation must be sent to firstname.lastname@example.org for verification, and you must apply for admission by logging in to the CCMS system.
The CRMA exam includes two sections: Part 1 of the CIA exam and a separate CRMA exam, which consists of 100 multiple-choice questions covering four domains. The CRMA exam requires a completion time of two hours. Candidates who have already passed Part 1 of the CIA exam may advance directly to the CRMA core exam, having fulfilled that eligibility requirement.
All content covered in the four domains of the CRMA exam will be tested at the proficiency level (P). This means that candidates must exhibit proficiency (thorough understanding and the ability to apply concepts) in these topic areas.
Standards tested on the CRMA exam:
- CIA exam Part 1 topics tested include aspects of the IPPF, responsibilities of the internal audit activity, independence and objectivity, governance concepts, risk identification and management, management controls, and audit planning.
- The CRMA exam topics tested include governance aspects and principles of risk management assurance in addition to appropriate assurance and consulting roles for internal audit professionals.
CRMA Exam Domains
The CRMA exam core content covers four domains:
Domain I: Organizational governance related to risk management (25-30%)
Domain II: Principles of risk management processes (25-30%)
Domain III: Assurance role of the Internal Auditor (20-25%)
Domain IV: Consulting role of the Internal Auditor (20-25%)
CRMA Reference Resources
Follow the link for a list of references that encompass the body of knowledge for the CRMA exam: Reference Resources
Apply and register online
The IIA’s Certification Candidate Management System (CCMS) is a powerful, user-friendly application to help you apply for, complete, and maintain your certifications and related information, while keeping you connected to and informed about The IIA’s certification programs.
After you log in, you’ll be able to:
- Apply for IIA certification programs.
- Register for IIA certification examinations.
- Review your certification status.
- View your exam score report.
- Review your next steps in the certification process.
- Update your personal information.
- Review your credential and exam history.
The CCSA exam is available through computer-based testing, allowing you to test year-round at more than 500 locations worldwide. Candidates are able to sit for exams at any IIA-authorized Pearson VUE testing center worldwide, regardless of whether the testing center is located in your hometown or country. To locate the testing centers nearest you, visit the Pearson VUE website. You must apply and register in The IIA’s Certification Candidate Management System (CCMS) prior to scheduling an exam.
You pay by credit card when applying for the program or registering for an exam. The pricing structure is as follows:

| | MEMBERS | NON-MEMBERS |
|---|---|---|
| Application Fee | USD 200 | USD 300 |
| Exam Fee | USD 350 | USD 450 |

The CRMA exam is a self-study exam and does not require a prescribed curriculum. Candidates may choose their own method of preparing for the exam. Follow the link for a list of references that encompass the body of knowledge for the CRMA exam: Reference Resources.
CRMA Study Guide Book and Exam Study Questions
With current information and trends, explanatory examples, and useful figures and tables, the CRMA® Exam Study Guide will not only serve as an aid to taking the exam but will also enhance your knowledge of risk management assurance for audit-related activity.
The Certification in Risk Management Assurance® (CRMA®) Exam Practice Questions is designed to be a helpful tool in preparing for the CRMA exam. Included are practical, scenario-based questions as well as those of a theoretical nature.
Continuing Professional Education (CPE) Requirements
Certificate holders are required to self-certify as to the completion of the required continuing education hours. It is the CRMA’s responsibility to assure that the CPE hours claimed conform to the guidelines established by the PCB. Forms are submitted by CRMAs on an annual basis and serve as signed statements that all applicable continuing professional development requirements have been met.
This page contains the mandatory CPE requirements for CRMAs. It also specifies the method of reporting by CRMAs who wish to keep their designation in good standing.
NOTE: If you are a Certified Internal Auditor® (CIA®), the CPE reporting that you complete for the CIA program satisfies the CPE reporting requirements for the CRMA and all other IIA specialty certifications. CPE reporting for specialty certifications requires that 25% of the hours earned must be in the specialty area of expertise.
CRMA professionals are responsible for:
- Maintaining their knowledge and skills.
- Updating their knowledge and skills related to improvements and current developments in internal auditing standards, procedures, and techniques.
CPE Requirement Regarding IIA International Standards
1. In order to encourage understanding of and compliance with The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), The IIA’s Professional Certification Board (PCB) has instated a requirement that CRMAs stay abreast of the Standards as part of their CPE.
2. CRMAs must review or receive training on the Standards at some point during their CPE reporting period.
3. If you are completing your CPE reporting form and have not already met this requirement, please take a moment to review the Standards before submitting your form.
4. While there, we also encourage you to review the Practice Advisories (accessible with an IIA member password) and other sections of The IIA’s International Professional Practices Framework (IPPF).
CPE Reporting Requirements for CRMAs
CRMAs may submit CPE reporting forms in The IIA’s Certification Candidate Management System (CCMS). The reporting deadline is 31 December each year. Reporting is free for members of IIA Norway. Non-members pay USD 100 by credit card when reporting.
In order to facilitate reporting, CRMAs who also hold the CIA designation can satisfy the requirements of both programs by reporting appropriate CPE for the CIA designation only. The Institute will issue an acknowledgment of compliance to each CRMA meeting the requirements of this guidance. The Institute will keep information on the active/inactive status of CRMAs. The PCB, upon request, may grant partial or complete exemption from CPE requirements for individuals when good cause exists, such as military service or individual hardship.
Each CRMA should submit an appropriate CPE reporting form to The Institute, without supporting documentation, in compliance with CPE requirements. Each CRMA should maintain a copy of the CPE reporting form, along with all supporting documentation, for at least three years after the records no longer apply to filed CPE reports. Records must be made available to The Institute or its designee at The Institute’s request. The records maintained by the CRMA in support of the reporting form filed with The Institute should include, as appropriate, the following information:
1. Title of program and/or description of content
2. Dates attended
3. Location of course or program
4. Sponsoring organization
5. Contact hours of credit as recommended by the course sponsor
6. A letter, certificate, or other written independent attestation of course completion
7. Documentation supporting publications, oral presentations, and committee or other participation
CRMA Reporting Categories
A CRMA who is practicing risk management assurance must complete a total of 20 hours of acceptable CPE every year.
A CRMA who is not practicing risk management assurance may request non-practicing status by notifying The IIA’s Certification Department in writing. Non-practicing CRMAs must complete a total of 10 hours of acceptable CPE every year. As long as their CPE requirements are met, non-practicing CCSAs may use the CRMA designation; however, if they resume practicing risk management assurance, they must report as a practicing CRMA.
A CRMA who is not practicing risk management assurance because of retirement may request retired status by notifying The IIA’s Certification Department in writing. Retired CRMAs are not responsible for completing CPE requirements. Retired CRMAs may use the CRMA designation; however, if they resume employment, they must report as a practicing or non-practicing CRMA, as appropriate.
Inactive (Grace Period) Status
A CRMA is automatically placed in inactive status by The IIA’s Certification Department when the CRMA fails to meet established CPE requirements. CRMAs with an inactive status may not use the CRMA designation. Any wrongful use of the CRMA designation will be reported to The IIA’s Ethics Committee for disciplinary action. The individual must submit the prior year CPE report for the appropriate number of CPE hours.
Reinstatement to Active Status
If an individual is inactive longer than 12 months, the individual will be required to report CPE hours at the status level that applies to their situation. In addition, inactive CIAs will be required to pay the applicable reinstatement fee at the time of reporting.
Qualifying CPE Activities
It is anticipated that CRMAs will maintain the high standards of the profession in selecting quality educational programs to fulfill the CPE requirements. The following general subjects are acceptable as long as they meet other CPE program criteria:
1. Assessing/assurance of risk management activities.
2. Risk management fundamentals.
3. Elements of risk.
4. Control theory and application.
5. Business objectives and organizational performance.
Activities other than those listed in this guidance may be deemed acceptable if the CRMA can demonstrate that they contribute to professional competence. Substantiating that a particular activity qualifies as acceptable and meets the requirements is the responsibility of the CRMA.
CPE credit will be awarded for whole hours only with a minimum of 50 minutes constituting one hour. As an example, 100 minutes of continuous instruction would count for two hours; however, more than 50 minutes but less than 100 minutes of continuous instruction would count for only one hour. Only class contact or acceptable self-study hours are allowable. For chapter meetings throughout the reporting period or continuous conferences/conventions when individual segments are less than 50 minutes, the sum of the segments should be considered one total program. For example, five 30-minute presentations would equal 150 minutes and should be counted as three contact hours.
Hours are awarded for the year in which the CRMA certification is earned. (Candidates receive 20 hours in the year the certification is awarded and 20 hours the subsequent year). The 40 CPE hours awarded for the CRMA certification are based on earning the certification, and are not NASBA-approved.
A maximum of 20 CPE hours may be awarded in the education category each year. At least five of the 20 CPE hours required must be in this category. Educational activities include:
1. Professional education and development programs, such as seminars and conferences, provided by national/federal, state, and local auditing and accounting organizations.
2. Technical sessions at meetings of national/federal, state, and local auditing and accounting organizations and chapters.
3. Formal in-house training programs.
4. Programs of other sponsors (industrial, professional societies, etc.).
5. College or university courses passed (credit and non-credit courses).
- Fifteen hours of CPE credit are awarded for each semester hour of college/university credit earned.
- Ten hours of CPE credit are awarded for each quarter hour of college/university credit earned.
6. Other certification examinations passed.
- A maximum of 20 hours may be awarded in the year passed.
- 10 CPE hours are awarded for passing each part of another appropriate professional certification examination.
7. Formal correspondence and self-study programs relevant to risk management assurance that include evidence of completion.
A maximum of 10 hours may be awarded in the publications category each year for books, articles, research papers, and training materials. Generally, one full journal page of single-spaced print is equal to two hours of CPE credit.
Books: 12 hours
Articles: 6 hours
Research papers: 6 hours
Contributions to publications should pertain to risk management assurance audit disciplines related to the CRMA Examination Topic Outline. Published articles or books not related directly to risk management assurance are acceptable if CRMAs are able to demonstrate that these activities contribute to their professional proficiency.
The IIA’s CPE program also allows certified individuals to earn CPE hours by reading Internal Auditor magazine articles and answering questions about them.
A maximum of 10 hours may be awarded in the publications category each year. Generally one full journal page of single-spaced print is equal to two hours of CPE credit, with the following limits on one translation:
Books: 12 hours
Articles: 6 hours
Research papers: 6 hours
Translations of publications should pertain to certification domains or disciplines related to the Common Body of Knowledge, and/or the specialty examination topic outlines. Translations of published articles or books not related directly to internal auditing are acceptable if the certified individual is able to demonstrate that these activities contribute to their professional audit proficiency.
A maximum of 10 CPE hours may be awarded in the oral presentation category each year.
The hours reported for the first presentation will be based on the presentation time, plus credit for preparation time equivalent to three times the presentation time.
Subsequent presentations of the same material may be reported as presentation time only, up to a maximum of five CPE hours each year.
A maximum of 10 CPE hours may be awarded in the participation category each year for participation as an officer or committee member in a professional industry organization related to risk management assurance. One CPE hour for each hour of qualifying participation will be awarded.
External Quality Assessments
A maximum of 10 CPE hours may be awarded each year in the category of external quality assurance review activities. One CPE hour will be awarded for each hour spent on site, with the following limits on any one quality assurance review activity:
1. Independent (external) validation of an internal audit activity’s self-assessment (as defined in the IPPF): maximum of five CPE hours per review.
2. One-week external quality assurance review: maximum of five hours per review.
3. Two-week external quality assurance review: maximum of 10 hours.
No CPE hours will be awarded for activities such as preparation time and writing the report.
The IIA will verify on a test basis the records of CRMAs and/or course sponsors in a manner deemed appropriate to determine compliance with the requirements set forth in this guidance. The potential penalty for submitting false information will be determined in accordance with the administrative directive, Disciplinary Policies and Procedures.