CRMA Certification 2026 — Risk Management Assurance Exam Guide

CRMA certification 2026: complete guide to the IIA Certification in Risk Management Assurance covering eligibility, exam format, content domains, and career benefits for auditors.

What Is the CRMA Certification?

The Certification in Risk Management Assurance (CRMA) is a professional credential issued by The Institute of Internal Auditors (IIA). It is designed for internal audit professionals who specialize in risk management assurance and want formal recognition of that expertise.

Unlike a standalone certification, the CRMA functions as a specialty designation built on the foundation of the CIA (Certified Internal Auditor). Holders demonstrate that they possess advanced knowledge in evaluating and assuring risk management processes, a capability increasingly demanded by audit committees, boards, and C-suite executives.

The credential signals to employers that an auditor can independently assess the organization's enterprise risk management (ERM) framework, verify that risk appetite is properly set and monitored, and provide the board with reliable assurance over risk governance. If you want to explore what exam questions look like before committing, our risk management assurance certification overview page is a strong starting point.

Who Should Pursue the CRMA?

The CRMA is targeted at experienced internal audit practitioners who are ready to differentiate themselves in risk management. Common candidates include:

  • Senior internal auditors moving into risk-focused roles
  • Audit managers and directors who oversee risk-based audit plans
  • Enterprise risk management professionals with an internal audit background
  • Risk consultants serving financial services, healthcare, or regulated industries

Because the CRMA requires an active CIA certification, it is not an entry-level credential. Professionals who have already earned their CIA and want to deepen their market value in the risk assurance space are the primary audience. Ready to test your knowledge now? Take our CRMA practice test to gauge your readiness before exam day.

CIA Certification Required

Candidates must hold a current, active CIA (Certified Internal Auditor) certification in good standing. The CRMA is a specialty add-on to the CIA — not a standalone credential.

No Additional Experience Requirement

Beyond meeting CIA eligibility standards (which include education and experience), there is no separate work-experience threshold specifically for the CRMA designation.

IIA Membership Not Mandatory

Non-IIA members may sit for the CRMA exam, though IIA members receive a discounted exam fee. Membership also provides access to study resources and practice materials.

Renewal Every 3 Years

The CRMA must be renewed every three years. Renewal is tied directly to maintaining an active CIA certification — there are no separate CRMA-specific continuing education units (CEUs).

CRMA Exam Format

The CRMA exam is a 100-question, multiple-choice assessment administered over 2 hours at Pearson VUE testing centers. All questions are computer-based, and candidates can schedule at any authorized Pearson VUE location worldwide.

Scoring

Results are reported on a scaled score of 200 to 800. The passing score is 600. Scores are provided immediately upon completion of the exam at the testing center. Candidates who do not pass receive a diagnostic report indicating relative performance in each content domain to guide future preparation.

Retake Policy

Candidates who fail may retake the exam. The IIA does not publicly specify a waiting period between attempts, but candidates are advised to consult the official IIA candidate handbook for current retake rules, which are subject to change.

Working through realistic CRMA exam questions under timed conditions is the most effective way to prepare for the 2-hour format. You can also review answer explanations through our CRMA practice questions with video answers.

  • Questions: 100 multiple-choice
  • Time limit: 2 hours
  • Delivery: Computer-based at Pearson VUE centers
  • Passing score: 600 (on a 200–800 scale)
  • Exam fee: ~$100 (IIA member) / ~$125 (non-member)
  • Prerequisite: Active CIA certification

CRMA Exam Content Domains

The CRMA exam is organized into four roughly equal content domains, each representing approximately 25% of the exam. Mastery across all four areas is required for a passing score.

Domain 1: Foundations of Risk Management (~25%)

This domain covers the theoretical and practical underpinnings of risk management, including widely used risk frameworks (COSO ERM, ISO 31000), the concepts of risk appetite and risk tolerance, and how organizations identify, assess, and respond to risk at the enterprise level. Candidates must understand ERM design principles and how risk frameworks align with organizational objectives.

Domain 2: Risk Management Roles and Responsibilities (~25%)

Governance of risk management is the focus here. The domain addresses the oversight role of the board and audit committee, management's accountability for day-to-day risk management, and the internal audit function's role in providing independent assurance. The Three Lines Model is central to this domain.

Domain 3: Core Audit Competencies Applied to Risk (~25%)

This domain bridges traditional internal audit methodology with risk management. Topics include risk-based audit planning (how to prioritize engagements based on risk), audit testing techniques applied to ERM processes, and how to communicate risk assurance findings in audit reports. Candidates must demonstrate they can translate risk assessment results into actionable audit conclusions.

Domain 4: Organizational Governance (~25%)

The final domain encompasses governance structures, ethical frameworks, stakeholder management, and the relationship between governance, risk, and compliance (GRC). Candidates must understand how effective governance supports risk management and how internal audit contributes to governance assurance.

Our CRMA certification exam page includes domain-by-domain study tips and links to practice resources aligned with each content area.

Exam Fees and Renewal

Exam Fees

The CRMA exam fee is approximately $100 for IIA members and $125 for non-members. These fees are subject to change; always confirm the current fee on the IIA's official website before registering. IIA membership itself carries an annual fee, but members who plan to sit for multiple IIA exams typically find membership cost-effective.

Renewal Requirements

The CRMA designation must be renewed every three years. Renewal is straightforward because it is directly tied to CIA maintenance — candidates who keep their CIA active and in good standing automatically satisfy the CRMA renewal requirement. There are no additional CRMA-specific continuing professional education (CPE) hours required beyond what the CIA demands. This makes the CRMA one of the more cost-efficient specialty certifications to maintain over a career.

Career Impact of the CRMA

Earning the CRMA credential has measurable career benefits for internal audit professionals. According to IIA salary surveys and industry benchmarks, CRMA holders typically earn between $75,000 and $130,000 annually, depending on experience level, industry, and organization size. Senior professionals in financial services or large multinationals tend to sit at the higher end of that range.

Common Career Paths

  • Internal Audit Director / Chief Audit Executive (CAE) — The CRMA is increasingly listed as preferred or required in CAE job postings at mid-to-large organizations.
  • Enterprise Risk Manager — Professionals who bridge internal audit and ERM functions benefit from the credential's explicit focus on risk governance.
  • Risk Consultant — Consulting firms serving regulated industries (banking, insurance, healthcare) value the CRMA as a client-facing differentiator.
  • Audit Committee Advisor — CRMA holders are well-positioned to advise boards and audit committees on risk assurance matters.

Beyond compensation, the CRMA demonstrates a commitment to the audit profession and signals that a practitioner can go beyond compliance-focused auditing to provide strategic risk insight to senior leadership.

Start building your exam confidence today with our CRMA certification exam practice questions, or watch worked solutions in our CRMA practice questions with video answers.

CRMA vs Other Certifications

CRMA vs CIA

The CIA (Certified Internal Auditor) is the foundational IIA credential — a three-part examination covering internal audit basics, practice, and business knowledge. It is more rigorous and broadly applicable than the CRMA. The CRMA, by contrast, is a specialty designation that requires an active CIA; it cannot be earned independently. Together, CIA + CRMA represents the gold standard for risk-focused internal auditors.

CRMA vs CISA

The CISA (Certified Information Systems Auditor), issued by ISACA, focuses on IT audit, information systems control, and cybersecurity governance. The CRMA focuses on enterprise risk management assurance across all risk types — operational, financial, strategic, and compliance — not just IT risk. Both credentials are respected in the audit profession; for auditors who want broad risk coverage rather than IT-specific expertise, the CRMA is the stronger fit. For IT-heavy roles, CISA remains the industry standard.

Explore our risk management assurance certification page for a detailed side-by-side comparison of CRMA against related credentials.