CIA Part 3 Exam 2026: Syllabus, Study Guide & Domain Breakdown

Updated April 1, 2026 by Vicky Sarin

CIA Part 3—Business Knowledge for Internal Auditing—covers strategic management, financial accounting, technology, and leadership. Updated in 2025 to align with the Global Internal Audit Standards (GIAS), Part 3 now tests four domains across 100 multiple-choice questions in 150 minutes.

Key Takeaways

  • CIA Part 3 was restructured in January 2025 under the new GIAS framework—old 2019 domains no longer apply.
  • Four domains: Strategic Management (20%), Financial Management & Accounting (20%), Technology & Data Analytics (30%), Leadership & Communication (30%).
  • 100 MCQs in 150 minutes; scored 250–750, passing score 600.
  • Technology & Data Analytics now carries the highest weight at 30%.
  • Candidates who passed Parts 1 and 2 should budget 100–150 study hours for Part 3.

What Is CIA Part 3 and Who Should Take It?

CIA Part 3, titled Business Knowledge for Internal Auditing, is the final of three exams required to earn the Certified Internal Auditor (CIA) designation. It tests whether candidates can apply business concepts—strategy, finance, technology, and governance—within an internal audit context.

While Part 1 focuses on internal audit fundamentals and Part 2 on audit practice, Part 3 broadens the lens to the business environment in which auditors operate. Candidates must understand how organisations set strategy, manage financial resources, deploy technology, and communicate results.

Part 3 is administered by The Institute of Internal Auditors (IIA) and is available year-round at Pearson VUE test centres globally. To sit for the exam, you must meet the CIA eligibility requirements, which include a bachelor’s degree (or equivalent), a character reference, and payment of the CIA exam fees.

What Is the CIA Part 3 Syllabus & Domain Breakdown for 2025/2026?

The CIA Part 3 syllabus was significantly restructured in January 2025 to align with the new Global Internal Audit Standards (GIAS). The exam now tests four domains instead of the previous three, with Technology & Data Analytics and Leadership & Communication each carrying 30% weight.

| Domain | Topic Area | Weight |
|---|---|---|
| I | Strategic Management | 20% |
| II | Financial Management & Accounting | 20% |
| III | Technology & Data Analytics | 30% |
| IV | Leadership & Communication | 30% |

Domain I: Strategic Management (20%)

This domain assesses understanding of organisational governance, strategic planning, and risk management at the enterprise level. Key topics include:

  • Corporate governance structures – Board responsibilities, committee structures, and the role of the Chief Audit Executive (CAE) in governance.
  • Strategic planning and performance – SWOT analysis, balanced scorecards, KPIs, and competitive analysis frameworks.
  • Enterprise risk management (ERM) – Risk identification, assessment, and the distinction between risk appetite and risk tolerance.
  • Organisational behaviour – Change management, organisational structures, and ethical culture.

Domain II: Financial Management & Accounting (20%)

This domain tests financial literacy essential for auditors evaluating an organisation’s financial health. Topics include:

  • Financial accounting and reporting – Balance sheets, income statements, cash flow statements, and IFRS vs GAAP concepts.
  • Managerial accounting – Cost-volume-profit analysis, budgeting, variance analysis, and transfer pricing.
  • Financial management – Capital budgeting (NPV, IRR), working capital management, and capital structure decisions.
  • Tax and regulatory considerations – Tax compliance, transfer pricing implications, and regulatory reporting obligations.

Domain III: Technology & Data Analytics (30%)

Carrying the highest weight, this domain reflects the IIA’s emphasis on technology in modern audit. It covers:

  • IT governance and infrastructure – IT frameworks (COBIT, ITIL), network architecture, cloud computing, and IT general controls (ITGCs).
  • Cybersecurity and data privacy – Threat landscapes, incident response, data protection regulations, and the audit of cybersecurity controls.
  • Data analytics for auditing – Continuous auditing and monitoring, data visualisation, sampling techniques, and use of CAATs.
  • Emerging technology – Artificial intelligence, blockchain, robotic process automation, and the risks of AI-enabled fraud.

Domain IV: Leadership & Communication (30%)

This domain, new in the 2025 restructure, evaluates leadership competencies and communication effectiveness. Topics include:

  • Leadership principles – Leadership styles, emotional intelligence, team dynamics, and talent management.
  • Communication strategies – Internal audit reporting, stakeholder management, presentation skills, and persuasion techniques.
  • Quality assurance and improvement – Internal audit quality frameworks, peer reviews, and performance metrics.
  • Change and conflict management – Negotiation techniques, managing resistance, and organisational transformation.

How Has the CIA Part 3 Syllabus Changed? Old (2019) vs New (2025)

The IIA overhauled the CIA exam syllabus effective January 2025 to reflect the updated Global Internal Audit Standards. For Part 3, the changes are substantial—the old three-domain structure has been replaced by four domains, with new emphasis on technology and leadership. For a full overview of changes across all three parts, see our CIA syllabus changes guide.

| Old Syllabus (Pre-2025) | Old Weight | New Syllabus (2025 Onwards) | New Weight |
|---|---|---|---|
| Business Acumen | 35% | Strategic Management | 20% |
| Information Security | 25% | Financial Management & Accounting | 20% |
| Information Technology | 40% | Technology & Data Analytics | 30% |
| | | Leadership & Communication | 30% |

What Are the Global Internal Audit Standards (GIAS)?

The GIAS, released by the IIA in January 2024 and effective January 2025, replace the former International Professional Practices Framework (IPPF). They establish a principles-based framework for internal audit activity, covering governance, ethics, performance, and quality. The updated CIA exam syllabus is built to test candidate knowledge of these standards. Learn more about how it affects the overall CIA exam structure.

What Is the CIA Part 3 Exam Format, Difficulty & Pass Rate?

CIA Part 3 consists of 100 multiple-choice questions to be answered in 150 minutes. The exam is computer-based and delivered at Pearson VUE centres worldwide. Scores range from 250 to 750, with a passing score of 600.

| Parameter | CIA Part 1 | CIA Part 2 | CIA Part 3 |
|---|---|---|---|
| Exam Title | Essentials of Internal Auditing | Practice of Internal Auditing | Business Knowledge for Internal Auditing |
| Questions | 125 MCQs | 100 MCQs | 100 MCQs |
| Duration | 150 minutes | 120 minutes | 150 minutes |
| Passing Score | 600 / 750 | 600 / 750 | 600 / 750 |
| Domains | 4 domains | 4 domains | 4 domains |
| Global Pass Rate | ~40% | ~45% | ~50% |

Part 3 generally has the highest pass rate among the three parts, but this does not mean it is easy. The breadth of content—from financial accounting to cybersecurity to leadership—makes preparation challenging. Most candidates find the technology and data analytics domain the most difficult, especially those without an IT background. For historical pass rate trends, see our CIA pass rates analysis.

Important: Exam Window & Retake Policy

You must pass all three parts within three years of IIA approval of your CIA application. If you fail a part, you must wait 90 days before retaking it. Plan your exam schedule carefully to avoid running out of time. Check the latest scheduling details and CIA exam results process.

How Should You Study for CIA Part 3?

A structured study plan is essential for CIA Part 3 success. Given the breadth of four distinct domains, most candidates need 100–150 hours of focused preparation over 8–12 weeks. Here is a recommended approach:

Recommended 10-Week Study Plan

Weeks 1–2: Domain I – Strategic Management. Focus on governance frameworks, strategic planning models, and ERM. Allocate roughly 20 hours.

Weeks 3–4: Domain II – Financial Management & Accounting. Review financial statements, managerial accounting concepts, and capital budgeting. Allocate 20 hours.

Weeks 5–7: Domain III – Technology & Data Analytics. The heaviest domain at 30%. Cover IT governance, cybersecurity, data analytics, and emerging tech. Allocate 35–40 hours.

Weeks 8–9: Domain IV – Leadership & Communication. Study leadership styles, reporting standards, quality assurance. Allocate 25–30 hours.

Week 10: Full revision and timed practice exams. Review weak areas and attempt at least two full-length mock tests.

Pro Tip

Allocate study time proportionally to domain weights. Technology & Data Analytics and Leadership & Communication together make up 60% of the exam. Many candidates underestimate the leadership domain because it is new—don’t make that mistake. Use practice questions to identify knowledge gaps early, and focus on application-level understanding rather than rote memorisation.

If you hold a professional qualification like CA, CPA, or ACCA, you may find Domain II (Financial Management) relatively straightforward, allowing you to redirect study hours to technology and leadership. Candidates eligible for the CIA Challenge Exam can skip Parts 1 and 2 entirely and focus solely on Part 3.

Domain-by-Domain Topic Guide: What to Study in Each Area

Below is a deeper look at key topics within each domain, informed by the IIA’s official content outline and leading review course materials. Use this as a checklist to ensure complete coverage.

Domain I: Strategic Management – Key Study Topics

  • Corporate governance models and board structures
  • Strategic planning frameworks (Porter’s Five Forces, PESTLE, SWOT)
  • Balanced scorecard methodology and KPI setting
  • Enterprise risk management (COSO ERM) and risk appetite vs risk tolerance
  • Organisational ethics and culture
  • Mergers, acquisitions, and due diligence considerations
  • Global business environment and regulatory compliance

Domain II: Financial Management & Accounting – Key Study Topics

  • Financial statement analysis (ratio analysis, trend analysis)
  • Revenue recognition and inventory valuation methods
  • Cost accounting: absorption vs variable costing
  • Capital budgeting techniques: NPV, IRR, payback period
  • Working capital management (cash conversion cycle)
  • Debt vs equity financing and cost of capital (WACC)
  • Taxation principles and transfer pricing

Domain III: Technology & Data Analytics – Key Study Topics

  • IT governance frameworks: COBIT 2019, ITIL
  • Network security, firewalls, encryption, and access controls
  • IT general controls (ITGCs) and application controls
  • Cloud computing models (IaaS, PaaS, SaaS) and associated risks
  • Data analytics: sampling, CAATs, continuous auditing
  • Cybersecurity risk assessment and incident response
  • Emerging tech: AI/ML, blockchain, RPA, and AI-enabled fraud risks
  • Data governance, privacy regulations (GDPR, CCPA)

Domain IV: Leadership & Communication – Key Study Topics

  • Leadership theories (transformational, servant, situational)
  • Emotional intelligence and team development stages
  • Stakeholder engagement and managing upward
  • Internal audit report writing and presentation skills
  • Quality assurance and improvement programmes (QAIP)
  • The role of the CAE in organisational leadership
  • Change management models (Kotter, ADKAR)
  • Conflict resolution and negotiation strategies

About the Author

Vicky Sarin, CA is the founder of Eduyush and a Chartered Accountant with over 25 years of experience in internal audit, risk advisory, and professional education. Vicky has trained hundreds of CIA, CPA, and ACCA candidates and regularly contributes to audit and governance thought leadership. Connect with Vicky on LinkedIn.

Frequently Asked Questions About CIA Part 3

What is the CIA Part 3 syllabus?

The CIA Part 3 syllabus covers four domains: Strategic Management (20%), Financial Management & Accounting (20%), Technology & Data Analytics (30%), and Leadership & Communication (30%). It was updated in January 2025 to align with the Global Internal Audit Standards (GIAS).

How many questions are on CIA Part 3?

CIA Part 3 has 100 multiple-choice questions. You have 150 minutes to complete the exam. It is computer-based and administered at Pearson VUE test centres worldwide. The passing score is 600 on a scale of 250–750.

Is CIA Part 3 the hardest part?

CIA Part 3 actually has the highest global pass rate (~50%) among the three parts. However, its breadth—covering finance, technology, strategy, and leadership—makes it challenging. Candidates without IT backgrounds often struggle with the Technology & Data Analytics domain.

How long should I study for CIA Part 3?

Most candidates need 100–150 hours of study spread over 8–12 weeks. Allocate more time to the higher-weighted domains (Technology & Data Analytics and Leadership & Communication, each at 30%). A structured study plan with weekly targets is recommended.

What changed in the CIA Part 3 exam in 2025?

The IIA restructured Part 3 from three domains (Business Acumen, Information Security, Information Technology) to four domains aligned with the GIAS. The new Leadership & Communication domain (30%) was added, and Technology & Data Analytics replaced the older IT-focused domains.

Can I take CIA Part 3 without passing Parts 1 and 2 first?

Yes, you can take the three CIA parts in any order. However, you must pass all three within three years of your application approval. Some candidates take Part 3 first if they have strong business or IT backgrounds. Those eligible for the CIA Challenge Exam only need to pass Part 3.

What are the best study materials for CIA Part 3?

Leading review courses include Surgent CIA Review, Gleim CIA, and UWorld Roger CPA (which also covers CIA). Look for materials updated for the 2025 syllabus that cover all four new domains. Practice question banks and mock exams are essential for effective preparation.

Ready to Start Your CIA Part 3 Preparation?

Get access to comprehensive, updated study materials aligned with the 2025 GIAS syllabus. Our Surgent CIA Review course includes adaptive learning technology, practice questions, and full mock exams for all three CIA parts.
