CRMA Certification 2026 June — Risk Management Assurance Exam Guide
Pass the CRMA Certification 2026 June exam with confidence. 🔎 Practice questions with detailed explanations and instant feedback on every answer.

What Is the CRMA Certification?
The Certification in Risk Management Assurance (CRMA) is a professional credential issued by The Institute of Internal Auditors (IIA). It is designed for internal audit professionals who specialize in risk management assurance and want formal recognition of that expertise.
Unlike a standalone certification, the CRMA functions as a specialty designation built on the foundation of the CIA (Certified Internal Auditor). Holders demonstrate that they possess advanced knowledge in evaluating and assuring risk management processes, a capability increasingly demanded by audit committees, boards, and C-suite executives.
The credential signals to employers that an auditor can independently assess the organization's enterprise risk management (ERM) framework, verify that risk appetite is properly set and monitored, and provide the board with reliable assurance over risk governance. If you want to explore what exam questions look like before committing, our risk management assurance certification overview page is a strong starting point.

Who Should Pursue the CRMA?
The CRMA is targeted at experienced internal audit practitioners who are ready to differentiate themselves in risk management. Common candidates include:
- Senior internal auditors moving into risk-focused roles
- Audit managers and directors who oversee risk-based audit plans
- Enterprise risk management professionals with an internal audit background
- Risk consultants serving financial services, healthcare, or regulated industries
Because the CRMA requires an active CIA certification, it is not an entry-level credential. Professionals who have already earned their CIA and want to deepen their market value in the risk assurance space are the primary audience. Ready to test your knowledge now? Take our CRMA practice test to gauge your readiness before exam day.
CRMA Exam Format
The CRMA exam is a 100-question, multiple-choice assessment administered over 2 hours at Pearson VUE testing centers. All questions are computer-based, and candidates can schedule at any authorized Pearson VUE location worldwide.
Scoring
Results are reported on a scaled score of 200 to 800. The passing score is 600. Scores are provided immediately upon completion of the exam at the testing center. Candidates who do not pass receive a diagnostic report indicating relative performance in each content domain to guide future preparation.
Retake Policy
Candidates who fail may retake the exam. The IIA does not publicly specify a waiting period between attempts, but candidates are advised to consult the official IIA candidate handbook for current retake rules, which are subject to change.
Working through realistic CRMA exam questions under timed conditions is the most effective way to prepare for the 2-hour format. You can also review answer explanations through our CRMA practice questions with video answers.
CRMA Key Concepts
What is the passing score for the CRMA exam?
Most CRMA exams require 70-75% to pass. Check the official exam guide for exact requirements.
How long is the CRMA exam?
The CRMA exam typically allows 2-3 hours. Time management is critical for success.
How should I prepare for the CRMA exam?
Start with a diagnostic test, create a 4-8 week study plan, and take at least 3 full practice exams.
What topics does the CRMA exam cover?
The CRMA exam covers multiple domains. Review the official content outline for the complete list.

CRMA Exam Content Domains
The CRMA exam is organized into four roughly equal content domains, each representing approximately 25% of the exam. Mastery across all four areas is required for a passing score.
Domain 1: Foundations of Risk Management (~25%)
This domain covers the theoretical and practical underpinnings of risk management, including widely used risk frameworks (COSO ERM, ISO 31000), the concepts of risk appetite and risk tolerance, and how organizations identify, assess, and respond to risk at the enterprise level. Candidates must understand ERM design principles and how risk frameworks align with organizational objectives.
Domain 2: Risk Management Roles and Responsibilities (~25%)
Governance of risk management is the focus here. The domain addresses the oversight role of the board and audit committee, management's accountability for day-to-day risk management, and the internal audit function's role in providing independent assurance. The Three Lines Model is central to this domain.
Domain 3: Core Audit Competencies Applied to Risk (~25%)
This domain bridges traditional internal audit methodology with risk management. Topics include risk-based audit planning (how to prioritize engagements based on risk), audit testing techniques applied to ERM processes, and how to communicate risk assurance findings in audit reports. Candidates must demonstrate they can translate risk assessment results into actionable audit conclusions.
Domain 4: Organizational Governance (~25%)
The final domain encompasses governance structures, ethical frameworks, stakeholder management, and the relationship between governance, risk, and compliance (GRC). Candidates must understand how effective governance supports risk management and how internal audit contributes to governance assurance.
Our CRMA certification exam page includes domain-by-domain study tips and links to practice resources aligned with each content area.
- ✓ Verify your CIA certification is active and in good standing before applying
- ✓ Download the official IIA CRMA Exam Candidate Handbook and review the content outline
- ✓ Study all four content domains systematically — each is weighted equally at ~25%
- ✓ Complete timed practice sessions using realistic CRMA practice questions to build exam stamina
- ✓ Review the COSO ERM framework and ISO 31000 — core references for Domain 1
- ✓ Schedule your exam at a Pearson VUE center with at least 4–6 weeks of lead time
Exam Fees and Renewal
Exam Fees
The CRMA exam fee is approximately $100 for IIA members and $125 for non-members. These fees are subject to change; always confirm the current fee on the IIA's official website before registering. IIA membership itself carries an annual fee, but members who plan to sit for multiple IIA exams typically find membership cost-effective.
Renewal Requirements
The CRMA designation must be renewed every three years. Renewal is straightforward because it is directly tied to CIA maintenance — candidates who keep their CIA active and in good standing automatically satisfy the CRMA renewal requirement. There are no additional CRMA-specific continuing professional education (CPE) hours required beyond what the CIA demands. This makes the CRMA one of the more cost-efficient specialty certifications to maintain over a career.

Career Impact of the CRMA
Earning the CRMA credential has measurable career benefits for internal audit professionals. According to IIA salary surveys and industry benchmarks, CRMA holders typically earn between $75,000 and $130,000 annually, depending on experience level, industry, and organization size. Senior professionals in financial services or large multinationals tend to sit at the higher end of that range.
Common Career Paths
- Internal Audit Director / Chief Audit Executive (CAE) — The CRMA is increasingly listed as preferred or required in CAE job postings at mid-to-large organizations.
- Enterprise Risk Manager — Professionals who bridge internal audit and ERM functions benefit from the credential's explicit focus on risk governance.
- Risk Consultant — Consulting firms serving regulated industries (banking, insurance, healthcare) value the CRMA as a client-facing differentiator.
- Audit Committee Advisor — CRMA holders are well-positioned to advise boards and audit committees on risk assurance matters.
Beyond compensation, the CRMA demonstrates a commitment to the audit profession and signals that a practitioner can go beyond compliance-focused auditing to provide strategic risk insight to senior leadership.
Start building your exam confidence today with our CRMA certification exam practice questions, or watch worked solutions in our CRMA practice questions with video answers.
CRMA vs Other Certifications
CRMA vs CIA
The CIA (Certified Internal Auditor) is the foundational IIA credential — a three-part examination covering internal audit basics, practice, and business knowledge. It is more rigorous and broadly applicable than the CRMA. The CRMA, by contrast, is a specialty designation that requires an active CIA; it cannot be earned independently. Together, CIA + CRMA represents the gold standard for risk-focused internal auditors.
CRMA vs CISA
The CISA (Certified Information Systems Auditor), issued by ISACA, focuses on IT audit, information systems control, and cybersecurity governance. The CRMA focuses on enterprise risk management assurance across all risk types — operational, financial, strategic, and compliance — not just IT risk. Both credentials are respected in the audit profession; for auditors who want broad risk coverage rather than IT-specific expertise, the CRMA is the stronger fit. For IT-heavy roles, CISA remains the industry standard.
Explore our risk management assurance certification page for a detailed side-by-side comparison of CRMA against related credentials.
- + Industry-recognized credential boosts your resume
- + Higher earning potential (10-20% salary increase on average)
- + Demonstrates commitment to professional development
- + Opens doors to advanced career opportunities
- − Exam preparation requires significant time investment (4-8 weeks)
- − Certification fees can be $100-$400+
- − May require continuing education to maintain
- − Some employers may not require certification