CISA Domain 2: Governance and Management of IT – Comprehensive Quick Guide

Introduction.

CISA Domain 2 focuses on the structures, frameworks, and control mechanisms that guide strategic IT decision-making across an enterprise. This guide provides a clear, comprehensive breakdown of key governance principles, roles, processes, and assurance practices every CISA candidate must master. It serves as a practical reference to strengthen both exam readiness and real-world IT governance capability.

Enterprise Governance & EGIT

Enterprise Governance

The system of enterprise governance directs and controls organizations to achieve objectives, manage risks, and ensure accountability. It encompasses both corporate governance (organizational oversight) and IT governance (oversight of IT).

Enterprise Governance of IT (EGIT)

EGIT refers specifically to the frameworks, structures, and processes that ensure IT supports and enables the achievement of business goals.

• Context in CISA: EGIT ensures that IT investments deliver value, risks are managed, and IT resources are used responsibly. It’s about aligning IT with business strategy and ensuring compliance.
• Application: CISA candidates must know how EGIT frameworks—such as COBIT—help establish accountability, clarify decision rights, and enable the measurement of IT performance.

Core EGIT Objectives

• Strategic alignment
• Value delivery
• Risk optimization
• Resource optimization
• Performance measurement

EGIT is a board-level responsibility, not an IT function.

Key Point:
EGIT is not just about IT management, but ensuring IT’s contribution to enterprise objectives and risk posture.

IT Governance Frameworks (COBIT, ITIL, ISO/IEC 38500)

COBIT (Control Objectives for Information and Related Technologies):

• Purpose: Provides a comprehensive framework for governance and management of enterprise IT.
• Focus: Aligns IT with business goals, value delivery, risk management, resource optimization, performance measurement.
• Use: Best for overall IT governance and controls, especially for auditors and management.

ITIL (Information Technology Infrastructure Library):

• Purpose: Offers best practices for IT service management (ITSM).
• Focus: Process-driven, focused on delivering quality IT services and continual service improvement.
• Use: Ideal for IT operations, help desk, and service delivery environments.

ISO/IEC 38500:

• Purpose: International standard for corporate governance of IT.
• Focus: Sets high-level principles and responsibilities for board and executive management.
• Use: Guidance for top-level management on IT decision-making, but not as detailed as COBIT.

How to Differentiate:

• COBIT: Choose when asked about a detailed governance and management framework with controls.
• ITIL: Select when the question is about improving IT services or processes (incident management, change management, etc.).
• ISO/IEC 38500: Pick when the scenario involves board or executive-level IT governance.

Framework	Primary Focus	Domain 2 Use
COBIT	EGIT & controls	Governance & assurance
ITIL	Service management	Operations
TOGAF	Enterprise architecture	System design
ISO/IEC 27001	Security management	Security controls

CISA Domain 2 tests when to use which framework, not definitions.

IT Assurance & Control Frameworks: COSO vs. COBIT

COSO (Committee of Sponsoring Organizations):

• Purpose: Focuses on enterprise internal controls (including financial reporting, risk management, and compliance).
• Use: Broader organizational context, not IT-specific.

COBIT framework:

• Purpose: IT governance and management framework, detailed controls and processes for IT systems.
• Use: IT-specific audit and assurance engagements.

How to Differentiate: COSO for overall controls and governance; COBIT for detailed IT processes and controls.

Organizational Structure & Roles

• Board of Directors: Sets overall direction, approves IT strategy, oversees risk management.
• Senior Management: Implements board directives, sets priorities, allocates resources.
• IT Steering Committee: Cross-functional, aligns IT projects with business strategy, resolves conflicts, monitors progress.
• IT Strategy Committee: Advises the board on IT strategy, Ensures IT strategy aligns with business strategy, Reviews major IT investments
• CIO/IT Director: Manages IT operations, executes IT strategy, reports to senior management.
• Data Owners: Responsible for data quality and use; authorize access and classify data.

Key Roles

Body	Primary Role
Board of Directors	Ultimate accountability
IT Strategy Committee	Business–IT alignment
IT Steering Committee	Project prioritization
Architecture Review Board	Standards compliance
Security Committee	Security governance

• Security Governance: Board and management set security policy, define responsibilities, and allocate resources.
• Security Management: Day-to-day implementation—security controls, monitoring, and incident response.

Exam Insight:
Strategy → Board / IT Strategy Committee
Execution → IT Steering Committee

If the question is about oversight, policy, or direction—think board/senior management. For execution and operations—think CIO/IT teams.

Segregation of Duties (SoD) and Key IT Roles

What Is Segregation of Duties?

SoD ensures no single individual can:

• Initiate
• Authorize
• Execute
• Review
  

  a critical activity end-to-end.

Why SoD Is Critical

• Prevents fraud
• Reduces error risk
• Strengthens accountability

Key IT and Security Roles That Must Be Segregated

1. Development vs Production

• Developers should not have access to production
• Prevents unauthorized code changes

2. System Administration vs Security Administration

• Admin manages systems
• Security admin defines controls and monitors compliance

3. Operations vs Change Management

• Operations executes changes
• Change management approves and tracks them

4. Requestor vs Approver

• User requesting a change must not approve it

Role Combination	Risk
Developer + Production access	Unauthorized changes
System admin + Audit logs	Log manipulation
Change initiator + approver	Bypassed controls
Security admin + operations	Conflict of interest

CISA Domain 2 Exam Insight:
Compensating controls (logging, monitoring) may be acceptable only when full SoD is not feasible.

IT Strategy Alignment

• Strategic Planning: Involves translating business goals into IT objectives and initiatives.
• Prioritization: IT projects should be evaluated and selected based on business value, risk, and resource availability.
• Feedback Loops: Regular reviews ensure IT remains aligned as business needs change.

Key Differentiator: If IT decisions are made without referencing business goals, misalignment is occurring. Look for the need to establish or improve governance processes.

Risk Management

• Risk Management Process: Identify, assess, respond, monitor, and communicate IT risks.
• Risk Appetite/Tolerance: The level of risk an organization is willing to accept.
• Risk Register: A living document tracking identified risks, owners, and mitigation actions.
• Inherent vs. Residual Risk:
  • Inherent: The risk present before controls.
  • Residual: The risk remaining after controls are applied.

IT Policies, Standards & Procedures

• Policy: High-level principles (e.g., “All data must be classified”).
• Standard: Mandatory requirements (e.g., “Passwords must be at least 12 characters”).
• Procedure: Step-by-step instructions (e.g., “How to request access to data”).
• Guideline: Recommended, not mandatory (e.g., “Suggested practices for secure email”).

Resource Management

• Types of Resources: People, applications, infrastructure, data.
• Key Concepts: Capacity planning, resource allocation, skills management.
• Best Practices: Regular resource assessments, ensuring right skills are available for IT initiatives.

Exam Tip: If a scenario describes resource shortages or bottlenecks, suggest resource planning or optimization.

Performance Measurement: KPIs, KRIs, and Balanced Scorecards

• KPI (Key Performance Indicator): Measures IT process effectiveness (e.g., % of successful backups).
• KRI (Key Risk Indicator): Measures risk exposure (e.g., # of unauthorized access attempts).
• Balanced Scorecard: Strategic tool tracking performance across multiple perspectives (financial, customer, internal process, learning/growth).

The Balanced Scorecard (BSC) is a performance management framework used to translate strategy into measurable objectives across multiple perspectives—not just financial outcomes. BSC translates strategy into measurable objectives. Four Perspectives of BSC:

1. Financial
2. Customer
3. Internal processes
4. Learning and growth

In CISA and EGIT context, BSC helps ensure that IT investments and system development efforts deliver business value, not just technical success.

 Why Balanced Scorecard Matters

• Links system acquisition and development to enterprise strategy
• Supports value delivery, a core EGIT objective
• Provides measurable assurance that IT initiatives succeed beyond go-live

Exam Insight:
Match the metric to the objective—KPIs for performance, KRIs for risk, Holistic performance measurement → Balanced Scorecard.

Quality Assurance (QA) vs. Quality Control (QC)

Quality Assurance (QA):

• Definition: A process-focused practice aimed at preventing defects by ensuring the processes used to manage and create deliverables work effectively.
• Example: Setting up standardized development and testing procedures.
• Goal: Prevent errors before they occur.

Key Characteristics

• Preventive in nature
• Process-oriented
• Implemented before and during development

Examples

• SDLC standards
• Development methodologies
• Coding standards
• Process audits

CISA View:
QA ensures the process is capable of producing quality.

Quality Control (QC):

• Definition: A product-focused practice involving the identification of defects in actual deliverables.
• Example: Inspecting completed software modules for bugs.
• Goal: Detect and correct errors after they occur.

Key Characteristics

• Detective in nature
• Product-oriented
• Implemented after development

Examples

• Testing activities
• Inspections
• Defect detection

Key Difference:
QA is proactive (process-oriented), QC is reactive (product-oriented).

QA vs QC – Side-by-Side Comparison (High-Yield)

Aspect	Quality Assurance (QA)	Quality Control (QC)
Focus	Process	Product
Nature	Preventive	Detective
Timing	Throughout SDLC	After development
Objective	Prevent defects	Detect defects
Ownership	Management	Testing/QA team

CISA Domain 2 Exam Tip:
If the question is about establishing or improving processes to avoid issues—think QA. If it’s about reviewing or testing outputs—think QC.

Batch Processing

• Definition: Data is collected and processed in groups or batches at scheduled times (e.g., payroll runs, end-of-day updates).
• Advantages: Efficient for high-volume transactions, reduces processing costs.
• Risks: Delayed error detection, less real-time control.
• Controls: Use of control totals, reconciliation, and batch balancing.

For questions about real-time controls or early error detection, continuous audit is the answer. For periodic, high-volume processing, think batch processing.

Application Controls

Purpose: Ensure accuracy, completeness, authorization, and validity of transactions.

Types of Application Controls

• Input Controls
  • Validation checks
  • Edit checks
• Processing Controls
  • Run-to-run totals
  • Reasonableness checks
• Output Controls
  • Distribution controls
  • Reconciliation
• Interface Controls
  • Data transfer between systems

Exam Tip

If data accuracy is questioned, look for input or processing controls, not access controls.

System Testing and Quality Assurance

Testing Types

• Unit Testing – Individual components
• Integration Testing – Interfaces between components
• System Testing – Entire system
• User Acceptance Testing (UAT) – Business validation
• Regression Testing – After changes

Key Audit Concern

• Test results must be documented
• UAT must be performed by users, not developers

System Development Life Cycle (SDLC)

What It Is : A structured framework that ensures systems are developed in controlled phases.

SDLC Phases Explained

1. Initiation: Identify business need
2. Requirements: Define what the system must do
3. Design: Translate requirements into architecture
4. Development: Build or configure system
5. Testing: Validate system works as intended
6. Implementation: Move to production
7. Post-Implementation Review: Confirm objectives met

Why It Matters

Each phase introduces control points to reduce risk.

Development Methodologies (Control Perspective)

Waterfall

• Sequential
• Strong documentation
• Changes are costly

Agile

• Iterative
• Continuous user involvement
• Requires strong governance to avoid chaos

Prototyping

• Early user feedback
• Risk of poor documentation

DevOps

• Integrates development and operations
• Emphasizes automation and continuous delivery

Application Controls

What They Are: Controls built into applications to ensure data integrity and transaction accuracy.

Types Explained

Input Controls

Ensure only valid data enters the system
Examples:

• Edit checks
• Format validation
• Authorization checks

Processing Controls

Ensure data is processed correctly
Examples:

• Run-to-run totals
• Reasonableness checks

Output Controls

Ensure output is complete and distributed correctly
Examples:

• Reconciliations
• Controlled report distribution

Interface Controls

Ensure data transferred between systems remains accurate

Exam insight: Data errors → input or processing control weakness.

System Testing and Quality Assurance

Unit Testing

• Tests individual components
• Performed by developers

Integration Testing

• Tests interfaces between components
• Detects data flow errors

System Testing

• Tests entire system end-to-end
• Confirms system meets specifications

User Acceptance Testing (UAT)

• Performed by business users
• Confirms system meets business needs

Regression Testing

• Ensures changes do not break existing functionality

Key Difference Summary

Test Type	Focus	Performed By
Unit	Component	Developer
Integration	Interfaces	IT
System	Whole system	QA/IT
UAT	Business requirements	Users
Regression	Impact of change	IT/QA

Outsourcing of IT Functions

What Is IT Outsourcing?

IT outsourcing is the practice of contracting third-party service providers to perform IT functions that were traditionally handled in-house.

In Domain 2, ISACA focuses on governance, risk, and control, not cost savings alone.

Commonly Outsourced IT Functions

• Application development and maintenance
• Infrastructure and data center operations
• Cloud services
• Help desk and support
• Security monitoring (SOC)

Why Organizations Outsource IT

• Access to specialized skills
• Scalability and flexibility
• Cost optimization
• Faster system development

📌 CISA Insight:
Cost savings are a secondary benefit; risk management remains the primary concern.

Key Risks of IT Outsourcing

• Loss of control and visibility
• Vendor dependency (lock-in)
• Data confidentiality and privacy risks
• Service disruption
• Compliance gaps

Key Controls Over Outsourced IT

• Clear contracts and SLAs
• Defined performance metrics
• Right-to-audit clauses
• Security and compliance requirements
• Exit and transition plans

📌 CISA Domain 2 Exam Rule:
Outsourcing does not transfer accountability. Management remains responsible.

CISA Domain 2 Exam Trap

If a question asks who is accountable for outsourced system failures, the answer is the organization, not the vendor.

Final Quick Tips for CISA Domain 2

• EGIT is about aligning IT with enterprise objectives and managing its risks and value.
• Know which framework fits which scenario and the difference between governance (oversight) and management (execution).
• QA prevents problems through process control; QC detects problems through inspection.
• Batch processing is efficient but less timely; continuous audit enables proactive, real-time assurance.
• Always link IT objectives to business goals.
• Know which framework fits which scenario.
• Distinguish between governance (policy, oversight) and management (implementation, operation).
• Be able to explain risk concepts and performance indicators in context.

https://thecyberskills.com/category/learn-train/isaca-certified-information-systems-auditor-cisa/

https://www.isaca.org/