Certification in Risk Management Assurance® (CRMA®)
Examination Syllabus
Section 1: Internal Audit Roles and Responsibilities 20%
A. Roles and Competencies
1. Determine appropriate assurance and consulting services for the
internal audit activity with regard to risk management.
2. Determine the knowledge, skills, and competencies required (whether
developed or procured) to provide risk management assurance and
consulting services.
3. Evaluate organizational independence of the internal audit activity and
report impairments to appropriate parties.
B. Coordination
1. Recommend establishing an organizationwide risk management
strategy and processes, or contribute to the improvement of the
existing strategies and processes.
2. Coordinate risk assurance efforts and determine whether to rely on the
work of other internal and external assurance providers.
3. Assist the organization with creating or updating an organizationwide
risk assurance map to ensure proper risk coverage and minimize
duplication of efforts.
Section 2: Risk Management Governance 25%
A. Governance, Risk Management, and Control Frameworks
1. Evaluate the organization's governance structure and application of
risk management concepts found in governance frameworks.
2. Assess the organization's application of concepts and principles found
within risk and control frameworks appropriate to the organization.
3. Assess key elements of the organization's risk governance and risk
culture (e.g., risk oversight, risk management, tone at the top, etc.)
and the impact of organizational culture on the overall control
environment and risk management strategy.
B. Risk Management Integration
1. Evaluate management’s commitment to risk management and
analyze the integration of risk management into the organization's
objectives, strategy setting, performance management, and
operational management systems.
© 2024 The Institute of Internal Auditors, Inc. All rights reserved. The IIA and its logo are trademarks or registered trademarks of The Institute of Internal Auditors, Inc
2. Evaluate the organization’s ability to identify and respond to changes
and emerging risks that may affect the organization’s achievement of
strategy and objectives.
3. Examine the effectiveness of integrated risk management reporting
(e.g., risk, risk response, performance, and culture, etc.) to key
stakeholders.
Section 3: Risk Management Assurance 55%
A. Risk Management Approach
1. Evaluate various approaches and processes for assessing risk (e.g.,
relevant measures, control self-assessment, continuous monitoring,
maturity models, etc.).
2. Select data analytics techniques (e.g., ratio estimation, variance
analysis, budget vs. actual, trend analysis, other reasonableness
tests, benchmarking, etc.) to support risk management and assurance
processes.
B. Assurance Processes
1. Evaluate the design and application of management’s risk
identification and assessment processes.
2. Utilize a risk management framework to assess organizationwide
risks from various sources (e.g., audit universe, regulatory
requirements and changes, management requests, relevant market
and industry trends, emerging issues, etc.).
3. Prioritize audit engagements based on the results of the
organizationwide risk assessment to establish a risk-based internal
audit plan.
4. Manage internal audit engagements to ensure audit objectives are
achieved, quality is assured, and staff is developed.
5. Evaluate the effectiveness and efficiency of risk management at all
levels (i.e., process level, business unit level, and organizationwide).
6. Analyze the results of multiple internal audit engagements, the work
of other internal and external assurance providers, and management's
risk remediation activities to support the internal audit activity’s
overall assessment of the organization’s risk management
processes.
7. Assess risk management, project management, and change controls
throughout the systems development lifecycle.
8. Evaluate data privacy, cybersecurity, IT controls, and information
security policies and practices.
9. Evaluate risk management monitoring processes (e.g., risk register,
risk database, risk mitigation plans, etc.).
C. Communication
1. Manage the audit engagement communication and reporting process
(e.g., holding the exit conference, developing the audit report,
obtaining management responses, etc.) to deliver engagement
results.
2. Evaluate management responses regarding key organizational risks,
and communicate to the board when management has accepted a
level of risk that may be unacceptable to the organization.
3. Formulate and deliver communications on the effectiveness of the
organization’s risk management processes at multiple levels and
organizationwide.