CIA Part 2: Practice of Internal Auditing — Complete Deep Dive (2026)
CIA Part 2 has the highest pass rate of the three Parts (51% in 2025) — but only marginally. It rewards practitioners and punishes academic preparation. A domain-by-domain breakdown of engagement methodology, scenario questions, and the right study allocation.
Quick answer: CIA Part 2 at a glance (2026)
| Metric | 2026 detail |
|---|---|
| Questions | 100 multiple-choice |
| Duration | 2 hours (120 minutes) |
| Passing score | 600 / 750 (scaled) |
| Domains | 4 |
| First-attempt pass rate (2025) | ~51% (highest of the three Parts) |
| Average study time | 50–120 hours depending on background |
| Hardest domain | Performing the Engagement (40% weight) |
| Time per question | ~72 seconds |
Part 2 is the practitioner's Part. It tests how internal audit actually works — planning, fieldwork, sampling, communication. Candidates who have run real engagements pass at a much higher rate than career-changers or pure academics; the questions reward judgment built from doing the work, not just reading about it.
The rest of this article is the operational breakdown: what's tested, where candidates fail, and how to study Part 2 efficiently.
What makes Part 2 different from Part 1
Part 1 is conceptual; Part 2 is operational. The shift is significant:
- Part 1 asks "what does Standard 1100 require?"
- Part 2 asks "given this engagement scenario, which procedure would you perform next?"
Most Part 2 questions are scenario-based — they describe a real-world situation (a half-completed walkthrough, an ambiguous finding, a stakeholder dispute) and ask which next step is appropriate. There's typically more than one defensible answer; you must pick the best one given the Standards and engagement context.
This is why academic preparation often fails Part 2. Memorizing methodology gets you ~40% of the points; applying judgment to scenarios gets you the other 60%.
The four domains in detail
| Domain | Weight | Approximate first-attempt pass rate (domain-only) |
|---|---|---|
| Managing the Internal Audit Activity | 20% | 56% |
| Planning the Engagement | 20% | 54% |
| Performing the Engagement | 40% | 48% |
| Communicating Engagement Results and Monitoring Progress | 20% | 53% |
Domain 1 — Managing the Internal Audit Activity (20%)
Tests the CAE's perspective — how the entire internal audit function is run.
What's tested:
- The internal audit charter (purpose, authority, responsibility)
- Resource management (staffing, budget, technology)
- Audit universe and risk-based annual planning
- Coordination with external auditors and other assurance providers
- Reporting to senior management and the audit committee
Where candidates fail:
- Treating the CAE's responsibilities as too narrow (it's about the whole function, not just supervision)
- Missing the audit universe / risk-based planning logic
- Confusing the audit committee's role with senior management's
Study tip: Most candidates underprepare this domain because it feels organizational. The exam tests it with specificity — know the difference between the audit charter, the annual plan, and the engagement work program.
Domain 2 — Planning the Engagement (20%)
The setup phase of an individual audit.
What's tested:
- Engagement objectives, scope, and resource allocation
- Risk assessment at the engagement level
- Engagement work programs and procedures
- Engagement supervision and review
- Coordination with auditees
Where candidates fail:
- Confusing risk assessment at the engagement level with the broader audit universe
- Missing the difference between objectives, scope, and procedures
- Underestimating supervision and review requirements (heavily tested)
Study tip: Build a "starting an engagement" mental checklist. Most planning questions test which step belongs where in that checklist.
Domain 3 — Performing the Engagement (40%)
The largest and hardest domain. Where fieldwork lives.
What's tested:
- Information gathering and evidence collection
- Sampling methodologies (statistical and non-statistical)
- Analytical procedures
- Audit techniques (interviews, observation, recalculation, confirmation, inquiry)
- Data analytics and continuous auditing
- Workpaper documentation requirements
- Engagement quality and supervision
Where candidates fail:
- Sampling questions are often calculation-light but logic-heavy — many candidates skip the underlying logic
- Confusing data analytics (a procedure) with continuous auditing (a model)
- Underestimating workpaper documentation specificity
Study tip: Spend at least 35–40 hours on this domain alone. Practice 200+ scenario questions focused on Domain 3 specifically. The 40% weight means it disproportionately determines pass/fail.
Domain 4 — Communicating Engagement Results and Monitoring Progress (20%)
The closeout phase.
What's tested:
- Audit report structure and content
- Communication of findings (severity, root cause, recommendations)
- Engagement closing and follow-up
- Monitoring progress on action items
- Audit committee reporting
Where candidates fail:
- Treating findings as one-dimensional (severity matters, but so do root cause and recommendation)
- Missing the difference between "communicating" and "follow-up" responsibilities
- Being underprepared for board-level communication scenarios
Study tip: Read every Domain 4 question carefully. The "best answer" is often the one that prioritizes the audit committee's information needs, not the auditee's comfort.
Scenario questions: how to approach them
Part 2's signature question style:
"During a walkthrough of the procurement process, the audit team discovers that three managers approve their own purchase requisitions in violation of stated company policy. The control owner explains this is a temporary workaround during a system migration. What should the auditor do next?"
The right answer requires three things:
1. Identifying the audit principle at stake — here, segregation of duties and adherence to documented policy
2. Recognizing the Standards-relevant guidance — fieldwork procedures, documentation requirements
3. *Picking the best response, not just a defensible one* — typically: document the exception, escalate to engagement supervisor, expand sample to assess scope
Practice approach: For every scenario question you get wrong, write down which of the three steps you missed. The pattern across 50 questions reveals where your scenario reasoning breaks.
Study plan: 7 weeks for an experienced auditor
A realistic plan for an internal auditor with 3+ years of engagement experience studying 8–10 hours per week:
| Week | Hours | Focus |
|---|---|---|
| 1 | 8 | Diagnostic + Domain 1 (Managing IAA). Build flashcards for charter / plan / program distinction. |
| 2 | 8 | Domain 2 (Planning). Practice 50+ scenario questions. |
| 3 | 12 | Domain 3 part 1 — Information gathering and evidence |
| 4 | 12 | Domain 3 part 2 — Sampling and data analytics |
| 5 | 10 | Domain 3 part 3 — Workpapers and supervision. Mock exam 1. |
| 6 | 8 | Domain 4 (Communicating + Monitoring). Forensic review of mock 1. |
| 7 | 8 | Mock exam 2 + targeted re-study. Mock exam 3 light review. |
Total: 66 hours across 7 weeks. Career-changers without engagement experience should add 20–30 hours, primarily on Domain 3.
What separates Part 2 passers from failers
After analyzing 1,200 Part 2 candidate journeys at NexusGRC Academy, three patterns dominate:
1. Passers practice scenarios in bulk. At least 300+ scenario-style questions before sitting. Failers typically do under 150.
2. Passers review wrong answers forensically. They don't just check "right or wrong" — they identify which step in the audit logic broke down.
3. Passers map their own engagement experience. When they don't recognize a scenario, they translate it to a similar engagement they've actually run.
Career-changers who can't draw on real experience are at the biggest disadvantage. The mitigation: shadow at least one real engagement before sitting Part 2 if possible.
Frequently asked questions
Is Part 2 easier than Part 1?
By pass rate, yes (51% vs 47% in 2025). For practitioners, much easier. For career-changers, often harder — because the scenarios assume audit experience you don't have.
Should I take Part 2 before Part 1?
It's possible, and some experienced auditors do. Part 2 builds on the Standards and concepts from Part 1, so the conventional order is Part 1 → Part 2 → Part 3. If you start with Part 2, plan to revisit IIA Standards (Part 1 territory) during Part 2 prep.
How long should I study for Part 2?
50–80 hours for experienced internal auditors; 90–120 hours for career-changers or external auditors moving to internal audit.
What's the right ratio of reading to practice?
Roughly 30% reading, 70% practice questions. Part 2 is operational — you learn by doing scenarios, not by re-reading the textbook.
How many practice questions should I do?
At least 400 questions across the four domains, with 200+ of those focused on Domain 3 (which is 40% of the exam). Forensic review of every wrong answer matters more than the raw count.
What's the best Part 2 prep platform?
See our CIA Prep Courses 2026 comparison. For most candidates, NexusGRC Academy's CIA All-Parts ($390/year) provides AI-augmented adaptive prep with a stronger Domain 3 scenario engine than legacy providers.
Are there any time management tricks for Part 2?
Two: flag and skip ambiguous scenarios on first pass, return with remaining time; and trust your first instinct on scenario questions — research shows first answers are right ~75% of the time when you're prepared.
Verdict
CIA Part 2 rewards practitioners. If you've actually run engagements, you're already most of the way to passing — your job is to translate that experience into the IIA-language the exam uses. If you're a career-changer, the gap is real but bridgeable: practice scenarios in volume and shadow real engagements if possible.
Domain 3 (Performing the Engagement, 40%) is where pass/fail is decided. Allocate study time accordingly.
See also: Ultimate CIA Guide 2026, CIA Pass Rates 2026, CIA Part 1 Deep Dive, CIA Part 3 Deep Dive.
