Certification in Risk Management Assurance (CRMA)


Published March 16, 2023

A CRMA certification can take an internal auditor's career to new heights. Find out what it takes to earn this credential and how it might benefit you.

Accounting.com is an advertising-supported site. Featured or trusted partner programs and all school search, finder, or match results are for schools that compensate us. This compensation does not influence our school rankings, resource guides, or other editorially-independent information published on this site.

Are you ready to discover your college program?

Credit: Rockaa / E+ / Getty Images

The certification in risk management assurance (CRMA) recognizes professionals with in-depth knowledge and skills related to organizational risk management. This credential, awarded by the Institute of Internal Auditors (IIA), demonstrates an understanding of risk assessment, identification, response, and controls.

CRMAs typically come from accounting careers as internal auditors and compliance officers, among others. They evaluate organizations' risk management controls and processes to provide strategic advice based on their findings. While not required for employment, the CRMA certification can improve a professional's credibility and employability.

Since 1941, the IIA has awarded credentials to internal auditors, including nearly 17,000 CRMA certifications. Members of the global organization join a network of over 210,000 professionals. Discover pathways to CRMA certification and some professional benefits this credential can provide with this helpful guide.

Why Get Certified as a CRMA?

  • Become a Risk Specialist: CRMAs are risk experts who advise organizational leaders on risk management strategy. The CRMA credential offers international recognition of these specialized skills, which can lead to better career opportunities and higher pay.
  • Career Advancement: The CRMA can dramatically improve a professional's career prospects. The credential demonstrates specialized expertise that can lead to leadership positions on auditing committees or consulting roles for executive managers. The credentials also highlight a commitment to professional development, which may stand out to employers.
  • Bring More Value to Organizations: CRMAs offer insight to organizational leaders. With in-depth knowledge of risk management strategies and governance, CRMAs can advise management on organizational risks and opportunities.

How Do You Qualify for the CRMA Certification?

To qualify for the CRMA credential, each candidate needs a valid certified internal auditor (CIA) certification. They also must possess five years of relevant experience and a passing score on the examination.

Once registered for the CRMA, candidates have two years to complete the exam and submit proof of their professional experience. The CRMA has the same requirements worldwide. Candidates can gain experience from any state or country and can take the exam in over 500 worldwide locations.

Educational Requirements

The CRMA has no specific education requirements, but each candidate needs a valid CIA credential. The CIA does have an education component.

To qualify for the CIA certification, candidates must satisfy one of the following requirements:

  • Master's degree with one year of relevant experience
  • Bachelor's degree with two years of relevant experience
  • Five years of relevant experience

Professional Requirements

The professional requirements for the CRMA include five years of experience in internal auditing or risk management. This work may occur within audit-related roles, such as audit managers, directors, associates, and specialists. Depending on their experience, professionals from accounting, financial services, risk assurance, and internal control positions may qualify.

Candidates cannot substitute education for the experience requirement. However, higher levels of education can reduce the experience requirements for the mandatory CIA certification.

What Does the CRMA Exam Cover?

The CRMA exam features 125 questions with up to 150 minutes of test time. The test has three sections: internal audit roles and responsibilities (20%), risk management governance (25%), and risk management assurance (55%). Question formats include multiple choice, fill in the blank, and matching. Test-takers must complete all components in one sitting.

Along with more than 500 testing locations worldwide, some CRMA candidates may take the exam online. A proctor will review the testing space before starting the exam to ensure it is free of unauthorized preparation materials.

CRMA Exam Structure
Section Topics Format

Internal Audit Roles and Responsibilities

  • Roles and competencies
  • Coordination
  • Multiple choice and multiple response
  • Fill in the blank
  • Categorizing and ordering
  • Matching and scenario sets
  • Hot spot

Risk Management Governance

  • Governance, risk management, and control frameworks
  • Risk management integration
  • Multiple choice and multiple response
  • Fill in the blank
  • Categorizing and ordering
  • Matching and scenario sets
  • Hot spot

Risk Management Assurance

  • Risk management approach
  • Assurance processes
  • Communication
  • Multiple choice and multiple response
  • Fill in the blank
  • Categorizing and ordering
  • Matching and scenario sets
  • Hot spot

Scoring the Exam

CRMA exams are scored and scaled by the IIA's Professional Certifications Board. The scale ranges between 250-750, and test-takers need a score of at least 600 to pass.

According to the IIA, the CRMA exam has a 50% global pass rate. Candidates who fail the exam must wait 30 days before retaking the test.

The board may post results within 24 hours on the Certification Candidate Management System (CCMS).

How Do You Register for the CRMA Exam?

To register for the IIA's CRMA exam, candidates need to access their profile on CCMS. Since each CRMA candidate needs an active CIA certification, they should already have a CCMS account.

From their CCMS profile, candidates must pay the $95 program application costs for IIA members or $210 for non-members. Each applicant also submits a government ID and proof of experience.

After applying, submitting their documents, and receiving approval, candidates can register for the exam and schedule their test time. Test times operate on a first-come, first-served basis and may fill up quickly depending on the location and time of year.

For more information, the IIA runs a 30-minute Q&A webinar.

Paying for the Exam

CRMA exam registration costs $445 for IIA members and $580 for non-members. Test-takers should arrive at the testing center 30 minutes early and with proper identification to ensure they have time to sign in and get situated.

Candidates who arrive late or without identification may be denied entry or told to forfeit their registration fee. Test-takers may cancel or reschedule their exam up to two before the test date for a $75 fee. Any changes within 48 hours of the test date will result in a no-show and fee forfeiture.

How Can You Prepare for the CRMA Exam?

Every person has their own study methods and requirements. With a 50% pass rate, the CRMA exam is challenging enough that test-takers should take their preparation seriously. Candidates should study early and often to ensure their success.

Top Tips

  • Review Key Resources: The IIA lists risk management assurance resources used to develop the CRMA exam. Candidates should use these materials and understand their core concepts. Test-takers can also check the list regularly, as the IIA may make updates.
  • Use IIA Study Materials: The IIA provides an official study guide for the CRMA exam. Candidates can also review the exam syllabus and question demonstrations on the IIA website. For best results, test-takers should study both the material and the exam format.
  • Find a Study Group or Mentor: Joining a study group with other test-takers can help candidates in several ways. Study groups offer valuable support, such as motivation and different perspectives. Mentors may offer insight into the exam or the risk management assurance field.
  • Focus On The Problem Spots: After studying and attempting practice tests, CRMA candidates should be able to identify the most challenging sections. They can then invest more time working on these problem areas. By approaching these topics from different angles, test-takers may find creative ways to remember key information.
  • Look For Third-Party Study Guides and Courses: While the IIA provides an official study guide, third-party resources can also be helpful. Candidates may find online study courses or guides that take a different approach to the material.

Practice Exams and Study Resources

  • Official Study Guide: The IIA has an official study guide covering the three exam domains and field terminology. The $199 guide also provides 200 practice questions, along with solutions and explanations. The 2nd edition of this resource has been updated to reflect changes to the exam.
  • Exam Syllabus: Test-takers should carefully review the exam syllabus to identify all areas covered on the CRMA exam. They can gain insight into the test by paying attention to the language used, the examples provided, and how each section is weighted.
  • Interactive Questions: The IIA provides a helpful database of interactive questions to familiarize test-takers with the types of questions they will encounter on their exams. The database has examples of all eight question types.

What Is Needed to Maintain Risk Management Certification?

Certified CRMAs need to maintain their credential with continuing professional education (CPE). The IIA requires practicing CRMAs to report at least 20 CPE hours annually, including two hours of ethics. Non-practicing CRMAs need 10 CPE hours to maintain certification.

Eligible CPE hours include:

  • Relevant professional education and development programs
  • Relevant examinations
  • Authoring or translating publications
  • Oral presentations
  • Subject matter expert volunteering
  • Quality assessment

Newly certified professionals automatically earn 40 CPE hours, which cover their test year and the following year.

Should You Get Multiple Certifications?

To qualify for the CRMA credential, each candidate needs a valid CIA certification. The CIA credential prepares professionals to handle core internal auditor responsibilities.

Along with the CIA and CRMA, the IIA offers the internal audit practitioner (IAP) certification. This temporary certification helps aspiring auditors qualify for the CIA credential. The non-renewable IAP expires after three years.

Questions About Risk Management Assurance

  • What is risk management assurance?

    Risk management assurance is the process of identifying, evaluating, and managing financial and operational risks. Assurance provides organizations with protection, confidence in their decision-making, and insight into opportunities.

  • What are the responsibilities of risk assurance?

    The responsibilities vary by organization and individual. In general, risk assurance educates and advises leaders on their organization's exposure to risk. The risk assurance process often includes internal audits, data and privacy reviews, and law and regulation compliance services.

  • What is a risk audit?

    A risk audit reviews an organization's finances and operations to determine risk. Successful audits highlight potential risks and help organizations identify pathways to manage, control, or alleviate the risk.

  • What is a pass score for CRMA?

    The CRMA exam has a maximum scaled score of 750. The minimum passing score is 600.

Recommended Reading

Search top-tier programs curated by your interests.

Let us know what type of degree you're looking into, and we'll find a list of the best programs to get you there.