CRMA Eligibility Requirements: Who Can Apply in 2027

TL;DR
  • The CRMA requires an active CIA credential as a non-negotiable prerequisite before you can sit for the exam.
  • Risk Management Assurance (Domain 3) carries 55% of the exam weight - the single most critical area to master.
  • Relevant internal audit and risk management experience is required; generic compliance or finance roles may not qualify.
  • Employers in banking, insurance, government, and large enterprises specifically recruit for the CRMA designation.

What the CRMA Certification Actually Covers

The Certification in Risk Management Assurance (CRMA) is a specialty credential issued by The Institute of Internal Auditors (IIA) for internal audit professionals who provide assurance over enterprise risk management (ERM) and governance processes. Unlike general risk certifications that treat risk from a management or compliance lens, the CRMA is explicitly designed for practitioners who evaluate whether an organization's risk management framework is functioning effectively - and who communicate those findings to boards, audit committees, and senior leadership.

This distinction matters enormously for eligibility. The IIA built the CRMA to reward internal auditors who have moved beyond transactional audit work into risk-focused assurance roles. That philosophy shapes every eligibility requirement, from the mandatory CIA prerequisite to the experience standards candidates must demonstrate before they can register.

Before diving into the specific requirements, it's worth understanding the three exam domains the credential tests, because they reveal exactly what kind of experience the IIA expects candidates to bring to the table:

Domain 1: Internal Audit Roles and Responsibilities (20%)

Candidates must understand the internal audit function's mandate within an organization, including the professional standards, independence requirements, and the audit function's relationship to governance bodies. This domain asks how internal audit positions itself as a risk assurance provider - not just a controls tester.

  • The IIA International Standards and their application to risk assurance engagements
  • Roles of the chief audit executive in risk oversight
  • Coordination between internal audit and other assurance providers

Domain 2: Risk Management Governance (25%)

This domain examines how organizations structure and oversee their risk management activities at the governance level. Candidates need fluency in ERM frameworks, board-level risk appetite discussions, and how governance bodies interact with management on risk matters.

  • Enterprise risk management frameworks (COSO ERM, ISO 31000)
  • Risk appetite, risk tolerance, and risk culture concepts
  • Board and audit committee responsibilities for risk oversight

Domain 3: Risk Management Assurance (55%)

Representing more than half the exam, this domain is the heart of the CRMA. Candidates must demonstrate the ability to plan, execute, and report on risk management assurance engagements - including evaluating the design and operating effectiveness of risk management processes.

  • Assurance engagement planning for risk management processes
  • Evaluating ERM framework maturity and effectiveness
  • Reporting findings to governance bodies on risk management gaps
  • Consulting vs. assurance roles in risk management activities

The domain weightings tell you something concrete about eligibility: if you have spent most of your career testing controls without engaging in ERM assurance work, you will likely struggle to meet both the experience standard and the exam content demands of Domain 3. The IIA designed the CRMA for practitioners already operating at that level.

The Core Eligibility Requirements at a Glance

The CRMA has a more focused eligibility profile than many professional certifications because it is a specialty credential built on top of an existing one. Before reviewing each requirement in depth, here is a side-by-side summary of what the IIA requires:

| Requirement Category | What the IIA Requires | Notes for 2027 Candidates |
|---|---|---|
| Prerequisite Credential | Active Certified Internal Auditor (CIA) designation | Must be current; lapsed CIA status disqualifies applicants |
| Education | Bachelor's degree or equivalent | Aligned with CIA education standard; already met by most CIA holders |
| Professional Experience | Internal audit or risk management assurance experience | Must demonstrate relevance to CRMA domains; quantity and quality both matter |
| Character Reference | Attestation from a supervisor or IIA member | Confirms professional standing and experience claims |
| IIA Membership | Not strictly required but affects fee structure | IIA members pay lower registration fees |

Why the CIA Prerequisite Exists: The CRMA was intentionally layered on top of the CIA rather than positioned as a standalone credential. The IIA's rationale is that risk management assurance is an advanced competency that assumes candidates already have a grounding in internal audit standards, methodology, and professional ethics - all tested through the CIA program. Candidates who do not yet hold an active CIA should treat achieving that credential as their first milestone before pursuing the CRMA.

Education Requirements: What Qualifies

Because the CRMA prerequisite is an active CIA, the education bar is effectively the same one candidates cleared to earn their CIA. The IIA requires a bachelor's degree or its equivalent recognized by the relevant education authority in the candidate's country. Candidates who qualified for the CIA through an experience-in-lieu-of-degree pathway should verify their standing directly with the IIA, as the CRMA application mirrors CIA standards in this regard.

Field of study is not restricted. Internal auditors who hold degrees in accounting, finance, information systems, engineering, law, or public administration are equally eligible from an education standpoint. What matters for the CRMA is not your academic discipline but your practical exposure to the domains the exam tests - particularly the risk management assurance work captured in Domain 3.

Experience Requirements: What Counts and What Doesn't

This is where CRMA eligibility gets nuanced, and where candidates most often misjudge their readiness. The IIA requires professional experience in internal auditing or risk management assurance. That phrasing is intentional and meaningful.

Experience That Typically Qualifies

  • Internal audit roles with ERM assurance responsibilities - Conducting or supervising audit engagements that evaluate whether the organization's risk management processes identify, assess, and respond to risks appropriately.
  • Risk-based audit planning - Participating in the development of an audit universe and annual plan that is explicitly linked to organizational risk assessments.
  • Governance reporting - Preparing or contributing to reports delivered to audit committees or boards that address risk management effectiveness.
  • ERM framework assessment engagements - Evaluating an organization's adoption of COSO ERM, ISO 31000, or a similar framework as part of a formal assurance or advisory engagement.

Experience That May Not Qualify

  • Pure financial audit or SOX controls testing without any risk management assurance scope
  • Risk management roles on the first or second line of defense (e.g., enterprise risk managers, compliance officers) where the work involves managing risk rather than providing assurance over risk management
  • IT audit roles that are narrowly focused on technical controls rather than IT risk governance
  • Academic or consulting roles without direct organizational assurance responsibilities

Key Takeaway

The distinction between managing risk and providing assurance over risk management is fundamental to CRMA eligibility. The credential is for the third line - internal auditors who evaluate the first and second lines - not for risk practitioners embedded in those lines.

The CIA Credential Connection

No element of CRMA eligibility is more absolute than the CIA prerequisite. The IIA does not offer a conditional registration pathway for candidates who are still in the CIA certification process. Your CIA must be active at the time you apply for the CRMA.

For professionals who earned their CIA years ago and have maintained CPE compliance, this requirement is typically straightforward. For professionals who allowed their CIA to lapse - a situation that occurs when CPE requirements are not met - the path to CRMA eligibility runs through CIA reinstatement first.

If you are currently preparing for the CIA while also researching the CRMA, the good news is that there is meaningful content overlap. The internal audit standards, governance frameworks, and risk concepts covered in the CIA program are the foundation on which Domain 1 and Domain 2 of the CRMA are built. Candidates who have recently completed their CIA exams will find that their conceptual knowledge transfers efficiently to CRMA preparation, particularly for the domains covering internal audit roles and risk management governance.

CIA CPE and CRMA Maintenance: Once you earn the CRMA, you will maintain it through the IIA's CPE program as part of your overall CIA continuing education requirements. The two credentials are maintained under a unified compliance structure, which means adding the CRMA does not double your annual CPE burden.

Who Hires CRMA Holders and Why It Matters for Your Application

Understanding the employer landscape for the CRMA helps candidates assess whether their current role positions them well for both eligibility and career advancement. The designation is most recognized - and most actively recruited for - in sectors where enterprise risk management is mature and subject to regulatory oversight.

Financial services and banking represent the deepest market for CRMA holders. Internal audit functions at banks, credit unions, and investment firms are expected by regulators to provide explicit assurance over risk management frameworks. The CRMA signals to audit committee members and regulators that the internal auditor has demonstrated competency specifically in that assurance function.

Insurance companies similarly operate under sophisticated risk governance structures, and internal audit departments in those organizations increasingly seek auditors who can evaluate ERM frameworks against evolving regulatory expectations.

Government and public sector entities - particularly at the federal level and in large state agencies - have invested in ERM frameworks over the past decade. Internal auditors in those environments who hold the CRMA are positioned to lead assurance work on risk management programs that are under increased legislative and oversight scrutiny.

Large enterprises across industries - healthcare systems, energy companies, technology firms, and multinational manufacturers - that have formal ERM programs and board-level risk committees increasingly look for CRMA holders to staff senior internal audit positions focused on risk assurance.

This employer context is directly relevant to your eligibility assessment. If you work in one of these environments and your current role involves any of the assurance activities described above, you are likely building qualifying experience even if your job title does not say "risk" explicitly.

Navigating the Application and Registration Process

The CRMA application is managed through the IIA's online certification portal. Candidates submit documentation of their CIA credential, education, and professional experience, along with a character attestation. The IIA reviews applications before issuing authorization to test (ATT), which sets the window during which the candidate can schedule and sit for the exam.

IIA members and non-members both have access to the CRMA, but the fee structure differs - IIA members pay a reduced examination fee. Candidates who are not currently IIA members should weigh the membership cost against the fee differential when deciding whether to join before applying.

Once you have your ATT, scheduling is done through the IIA's testing partner. The exam is available at proctored testing centers and through remote proctoring, giving candidates flexibility around work schedules. Understanding the full structure of what you will face on exam day is essential preparation - review the CRMA Exam Format: Question Types, Time Limits and Scoring article for a detailed breakdown of how the exam is structured and scored.

Aligning Your Study Plan to Eligibility Milestones and Exam Domains

For candidates who have confirmed their eligibility and are moving toward registration, the domain weightings provide the clearest roadmap for study prioritization. Here is a practical framework for structuring your preparation across four weeks:

Week 1

Domain 2: Risk Management Governance (25%)

  • Work through COSO ERM and ISO 31000 frameworks in depth
  • Study risk appetite and risk tolerance concepts and how boards engage with them
  • Review governance structures: audit committee charters, three lines model

Week 2

Domain 1: Internal Audit Roles and Responsibilities (20%)

  • Revisit IIA Standards as they apply specifically to risk assurance engagements
  • Study CAE responsibilities in communicating risk assurance results
  • Review coordination with external auditors and second-line functions

Weeks 3-4

Domain 3: Risk Management Assurance (55%) - Deep Focus

  • Engagement planning for risk management assurance assignments
  • Evaluating ERM maturity models and framework effectiveness
  • Drafting and communicating risk assurance findings to governance bodies
  • Practice questions focusing on scenario-based risk assurance situations

The rationale for this sequence is straightforward: Domain 2 provides the conceptual vocabulary that makes Domain 3 study more efficient. Understanding how governance bodies think about risk appetite before studying how to evaluate risk management assurance processes means you are building on a foundation rather than absorbing disconnected facts. Domain 1, while the smallest domain by weight, reinforces the standards and role clarity that tie everything together.

Use spaced repetition specifically for the governance and standards material in Domains 1 and 2 - these are content-dense areas where recall on exam day depends on consistent review over time. Domain 3 benefits most from scenario-based practice because the exam tests application of judgment, not just knowledge recall. CRMA practice tests that mirror real exam scenarios are the most efficient way to build that judgment quickly.

Candidates can find detailed practice resources - including domain-specific question banks aligned to the three CRMA domains - at the CRMA Exam Prep practice test platform. Using those resources alongside this eligibility and content overview gives you both the strategic context and the tactical practice repetitions needed to walk into the exam with confidence.

Verify Before You Register: Before submitting your application, review the full CRMA Eligibility Requirements: Who Can Apply in 2027 checklist and confirm your CIA is active, your experience documentation is complete, and you have identified your character reference. Incomplete applications delay your ATT and push back your exam timeline unnecessarily.

Frequently Asked Questions

Can I apply for the CRMA while I am still completing my CIA?

No. The IIA requires an active, fully earned CIA designation before you can apply for the CRMA. There is no concurrent or conditional registration pathway. Complete your CIA first, confirm it is in active standing, and then submit your CRMA application.

Does experience in an enterprise risk management (ERM) role count toward CRMA eligibility?

Generally, no - at least not on its own. The CRMA targets third-line assurance providers who evaluate risk management processes, not first- or second-line practitioners who own and manage those processes. If you have transitioned from an ERM role into internal audit and are now performing assurance work on risk management, that internal audit experience may qualify. Consult the IIA directly for a definitive determination of your specific situation.

What is the most heavily weighted domain on the CRMA exam?

Domain 3: Risk Management Assurance accounts for 55% of the exam - more than Domains 1 and 2 combined. Candidates should allocate the majority of their study time to this domain, focusing on how to plan, execute, and report on risk management assurance engagements. See the CRMA Exam Format: Question Types, Time Limits and Scoring article for more detail on how domains translate into question distribution.

Do I need to be an IIA member to apply for the CRMA?

IIA membership is not a strict eligibility requirement for the CRMA, but members pay lower examination fees than non-members. Candidates should calculate whether joining the IIA before applying offers a net financial benefit based on the current fee schedule published on the IIA's website.

How long does the IIA take to process a CRMA application and issue an authorization to test?

Processing timelines can vary based on application volume and completeness of your submission. Candidates with complete documentation - including CIA credential verification, experience details, education records, and a character attestation - typically experience faster processing. Build several weeks of processing time into your overall exam preparation schedule so that administrative delays do not disrupt your study momentum.
