Monday, December 18, 2017

Certification in Control Self-Assessment® (CCSA®)

The Certification in Control Self-Assessment (CCSA®) is one of The IIA’s specialty certification programs designed specifically for practitioners of control self-assessment (CSA).

The program:

  • Identifies the skill sets needed by successful CSA practitioners;
  • Measures the candidate’s understanding of CSA; and
  • Provides guidance for CSA initiatives.


Whether you are a new convert to CSA or a seasoned practitioner, earning a CCSA offers many benefits, including:

  • Laying the groundwork for CSA practice;
  • Demonstrating your training, experience, and competence in CSA;
  • Increasing your credibility with clients and senior management; and
  • Increasing your value to prospective promotions and new career opportunities.


Individuals at any CSA experience level will benefit from this comprehensive program. Gaining the required knowledge of areas such as risk and control models – often considered the realm of auditors only – exposes CSA practitioners from all backgrounds to concepts that are vital in effectively using CSA to help clients achieve their objectives.


Exam Format

The CCSA exam is offered in one part containing 125 multiple choice questions. Candidates are given three hours and fifteen minutes to complete the exam. Some of the exam questions are included for research purposes only and do not affect the candidate’s score. These research questions are not identified, so candidates should answer all questions to the best of their ability. The use of research questions benefits CCSA candidates by allowing The IIA to include only pretested, statistically valid questions in scoring the CCSA exam.


Exam Nondisclosure

The CCSA exam is a nondisclosed examination, which means that current exam questions and answers will not be published or divulged.


CCSA Exam Topic Outline

The topics tested on the CCSA exam are framed in the context of a variety of industry situations. Candidates are not expected to be familiar with industry-specific controls, but should be able to relate to risks and controls that generally apply to business processes in various industries. Exam topics are subject to change.


The Certification in Control Self-Assessment (CCSA) exam covers the following domains.

Domain I: CSA Fundamentals (5-10 percent)

  1. Code of Ethics (P)
  2. Ownership and accountability for control (P)
  3. Reliance on operational expertise (P)
  4. Comparison to traditional techniques of risk and control evaluation (P)
  5. Control awareness and education (P)
  6. Cooperation, participation, and partnership (P)


Domain II: CSA Program Integration (15-25 percent)

  1. Alternative approaches to CSA (A)
  2. Supporting technology alternatives (A)
    1. Database
    2. Electronic voting
    3. Presentation software and hardware
    4. Project management software
  3. Cost/benefit analysis for implementation of the CSA process (A)
  4. Organizational theory and behavior (A)
    1. Structure
    4. Management style
    5. Governance
  5. Strategic and operational planning processes (A)
  6. Change management and business process reengineering (A)
  7. Presentation techniques for successful integration (A)
  8. Organizational risk and control processes (A)
    1. Quality management
    2. Risk management
    3. Safety audits
    4. Environmental audits
    5. Internal and external audit
  9. Client feedback mechanisms (e.g., interviews, surveys) (A)
  10. Strategic CSA program planning methodologies or techniques, including resource allocation (A)


Domain III: Elements of the CSA Process (15-25 percent)

  1. Management’s priorities and concerns (P)
  2. Project and logistics management (P)
  3. Business objectives, processes, challenges, and threats for the area under review (P)
  4. Resource identification and allocation (A)
    1. Participants
    2. CSA team
  5. Culture of area under review (P)
  6. Question development techniques (P)
  7. Technology supporting the CSA process (P)
  8. Facilitation techniques and tools (P)
  9. Group dynamics (P)
  10. Fraud awareness (A)
    1. Red flags/symptoms of fraud
    2. Communication and investigation channels
    3. Responding to evidence
  11. Evaluation/analytical tools and techniques (trend analysis, data synthesis, scenarios) (A)
  12. Formulating recommendations or action plans (practical, feasible, cost-effective) (P)
  13. Nature of evidence (sufficiency, relevance, adequacy) (A)
  14. Reporting techniques and considerations (types, audience, sensitive issues, access to information) (P)
  15. Motivational techniques (creating support and commitment for recommendations) (A)
  16. Monitoring, tracking, and follow-up techniques (A)
  17. Awareness of legal, regulatory, and ethical considerations (A)
  18. Measuring CSA program effectiveness (A)


Domain IV: Business Objectives/Organizational Performance (10-15 percent)

  1. Strategic and operational planning processes (A)
  2. Objective setting, including alignment to the organization’s mission and values (P)
  3. Performance measures (P)
    1. Financial
    3. Qualitative
  4. Performance management (P)
    1. Aligning individual, group, and organizational objectives/goals
    2. Designing congruent incentives
  5. Data collection and validation techniques (e.g., benchmarking, auditing, consensus testing, etc.) (A)


Domain V: Risk Identification and Assessment (15-20 percent)

  1. Risk Theory (P)
    1. Defining risk
    2. Relationship of risk to strategic, operational, or process objectives
    3. Risk tolerance, residual risk, and exposure
    4. Impact assessment
  2. Risk models/frameworks (including COSO’s Enterprise Risk Management/Integrated Framework) (P)
  3. Understanding the risks inherent in common business processes (P)
  4. Application of risk identification and assessment techniques (P)
  5. Risk management techniques/cost-benefit analysis (P)
    1. Transfer, manage, or accept
    2. Impact/cost-benefit analysis
  6. Using CSA in enterprise risk management (P)


Domain VI: Control Theory and Application (20-25 percent)

  1. Corporate governance, control theory, and models (P)
    1. Accountability and responsibility for control
    2. Defining control
    3. Relationship between risk, control, and objectives
  2. Methods for judging and communicating the overall effectiveness of the system of internal control (P)
    1. Using CSA to support management’s assertion on controls
  3. Relationship between informal and formal controls (P)
  4. Techniques for evaluating formal controls (manual or automated) (P)
  5. Techniques for evaluating informal controls/control environment (P)
  6. Control documentation techniques (P)
    1. Flowcharting
    2. Business process mapping
    3. Control charts
    4. Control questionnaires
    5. Internal Control over financial reporting
  7. Control design and application (P)
    1. Defining control objectives
    2. Control design (e.g., preventive, detective, corrective; informal, formal)
    3. Cost/benefits
  8. Techniques for determining control track record for the organization (e.g., reviews, audits, other assessments) (A)


P = Candidates must exhibit proficiency (thorough understanding; ability to apply concepts) in these topic areas.
A = Candidates must exhibit awareness (knowledge of terminology and fundamentals) in these topic areas.


When you are ready to begin the exam, the system will advise you of the time that you have to complete the exam. The time allotted for each actual exam is as follows:

CERTIFICATION IN CONTROL SELF-ASSESSMENT (CCSA): 115 multiple choice questions*; 2 hours and 55 minutes*
CERTIFIED GOVERNMENT AUDITING PROFESSIONAL (CGAP): 115 multiple choice questions*; 2 hours and 55 minutes*
CERTIFIED FINANCIAL SERVICES AUDITOR (CFSA): 115 multiple choice questions*; 2 hours and 55 minutes*


Note: As of mid-2013 the table above lists the number of questions and timing for the IIA specialty exams. Until the time of transition, the current 125-question specialty exam structure will remain in place. To view the transition timeline, please see:…