CIA Challenge Exam Question Bank: What "Cross-Domain" Means for Your Prep
The CIA Challenge tests cross-domain reasoning, not memorization. Here is how to spot cross-domain questions, why they make up 30-40% of the exam, and how to train for them.
Quick answer
About 30-40% of CIA Challenge Exam items are cross-domain — they test concepts from Part 1 (Foundations), Part 2 (Practice) and Part 3 (Knowledge) simultaneously in a single question. Candidates who study each Part in isolation get blindsided. The fix is a question bank that tags cross-domain items explicitly and drills the conceptual bridges between domains.
The IIA does this on purpose: the Challenge route is reserved for already-experienced auditors (CCSA, CFSA, CGAP, CRMA, ACCA, CPA, CIMA), so the difficulty curve assumes you can integrate domains without prompting. That assumption is exactly what trips most candidates.
What "cross-domain" actually looks like
A pure single-domain question reads like this:
Per IPPF Standard 1000, which of the following must appear in the internal-audit charter?
That's a Part 1 / Domain A.1 item. You answer it from memory of one Standard.
A cross-domain question reads like this:
An internal auditor evaluating a SaaS access-review control discovers the control owner also designed the control. The control's design appears effective, but the auditor has not yet tested operating effectiveness. What is the auditor's most appropriate next step?
Answering it draws on all three Parts:
- Part 1: knowing Standard 1130.A1 (objectivity, prior involvement)
- Part 2: understanding the difference between design and operating effectiveness testing
- Part 3: enough IT-audit context to know what an access-review control looks like
A candidate who studied each Part separately would recognize the Standard 1130 piece but miss the design-vs-operating distinction (or vice versa) and pick a partially-right answer.
Why the IIA writes the exam this way
The Challenge route is explicitly described in the IIA's published guidance as a "competency check for experienced auditors." The phrase "experienced auditors" is doing a lot of work — it means the IIA is testing your ability to integrate frameworks, not regurgitate them.
The result is a question distribution roughly like this:
| Question type | % of exam | Difficulty |
|---|---|---|
| Single-domain recall | 25% | Easy |
| Single-domain judgment | 35% | Medium |
| Cross-domain (2 Parts) | 30% | Medium-Hard |
| Cross-domain (3 Parts) | 10% | Hard |
The 40% of items that are cross-domain is where most points are won or lost.
How to train for cross-domain reasoning
Three drills that move the needle:
1. Tag every question by the Parts it touches
After answering a question, label it: "1 only", "1+2", "1+2+3", etc. After 100 questions you'll see your weak intersections. Most candidates discover a blind spot at "2+3" (practice meets IT) or "1+3" (Standards meets cybersec).
2. Build "concept bridges" notes
For each cross-domain concept, write a single sentence linking the two Parts. Example:
"Standard 1130 (Part 1, objectivity) intersects with design-vs-operating effectiveness testing (Part 2) because an auditor with prior involvement can still report on operating effectiveness — but ONLY if a different auditor verified design."
These one-sentence bridges become your mental shortcuts on exam day.
3. Drill on a bank that tags cross-domain items
This is the killer. Generic CIA question banks lump all questions together — you can't filter "show me only cross-domain items." A purpose-built CIA Challenge bank should expose that filter.
The NexusGRC CIA Challenge bank ships 360 original questions, of which 128 are explicitly tagged as cross-domain (single tap to filter). Each cross-domain question's explanation surfaces the conceptual bridge between the Parts it spans.
[Open the CIA Challenge question bank →](/cia-challenge-questions) — first 5 questions free, no signup required.
The 8-week prep cadence that works
If you're approaching the Challenge as a CRMA, ACCA, or CPA holder:
| Weeks | Focus | Question volume |
|---|---|---|
| 1-2 | Foundations refresh (Part 1) | 80 single-domain Part 1 questions |
| 3-4 | Practice depth (Part 2) | 80 single-domain Part 2 questions |
| 5 | Knowledge survey (Part 3) | 50 Part 3 questions — only the IIA-specific bits, skip what your prior cert covers |
| 6 | Cross-domain drilling | 100 cross-domain questions, no single-domain mixed in |
| 7 | First full mock + remediation | 1× 150-question timed mock |
| 8 | Mock 2 + Mock 3 + final review | 2× 150-question timed mocks |
The week 6 cross-domain block is what separates pass-first-time candidates from retakers. Cut anything else before cutting this.
What your existing cert covers (and what it doesn't)
| You hold | Strong areas going in | Weak areas to over-invest in |
|---|---|---|
| CRMA | Risk management (Domain 1.B, Part 2 risk-based audit) | IT-audit specifics (Part 3 Domain B, C) |
| CCSA | Control concepts (Part 2) | IIA Standards naming/numbering (Part 1) |
| CGAP | Public-sector context, audit reports | Private-sector financial reporting context (Part 3) |
| ACCA / CPA | Financial domain (Part 3), reporting | IIA Standards taxonomy (Part 1) |
| CIMA | Strategy, governance (Part 1, Part 3) | Operational audit testing (Part 2) |
The biggest mistake: assuming your prior cert covers IIA Standards. It doesn't — every Challenge candidate, regardless of background, needs ~25 hours on Standards 1000-2600 specifically.
Frequently asked
Q: How many questions are on the actual Challenge exam? A: 150 questions, 3 hours, computer-based testing.
Q: What's the passing score? A: 600 on the 250-750 scale (equipercentile-scaled, not a raw percentage).
Q: Can I retake? A: Yes — 4 attempts per calendar year, with a 60-day waiting period between attempts.
Q: Is the Challenge easier than the 3 Parts? A: No. It's shorter (1 exam instead of 3), but the content is the full 3-Parts syllabus compressed. Same difficulty, less margin for error.
Key takeaways
1. 30-40% of Challenge items are cross-domain. Studying each Part in isolation fails you on this band.
2. Tag your questions by Parts touched. After 100 questions you'll see your weak intersections.
3. Build one-sentence "concept bridges" between the most-frequently-paired domains.
4. Drill cross-domain in week 6, never earlier — it depends on having the single-domain foundations first.
5. Standards refresh is non-negotiable regardless of prior cert.
