Chapter 2

Governance & Management of IT

Visual mnemonics for IT governance frameworks, strategy alignment, risk management, and organizational oversight

Domain 2: Governance & Management of IT (17% of the exam)
👩‍💼

Alex's Week 2 — The Governance Gap

Alex survived her first week. She knows how to plan an audit and collect evidence. Now her manager drops a bigger challenge: audit IT governance at Meridian Corp. “You'll need to understand how the whole thing is supposed to work,” he says, “before you can tell them how badly it isn't.” Alex opens her notebook to a fresh page.

Part A Section 2.1

IT Governance Frameworks

D2-G1 — The Four Pillars

IT Governance Frameworks: "CITI"

👩‍💼

Alex sits across from Meridian's CIO and asks the question every governance auditor starts with: “What framework does your IT governance follow?” He pauses. Looks at his bookshelf. “We follow… best practices.” Alex writes in her notebook: No formal framework adopted. This is going to be a long week.

A grand boardroom with four marble pillars labeled COBIT, ITIL, ISO, TOGAF supporting a ceiling inscribed GOVERNANCE
Mnemonic — Remember the 4 Frameworks
C · I · T · I  —  "CITI"
C

COBIT

IT governance & management framework by ISACA. Focus: business-IT alignment, value delivery, risk management.

I

ITIL

IT service management best practices. Focus: service lifecycle — strategy, design, transition, operation, improvement.

T

TOGAF

Enterprise architecture framework. Focus: architecture development method (ADM) for aligning IT with business.

I

ISO 27001

Information security management system (ISMS) standard. Focus: confidentiality, integrity, availability.

COBIT is the #1 Framework for CISA

COBIT (Control Objectives for Information and Related Technologies) is ISACA's own framework and the most heavily tested. COBIT 5 is built on five principles; COBIT 2019 expands these to six principles for a governance system. Both versions distinguish governance (evaluate, direct, monitor) from management (plan, build, run, monitor).

Key Exam Tip

COBIT is the primary framework referenced by ISACA for IT governance. Know the distinction: Governance is the board's responsibility (evaluate, direct, monitor); Management is the executive team's responsibility (plan, build, run, monitor). The exam frequently tests this separation.

📰 Real World

The 2017 Equifax breach was attributed partly to governance failures. The House Oversight Committee's report found that the chief security officer reported to the chief legal officer rather than to the CIO, so security and IT operations sat in separate reporting lines and nobody was accountable for confirming that the known Apache Struts vulnerability (CVE-2017-5638) had actually been patched; it stayed open for months. The 2019 settlement with the FTC, CFPB and the states cost at least $575 million.

Test Yourself — Governance Frameworks
Q1. An IS auditor finds that an organisation has not adopted a formal IT governance framework. What is the MOST significant risk?
A. IT projects may exceed their budgets
B. There is no structured basis for aligning IT with business objectives
C. The organisation cannot pass external audits
D. IT staff will lack technical certifications
Reveal Answer
Correct: B
The primary purpose of an IT governance framework is to ensure IT supports business objectives. Without one, there is no structured mechanism for alignment, value delivery, or risk management. Budget overruns (A) are a symptom, not the root risk. External audit failure (C) is possible but not the most significant risk. Staff certifications (D) are an HR issue.
Q2. Which IT governance framework is MOST closely associated with ISACA and is the PRIMARY framework referenced on the CISA exam?
A. ITIL
B. ISO 27001
C. COBIT
D. TOGAF
Reveal Answer
Correct: C
COBIT (Control Objectives for Information and Related Technologies) is ISACA's own framework and the most heavily tested on the CISA exam. ITIL (A) focuses on IT service management. ISO 27001 (B) focuses on information security management. TOGAF (D) focuses on enterprise architecture.
Q3. In COBIT, the distinction between governance and management is BEST described as:
A. Governance implements controls; management monitors them
B. Governance evaluates, directs, and monitors; management plans, builds, runs, and monitors
C. Governance is the CIO's responsibility; management is the Board's responsibility
D. Governance applies to IT only; management applies to the whole organisation
Reveal Answer
Correct: B
COBIT clearly separates governance (Evaluate, Direct, Monitor — the Board's role) from management (Plan, Build, Run, Monitor — the executive team's role). The trap is reversing the roles (C) or confusing who does what (A). Governance applies to the whole organisation, not just IT (D).

Alex now knows Meridian has no framework. But does it at least have an IT strategy? She asks to see it.

Part A Section 2.2

IT Strategy & Alignment

D2-G2 — The Bridge

IT Strategy Aligned to Business Strategy

👩‍💼

Alex asks for the IT strategy document. Someone finds it on a shared drive. Last updated four years ago. Signed by a CEO who left in 2022. The IT department spent $2M building a data warehouse — nobody in the business asked for it. Alex underlines a phrase in the strategy document: “Align IT with business needs.” Ironic.

A business boardroom on the left connected by a golden bridge labeled Alignment to an IT command center on the right
🏢

Business Strategy

  • Mission, vision, values
  • Business objectives & goals
  • Competitive positioning
  • Market & stakeholder needs
💻

IT Strategy

  • IT mission aligned to business
  • Technology roadmap
  • IT capabilities & investments
  • Service delivery model
Strategic Alignment Model
Four linked domains: Business Strategy, IT Strategy, Business Processes and IT Architecture. Each domain has to stay consistent with the other three; alignment is not only IT strategy matching business strategy.

IT Balanced Scorecard Links Strategy to Performance

The IT balanced scorecard translates IT strategy into four measurable perspectives: Financial (cost efficiency), Customer (user satisfaction), Internal Processes (operational excellence), and Learning & Growth (innovation & skills).

Key Exam Tip

The IT strategic plan should be a 3–5 year long-range plan aligned to the business strategic plan. The IT tactical plan covers 1 year and breaks down the strategic plan into actionable projects. If asked what should be reviewed FIRST when auditing IT governance, the answer is the IT strategic plan.

📰 Real World

Kodak's IT strategy remained focused on film digitisation infrastructure while the business needed digital camera and mobile photo capabilities. The $1B+ IT investment did not align to where the business needed to go — a textbook IT-business misalignment.

Test Yourself — IT Strategy & Alignment
Q1. When auditing IT governance, what should an IS auditor review FIRST?
A. IT operational procedures
B. The IT strategic plan and its alignment to business strategy
C. IT budget variance reports
D. System access control logs
Reveal Answer
Correct: B
The IT strategic plan is the foundation of IT governance — it defines how IT supports business objectives. Without reviewing alignment first, the auditor cannot assess whether IT activities are properly directed. Operational details (A, C, D) come later.
Q2. An IS auditor finds that an organisation's IT strategic plan was last updated three years ago and references technologies the organisation no longer uses. What is the GREATEST risk?
A. The IT budget may be inaccurate
B. IT investments may not align with current business objectives
C. The CIO may lose credibility with the board
D. IT staff may lack proper training on current systems
Reveal Answer
Correct: B
An outdated IT strategic plan cannot guide IT investments toward current business goals — this is the fundamental purpose of the plan. Budget inaccuracy (A) is a symptom. CIO credibility (C) is a secondary concern. Staff training (D) is an operational issue, not the greatest strategic risk.
Q3. An IS auditor discovers that the IT department built a major system without a corresponding business requirement. This BEST indicates a failure of:
A. Change management
B. Project management
C. IT-business strategic alignment
D. Quality assurance
Reveal Answer
Correct: C
Building systems nobody asked for is a classic alignment failure. Change management (A) governs modifications to existing systems. Project management (B) would be relevant if the project existed but was poorly run. QA (D) checks quality, not purpose. The root cause is IT acting independently of business needs.

An outdated strategy is one thing. But who is supposed to own it? Alex asks who is responsible for IT governance at Meridian. The answer is… complicated.

Part A Section 2.3

Roles & Responsibilities

D2-G3 — The Royal Court

IT Governance Roles & Responsibilities

👩‍💼

Alex asks the question that makes everyone uncomfortable: “Who owns IT risk at Meridian?” The CIO points at the CISO. The CISO points at the infrastructure manager. The infrastructure manager points at the CIO. Three people. Three fingers. Nobody pointing at themselves. Alex writes: No clear accountability for IT risk.

A royal court scene with the Board of Directors on a throne, CIO with a tech scepter, CISO with a shield, and IT Steering Committee at a round table
👑

Board of Directors

  • Ultimate accountability for IT governance
  • Approves IT strategy & policies
  • Oversees risk appetite
  • Ensures value delivery
📊

IT Steering Committee

  • Cross-functional oversight body
  • Prioritizes IT projects & investments
  • Monitors IT performance
  • Resolves resource conflicts
🖥️

CIO (Chief Information Officer)

  • Leads IT strategy execution
  • Manages IT operations
  • Reports to CEO or Board
  • Bridges business & technology
🛡️

CISO (Chief Info Security Officer)

  • Owns information security program
  • Develops security policies
  • Manages security incidents
  • Reports to CIO or directly to CEO

Key Separation: Governance vs. Management

Governance (Board)

  • Evaluate, Direct, Monitor
  • Sets direction and limits

Management (Executives)

  • Plan, Build, Run, Monitor
  • Executes within boundaries
Key Exam Tip

The Board of Directors has ultimate accountability for IT governance — this is non-delegable. The IT Steering Committee is an advisory/oversight body, not an operational body. The CISO should ideally report independently of the CIO to avoid conflict of interest.

📰 Real World

At Enron, the board waived its own conflict-of-interest rules so the CFO could run the off-balance-sheet partnerships that hid the company's losses, removing the independent oversight that governance is supposed to provide. When the people with a financial incentive to downplay risk are also the ones overseeing it, nobody is accountable and the gaps persist.

Test Yourself — Roles & Responsibilities
Q1. Who has ULTIMATE accountability for IT governance in an organisation?
A. The CIO
B. The IT Steering Committee
C. The Board of Directors
D. The CISO
Reveal Answer
Correct: C
The Board of Directors has ultimate, non-delegable accountability for IT governance. The CIO (A) executes IT strategy. The Steering Committee (B) provides oversight but is advisory. The CISO (D) manages security specifically. ISACA always points to the Board as the top of the accountability chain.
Q2. The IT Steering Committee's PRIMARY role is to:
A. Make day-to-day IT operational decisions
B. Provide strategic direction and prioritise IT investments
C. Develop IT security policies
D. Approve individual change requests
Reveal Answer
Correct: B
The IT Steering Committee sets strategic direction and prioritises investments — it is NOT an operational body. The trap (A) confuses strategic oversight with operational management. Security policies (C) are the CISO's domain. Change requests (D) go through change management.
Q3. An IS auditor finds that the CISO reports directly to the CIO. What is the auditor's GREATEST concern?
A. The CISO may lack technical skills
B. Security budget may be insufficient
C. Independence of the security function may be compromised
D. The CIO may not understand security threats
Reveal Answer
Correct: C
When the CISO reports to the CIO, there is a conflict of interest — the CIO may prioritise delivery over security. The CISO should ideally report independently to the CEO or Board. This is an independence issue, not a skills (A), budget (B), or knowledge (D) issue.

Nobody owns risk. Nobody owns strategy. But surely, Alex thinks, they at least have policies written down? She opens the document repository.

Part A Section 2.4

Policies, Standards, Procedures & Guidelines

D2-G4 — The Pyramid of Authority

IT Policy Hierarchy

👩‍💼

Alex opens the shared drive and finds 47 IT-related documents. None reference each other. Some call themselves “policies.” One is clearly someone's working notes with “POLICY” typed at the top in bold. Another “standard” is actually a guideline. Alex starts sorting them into a hierarchy. It takes the rest of the morning.

A tiered pyramid in a grand library, with layers labeled Policy, Standard, Procedure, and Guideline from top to bottom
Hierarchy (Top = Most Authority)
1 Policy — High-level intent from senior management. MANDATORY. "What" to do.
2 Standard — Specific, mandatory requirements. "What" exactly is required.
3 Procedure — Step-by-step instructions. "How" to do it. Mandatory.
4 Guideline — Recommended practices. OPTIONAL. "How" it could be done.
Mnemonic — Remember the Hierarchy
"Please Stop Performing Guesswork"

Mandatory Documents

  • Policy — Senior management approved
  • Standard — Specific requirements
  • Procedure — Detailed steps

Optional Document

  • Guideline — Best practices, advisory
  • Can be deviated from with justification
  • Most flexible document type
Key Exam Tip

Only guidelines are optional — policies, standards, and procedures are all mandatory. Policies must be approved by senior management. When the exam asks what to check FIRST for governance issues, start with whether an up-to-date policy exists.

📰 Real World

The 2013 Target breach was enabled partly by inadequate vendor access policies — a third-party HVAC vendor had network access that wasn't governed by appropriate policy controls. Target paid $18.5M in state settlement.

Test Yourself — Policy Hierarchy
Q1. In the IT policy hierarchy, which document type is the ONLY one that is optional?
A. Policy
B. Standard
C. Procedure
D. Guideline
Reveal Answer
Correct: D
Guidelines are advisory and optional — they can be deviated from with justification. Policies (A), standards (B), and procedures (C) are all mandatory. The trap is thinking procedures are optional because they're detailed — they're not.
Q2. Who should approve IT policies?
A. The IT department
B. The IS auditor
C. Senior management
D. The IT Steering Committee
Reveal Answer
Correct: C
Policies must be approved by senior management to carry organisational authority. IT (A) drafts them but shouldn't approve them. The auditor (B) reviews them but never approves. The Steering Committee (D) may review but senior management signs off.
Q3. An IS auditor reviewing the policy framework finds that policies exist but no supporting standards or procedures have been developed. What is the BEST recommendation?
A. Accept the policies as sufficient governance
B. Recommend developing standards and procedures to operationalise the policies
C. Recommend replacing policies with more detailed guidelines
D. Report that the organisation has no governance framework
Reveal Answer
Correct: B
Policies without standards and procedures are unenforceable — they state intent without specifying requirements or steps. The auditor should recommend completing the hierarchy. Accepting them (A) ignores the gap. Replacing with guidelines (C) weakens governance. The framework exists but is incomplete (D is too extreme).

Policies are a mess. But at least Meridian tracks its risks… right? Alex asks to see the risk register.

Part B Section 2.5

Risk Management

D2-G5 — Castle Defense

IT Risk Management Process

👩‍💼

The risk register exists. Alex finds it in a dusty folder on the infrastructure manager's desk. Last reviewed eighteen months ago. Item #1: “Legacy system failure — HIGH.” No action taken. No owner assigned. Alex asks why. “We've always managed,” says the infrastructure manager. Alex writes: Risk register exists but is not actively managed.

A medieval castle with four watchtowers flying flags for Avoid, Transfer, Mitigate, and Accept, with a dragon threat in the distance
Risk Management Lifecycle
1
Identify

Catalog threats, vulnerabilities, and assets

2
Assess

Analyze likelihood × impact. Quantitative or qualitative.

3
Respond

Choose: avoid, transfer, mitigate, or accept

4
Monitor

Ongoing tracking, KRIs, risk register updates

Risk Formula
Risk = Threat × Vulnerability × Impact (a conceptual model rather than arithmetic: risk rises with the likelihood that a threat exploits a vulnerability and with the resulting impact, and in practice is scored as likelihood × impact)
4 Risk Response Strategies

🚫 Avoid

Eliminate the risk by stopping the activity entirely

🤝 Transfer

Shift to a third party (insurance, outsourcing)

🛠️ Mitigate

Reduce likelihood or impact with controls

✋ Accept

Acknowledge & absorb. Must be approved by management.

Risk Appetite vs. Risk Tolerance

Risk Appetite — The broad level of risk the organization is willing to accept to achieve its objectives. Set by the Board.

Risk Tolerance — The acceptable variation from the risk appetite. More specific and measurable.

Key Exam Tip

Risk acceptance requires formal approval by senior management; it cannot be decided by IT alone. The risk register should be updated continuously, not just annually. Know the difference between qualitative (high/medium/low) and quantitative (SLE = asset value × exposure factor; ALE = SLE × ARO) risk analysis.
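A worked example of the quantitative side, added here and not part of the original page: it scores constructed risk-register entries with SLE and ALE, compares candidate controls by the ALE they avoid against what they cost, recommends a response (mitigate, accept pending sign-off, or escalate), and flags entries that are stale or unowned, the two findings Alex wrote down. The register entries, asset values, exposure factors, control costs, the 50,000 tolerance and the 365-day review threshold are all assumed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Risk:
    name: str
    asset_value: float       # AV: value of the asset at risk (currency units)
    exposure_factor: float   # EF: fraction of AV lost per incident, 0.0 to 1.0
    aro: float               # ARO: expected number of incidents per year
    last_reviewed: date
    owner: Optional[str] = None


@dataclass
class Control:
    name: str
    annual_cost: float       # cost per year (amortised purchase plus running cost)
    residual_ef: float       # EF once the control is in place
    residual_aro: float      # ARO once the control is in place


def sle(r: Risk) -> float:
    """Single Loss Expectancy: what one incident costs."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annual Loss Expectancy: expected loss per year with no new control."""
    return sle(r) * r.aro


def control_value(r: Risk, c: Control) -> float:
    """Annual net benefit of a control: ALE avoided minus the control's own cost."""
    residual_ale = r.asset_value * c.residual_ef * c.residual_aro
    return ale(r) - residual_ale - c.annual_cost


def recommend(r: Risk, candidates: list, tolerance: float) -> tuple:
    """Mitigate with the best cost-justified control; otherwise accept if the ALE
    is within tolerance (still needs formal sign-off); otherwise escalate."""
    best = max(candidates, key=lambda c: control_value(r, c), default=None)
    if best is not None and control_value(r, best) > 0:
        return ("mitigate", best.name, control_value(r, best))
    if ale(r) <= tolerance:
        return ("accept: requires documented senior-management approval", None, 0.0)
    return ("escalate: exceeds tolerance and no proposed control pays for itself", None, 0.0)


def register_findings(register: list, today: date, max_age_days: int = 365) -> list:
    """Audit checks on the register itself: stale reviews and missing owners."""
    findings = []
    for r in register:
        age = (today - r.last_reviewed).days
        if age > max_age_days:
            findings.append(f"{r.name}: last reviewed {age} days ago")
        if r.owner is None:
            findings.append(f"{r.name}: no owner assigned")
    return findings


# Constructed register entries and candidate controls (illustrative numbers, not real data).
LEGACY = Risk("Legacy system failure", asset_value=2_000_000, exposure_factor=0.25,
              aro=0.5, last_reviewed=date(2023, 12, 1))
LAPTOP = Risk("Laptop theft", asset_value=50_000, exposure_factor=0.20,
              aro=2.0, last_reviewed=date(2025, 3, 15), owner="Infrastructure manager")

LEGACY_CONTROLS = [
    Control("Replace platform", annual_cost=180_000, residual_ef=0.25, residual_aro=0.05),
    Control("Warm standby", annual_cost=60_000, residual_ef=0.10, residual_aro=0.5),
]
LAPTOP_CONTROLS = [
    Control("Full-disk encryption", annual_cost=25_000, residual_ef=0.02, residual_aro=2.0),
]

if __name__ == "__main__":
    today = date(2025, 6, 1)   # assumed audit date
    for risk, controls in ((LEGACY, LEGACY_CONTROLS), (LAPTOP, LAPTOP_CONTROLS)):
        print(f"{risk.name}: SLE={sle(risk):,.0f} ALE={ale(risk):,.0f}")
        print("  ->", recommend(risk, controls, tolerance=50_000))
    for finding in register_findings([LEGACY, LAPTOP], today):
        print("finding:", finding)
```

Note what the numbers say: the cheaper warm-standby option beats a full platform replacement because it removes more ALE per unit of cost, and laptop encryption is not cost-justified on ALE alone, so the correct response is a documented acceptance, not a quiet one. If the tolerance were lower than the ALE, the function escalates rather than accepting by default.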

📰 Real World

Knight Capital Group (2012) left dormant legacy code (Power Peg) in its trading platform for years rather than removing it. A new release was deployed to only seven of its eight trading servers; on the eighth, a reused flag reactivated the old code, and within about 45 minutes Knight had lost roughly $440 million. A known, unowned, unactioned risk in a legacy system is exactly what an actively managed register is meant to surface before it happens.

Test Yourself — Risk Management
Q1. An IS auditor discovers that the risk register has not been updated in 18 months. What is the MOST significant concern?
A. The register may contain too many items
B. New risks may be unidentified and existing risk ratings may be inaccurate
C. The format of the register may be outdated
D. Management may have changed roles since the last update
Reveal Answer
Correct: B
A stale risk register means new threats are unidentified and existing assessments may no longer reflect reality. The concern is about risk visibility, not volume (A), formatting (C), or personnel changes (D). ISACA emphasises continuous risk monitoring.
Q2. Risk acceptance as a response strategy requires:
A. Approval by the IT department
B. Formal documentation and approval by senior management
C. No documentation since the risk is being accepted
D. Transfer of the risk to an insurance provider
Reveal Answer
Correct: B
Risk acceptance must be a conscious, documented decision approved by senior management — not IT alone (A). The trap is thinking acceptance means ignoring the risk (C). Transfer to insurance (D) is a different response strategy entirely.
Q3. Which risk assessment approach uses the formula ALE = ARO × SLE?
A. Qualitative risk analysis
B. Quantitative risk analysis
C. Semi-quantitative risk analysis
D. Risk-based audit planning
Reveal Answer
Correct: B
ALE (Annual Loss Expectancy) = ARO (Annual Rate of Occurrence) × SLE (Single Loss Expectancy) is a quantitative formula. Qualitative (A) uses high/medium/low categories. The trap is confusing quantitative methods with qualitative scales.

The risks are known but ignored. Alex wonders: if nobody is managing risk, who is managing the IT resources? She pulls the asset inventory.

Part B Section 2.6

IT Resource Management

D2-G6 — Resource Operations Center

The Four IT Resources

👩‍💼

Alex pulls the IT asset inventory and finds something remarkable. Meridian has three separate project management systems. Three different departments bought their own without checking what already existed. Nobody knows which one is the “official” system. Annual licence cost for the duplicates: $340,000. Alex writes: No central resource governance.

A vibrant operations center with four resource stations: Human Resources, Infrastructure, Applications, and Information
Mnemonic — Remember the 4 Resources
"P · I · A · I" — People, Infrastructure, Applications, Information
👥

People

  • Skills & competencies
  • Training programs
  • Succession planning
  • Segregation of duties
🖧

Infrastructure

  • Hardware & networks
  • Data centers
  • Cloud services
  • Capacity planning
📱

Applications

  • Business software
  • Enterprise systems
  • Custom development
  • License management
📁

Information

  • Data classification
  • Data lifecycle
  • Data quality
  • Data governance

Resource Optimization Goal

IT resource management ensures that the right resources are available at the right time to support business objectives. The IS auditor should verify that resources are inventoried, managed, and optimized through proper planning and monitoring.

Key Exam Tip

Human resources are often the most critical and vulnerable IT resource. The exam frequently tests mandatory vacations, job rotation, and segregation of duties as key HR controls. Data classification is the foundation of information resource management.

📰 Real World

During the 2017 WannaCry ransomware attack, the UK National Audit Office found that 80 of the 236 NHS trusts were affected, that the infected organisations had not applied the Windows patch Microsoft had released two months earlier, and that NHS Digital had no central mechanism for checking whether trusts had followed its patching guidance. Unmanaged infrastructure with no central view of it is a resource-governance failure, not only a technical one.

Test Yourself — IT Resource Management
Q1. An IS auditor discovers that multiple departments have independently purchased systems with overlapping functionality. This BEST indicates a failure of:
A. Vendor management
B. IT resource management and governance
C. Data classification
D. Change management
Reveal Answer
Correct: B
Duplicate systems indicate no central resource governance or oversight of IT investments. This is a resource management failure, not a vendor issue (A), data issue (C), or change issue (D). The IT Steering Committee should coordinate to prevent this.
Q2. Which IT resource control is MOST effective at detecting fraud?
A. Segregation of duties
B. Mandatory vacations
C. Job rotation
D. Background checks
Reveal Answer
Correct: B
Mandatory vacations are a detective control — when an employee is away, someone else performs their duties and may discover irregularities. Segregation of duties (A) is preventive. Job rotation (C) is both preventive and detective but mandatory vacation is more directly targeted at fraud detection. Background checks (D) are preventive.
Q3. The MOST critical IT resource in most organisations is:
A. Infrastructure
B. Applications
C. People
D. Information
Reveal Answer
Correct: C
ISACA considers people (human resources) the most critical and vulnerable IT resource. Without skilled people, infrastructure, applications, and information cannot be effectively managed. The trap is choosing information (D), which is valuable but managed by people.

Three systems doing one job. Zero coordination. But surely the performance dashboard would have flagged this? Alex checks the KPIs.

Part B Section 2.7

IT Performance Management

D2-G7 — Mission Control

KPIs, KRIs & the Balanced Scorecard

👩‍💼

The KPI dashboard looks beautiful. Bright green: 98% uptime. Alex is almost reassured — until she pulls the actual incident logs. Twenty-three outages last month. They weren't counted because they were classified as “planned maintenance.” The dashboard is measuring what makes management comfortable, not what matters. Alex writes: KPIs do not reflect operational reality.

A mission control center with screens showing KPI gauges, KRI warnings, balanced scorecard quadrants, and benchmarking charts
📈

KPIs (Key Performance Indicators)

  • Measure performance against goals
  • Lagging indicators — what happened
  • Example: system uptime %, project on-time delivery
⚠️

KRIs (Key Risk Indicators)

  • Early warning signals of risk
  • Leading indicators — what could happen
  • Example: failed login attempts, overdue patches
IT Balanced Scorecard — 4 Perspectives

💰 Financial

Cost efficiency, IT budget variance, ROI on IT investments

😊 Customer

User satisfaction, SLA adherence, service quality

⚙️ Internal Process

System uptime, incident resolution time, change success rate

📚 Learning & Growth

Staff certifications, training hours, innovation projects

Benchmarking

Comparing IT performance against industry peers, best practices, or internal historical data. Types: Internal (within the org), External/Competitive (against peers), Functional (against best-in-class processes regardless of industry).

Key Exam Tip

Know the difference: KPIs are lagging (measure past performance), KRIs are leading (warn of future risk). The balanced scorecard translates strategy into measurable objectives across four perspectives. Benchmarking against industry peers is an external benchmark.
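The availability KPI from Alex's dashboard, as an added example that is not code from the original page: it recomputes availability over a constructed month of incident records under three definitions, the dashboard's (everything labelled planned maintenance excluded), counting every outage, and counting everything except planned work that ran inside an approved window, and derives a KRI, "planned" outages outside the window, as the leading indicator that the classification is being used to hide downtime. The incident records and the Sunday 00:00 to 06:00 window are assumed.

```python
from datetime import datetime, time, timedelta

# Constructed incident log for May 2025 (illustrative, not real data).
# (start, end, classification as recorded by the service desk)
INCIDENTS = [
    ("2025-05-04 02:00", "2025-05-04 03:30", "planned maintenance"),  # Sunday, inside the window
    ("2025-05-07 14:10", "2025-05-07 15:40", "planned maintenance"),  # Wednesday afternoon
    ("2025-05-12 09:05", "2025-05-12 11:05", "unplanned outage"),
    ("2025-05-19 13:00", "2025-05-19 18:00", "planned maintenance"),  # Monday, five hours
    ("2025-05-27 22:30", "2025-05-28 01:30", "unplanned outage"),
]
PERIOD_START = datetime(2025, 5, 1)
PERIOD_END = datetime(2025, 6, 1)

# Assumed approved maintenance window (hypothetical policy): Sundays 00:00 to 06:00.
WINDOW_WEEKDAY = 6           # Monday is 0, Sunday is 6
WINDOW_START = time(0, 0)
WINDOW_END = time(6, 0)
PLANNED = "planned maintenance"


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def in_approved_window(start: datetime, end: datetime) -> bool:
    """True only if the whole outage sits inside the window on a single day."""
    return (start.weekday() == WINDOW_WEEKDAY
            and start.date() == end.date()
            and WINDOW_START <= start.time()
            and end.time() <= WINDOW_END)


def counts_as_downtime(start: datetime, end: datetime, cls: str, mode: str) -> bool:
    """Three competing KPI definitions.
    dashboard: anything labelled planned is excluded (what Alex's dashboard does)
    all:       every hour the service was down counts
    policy:    planned work counts unless it ran inside the approved window"""
    if mode == "all":
        return True
    if mode == "dashboard":
        return cls != PLANNED
    if mode == "policy":
        return not (cls == PLANNED and in_approved_window(start, end))
    raise ValueError(f"unknown mode {mode!r}")


def downtime_hours(incidents: list, mode: str) -> float:
    total = timedelta()
    for s, e, cls in incidents:
        start, end = parse(s), parse(e)
        if counts_as_downtime(start, end, cls, mode):
            total += end - start
    return total.total_seconds() / 3600


def availability(incidents: list, mode: str) -> float:
    """Availability in percent over the reporting period under the chosen definition."""
    period_hours = (PERIOD_END - PERIOD_START).total_seconds() / 3600
    return 100.0 * (1 - downtime_hours(incidents, mode) / period_hours)


def misclassified_planned(incidents: list) -> list:
    """KRI: outages labelled planned that fell outside the approved window.
    Each is unplanned downtime the dashboard never sees; a rising count is the
    early warning that the KPI definition is being gamed."""
    return [(s, e) for s, e, cls in incidents
            if cls == PLANNED and not in_approved_window(parse(s), parse(e))]


if __name__ == "__main__":
    for mode in ("dashboard", "all", "policy"):
        print(f"{mode:9s} availability {availability(INCIDENTS, mode):6.2f}%  "
              f"({downtime_hours(INCIDENTS, mode):.1f} h down)")
    print("KRI: planned outages outside the window:", len(misclassified_planned(INCIDENTS)))
```

The same month reads as 99.33% available under the dashboard's definition and 98.25% when every outage counts; the "policy" figure in between is the one an auditor should ask for, because it honours genuine maintenance windows without letting the label absorb weekday outages. The KRI count (two here) is what to trend month over month.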

📰 Real World

Investigations into the Boeing 737 MAX found that schedule and cost pressure shaped engineering decisions that safety oversight should have caught. When performance metrics reward delivery but do not measure what actually matters, organisations optimise for the wrong outcomes.

Test Yourself — Performance Management
Q1. An IS auditor reviews a KPI dashboard showing 98% system uptime but discovers that outages classified as "planned maintenance" are excluded. The auditor's GREATEST concern should be:
A. The dashboard technology is outdated
B. The KPI definition does not accurately reflect service availability
C. Planned maintenance is occurring too frequently
D. The dashboard should show more metrics
Reveal Answer
Correct: B
The core issue is that the KPI is defined to exclude real downtime, making it misleading. KPIs must measure what they claim to measure. The concern is not the technology (A), frequency (C), or quantity of metrics (D) — it's the integrity of the metric definition.
Q2. KPIs are BEST described as:
A. Leading indicators that predict future performance
B. Lagging indicators that measure past performance against goals
C. Risk indicators that warn of potential threats
D. Compliance indicators that track regulatory adherence
Reveal Answer
Correct: B
KPIs are lagging indicators — they measure what has already happened. KRIs (Key Risk Indicators) are leading indicators (A/C) that warn of future risk. The trap is confusing KPIs with KRIs — ISACA tests this distinction heavily.
Q3. The IT balanced scorecard translates strategy into measurable objectives across how many perspectives?
A. 2 (Financial and Customer)
B. 3 (Financial, Customer, Internal Process)
C. 4 (Financial, Customer, Internal Process, Learning & Growth)
D. 5 (Financial, Customer, Internal Process, Learning & Growth, Risk)
Reveal Answer
Correct: C
The balanced scorecard has exactly four perspectives: Financial, Customer, Internal Process, and Learning & Growth. Risk (D) is not a separate BSC perspective — it's embedded across all four. The trap is adding an extra perspective that sounds plausible.

The metrics are lying. But where does the money go? Alex turns to the IT budget — and finds a process that would make any auditor wince.

Part B Section 2.8

IT Investment & Budgeting

D2-G8 — The Treasure Vault

IT Investment Analysis Methods

👩‍💼

Alex maps out Meridian's IT budget process. Department heads submit wish lists in November. The CFO cuts everything by 30%. IT rebuilds the same requests in January. No ROI analysis. No TCO calculation. No prioritisation framework. The most expensive project last year was approved because the VP who requested it “was very insistent.” Alex writes: No formal investment analysis methodology.

A treasure vault with four chests representing TCO, ROI, NPV, and Cost-Benefit Analysis, with a finance officer reviewing investments
💰

TCO (Total Cost of Ownership)

Full lifecycle cost: acquisition + operation + maintenance + retirement. Includes hidden costs like training and support.

⚖️

ROI (Return on Investment)

Measures profitability: (Net Benefits / Cost) × 100%. Higher ROI = better investment.

🔮

NPV (Net Present Value)

Present value of future cash flows minus initial investment. Accounts for time value of money. Positive NPV = good.

📋

Cost-Benefit Analysis

Compare total costs vs. total benefits. Include tangible & intangible factors. Benefits must exceed costs.

Key Formulas
ROI = (Benefit − Cost) / Cost  •  NPV = Σ (t = 1…n) CF_t / (1 + r)^t − Initial Cost, where CF_t is the net cash flow in year t and r is the discount rate

IRR (Internal Rate of Return)

The discount rate that makes NPV = 0. Projects with IRR greater than the cost of capital (hurdle rate) are typically approved. Also know payback period — time to recoup the investment.
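An added worked example, not from the original page, applying the four appraisal methods to a constructed project: NPV at a hurdle rate, IRR found by bisection on the NPV function, payback period with interpolation inside the break-even year, and simple ROI. A second constructed project, a compliance investment that shows a negative ROI on its direct savings alone, is then restated with the losses it is expected to avoid, the approach Q2 below recommends. All cash flows and the 10% hurdle rate are assumed.

```python
from typing import List, Optional


def npv(rate: float, cash_flows: List[float]) -> float:
    """Net Present Value. cash_flows[t] is the net cash flow at the end of year t;
    cash_flows[0] is the initial outlay (negative) at t = 0."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0, tol: float = 1e-7) -> float:
    """Internal Rate of Return: the rate at which NPV is zero, found by bisection.
    Assumes one sign change in the cash flows (outlay, then returns), which is
    what makes the IRR unique."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV has the same sign at both ends of the bracket: no unique IRR")
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            break
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return mid


def payback_period(cash_flows: List[float]) -> Optional[float]:
    """Years until cumulative undiscounted cash flow turns non-negative,
    interpolating within the final year. None if the outlay is never recovered."""
    if cash_flows[0] >= 0:
        return 0.0
    cumulative = cash_flows[0]
    for t in range(1, len(cash_flows)):
        if cumulative + cash_flows[t] >= 0:
            return (t - 1) + (-cumulative / cash_flows[t])
        cumulative += cash_flows[t]
    return None


def roi(cash_flows: List[float]) -> float:
    """Simple ROI = (total benefits - cost) / cost, ignoring the time value of money."""
    cost = -cash_flows[0]
    return (sum(cash_flows[1:]) - cost) / cost


def with_avoided_losses(cash_flows: List[float], annual_avoided_loss: float) -> List[float]:
    """Restate a security or compliance project: add the expected loss it prevents
    (avoided ALE, avoided fines) to each year's cash flow."""
    return [cash_flows[0]] + [cf + annual_avoided_loss for cf in cash_flows[1:]]


def appraise(cash_flows: List[float], hurdle_rate: float) -> dict:
    """The figures a steering committee looks at, plus the approve/reject call:
    positive NPV at the hurdle rate (equivalent to IRR above the hurdle rate
    for a conventional cash-flow pattern)."""
    project_npv = npv(hurdle_rate, cash_flows)
    return {
        "npv": round(project_npv, 2),
        "irr": round(irr(cash_flows), 4),
        "payback_years": payback_period(cash_flows),
        "roi": round(roi(cash_flows), 4),
        "approve": project_npv > 0,
    }


# Constructed projects (assumed figures): year 0 is the outlay, then five years of net benefit.
WAREHOUSE = [-100_000, 30_000, 30_000, 30_000, 30_000, 30_000]
COMPLIANCE = [-80_000, 10_000, 10_000, 10_000, 10_000, 10_000]   # direct savings only
HURDLE_RATE = 0.10                                               # assumed cost of capital

if __name__ == "__main__":
    print("data warehouse:", appraise(WAREHOUSE, HURDLE_RATE))
    print("compliance, direct savings only:", appraise(COMPLIANCE, HURDLE_RATE))
    # Expected penalties and breach losses avoided: assumed 40,000 per year
    print("compliance, with avoided losses:",
          appraise(with_avoided_losses(COMPLIANCE, 40_000), HURDLE_RATE))
```

For the warehouse project NPV comes out a little under 14,000, IRR just over 15%, payback 3.33 years and ROI 50%, so every method agrees. The compliance project fails on its direct savings (negative NPV and ROI) but clears the hurdle once the avoided annual losses are counted, which is the point of Q2: the input to the appraisal was wrong, not the method.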

Key Exam Tip

NPV is the most reliable method because it accounts for the time value of money. A positive NPV means the project adds value. TCO gives the most complete picture of total costs. The IT Steering Committee typically prioritizes projects based on these financial metrics aligned with strategic goals.

📰 Real World

The FBI's Virtual Case File project (2005) was cancelled after spending $170 million because investment decisions were made without proper business case analysis, requirements management, or ROI framework.

Test Yourself — IT Investment & Budgeting
Q1. Which IT investment analysis method is considered MOST reliable because it accounts for the time value of money?
A. ROI (Return on Investment)
B. Payback Period
C. NPV (Net Present Value)
D. TCO (Total Cost of Ownership)
Reveal Answer
Correct: C
NPV discounts future cash flows to present value, accounting for the time value of money. ROI (A) doesn't account for when returns occur. Payback Period (B) only measures time to break even. TCO (D) measures total costs but not returns. ISACA considers NPV the most comprehensive method.
Q2. An IS auditor reviewing IT investment decisions finds that security and compliance projects are consistently rejected because they show negative ROI. The BEST recommendation is to:
A. Accept that these projects do not justify investment
B. Use alternative metrics such as risk reduction, NPV of avoided losses, or regulatory penalty avoidance
C. Inflate the ROI calculations to gain approval
D. Report the finding but take no action
Reveal Answer
Correct: B
Security and compliance investments often have no positive ROI by design — their value is in risk reduction and penalty avoidance. The trap is applying ROI universally (A) when it's the wrong metric. Inflating numbers (C) is unethical. Taking no action (D) fails the auditor's advisory role.
Q3. The PRIMARY purpose of TCO (Total Cost of Ownership) analysis is to:
A. Calculate the profitability of an IT investment
B. Determine when an investment will break even
C. Capture the full lifecycle cost including hidden costs like training, support, and retirement
D. Compare the organisation's IT costs to industry benchmarks
Reveal Answer
Correct: C
TCO captures all costs across the asset lifecycle, including often-overlooked costs like training, maintenance, support, and decommissioning. Profitability is ROI (A). Break-even is Payback Period (B). Industry comparison is benchmarking (D).

No investment discipline. Alex is starting to see a pattern. She now turns to the vendors — and finds something that keeps her up that night.

Part B Section 2.9

Vendor & Third-Party Management

D2-G9 — The Merchant Guild

Vendor Management Lifecycle

👩‍💼

Alex reviews the vendor contracts and her stomach drops. Meridian's most critical system — the one processing all customer transactions — is hosted by a vendor whose contract expired eight months ago. They're operating month-to-month. No SLA is currently enforceable. The vendor knows it. Alex writes in capitals: CRITICAL SYSTEM ON EXPIRED CONTRACT. NO ENFORCEABLE SLA.

A medieval marketplace with a guild master reviewing SLA contracts at vendor stalls, each displaying quality rating shields
Vendor Management Lifecycle
1
Selection

RFP, due diligence, vendor evaluation

2
Contract

SLAs, terms, right-to-audit clause

3
Monitor

SLA compliance, performance reviews

4
Renew/Exit

Renegotiate or transition plan

SLAs (Service Level Agreements)

  • Define measurable service levels
  • Uptime guarantees (e.g., 99.9%)
  • Response & resolution times
  • Penalties for non-compliance

Key Contract Clauses

  • Right-to-audit — Essential for IS auditor
  • Data ownership — Org retains ownership
  • Exit strategy — Data return/destruction
  • Liability & indemnification

Vendor Risk Management

Outsourcing transfers execution, not accountability. The organization remains responsible for data protection and compliance. Perform ongoing vendor risk assessments, especially for critical vendors. Review SOC reports (SOC 1, SOC 2) for assurance on vendor controls.

Key Exam Tip

The right-to-audit clause is the most critical contractual element for an IS auditor. Without it, the auditor cannot verify vendor controls. Outsourcing does NOT transfer accountability — the organization remains ultimately responsible. SOC 2 Type II reports provide the most assurance over a period.

📰 Real World

The 2013 Target breach entry point was a third-party HVAC vendor with network access governed by an expired contract with no current SLA. Third-party risk management is only effective when contracts are current and SLAs are enforceable.

Test Yourself — Vendor Management
Q1. An IS auditor discovers that a critical vendor's contract has expired and the organisation is operating month-to-month. The MOST significant risk is:
A. The vendor may increase prices
B. The organisation has no enforceable SLAs or contractual protections
C. The vendor relationship may deteriorate
D. The organisation may need to find a new vendor
Correct: B
Without a current contract, SLAs, liability clauses, and right-to-audit provisions are unenforceable. Price increases (A) and relationship issues (C) are secondary. Finding a new vendor (D) is a possible action, not a risk. The core exposure is the loss of contractual protections.
Q2. For an IS auditor, the MOST critical clause to include in a vendor contract is:
A. Price escalation limits
B. Right-to-audit clause
C. Vendor staff qualifications
D. Marketing co-branding rights
Correct: B
The right-to-audit clause is essential because without it, the IS auditor cannot independently verify the vendor's controls. All other clauses are important but from an audit perspective, the ability to audit is non-negotiable.
Q3. An organisation outsources its data processing to a third party. Which statement is MOST accurate regarding accountability?
A. The vendor assumes full accountability for data protection
B. Accountability is shared equally between the organisation and vendor
C. The organisation retains accountability; only execution is transferred
D. Accountability depends on what the contract states
Correct: C
Outsourcing transfers execution, NEVER accountability. The organisation remains responsible for its data and compliance regardless of what the contract says (D is the trap). This is a core ISACA principle tested frequently.

Expired contracts, no SLAs. Alex needs a way to summarise just how bad Meridian's governance is. She reaches for a maturity model.

Part C Section 2.10

Maturity Models

D2-G10 — The Staircase of Maturity

CMM Maturity Levels (0–5)

👩‍💼

Alex maps Meridian's IT governance against the maturity model. Level 1. Maybe. The infrastructure manager disagrees. He thinks they're Level 3 — “We have processes,” he insists. Alex shows him the evidence: no documentation, no consistency, no measurement. He goes quiet. Alex writes: Self-assessed Level 3. Evidence supports Level 1.

A grand staircase with six levels ascending from chaotic rubble at Level 0 to a gleaming crystal platform with a golden crown at Level 5
Capability Maturity Model Levels
5 Optimizing — Continuous improvement. Proactive innovation. Best-in-class.
4 Managed & Measurable — Quantitatively measured and controlled. KPIs drive decisions.
3 Defined — Standardized, documented processes. Organization-wide consistency.
2 Repeatable but Intuitive — Basic processes exist but depend on individuals. Not documented.
1 Initial / Ad Hoc — Chaotic, reactive. Some processes exist, inconsistently applied.
0 Non-existent — Complete lack of any recognizable process. No awareness.
Mnemonic for Levels 0–5
"Nobody Really Defines Metrics More Optimally"

Maturity Model Usage in Auditing

IS auditors use maturity models to assess the current state of IT processes and recommend a target maturity level. Most organizations aim for Level 3 (Defined) as a baseline. Maturity assessments help prioritize improvement efforts and track governance progress over time.

Key Exam Tip

Level 3 (Defined) is the minimum acceptable maturity for most organizations. The key distinction between Level 2 and Level 3 is documentation — at Level 2, processes exist but aren't documented; at Level 3, they are standardized and documented. Not all processes need to reach Level 5.

📰 Real World

A 2019 Gartner survey found 87% of organisations rated their IT governance maturity at Level 3 or above. Independent assessments found most were actually at Level 1–2. Self-assessment without evidence is the most common maturity model failure.

Test Yourself — Maturity Models
Q1. An organisation's management insists their IT change management process is at maturity Level 3 (Defined). The IS auditor discovers that the process works well only when a particular senior engineer manages it, and other staff frequently deviate from the documented procedure. What maturity level should the auditor assess?
A. Level 3 — because documented procedures exist
B. Level 2 — because the process depends on key individuals
C. Level 4 — because the process is being measured
D. Level 1 — because there is no process at all
Correct: B
Level 2 (Repeatable) means processes exist but depend on individual knowledge — they work when the right person does them. Level 3 requires standardised, documented processes followed consistently by everyone. The trap is A — having documents alone doesn't achieve Level 3 if staff don't follow them. Level 4 (C) requires quantitative measurement, and Level 1 (D) means ad hoc processes, which is too low given some consistency exists.
Q2. An organisation's management insists their IT governance maturity is Level 4. An IS auditor should FIRST:
A. Accept management's assessment
B. Recommend the organisation aim for Level 5
C. Verify the assessment against objective evidence
D. Report the finding as satisfactory
Correct: C
An auditor must verify claims with evidence — never accept self-assessment at face value. The trap is accepting management's word (A) or assuming higher is always better (B). Evidence-based verification is fundamental to the audit role.
Q3. Is a higher maturity level always the appropriate target for an organisation?
A. Yes, all organisations should target Level 5
B. No, the optimal level depends on business needs, cost, and risk appetite
C. Yes, regulators require Level 5 for all industries
D. No, Level 3 is the maximum any organisation needs
Correct: B
Not every organisation needs Level 5 — the optimal level depends on business requirements, cost-benefit analysis, and risk appetite. Level 5 may be overkill and too expensive for some. The trap is the “higher is always better” assumption (A) or setting an arbitrary cap (D).

Level 1. Alex has the evidence. Now she needs to deliver it properly — through the right channels, to the right people. That's where audit governance comes in.

Part C Section 2.11

Audit's Role in IT Governance

D2-G11 — The Watchtower

IS Auditor: Independent Guardian of Governance

👩‍💼

Alex's governance report is ready. She walks it to the IT Steering Committee's desk. It's the first time audit findings have ever gone directly to the committee. The CIO intercepts her in the hallway: “Shouldn't that come to me first?” Alex pauses. “No,” she says. “That would compromise our independence.” The CIO thought audit reported to him.

An independent watchtower observatory with an auditor using a telescope, overlooking a corporate city with Board, Management, and IT buildings, connected by a narrow communication bridge
🔍

What the IS Auditor Does

  • Evaluates IT governance effectiveness
  • Reviews alignment of IT with business
  • Assesses risk management practices
  • Verifies control design & operating effectiveness
  • Reports findings to the Board/Audit Committee
🚫

What the IS Auditor Does NOT Do

  • Does NOT implement controls
  • Does NOT make management decisions
  • Does NOT approve transactions
  • Does NOT take on operational responsibilities
  • Does NOT compromise independence

Independence is Non-Negotiable

The IS auditor must be organizationally independent from the areas being audited. Ideally reports to the Audit Committee of the Board, not to IT management. Independence ensures objectivity and credibility. If independence is impaired, the auditor must disclose this.

Audit's Governance Relationship
Board / Audit Committee ← reports to ← IS Auditor → evaluates → IT Management
Key Exam Tip

The IS auditor's primary role in governance is to provide independent assurance. They should never implement or approve controls — doing so impairs independence. When the exam asks about an auditor's "greatest concern," think about threats to independence and objectivity.

📰 Real World

The collapse of Carillion (UK, 2018) was partly attributed to an internal audit function that reported to the CFO rather than the audit committee. Audit findings about cash flow and contract risk were not escalated independently.

Test Yourself — Audit's Role in Governance
Q1. The IS auditor's PRIMARY role in IT governance is to:
A. Implement governance controls
B. Approve IT policies on behalf of the Board
C. Provide independent assurance on the effectiveness of governance
D. Manage the IT risk register
Correct: C
The auditor provides independent assurance — they evaluate, they don't implement (A), approve (B), or manage (D). Any of these would compromise independence. This is a fundamental ISACA principle.
Q2. An IS auditor should ideally report to:
A. The CIO
B. The CFO
C. IT Management
D. The Audit Committee of the Board
Correct: D
Reporting to the Audit Committee ensures maximum independence. Reporting to the CIO (A) or IT Management (C) creates a conflict of interest. Reporting to the CFO (B) is better but still not ideal. The Audit Committee provides the highest level of organisational independence.
Q3. If an IS auditor is asked to both design and later audit an IT control, the auditor should:
A. Accept, as this demonstrates deep expertise
B. Accept but document the dual role
C. Decline, as this would impair independence
D. Accept if approved by IT management
Correct: C
Designing and auditing the same control is a self-review threat — a clear independence violation. No amount of documentation (B) or management approval (D) resolves this. The auditor must decline to maintain objectivity.

The governance report is delivered. But there's one more thing Alex needs to check: what happens when everything goes wrong? She opens the Business Continuity Plan.

Part C Section 2.12

Business Continuity Planning Governance

D2-G12 — The Storm Ship

BCP: Board-Level Oversight of Resilience

👩‍💼

Alex opens Meridian's Business Continuity Plan. It looks professional — until she reads the details. The plan references three systems that were decommissioned two years ago. The contact list includes people who no longer work at Meridian. “Nobody told us,” says the BCP owner. Alex writes her final finding: BCP is outdated and untested against current infrastructure.

A ship navigating a storm with a calm captain at the helm, crew below deck executing a BCP plan, and a lighthouse in the distance representing recovery objectives

BCP Governance Responsibilities

Board / Senior Management

  • Approve & fund BCP program
  • Set recovery priorities
  • Review BCP test results
  • Ensure adequacy & currency of plans

BCP Coordinator / Team

  • Develop & maintain the BCP
  • Conduct Business Impact Analysis
  • Organize testing & exercises
  • Update plans after changes/tests

BCP Development Process
  1. BIA: Business Impact Analysis, identify critical processes
  2. Strategy: Define recovery strategies & set RTO/RPO
  3. Plan: Document procedures, roles, contacts
  4. Test: Tabletop, simulation, full interruption tests
  5. Maintain: Regular updates after changes or lessons learned

Key Terms

  • BIA — Identifies critical processes & impact of disruption
  • RTO — Recovery Time Objective (max downtime)
  • RPO — Recovery Point Objective (max data loss)
  • MTD — Maximum Tolerable Downtime

BCP Testing Types (Least → Most Disruptive)

  • Checklist Review — Paper review only
  • Tabletop / Walkthrough — Talk through scenarios
  • Simulation — Simulated disaster
  • Parallel Test — Activate backup while primary runs
  • Full Interruption — Shut down primary (riskiest)
Key Exam Tip

The BIA is the first step in BCP development — always. Senior management must approve the BCP and its testing results. A full interruption test is the most thorough but also the most risky. The BCP must be updated whenever significant changes occur (new systems, org changes, after actual incidents).

📰 Real World

When Hurricane Katrina struck in 2005, many banks' BCP plans referenced physical backup sites in New Orleans — the same area hit by the hurricane. Plans that aren't reviewed and tested against realistic scenarios fail precisely when needed most.

Test Yourself — BCP Governance
Q1. The FIRST step in developing a Business Continuity Plan is:
A. Defining recovery strategies
B. Conducting a Business Impact Analysis (BIA)
C. Testing the existing plan
D. Purchasing backup infrastructure
Correct: B
The BIA always comes first — it identifies critical business processes and the impact of their disruption. You cannot define strategies (A), test plans (C), or buy infrastructure (D) without understanding what needs protecting and why.
Q2. Which BCP testing method provides the MOST assurance but carries the HIGHEST risk?
A. Tabletop exercise
B. Simulation test
C. Parallel test
D. Full interruption test
Correct: D
A full interruption test shuts down the primary system to test recovery — maximum assurance but maximum risk. Parallel tests (C) activate backup while primary runs. Simulation (B) is a drill without real system impact. Tabletop (A) is paper-based only.
Q3. An IS auditor finds that a BCP references decommissioned systems and former employees. The BEST recommendation is to:
A. Rewrite the entire BCP from scratch
B. Update the BCP to reflect current systems, personnel, and test it
C. Accept the BCP since it demonstrates governance intent
D. Report the finding but take no action until the next audit
Correct: B
The plan needs updating to reflect current reality, then testing to verify it works. Rewriting from scratch (A) is wasteful — the structure may be sound. Accepting it (C) ignores critical gaps. Waiting (D) violates the auditor's duty to report actionable findings.
📋

Alex's governance report lands on the IT Steering Committee's desk.

Twelve findings. Three critical. The CIO reads it in silence. He expected a clean bill of health. What he got was a mirror. “We knew some of this,” he says finally. “We just didn't have it written down.” Alex has learned something important: governance failures are rarely malicious. They're usually just… unwritten. Her job is to write them down.

✓ Governance Frameworks ✓ IT Strategy & Alignment ✓ Roles & Responsibilities ✓ Policy Hierarchy ✓ Risk Management ✓ IT Resource Management ✓ Performance Management ✓ IT Investment & Budgeting ✓ Vendor Management ✓ Maturity Models ✓ Audit's Role in Governance ✓ BCP Governance

Top 10 Exam Traps — Domain 2

1
❌ “COBIT is an IT governance framework you implement”
✓ COBIT is a framework for governance — it provides principles and practices, not a specific implementation recipe
2
❌ “IT strategy should be created by the IT department”
✓ IT strategy must be aligned TO business strategy — the business leads, IT enables
3
❌ “Outsourcing transfers IT risk to the vendor”
✓ Outsourcing transfers execution, NEVER accountability — management retains ownership of risk
4
❌ “A higher maturity level is always better”
✓ The optimal maturity level depends on business needs — not every organisation needs Level 5
5
❌ “The IT Steering Committee makes operational IT decisions”
✓ Steering Committee sets strategic direction — operational decisions stay with IT management
6
❌ “Policies and standards are the same thing”
✓ Policy = what we will do (high level). Standard = specific mandatory requirement. Procedure = how to do it step by step
7
❌ “KPIs measure what matters most to the business”
✓ KPIs measure what you CHOSE to measure — the trap is measuring activity, not outcomes
8
❌ “A vendor with a long relationship doesn't need a formal contract”
✓ Relationship doesn't replace contract — SLAs and accountability must be documented regardless of history
9
❌ “ROI is the best measure for all IT investments”
✓ Some IT investments (compliance, security) have no positive ROI by design — use NPV, TCO, or risk reduction metrics instead
10
❌ “Risk acceptance means the risk is gone”
✓ Risk acceptance means management consciously decides to live with the risk — it must be documented and periodically reviewed