CRMA Exam Guide 2026: From CIA to Risk Management Assurance Specialist
A complete walkthrough of the IIA Certification in Risk Management Assurance — exam structure, the three domains, prerequisites, and how to prepare in 80–120 hours.
Why the CRMA Matters in 2026
Boards and audit committees are demanding more than control testing — they want independent, formal assurance that enterprise risk management actually works. The Certification in Risk Management Assurance (CRMA) from the IIA is the credential that validates exactly that capability.
For internal auditors moving from execution to leadership, the CRMA is increasingly a differentiator: a 2025 IIA salary survey found CRMA holders earn 18% more on average than CIA-only peers in the same role.
Who Should Pursue the CRMA?
The CRMA is designed for:
- Senior internal auditors who want to specialize in risk assurance
- CAEs and audit directors who report on ERM to audit committees
- Internal auditors at organizations rolling out or maturing ERM programs
- CIA holders looking to deepen their risk management expertise
Prerequisites are firm: an active CIA designation or an active CPA with at least two years of internal audit experience.
Exam Structure
The CRMA is a single computer-based exam:
- 120 multiple-choice questions
- 150 minutes (2.5 hours)
- Passing score: 600 / 750 (scaled)
Three domains, with weighting that strongly favors execution:
| Domain | Weight | Focus |
|---|---|---|
| I. Internal Audit Roles and Responsibilities | 20% | Assurance vs. advisory, independence, coordination |
| II. Risk Management Governance | 25% | COSO ERM 2017, ISO 31000:2018, risk culture, board reporting |
| III. Risk Management Assurance | 55% | Methodology, evaluation, communication |
If you remember one thing: Domain III is more than half the exam. Allocate your study time accordingly.
Domain-by-Domain Breakdown
Domain I: Internal Audit Roles and Responsibilities (20%)
This domain frames the auditor's role in the broader risk management ecosystem. Key topics:
- The Three Lines Model — distinguishing first-, second-, and third-line responsibilities
- Assurance vs. consulting services on risk management, and where boundaries lie
- Organizational independence — reporting structure, audit committee oversight
- Coordinated assurance — risk assurance mapping, combined assurance reporting
Most candidates with strong CIA grounding find this domain manageable. The trickiest items test the line between advisory and operational responsibility.
Domain II: Risk Management Governance (25%)
This is the framework-heavy domain. You must know:
- COSO ERM 2017 — all 5 components and 20 principles
- ISO 31000:2018 — 8 principles, framework structure, and the risk management process
- Risk culture assessment — how culture is measured and how cultural failure causes ERM failure
- Risk appetite, tolerance, and limits — definitions and how to evaluate whether they're effective
Memorization matters here. Build flashcards for each COSO ERM principle and each ISO 31000 component.
Domain III: Risk Management Assurance (55%)
The largest domain covers the actual methodology of risk assurance work:
- Risk assessment approaches — qualitative, quantitative, data analytics, benchmarking
- Evaluating risk identification and assessment processes — completeness, rigor, bias detection
- Risk-based audit planning — linking the audit universe to the risk register
- Engagement design — objectives, scope, evidence requirements
- Evaluating ERM effectiveness — design adequacy vs. operating effectiveness
- Synthesis of assurance sources — internal audit, external audit, compliance, regulatory
- Specialized risk areas — cybersecurity, third-party, SDLC, data privacy
- Risk reporting and communication — board-level escalation of unacceptable risk
This domain rewards practitioners. Candidates who have actually executed risk-based audit plans, written ERM evaluation reports, and presented to audit committees do significantly better.
Recommended Study Plan (80–120 Hours)
A typical schedule across 10–12 weeks:
- Weeks 1–2 (15 hours): Domain I. Read the IIA's Three Lines Model paper, the IPPF, and the CRMA exam syllabus.
- Weeks 3–5 (25 hours): Domain II. Deep work on COSO ERM 2017 and ISO 31000:2018. Build framework comparison flashcards.
- Weeks 6–10 (50 hours): Domain III. The bulk of preparation. Practice questions, scenarios, and reading the Domain III references in depth.
- Weeks 11–12 (15 hours): Mock exams and weak-spot remediation.
How NexusGRC Academy Accelerates CRMA Prep
The NexusGRC CRMA track includes:
- 26 chapters across all three domains in English and French
- Domain mind maps for COSO ERM 2017, ISO 31000:2018, the Three Lines Model, and risk assurance methodology
- AI weakness diagnosis that highlights the topics where you're scoring below threshold
- Mock exams calibrated to the actual exam difficulty and weighting
- Adaptive flashcards for the framework-heavy Domain II content
If you already hold the CIA, your preparation can lean heavily on Domains II and III — the platform automatically reduces practice question volume in areas where you're already proficient.
Final Thought
The CRMA is one of those credentials that genuinely changes how you operate as an auditor. It moves the conversation from "did the controls work?" to "is the organization actually managing risk?" — and that shift is what makes a CAE valuable to a modern board.
