- The CRMA is issued by The IIA and sits within the CIA certification family, making CIA candidacy or completion a prerequisite path.
- Domain 3 (Risk Management Assurance) carries 55% of exam weight-allocate the majority of your study time here.
- You must submit your application through The IIA's online portal and receive approval before scheduling your exam date.
- Employers in internal audit, financial services, and enterprise risk functions actively seek CRMA holders for senior assurance roles.
What the CRMA Application Actually Involves
The Certification in Risk Management Assurance (CRMA) is a specialty credential awarded by The Institute of Internal Auditors (The IIA). Unlike a standalone certification you can pursue in isolation, the CRMA is structurally tied to the CIA program-meaning your first step is understanding exactly where you stand within that ecosystem before you touch the application form.
The application process has two distinct phases that candidates often conflate: the eligibility and approval phase, which happens entirely on The IIA's platform before any exam scheduling, and the exam delivery phase, handled through Pearson VUE testing centers or authorized remote proctoring. Confusing these two phases leads to the most common application mistakes-attempting to book an exam before receiving an approval notice, or submitting documentation that is incomplete.
Eligibility Requirements at a Glance
Before filling out a single field in the application portal, confirm you meet the baseline eligibility criteria. The CRMA is not an entry-level credential, and The IIA's requirements reflect that positioning.
CIA Relationship Requirement
Candidates must either hold an active CIA designation or be an active CIA candidate in good standing. This is the single most important eligibility gate. If you have not begun your CIA journey, the CRMA application will not proceed. The IIA treats the CRMA as a specialty certification that deepens CIA-level competency in risk assurance-it is not a shortcut around the CIA program.
Experience and Character
The IIA requires verified internal audit experience, though the specific hours threshold depends on your educational background. A character reference is required as part of the application. This is not a formality-choose a professional reference who can speak directly to your assurance and risk work, not just your general employment history.
| Requirement | Details | Common Mistake |
|---|---|---|
| CIA Status | Active CIA holder or active CIA candidate | Assuming CIA candidacy lapsed status still qualifies |
| Work Experience | Verified internal audit experience (hours vary by education level) | Submitting general finance experience instead of audit-specific hours |
| Character Reference | Professional reference attesting to character and work quality | Using a personal reference rather than a direct supervisor or audit leader |
| IIA Membership | Active IIA membership provides reduced fees; non-members may apply at higher rates | Letting membership lapse before applying, increasing total cost |
Step-by-Step Application Walkthrough
The application has a defined sequence. Jumping ahead causes delays that can push your target exam date back by weeks. Follow these steps in order.
- Create or log in to your IIA account. All CRMA application activity happens through your IIA member portal. Ensure your profile is current, including your mailing address, employer information, and membership status.
- Confirm your CIA status is active and reflected in the portal. If you are a CIA candidate, your candidate number must appear correctly. If you have completed the CIA, your designation should show as active. Discrepancies here will stall your CRMA application.
- Complete the online CRMA application form. The form collects your educational background, work experience details, and reference contact information. Be precise with dates and job titles-vague entries invite follow-up requests that delay processing.
- Submit your character reference request. The IIA sends a separate form to your reference electronically. Alert your reference contact in advance so they respond promptly. Unreturned references are one of the top causes of application delays.
- Pay the applicable exam fee. Fee amounts differ for IIA members versus non-members. Payment is submitted through the portal at the time of application submission. Keep your confirmation receipt.
- Await approval notification. Processing times vary. Do not contact Pearson VUE or attempt to schedule your exam until you receive an official approval email from The IIA with your authorization to test (ATT).
- Schedule your exam through Pearson VUE. Once you hold your ATT, log in to the Pearson VUE portal and select a test center or remote proctoring session. The ATT has an expiration window-schedule promptly to avoid forfeiting your fee.
Key Takeaway
Your Authorization to Test (ATT) expires. Once you receive it, scheduling should be your immediate next action-not something to revisit after "a few more weeks of studying." If the ATT lapses, you will need to reapply and repay fees.
What You Are Being Tested On
The CRMA exam is built around three domains with clearly defined weightings. Understanding this structure is not optional context-it is the foundation of every effective preparation strategy. For a detailed look at how to map your prep calendar to these domains, see our guide on CRMA Study Schedule: How to Plan Your Exam Prep.
Domain 1: Internal Audit Roles and Responsibilities (20%)
This domain tests your understanding of how the internal audit function is positioned within an organization and what authoritative standards govern its operation.
- The IIA's International Standards for the Professional Practice of Internal Auditing (IPPF)
- The role of the Chief Audit Executive (CAE) in risk-based audit planning
- Coordination between internal audit and other assurance providers
- Independence and objectivity requirements that affect risk assurance engagements
- Communication of results to the audit committee and senior management
Domain 2: Risk Management Governance (25%)
Governance is the connective tissue between risk management and organizational accountability. This domain tests whether you understand how risk frameworks are structured, governed, and overseen.
- Enterprise Risk Management (ERM) frameworks, particularly COSO ERM
- The board's role in risk oversight and appetite-setting
- Three lines of defense model and how internal audit operates as the third line
- Risk appetite statements, risk tolerance thresholds, and escalation protocols
- Regulatory and compliance dimensions of risk governance
Domain 3: Risk Management Assurance (55%)
More than half the exam lives here. This is where the CRMA differentiates itself from the CIA-it demands deep technical competency in how assurance is designed and delivered within a risk management context.
- Assurance engagement planning using a risk-based approach
- Evaluating the design and operating effectiveness of risk management processes
- Risk identification, assessment, and response evaluation techniques
- Testing control environments that address key organizational risks
- Reporting assurance conclusions to governance stakeholders
- Continuous monitoring and emerging risk considerations
- Integration of data analytics into risk assurance engagements
After Approval: Preparing for the Exam
Receiving your ATT is a milestone, but it shifts the pressure from administrative to intellectual. Many candidates underestimate how domain-specific the CRMA study challenge is compared to general audit certifications.
The most reliable way to assess your readiness across all three domains is to work through scenario-based practice questions that mirror the real exam format. At CRMA Exam Prep, our practice tests are structured around the exact domain weightings-55% of questions in Risk Management Assurance, 25% in Risk Management Governance, and 20% in Internal Audit Roles and Responsibilities-so your scores directly reflect where you stand on the real exam blueprint.
Understanding Your Weak Domains Before the Exam
Candidates who pass on their first attempt almost universally share one characteristic: they identified their weakest domain before exam day, not during it. Domain 3's weight means a significant gap there cannot be compensated by perfecting Domains 1 and 2. Run diagnostic practice sets separated by domain to get an honest picture of your distribution of readiness. You can begin that diagnostic process at our practice test platform today.
Mapping Your Study to the Three Domains
Given the domain weight distribution, a proportional study plan is straightforward to build. The following timeline assumes a candidate with active CIA experience who has already completed their application and is preparing during an ATT window.
Domain 1 Foundation - Internal Audit Roles and Responsibilities
- Review IPPF standards with a focus on risk-based audit planning sections
- Map the CAE's reporting relationships and how they affect assurance independence
- Complete a 30-question Domain 1 practice set; note any missed concepts for re-review
Domain 2 Deep Dive - Risk Management Governance
- Study COSO ERM framework components in depth, particularly risk appetite and risk response
- Work through the Three Lines Model with scenario examples from financial services and regulated industries
- Complete a 40-question Domain 2 practice set; focus on board oversight and governance questions
Domain 3 Intensive - Risk Management Assurance
- Break Domain 3 into sub-topics: assurance planning, control evaluation, reporting, and data analytics
- Complete 60+ scenario-based Domain 3 questions per week
- Use spaced repetition specifically for risk assessment methodologies and reporting frameworks-these appear frequently in complex scenarios
- Review any weak sub-topics identified in practice test analytics
Full-Length Simulation and Final Review
- Take at least two full-length timed practice exams simulating real exam conditions
- Analyze results by domain-any domain scoring below your target needs a focused final review session
- Revisit the CRMA application process article for exam day logistics: CRMA Application Process: Step-by-Step Guide 2026
Who Hires CRMA Holders and Why It Matters
Understanding the professional market for the CRMA shapes how you position the credential in your application-and reinforces why the exam's content is weighted the way it is.
Financial institutions, insurance companies, healthcare systems, and large publicly traded corporations are the primary employers of CRMA holders. These are organizations where enterprise risk management is not a theoretical exercise-it is a regulated, board-level function with direct accountability to audit committees and external regulators. CRMA holders are brought in specifically because they can provide assurance over risk management processes, not just over transactional controls.
Internal audit leadership roles-Senior Internal Auditor, Audit Manager, Director of Internal Audit, and Chief Audit Executive-frequently list the CRMA as a preferred or required credential when the organization has a mature ERM program. Consulting firms that provide co-sourced or outsourced internal audit services also value the credential when staffing risk assurance engagements for regulated clients.
Frequently Asked Questions
No. You can apply for the CRMA as an active CIA candidate-meaning you have begun the CIA program and are in good standing-even if you have not yet passed all three CIA parts. However, to maintain the CRMA designation long-term, you must complete the CIA. Check The IIA's current requirements for any updates to this policy before applying.
Processing times vary and are not guaranteed. Historically, applications with complete documentation and a returned character reference are processed faster than incomplete submissions. Plan for a multi-week window between submission and receiving your Authorization to Test, and do not schedule any time off for exam day until you hold the ATT in hand.
If your ATT expires without you scheduling and sitting the exam, you will generally need to reapply and pay fees again. This is one of the more painful administrative outcomes candidates face. Treat ATT receipt as a hard deadline trigger-schedule within days of receiving it, even if your exam date ends up being weeks away.
The CRMA is delivered through Pearson VUE, which offers both physical testing center locations and remote proctored options. The availability of remote proctoring depends on your location and current Pearson VUE offerings. Review both options when scheduling-remote proctoring has specific technical and environment requirements that you should verify before selecting that format.
The CRMA uses a scaled scoring system rather than a raw percentage. Pearson VUE typically provides a preliminary pass/fail result at the testing center immediately after you complete the exam. Official results and credential processing then go through The IIA. The scaled score accounts for variation in question difficulty across different exam versions, ensuring consistency in the passing standard.
Ready to Start Practicing?
Test your knowledge across all three CRMA domains with scenario-based practice questions built to match the real exam's 55/25/20 domain weighting. Identify your gaps now-before exam day.
Start Free Practice Test