CIA Part 2 Syllabus 2026: What Changed & How to Study

CIA Part 2 Syllabus Changes 2026

Why the CIA Part 2 Syllabus Changed in 2026

The IIA's Global Internal Audit Standards™ (GIAS) — the most comprehensive rewrite of internal audit professional standards in decades — came into effect in January 2025 and the CIA exam was fully realigned as of 2026. Every content area in Part 2 is now mapped to specific GIAS Principles and Standards rather than generic competency statements. The practical result: exam questions are scenario-driven and test whether you can apply a standard inside a live engagement, not simply recall a definition. If you are deciding which CIA part to sit first, understanding this shift is essential for sequencing your study correctly.

CIA Part 2 Exam Structure at a Glance (2026)

CIA Part 2 — Internal Audit Engagement — is 100 questions in 120 minutes, structured across three content areas. Your study hours should mirror these weightings directly.

Source: IIA CIA certification page — exam specifications aligned with GIAS, January 2026.

Old vs New CIA Part 2 Syllabus: Side-by-Side Comparison

The most important change is that technology, accounting depth, and business-process knowledge — once treated as background knowledge or tested in Part 3 — are now embedded directly into engagement planning scenarios. The table below shows every major topic: what moved, what stayed, and what is brand new.

Legend: ✅ Retained | 🔼 Expanded | 🆕 New addition | ⚠️ Previously limited. Based on the IIA GIAS-aligned 2026 CIA exam content specifications.

Technology Topics: What's New in CIA Part 2

Technology risk is now tested in engagement context — every IT topic appears as a planning or scoping scenario, not a definition question. The 2026 syllabus (Section 2133) requires candidates to assess cybersecurity risks holistically across all organisational functions, not just the IT department. Key additions include:

• Cybersecurity: Attack vectors (phishing, ransomware, SQL injection, zero-day), IDS vs IPS, encryption types, authentication factors, audit trails, system logs, and six IT control frameworks (NIST CSF v2.0, ISO/IEC 27001:2022, NIST SP 800-53, CIS Controls v8, COBIT 2019, PCI DSS).
• Artificial Intelligence: Machine learning, NLP, computer vision — plus six AI risks: data privacy, bias & discrimination, lack of transparency (black-box), automation displacement, over-reliance, and inadequate AI governance.
• Internet of Things: IoT features and risk profile — botnet attacks (e.g., Mirai), misconfiguration, device authentication failures, and how IoT environments affect engagement scope.
• Big Data & Data Privacy: The 5 Vs (Volume, Velocity, Variety, Veracity, Value), GDPR applicability, data minimisation, and full data-lifecycle protection from collection through disposal.

For a broader look at how technology is reshaping the profession, see our guide on CIA Part 3: Risk, IT, and Analytics — many of the same frameworks appear across both parts.

Accounting & Business Processes: Why So Much Detail?

The most surprising expansion for many candidates is the depth of accounting and business-process content now embedded in Engagement Planning (50%). The logic is straightforward: an auditor who cannot identify risks embedded in a lease arrangement or an inventory cycle cannot set appropriate engagement objectives. This is not financial accounting for its own sake — every topic is tested as a risk identification or scoping exercise.

Accounting, Investment & Capital Financing (Section 2135)

• Bonds: Premium/discount amortisation, effective interest method, fair value
• Leases (IFRS 16 / ASC 842): Right-of-use assets, lease liabilities, operating vs. finance lease classification
• Pensions: Defined benefit vs. defined contribution, actuarial assumptions
• Business Combinations: Acquisition method, goodwill, intangibles recognition

Business Processes (Section 2136)

Information Gathering, Analysis & Evaluation (40%): The Modern Toolkit

This section (Section 2200 series) tests how internal auditors collect, evaluate, and analyse audit evidence. The 2026 update significantly expands the range of analytical tools candidates must apply. The old exam tested basic analytical review; the new exam tests proficiency with modern, technology-driven audit methods alongside traditional techniques.

• Technology in internal auditing (2230): RPA for repetitive tasks, continuous auditing and monitoring, CAAT, real-time dashboards
• Analytical approaches & process mapping (2240): BPMN, Value Stream Maps, process mining, workflow analysis, data types and methods
• Analytical review techniques (2250): Ratio analysis, variance analysis, trend analysis, simple and multiple linear regression, Benford's Law, statistical sampling, Pareto analysis, 5 Whys, FMEA
• Workpapers & conclusions (2270–2280): Organising, linking, retaining, aggregating findings into engagement conclusions — stable but mapped to GIAS

Understanding how many MCQs to practise and in what pattern is critical — read our guide on CIA MCQ practice targets for each part to build a realistic weekly plan.

How to Study Differently for the New CIA Part 2 Syllabus

The biggest mindset shift for the 2026 exam: stop studying topics in isolation — practise application in context. Every technology topic, accounting method, and business-process cycle will appear as an engagement scenario requiring an auditor's decision.

1. Prioritise by weight. Engagement Planning is 50% — spend at least half your study time on Sections 2110–2173. Section 2133 (Cybersecurity, AI, IoT, Data Privacy) alone warrants 15–20 hours.
2. Build an IT frameworks reference card. One-page comparison of NIST CSF, ISO 27001, NIST SP 800-53, CIS Controls, COBIT 2019, PCI DSS — developer, purpose, structure, and best-fit scenario for each.
3. Master the inventory error matrix. Trace every error type through COGS = BI + NP − EI to its effect on net income, current ratio, working capital, and ROA across both the current and subsequent year.
4. Practise engagement approach decisions. Use the mnemonic TRAI — Traditional, Remote, Agile, Integrated — and map each to the risk context and GIAS Standard it references.
5. MCQ-first study. Answer questions, identify gaps, then use reference materials to close them. See our complete CIA study plan for a week-by-week schedule.

Also review the common mistakes that derail candidates — these failure patterns from Part 1 apply equally to Part 2 when candidates under-allocate time to Engagement Planning.

Why Use Surgent CIA Review for the 2026 Syllabus?

Surgent CIA Review — available through Eduyush — is built on an AI-driven adaptive learning engine that tracks every question you answer and focuses your remaining study time on the gaps most likely to affect your score. For the expanded 2026 GIAS-aligned syllabus, this targeted approach matters more than ever.

• ✅ 2026 GIAS-aligned MCQ bank — questions mapped to every new sub-topic including Topical Requirements, AI risk, and NIST CSF
• ✅ Reference Guide (PDF + LMS) — structured as a gap-filling resource linked directly to MCQ explanations, not a textbook to read cover-to-cover
• ✅ Video lectures — covering new cybersecurity, accounting, and analytics sections with worked examples
• ✅ Adaptive study plan — AI-generated daily schedule that adjusts as your readiness scores improve
• ✅ Proven pass rates — Surgent candidates consistently outperform the global CIA first-attempt average

Frequently Asked Questions: CIA Part 2 Syllabus Changes