The audit profession moves faster than its credentials. A 2025 Wolters Kluwer survey found that 39% of internal auditors already use AI in their work and 41% plan to adopt within twelve months, which puts projected adoption near 80% by year-end 2026.
That changes how CCSA certification skills get used. It does not make them less useful. The work of running a risk conversation with the people who actually do the job still has to happen.
The CCSA, the IIA’s specialty credential for facilitators and risk practitioners, is in an awkward spot. The IIA closed new applications on December 31, 2018, and folded the body of knowledge into the relaunched Certification in Risk Management Assurance.
The CCSA designation itself is still valid for life, but only if holders complete their annual continuing professional education and report it through the Certification Candidate Management System on time.
For US internal auditors, risk officers, and Sarbanes-Oxley practitioners, the CCSA certification is still a credible signal of front-line control assessment skill.
That kind of work runs through operational risk programs at OCC-supervised banks, through SOX 404 management testing, and through how the IIA’s Three Lines Model treats first-line ownership.
The rest of this guide covers what the credential requires, what current holders need to do, and how the CRMA pathway picks up the work.
Why the CCSA Certification Still Matters in 2026
CSA, and the CCSA certification with it, lasts because the people who run a process know its weaknesses better than any auditor parachuted in for two weeks. CSA gives that intuition a structure.
CCSA-trained facilitators run the workshops, write the questionnaires, and turn what front-line teams say into something auditors, audit committees, and US regulators will accept as evidence.
In US banking, that translation is non-optional. The OCC’s Heightened Standards in 12 CFR Part 30, Appendix D, require national banks above the size threshold to maintain a risk governance framework where front-line units identify and assess their own controls.
The OCC proposed raising that threshold in December 2025, but supervisory expectations did not loosen. RCSA and CSA programs are still what examiners expect to see in covered banks.
The CCSA certification gave practitioners a working vocabulary: facilitation technique, control design versus operating effectiveness, residual risk, action ownership. It also gave them a credential US employers and regulators recognize. AI is changing how internal audit gathers evidence, but it cannot replace whoever designs the questions. The underlying skills the CCSA tests are worth more inside enterprise risk management programs now, not less. The credential is in legacy status. The methodology is not.
Figure 1: AI adoption across US internal audit functions (Wolters Kluwer, 2025; CPA Practice Advisor projection for 2026).
What Control Self-Assessment Is, and What the CCSA Certification Tests
Control Self-Assessment is a structured method for letting process owners, not auditors, evaluate the design and operation of the controls inside their work.
Three forms dominate practice. Facilitated workshops bring cross-functional teams together to talk through risks and controls in person.
Questionnaires push structured prompts to many process owners at once. Management-produced analysis layers self-evaluation on top of data finance, IT, and operations are already collecting.
The CCSA certification tested whether a candidate could pick the right CSA method for a given business problem, run the engagement to credible findings, and turn the output into something audit committees and US regulators could act on.
The last step is the one that matters. CSA findings sitting on a shared drive change nothing. CCSA-trained facilitators learn how to push findings into the risk register and the next risk-based audit plan.
In US financial services, CSA turns into Risk and Control Self-Assessment, the operational risk standard codified by Basel and embedded in OCC, Federal Reserve, and FDIC supervision.
Vendor RCSA modules from AuditBoard, Workiva, and MetricStream now run the questionnaire-and-workshop cycle digitally, with workflow automation, dashboards, and continuous control monitoring built in. The CCSA body of knowledge is what shapes those programs. The platforms are plumbing, not methodology.
CCSA Certification Status: Closed to New Applicants, Open to Active Holders
The IIA closed applications for the CCSA certification, the Certified Financial Services Auditor, and the Certified Government Auditing Professional on December 31, 2018. Anyone approved before that date got a window of two to four years to finish the exam.
The reason was consolidation: rather than keep three specialty certifications running alongside the CIA, the IIA folded the most useful content into a relaunched CRMA exam covering risk management assurance.
For practicing CCSA holders, that decision is mostly administrative. The designation is good for life as long as continuing professional education is reported through the Certification Candidate Management System on time.
There is no path back if a holder lapses to revoked status, which is why CPE compliance matters more than people realize. Holders who never earned the CIA can sit a one-part CIA Challenge Exam to convert into the IIA’s flagship designation.
Anyone looking at a CSA-focused certification today gets pointed toward the CRMA. The IIA no longer publishes a direct CSA-only credential.
The CCSA exam blueprint and learning objectives now sit inside the CRMA’s risk management assurance domain, especially around control evaluation, governance, and assurance reporting.
The choice for new candidates is simple: take the CRMA, or take the Certified Internal Auditor exam if full generalist standing is the goal.
CCSA Certification vs. Other IIA and Adjacent Credentials
| Credential | Status (2026) | Exam | CPE / Year | US Practitioner Fit |
| CCSA (legacy) | Closed to new applicants since Dec 31, 2018; valid for life with CPE | 115 questions / 2 hrs (closed) | 20 hrs (10 non-practicing) | Operational risk, RCSA, SOX 404 management testing, federal Green Book |
| CRMA (active successor) | Active; relaunched 2020-2021 | 125 questions / 2.5 hrs | 40 hrs (20 non-practicing) | Risk advisory, ERM, CRO office, second-line risk functions |
| CIA (active flagship) | Active; new Standards effective Jan 9, 2025 | 3 parts; multi-day | 40 hrs (20 non-practicing) | Internal audit generalist; required by many US CAEs |
| CISA (ISACA, adjacent) | Active | 150 questions / 4 hrs | 20 hrs (120 over 3 yrs) | IT audit, SOX ITGC, cyber assurance |
Eligibility, Exam Structure, and Domains for the CCSA Certification
The CCSA certification application window is closed, but the eligibility profile is still worth knowing for CRMA candidates inheriting the body of knowledge.
Candidates needed a four-year post-secondary degree or accredited equivalent, twelve months of control-related experience across audit, risk, compliance, quality assurance, or environmental auditing, and a character reference from a CIA, CRMA, CFSA, CGAP, CCSA holder, or direct supervisor. The IIA let candidates sit the exam before finishing experience hours.
Two requirements set the CCSA apart from every other IIA credential. First, a facilitation prerequisite: seven hours of facilitation experience or fourteen hours of facilitation training.
Running a CSA workshop is a facilitation exercise before it is an audit exercise, and the IIA wanted documented competency. Second, the exam weighted facilitation technique, group dynamics, and interviewing skill, not only risk and control theory.
The exam itself was a two-hour, 115-question, computer-based, multiple-choice assessment delivered through Pearson VUE testing centers worldwide. The Credly digital badge still issues to active holders for verification.
Results came back immediately at the end of the session. The blueprint covered six knowledge domains: CSA fundamentals, risk and control concepts, CSA process design, facilitation skills, data analysis and reporting, and the governance framework that gave CSA its institutional weight.
The Six CCSA Certification Exam Domains
| Domain | Coverage | Why It Mattered |
| 1. CSA Fundamentals | Objectives, benefits, methodologies (workshops, questionnaires, management-produced analysis), and CSA’s place in the governance framework | Tests whether the candidate could design a CSA program, not just describe one |
| 2. Risk Management & Internal Control | ISO 31000 and COSO frameworks, control design vs. operating effectiveness, residual risk, the relationship between risk and control | Anchored CCSA holders to the same vocabulary regulators and external auditors use |
| 3. CSA Methodology & Process | Scoping, criteria selection, planning, execution, documentation, action tracking | Closed the gap between assessment activity and remediation outcome |
| 4. Facilitation & Interviewing | Workshop facilitation, conflict management, active listening, candor-eliciting interviewing | The domain most unique to CCSA, and the one most directly tied to program success |
| 5. Data Analysis & Reporting | Trend analysis, KRI calibration, audit committee and management reporting, prioritization by risk significance | Translated CSA output into decisions audit committees actually act on |
| 6. Governance, Risk & Compliance | Board-level governance, regulatory compliance, ERM integration, GRC architecture | Placed CSA inside the integrated assurance picture US regulators expect |
The CCSA-to-CRMA Transition: What the Updated CRMA Tests in 2026
The IIA relaunched the CRMA in 2020-2021 as the successor pathway for risk-focused practitioners. The current exam runs 125 multiple-choice questions over 150 minutes, which makes it longer and broader than the legacy CRMA.
It is built around three weighted domains: Internal Audit Roles and Responsibilities at 20%, Risk Management Governance at 25%, and Risk Management Assurance at 55%. The assurance-heavy weighting is where former CCSA content lives.
Pricing in 2026 is simple. The IIA charges a $115 application fee for members and $230 for non-members, plus an exam fee of $445 for members and $580 for non-members. Against CIA pricing across three exam parts, the CRMA is the cheaper specialty path.
It is also the only IIA credential that explicitly tests risk assurance reasoning, which is the closest analog to what the CCSA certification once measured.
Practitioners who already hold the CCSA do not need to take the CRMA. For legacy holders, the two credentials carry equivalent IIA recognition.
But for risk officers entering the profession in 2026, or for experienced auditors moving from operational audit into risk advisory, the CRMA is the credential that says risk and control assurance depth. It also stacks naturally with the CIA for a complete credential set.
Figure 2: CRMA exam domain weighting. The assurance domain (55%) is where most former CCSA content sits (The IIA, 2026).
CCSA Certification CPE Requirements (and How to Stay Active)
Keeping a CCSA certification in active status requires twenty hours of continuing professional education each calendar year for practicing holders, ten hours for non-practicing holders. Two of those hours must cover ethics.
The ethics requirement sits inside the twenty-hour total, not on top of it. The IIA’s Certification Candidate Management System is the official reporting channel, and the deadline is December 31.
Late reporting is the single most common reason holders lose the credential. Missing the December 31 deadline moves status from active to inactive, which works as a grace period.
Continued non-compliance leads to permanent revocation, and the IIA does not maintain a recertification pathway for retired credentials. There is no exam to retake. There is no fast track back. The credential is gone, and the only path back to IIA-certified standing is through the CRMA or the CIA.
For CPE planning, mix mandatory and optional content. The IIA’s annual conferences, chapter events, and on-demand learning platform deliver CPE-eligible hours, as do major US-based GRC vendor user conferences.
CSA-relevant content includes facilitation refreshers, RCSA program design, AI in audit, and updated standards training. The new IIA Global Internal Audit Standards, effective January 9, 2025, are worth the CPE investment for any active CCSA certification holder.
Running CSA Programs the CCSA Certification Was Built To Lead
CSA programs run on a five-step cycle that the CCSA certification exam tested explicitly. Step one is scope: which processes, business units, or risk domains need assessment, set by the audit plan, regulatory exposure, and strategic priorities.
Step two is method selection: facilitated workshop, questionnaire, or hybrid. Step three is execution. Step four is evaluation and documentation. Step five is reporting and remediation tracking, which is the part that decides whether CSA changes anything.
Method selection gets less attention than it deserves. Facilitated workshops produce richer findings but eat calendar time and senior attention.
Questionnaires scale across hundreds of process owners but produce surface-level data unless they are designed carefully. The strongest US programs run both: questionnaires for triage, then targeted workshops on the highest-risk findings. Programs that pick one method and stick to it leave gaps the next risk assessment matrix review will surface.
The reporting step is where most CSA programs fail. Workshops produce action items. Questionnaires produce flagged controls. Without owners, deadlines, and risk mitigation tracking discipline, both produce nothing.
Effective programs route CSA findings into the same risk register that feeds quarterly board reporting and the next year’s internal audit plan. CCSA-trained facilitators learn to design that handoff into the program at the start, before audit committee patience starts to run out.
The Three Lines Model the IIA published in July 2020 (replacing the older Three Lines of Defense framing) is where CSA fits inside the broader assurance architecture. First-line ownership of risk and control sits with operating management.
CSA is the method that operationalizes that ownership. Second-line risk and compliance functions design the methodology, calibrate scoring, and aggregate results. Third-line internal audit then assures that the CSA program is reliable.
Five-Step CSA Program Cycle the CCSA Certification Equips Practitioners to Lead
| Step | Activities | Output and Common Failure Mode |
| 1. Scope and Objectives | Identify processes, business units, and risk domains; align to audit plan, regulatory exposure, and strategic priorities | Output: documented scope statement. Failure: vague objectives that allow workshops to drift. |
| 2. Method Selection | Choose facilitated workshop, questionnaire, or hybrid based on materiality, complexity, and stakeholder availability | Output: assessment design. Failure: defaulting to questionnaires only because workshops are harder to schedule. |
| 3. Preparation and Execution | Prepare agendas, calibrate questions, train facilitators, run sessions or distribute questionnaires | Output: workshop outputs and questionnaire responses. Failure: undertrained facilitators producing surface-level findings. |
| 4. Evaluation and Documentation | Assess control design vs. operating effectiveness, score residual risk, document gaps and root causes | Output: assessed risk profile with rationale. Failure: scoring inconsistency across business units. |
| 5. Reporting and Remediation Tracking | Report to management and audit committee; assign owners and deadlines; track remediation to closure | Output: remediation register tied to risk register. Failure: action items drift, audit committee loses confidence in the program. |
CCSA Certification and Career Value: US Salary Benchmarks (2026)
Internal audit compensation in the United States is mapped under the BLS Standard Occupational Classification 13-2011, Accountants and Auditors. The May 2024 BLS data, which is the latest available, reports a median annual wage of $81,680, with the top decile earning more than $141,420.
The BLS does not break internal auditors out separately, but Robert Half’s published 2026 ranges cover the role explicitly and track what risk practitioners actually recruit against.
The Robert Half 2026 Salary Guide puts a US Internal Auditor between $68,750 and $99,750, and a Senior Internal Auditor between $89,750 and $121,750. Audit Manager, Director of Internal Audit, and Chief Audit Executive bands climb well above that in financial services and Fortune 500 corporates. Specialty credentials (CIA, CRMA, CISA, and the legacy CCSA) track with the upper half of these ranges, though no public dataset isolates the CCSA-specific premium cleanly.
The pattern across US salary surveys is consistent: certified internal auditors earn more than non-certified peers, with the CIA premium estimated near 40% in industry surveys. Specialty credentials reinforce that premium when paired with focused experience.
A CCSA-trained operational risk officer with RCSA program leadership and a CRMA pairing is the kind of profile US banks and Fortune 1000 risk teams pay above-band for, especially when ERM technology implementation is on the agenda.
Figure 3: US internal audit salary ranges, 2026 (Robert Half 2026 Salary Guide; CAE band sourced from public proxies and recruiter data).
AI, GRC Software, and the Future of CCSA Certification Skills
The economics of governance, risk, and compliance technology explain why CSA skills are still in demand. Mordor Intelligence pegs the GRC software market at $21.04 billion in 2025, $23.32 billion in 2026, and $39.01 billion by 2031, a 10.84% compound annual growth rate.
North America accounts for roughly 39.55% of that revenue. The money chases automation of the same workflows CCSA-trained practitioners design and run.
The AI story matters more. Wolters Kluwer’s 2025 internal audit survey found that 39% of internal auditors already use AI, 41% plan to adopt within twelve months, and adoption is projected to reach roughly 80% by year-end 2026.
The IIA’s AI Auditing Framework, organized around the Three Lines Model, treats AI in audit as a baseline professional expectation rather than something on the horizon.
Where the CCSA skill set compounds with AI is in setting the questions AI tools answer. Machine learning surfaces patterns in transaction data. Natural language processing parses regulatory text. Generative AI drafts audit findings.
None of those substitute for the facilitator who decides which controls to test, frames the workshop question, and turns output into action ownership. AI speeds execution. The practitioners who design the assessment itself stay the bottleneck. They are also the value.
Figure 4: Global GRC software market, 2025-2031, with North America at roughly 39.55% of revenue (Mordor Intelligence, 2026).
Common Pitfalls in CCSA Certification CPE Compliance and CSA Programs
Two failure patterns dominate. The first is CCSA certification CPE lapses: holders forget the December 31 reporting deadline, miss it twice, and lose the credential.
The second is CSA programs stalling, with unclear scope, weak facilitation, no remediation tracking, and no integration with the risk register. The IIA body of knowledge addresses every one of these failures, but only if practitioners apply it after the exam.
| Pitfall | Root Cause | Remedy |
| Missed CCSA certification CPE reporting deadline | Lack of internal calendar discipline; assumption that the CCMS sends reminders | Set personal Q4 reminders; report progressively across the year, not in December |
| CCSA certification status drifting from inactive to revoked | Failure to act during the inactive grace period | Treat the first inactivity notice as a critical alert; restore CPE compliance immediately |
| Vague CSA scope statements | Pressure to launch programs quickly without scoping discipline | Anchor scope in regulatory exposure and the audit plan; document the rationale |
| Workshop facilitation by untrained leaders | Belief that domain expertise substitutes for facilitation skill | Use CCSA-trained facilitators; supplement with refresher facilitation training as CPE |
| CSA findings without owners or deadlines | Reporting culture focused on capture, not remediation | Build owner / deadline / status into the CSA template; track at audit committee level |
| CSA disconnected from the risk register | Treating CSA as a one-off instead of a program input | Route every CSA finding into the enterprise risk register; align with KRI thresholds |
| Over-reliance on questionnaires | Workshop scheduling friction; preference for scalability | Use questionnaires for triage; reserve workshops for the highest-risk processes |
| Treating AI as a substitute for facilitation | Vendor marketing positioning AI as a CSA replacement | Use AI for evidence gathering and pattern detection; preserve human-led question design |
What’s Coming Next for CCSA Certification and CSA Practice (2026-2028)
Three shifts will define how CSA practice evolves through 2028. First, the IIA’s new Global Internal Audit Standards, effective January 9, 2025, embed risk-based assurance more deeply across the audit lifecycle, including how internal auditors evaluate the CSA programs they rely on.
Practitioners should expect chief audit executives to scrutinize CSA program quality with sharper questions, especially around scoping discipline, facilitation rigor, and remediation closure rates.
Second, PCAOB AS 2201 amendments take effect for audits of fiscal years ending on or after December 15, 2026. They tighten external auditor expectations on management review controls, IT general controls, and information produced by the entity.
SOX 404 management self-assessment still anchors on the COSO Internal Control framework, and CCSA-trained skill in evaluating control design and operation is what AS 2201 calibrates against in 2026 and beyond.
Third, the GAO Green Book 2025 Revision becomes effective in fiscal year 2026 for federal entities and their contractors.
The 2025 edition replaces the 2014 version and codifies explicit fraud, improper payments, information security, and emergency program controls into the federal internal control standard. CSA programs at federal agencies and major contractors will recalibrate against the revised Green Book, and CCSA-trained facilitators are positioned to lead that work.
Underneath all three regulatory shifts, ISO 31000:2018, COSO ERM 2017, and the NIST AI Risk Management Framework still set the assurance vocabulary US practitioners use day to day.
Pair the CCSA-trained methodology with these current standards, and the result covers most of what US supervisory expectations look for through 2028. The credential closure does not change the underlying material that examiners and audit committees keep asking about.
CCSA Certification FAQs: Expert Answers to Critical Questions
Is the CCSA certification still valid in 2026?
Yes. The CCSA certification is valid for life for anyone who earned it before applications closed on December 31, 2018, provided annual CPE is reported.
The IIA stopped accepting new candidates but did not retire the credential. Practicing holders report 20 CPE hours each year (10 for non-practicing) through the Certification Candidate Management System by December 31. Skip a year, and status moves to inactive. Skip longer, and the credential is permanently revoked.
Can I still take the CCSA certification exam?
No. The IIA closed applications for the CCSA certification, the CFSA, and the CGAP on December 31, 2018. Candidates approved before that date got a two-to-four-year window to complete the exam, but no new applicants are accepted.
Anyone after a CSA-focused IIA credential in 2026 should pursue the Certification in Risk Management Assurance instead. The CRMA absorbed CCSA exam content during its 2020-2021 relaunch and is the recognized successor pathway.
What is the difference between the CCSA certification and the CRMA?
The CCSA certification was a specialty credential focused entirely on Control Self-Assessment, with explicit testing of facilitation technique and workshop design.
The CRMA is broader: it covers internal audit roles, risk management governance, and risk management assurance across 125 questions over 150 minutes. CRMA pricing in 2026 is $115 application plus $445 exam for members, $230 plus $580 for non-members. CCSA content sits inside the CRMA assurance domain.
How many CPE hours does the CCSA certification require each year?
Active practicing CCSA certification holders complete 20 CPE hours each calendar year through the IIA Certification Candidate Management System by December 31. Non-practicing holders need only 10 hours.
Two of the required hours must cover ethics, and ethics counts inside the 20-hour total rather than on top of it. CPE-eligible content includes IIA conferences, chapter events, on-demand learning, GRC vendor user conferences, and qualifying continuing education on risk, control, audit, or facilitation.
Is the CCSA certification worth pursuing if I already hold the CIA?
Pursuing the CCSA certification is no longer possible. Applications closed in 2018. For CIA holders interested in deeper CSA and risk-assurance specialization, the CRMA is the IIA’s current recommended path.
CIA-plus-CRMA fits well in operational risk roles at US banks subject to OCC Heightened Standards, in SOX 404 management testing functions, and in internal audit teams where the RCSA program is central to second-line interaction with regulators and the audit committee.
How does the CCSA certification fit with the new IIA Global Internal Audit Standards?
The IIA Global Internal Audit Standards, effective January 9, 2025, replaced the International Professional Practices Framework Standards. CSA practice (and the methodology the CCSA certification tested) sits inside the new Standards’ engagement-objective and risk-assurance domains.
Practicing CCSA certification holders should treat the new Standards as priority CPE content. Internal audit functions that rely on CSA inputs are now expected to evaluate program quality against the Standards’ updated risk-based assurance requirements, including scoping rigor and remediation tracking.
Does the CCSA certification still carry weight with US regulators?
Indirectly, yes. The CCSA certification is not named in OCC, Federal Reserve, FDIC, or SEC regulations, but the underlying skill set (CSA program design, facilitation, RCSA execution) is what those regulators expect to see in supervised institutions.
The OCC’s Heightened Standards in 12 CFR Part 30, Appendix D, currently in proposed rulemaking around the size threshold, anchor front-line risk identification and control assessment in covered banks. CCSA-trained practitioners design the programs supervisors evaluate.
The Bottom Line on the CCSA Certification in 2026
The CCSA certification is in legacy status, but the discipline it certified shows up everywhere: in US bank operational risk programs, in SOX 404 management testing, in federal Green Book compliance, and in AI-augmented continuous assurance work.
Current holders should treat CPE compliance as routine and the new Global Internal Audit Standards as priority study. New entrants should take the CRMA, pair it with the CIA where it fits, and use CSA methodology across the risk management lifecycle.
The shape of the actual work does not change. CSA succeeds when process owners feel safe flagging weakness, when facilitators design questions that surface real risk instead of performing compliance theater, and when findings drive remediation that boards can verify.
The CCSA certification formalized that skill set. Its legacy status does not retire the practice. For US risk and audit teams operating against OCC, SEC, PCAOB, and ISO 31000 benchmarks at once, the practice keeps mattering.
Want to tighten your CSA program design or build the CRMA pathway forward? Visit riskpublishing.com for practical playbooks on RCSA, COSO vs. ISO 31000, enterprise risk management frameworks, KRI calibration, risk appetite statements, and US regulatory expectations from OCC, SEC, PCAOB, and GAO. Have specific questions about CCSA certification CPE compliance or designing a defensible CSA program at your organization? Reach out through the contact page.
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.