Quick answer: CIA Part 2 at a glance (2026)
| Metric | 2026 detail |
|--------|-------------|
| Questions | 100 multiple-choice |
| Duration | 2 hours (120 minutes) |
| Passing score | 600 / 750 (scaled) |
| Domains | 4 |
| First-attempt pass rate (2025) | ~51% (highest of the three Parts) |
| Average study time | 50–120 hours depending on background |
| Hardest domain | Performing the Engagement (40% weight) |
| Time per question | ~72 seconds |
Part 2 is the practitioner's Part. It tests how internal audit actually *works* — planning, fieldwork, sampling, communication. Candidates who have run real engagements pass at a much higher rate than career-changers or pure academics; the questions reward judgment built from doing the work, not just reading about it.
The rest of this article is the operational breakdown: what's tested, where candidates fail, and how to study Part 2 efficiently.
What makes Part 2 different from Part 1
Part 1 is conceptual; Part 2 is operational. The shift is significant:
- Part 1 asks "what does Standard 1100 require?"
- Part 2 asks "given this engagement scenario, which procedure would you perform next?"
Most Part 2 questions are scenario-based — they describe a real-world situation (a half-completed walkthrough, an ambiguous finding, a stakeholder dispute) and ask which next step is appropriate. There's typically more than one *defensible* answer; you must pick the *best* one given the Standards and engagement context.
This is why academic preparation often fails Part 2. Memorizing methodology gets you ~40% of the points; applying judgment to scenarios gets you the other 60%.
The four domains in detail
| Domain | Weight | Approximate first-attempt pass rate (domain-only) |
|--------|--------|---------------------------------------------------|
| Managing the Internal Audit Activity | 20% | 56% |
| Planning the Engagement | 20% | 54% |
| Performing the Engagement | 40% | 48% |
| Communicating Engagement Results and Monitoring Progress | 20% | 53% |
Domain 1 — Managing the Internal Audit Activity (20%)
Tests the CAE's perspective — how the entire internal audit function is run.
What's tested:
- The internal audit charter (purpose, authority, responsibility)
- Resource management (staffing, budget, technology)
- Audit universe and risk-based annual planning
- Coordination with external auditors and other assurance providers
- Reporting to senior management and the audit committee

Where candidates fail:
- Treating the CAE's responsibilities as too narrow (it's about the whole function, not just supervision)
- Missing the audit universe / risk-based planning logic
- Confusing the audit committee's role with senior management's
Study tip: Most candidates underprepare this domain because it feels organizational. The exam tests it with specificity — know the difference between the audit charter, the annual plan, and the engagement work program.
Domain 2 — Planning the Engagement (20%)
The setup phase of an individual audit.
What's tested:
- Engagement objectives, scope, and resource allocation
- Risk assessment at the engagement level
- Engagement work programs and procedures
- Engagement supervision and review
- Coordination with auditees

Where candidates fail:
- Confusing risk assessment at the engagement level with the broader audit universe
- Missing the difference between objectives, scope, and procedures
- Underestimating supervision and review requirements (heavily tested)
Study tip: Build a "starting an engagement" mental checklist. Most planning questions test which step belongs where in that checklist.
Domain 3 — Performing the Engagement (40%)
The largest and hardest domain. Where fieldwork lives.
What's tested:
- Information gathering and evidence collection
- Sampling methodologies (statistical and non-statistical)
- Analytical procedures
- Audit techniques (interviews, observation, recalculation, confirmation, inquiry)
- Data analytics and continuous auditing
- Workpaper documentation requirements
- Engagement quality and supervision

Where candidates fail:
- Sampling questions are often calculation-light but logic-heavy — many candidates skip the underlying logic
- Confusing data analytics (a procedure) with continuous auditing (a model)
- Underestimating workpaper documentation specificity
Study tip: Spend at least 35–40 hours on this domain alone. Practice 200+ scenario questions focused on Domain 3 specifically. The 40% weight means it disproportionately determines pass/fail.
Domain 4 — Communicating Engagement Results and Monitoring Progress (20%)
The closeout phase.
What's tested:
- Audit report structure and content
- Communication of findings (severity, root cause, recommendations)
- Engagement closing and follow-up
- Monitoring progress on action items
- Audit committee reporting

Where candidates fail:
- Treating findings as one-dimensional (severity matters, but so do root cause and recommendation)
- Missing the difference between "communicating" and "follow-up" responsibilities
- Being underprepared for board-level communication scenarios
Study tip: Read every Domain 4 question carefully. The "best answer" is often the one that prioritizes the *audit committee's information needs*, not the auditee's comfort.
Scenario questions: how to approach them
Part 2's signature question style:
*"During a walkthrough of the procurement process, the audit team discovers that three managers approve their own purchase requisitions in violation of stated company policy. The control owner explains this is a temporary workaround during a system migration. What should the auditor do next?"*
The right answer requires three things:
1. Identifying the audit principle at stake — here, segregation of duties and adherence to documented policy
2. Recognizing the Standards-relevant guidance — fieldwork procedures, documentation requirements
3. **Picking the *best* response, not just a defensible one** — typically: document the exception, escalate to engagement supervisor, expand sample to assess scope

Practice approach: For every scenario question you get wrong, write down which of the three steps you missed. The pattern across 50 questions reveals where your scenario reasoning breaks.
Study plan: 7 weeks for an experienced auditor
A realistic plan for an internal auditor with 3+ years of engagement experience studying 8–10 hours per week:
| Week | Hours | Focus |
|------|-------|-------|
| 1 | 8 | Diagnostic + Domain 1 (Managing IAA). Build flashcards for charter / plan / program distinction. |
| 2 | 8 | Domain 2 (Planning). Practice 50+ scenario questions. |
| 3 | 12 | Domain 3 part 1 — Information gathering and evidence |
| 4 | 12 | Domain 3 part 2 — Sampling and data analytics |
| 5 | 10 | Domain 3 part 3 — Workpapers and supervision. Mock exam 1. |
| 6 | 8 | Domain 4 (Communicating + Monitoring). Forensic review of mock 1. |
| 7 | 8 | Mock exam 2 + targeted re-study. Mock exam 3 light review. |
Total: 66 hours across 7 weeks. Career-changers without engagement experience should add 20–30 hours, primarily on Domain 3.
What separates Part 2 passers from failers
After analyzing 1,200 Part 2 candidate journeys at NexusGRC Academy, three patterns dominate:
1. Passers practice scenarios in bulk. At least 300+ scenario-style questions before sitting. Failers typically do under 150.
2. Passers review wrong answers forensically. They don't just check "right or wrong" — they identify which step in the audit logic broke down.
3. Passers map their own engagement experience. When they don't recognize a scenario, they translate it to a similar engagement they've actually run.
Career-changers who can't draw on real experience are at the biggest disadvantage. The mitigation: shadow at least one real engagement before sitting Part 2 if possible.
Frequently asked questions
Is Part 2 easier than Part 1?
By pass rate, yes (51% vs 47% in 2025). For practitioners, much easier. For career-changers, often harder — because the scenarios assume audit experience you don't have.
Should I take Part 2 before Part 1?
It's possible, and some experienced auditors do. Part 2 builds on the Standards and concepts from Part 1, so the conventional order is Part 1 → Part 2 → Part 3. If you start with Part 2, plan to revisit IIA Standards (Part 1 territory) during Part 2 prep.
How long should I study for Part 2?
50–80 hours for experienced internal auditors; 90–120 hours for career-changers or external auditors moving to internal audit.
What's the right ratio of reading to practice?
Roughly 30% reading, 70% practice questions. Part 2 is operational — you learn by doing scenarios, not by re-reading the textbook.
How many practice questions should I do?
At least 400 questions across the four domains, with 200+ of those focused on Domain 3 (which is 40% of the exam). Forensic review of every wrong answer matters more than the raw count.
What's the best Part 2 prep platform?
See our [CIA Prep Courses 2026 comparison](/blog/cia-prep-courses-price-comparison-2026). For most candidates, NexusGRC Academy's CIA All-Parts ($390/year) provides AI-augmented adaptive prep with a stronger Domain 3 scenario engine than legacy providers.
Are there any time management tricks for Part 2?
Two: flag and skip ambiguous scenarios on first pass, return with remaining time; and trust your first instinct on scenario questions — research shows first answers are right ~75% of the time when you're prepared.
Verdict
CIA Part 2 rewards practitioners. If you've actually run engagements, you're already most of the way to passing — your job is to translate that experience into the IIA-language the exam uses. If you're a career-changer, the gap is real but bridgeable: practice scenarios in volume and shadow real engagements if possible.
Domain 3 (Performing the Engagement, 40%) is where pass/fail is decided. Allocate study time accordingly.
See also: [Ultimate CIA Guide 2026](/blog/ultimate-guide-passing-cia-exam-2026), [CIA Pass Rates 2026](/blog/cia-exam-pass-rates-2026-part-by-part-analysis), [CIA Part 1 Deep Dive](/blog/cia-part-1-essentials-deep-dive-2026), [CIA Part 3 Deep Dive](/blog/cia-part-3-business-knowledge-deep-dive-2026).
