Introduction
CISA Domain 3 focuses on how information systems are planned, acquired, developed, tested, implemented, and maintained in alignment with business objectives. From a CISA exam and practitioner perspective, this domain emphasizes controls, risk management, governance oversight, and assurance activities across the system development lifecycle.
This quick guide provides a high‑yield, exam‑oriented overview of all major topics in Domain 3.
Information Systems Acquisition, Portfolio & Project Management
Portfolio and Program Management
From a CISA Domain 3 perspective, portfolio and program management ensure that IT investments are prioritized, governed, and aligned with business objectives before individual projects even begin.
Portfolio Management – Key Points:
Portfolio management is the professional practice of selecting, overseeing, and adjusting a collection of investments or projects to meet specific long-term financial objectives or strategic business goals while balancing risk and performance.
- Focuses on doing the right projects
- Aligns IT initiatives with business strategy and risk appetite
- Evaluates projects based on value, risk, resources, and strategic fit
- Ensures optimal allocation of funding and resources
Program Management – Key Points:
- Manages related projects to achieve broader business benefits
- Focuses on benefit realization and dependency management
- Oversees inter-project risks and shared resources
CISA Exam Tips:
- Portfolio decisions are made at a strategic level
- Project management is an execution-level activity
- Poor portfolio management leads to project failure even if project controls are strong
Golden Rule for CISA Questions:
When asked about selection, prioritization, or alignment, think portfolio. When asked about delivery and execution, think project.
Work Breakdown Structure (WBS) and Object Breakdown Structure (OBS)
A Work Breakdown Structure (WBS) is a hierarchical decomposition of project scope into manageable work packages, focusing on what work must be performed to deliver the project objectives.
An Object Breakdown Structure (OBS) is a hierarchical representation of project resources, organizational units, or responsible entities, focusing on who is responsible for performing the work.
Work Breakdown Structure (WBS):
In a CISA context, WBS is used to:
- A deliverable‑oriented hierarchical decomposition of project work
- Ensure complete coverage of project scope
- Support cost estimation and budgeting
- Enable project progress monitoring
- Identify control points for audits
Key CISA Point: WBS focuses on what work must be done, not who does it.
Object Breakdown Structure (OBS):
In a CISA context, OBS is used to:
- Define roles and responsibilities
- Support segregation of duties (SoD)
- Enable responsibility assignment
- Strengthen governance and accountability
WBS vs OBS – CISA Exam Comparison
| Aspect | WBS | OBS |
| Focus | Work | Responsibility |
| Key Question | What needs to be done? | Who will do it? |
| Orientation | Deliverables & tasks | Organizational roles |
| Used For | Planning & control | Accountability & governance |
| Audit Relevance | Scope completeness | Segregation of duties |
| Typical Tool | Gantt, CPM | RACI matrix |
Business Case and Feasibility Analysis
A business case is a formal justification document that explains why an information system should be acquired or developed. It links the proposed system to business objectives, expected benefits, costs, and risks, and supports management decision‑making.
In CISA terms, the business case answers:
- Why is this system needed?
- What business problem or opportunity does it address?
- Do the expected benefits justify the costs and risks?
How ISACA uses it in the exam:
- Tested as a governance control
- Approval of the business case is a management responsibility, not the auditor’s
- Lack of a business case indicates poor IT governance
Feasibility analysis evaluates whether the proposed system is practical, viable, and achievable within organizational constraints. It supports the business case by determining whether the project can realistically succeed.
Types of feasibility commonly tested in CISA:
- Technical feasibility: Can the technology support the system?
- Operational feasibility: Will users and operations be able to use and support it?
- Economic feasibility: Do benefits outweigh costs?
- Legal / regulatory feasibility: Are there compliance or contractual constraints?
CISA exam distinction:
- Business case = Should we do it?
- Feasibility analysis = Can we do it?
Key Elements (Applied Meaning)
- Business requirements definition: Clear articulation of what the business needs, not technical features
- Cost–benefit analysis: Comparison of tangible (measurable) and intangible (non‑quantifiable) benefits
- Risk assessment: Identification of risks that could affect cost, schedule, or objectives
- Management approval: Formal authorization to proceed
CISA Focus: A project should not proceed to development without an approved business case supported by feasibility analysis.
Auditors must ensure that system acquisition decisions are justified and aligned with business strategy.
Key elements:
- Business requirements definition
- Cost–benefit analysis (tangible vs. intangible benefits)
- Technical, operational, economic, and legal feasibility
- Risk assessment and management approval
CISA focus: The business case should be approved before development begins.
Project Governance and Management
Project governance is the framework that ensures projects are directed, controlled, and aligned with business objectives throughout their lifecycle. It defines who has authority, who is accountable, and how decisions are made.
In CISA exam context, governance focuses on oversight and control, not day‑to‑day execution.
Project management is the application of knowledge, skills, tools, and techniques to deliver a project’s objectives within approved scope, time, and cost.
CISA distinction:
- Governance = oversight and decision‑making
- Management = execution and delivery
Key Governance and Management Components (Explained)
- Project sponsor: Senior executive accountable for business outcomes
- Steering committee: Provides direction, resolves escalated issues
- Project charter: Formal authorization defining objectives, scope, and authority
- Scope definition: Prevents scope creep and uncontrolled changes
- Triple constraint: Balance between scope, time, and cost
- Change control: Ensures changes are evaluated and approved
- KPIs: Measure progress and performance
Common exam patterns:
- Questions asking for the root cause → weak governance
- Questions asking for the BEST control → steering committee or formal approval
- Questions confusing symptoms (delay, cost overrun) with causes (lack of governance)
Exam Tip: Weak project governance is a root cause, not a symptom.
Effective project governance ensures accountability, oversight, and alignment with organizational objectives.
Software Development Methodologies
Auditors should understand different methodologies and their control implications.
| Methodology | Key Characteristics | Audit Consideration |
| Waterfall | Sequential, phase‑based | Strong documentation, late testing risk |
| Agile | Iterative, incremental | Less documentation, continuous user involvement |
| DevOps | CI/CD, automation | Emphasis on controls embedded in pipelines |
CISA focus: Controls must exist regardless of methodology.
System Development Life Cycle (SDLC)
What is SDLC?
The System Development Life Cycle (SDLC) is a structured framework that defines the phases, activities, and controls used to build, acquire, implement, and maintain information systems.
In CISA context, SDLC is primarily a control and risk management framework, not a development methodology.
Why SDLC Matters for CISA
- Ensures controls are applied throughout the lifecycle
- Enables early detection of errors and risks
- Provides formal approval checkpoints
SDLC Phases
CISA expects a clear understanding of controls at each SDLC phase.
- Initiation / Feasibility – Business need identification
- Requirements Analysis – Functional and non‑functional requirements
- Design – Logical and physical design
- Development – Coding and configuration
- Testing – Validation and verification
- Implementation – Go‑live and transition
- Maintenance – Enhancements and fixes
Golden rule: Errors are cheapest to fix earlier in the SDLC.
Project Sizing and Measurement Techniques
Project sizing and cost estimation are critical in IS acquisition and development to support budgeting, feasibility analysis, and management decision‑making. CISA questions often test whether the auditor understands which estimation technique is appropriate in a given situation.
Common Project Estimation and Measurement Techniques
- Analogous Estimating
- Uses historical data from similar past projects
- Quick and low‑cost estimation technique
- Less accurate than detailed methods
Best used when:
- Limited information is available
- Early project stages (feasibility or initiation)
CISA Exam Tip: Appropriate for high‑level estimates, not final budgets.
- Parametric Estimating
- Uses statistical relationships between variables
- Examples: cost per function point, cost per line of code, cost per user
- More accurate than analogous estimating if the model is reliable
Best used when:
- Quantifiable metrics are available
- Organization has strong historical data
Exam Trap: Assuming parametric estimates are always precise—accuracy depends on data quality.
- Bottom‑Up Estimating
- Estimates cost at the lowest task level, then aggregates upward
- Requires a well‑defined WBS
- Most time‑consuming but most accurate
Best used when:
- Project scope is well understood
- Preparing final budgets and schedules
CISA Key Point: Bottom‑up estimating provides the highest level of assurance.
- Actual Cost Measurement
- Based on real expenditure incurred during project execution
- Used for performance monitoring and variance analysis
Key controls:
- Cost tracking against budget
- Variance analysis and corrective actions
CISA Focus: Actual cost data is essential for post‑implementation review (PIR) and future estimates.
Summary Table – Estimation Techniques
| Technique | Accuracy | Effort | Typical Use |
| Analogous | Low | Low | Early feasibility |
| Parametric | Medium | Medium | Planning & estimation |
| Bottom‑Up | High | High | Final budgeting |
| Actual Cost | Highest | Ongoing | Control & PIR |
Golden Rule for CISA: As project certainty increases, estimation techniques should move from analogous → parametric → bottom‑up.
Requirements Definition and Management
Poor requirements are a leading cause of system failure.
Key controls:
- User involvement and sign‑off
- Traceability matrix
- Change management for requirements
Exam trap: Lack of user sign‑off is a high‑risk finding.
Software Size Estimation and Scheduling Techniques
CISA Domain 3 expects candidates to understand how software size and schedule are estimated, and how different techniques support planning, control, and risk management.
Software Size Estimation
Software size estimation helps determine effort, cost, and duration of IS development or acquisition.
Common Techniques:
- Function Point Analysis (FPA): Measures software size based on functionality delivered to users (inputs, outputs, inquiries, files, interfaces)
- Lines of Code (LOC): Measures size based on number of source code lines
CISA Exam Focus:
- Function Points are technology‑independent and preferred for early estimation
- LOC is language‑dependent and more useful after design decisions
Exam Trap: Using LOC during early feasibility stages instead of Function Points
Critical Path Method (CPM)
CPM is a deterministic scheduling technique used to identify the longest sequence of dependent activities in a project.
Key Characteristics:
- Single time estimates per activity
- Identifies activities with zero slack (critical path)
- Delays on critical path directly delay the project
CISA Exam Tip: CPM is best when activity durations are well known.
Program Evaluation Review Technique (PERT)
PERT is a probabilistic scheduling technique used when activity durations are uncertain.
Key Characteristics:
- Uses three time estimates:
- Optimistic (O)
- Most likely (M)
- Pessimistic (P)
- Expected time formula: (O + 4M + P) / 6
CISA Exam Tip: PERT is preferred for research, development, or high‑uncertainty projects.
CPM vs PERT – CISA Exam Comparison
| Aspect | CPM | PERT |
| Time Estimates | Single | Three (O, M, P) |
| Nature | Deterministic | Probabilistic |
| Best Used When | Durations are known | Durations are uncertain |
| Exam Trap | Treating CPM as probabilistic | Forgetting PERT formula |
Timebox Management
Timeboxing is a schedule control technique, commonly associated with Agile and iterative development.
Key Features:
- Fixed time periods (timeboxes)
- Scope may be adjusted to meet time constraints
- Encourages rapid delivery and user feedback
CISA Exam Focus:
- Time is fixed; scope is variable
- Reduces schedule risk but may impact functionality
Exam Trap: Assuming timeboxing fixes scope instead of time
High‑Yield CISA Summary
- Use Function Points for early sizing, LOC for later stages
- Use CPM when activity durations are predictable
- Use PERT when uncertainty is high
- Use Timeboxing when rapid delivery and flexibility are required
Information Systems Design
User Involvement in System Design
Active user involvement during system design is critical to ensure that business requirements are correctly translated into technical solutions and that the system will be accepted after implementation.
Key Aspects of User Involvement:
- Participation in requirements definition and validation
- Review and approval of logical and physical design
- Involvement in prototyping and iterative feedback
- Formal sign‑off at key design milestones
Benefits:
- Reduces risk of requirements gaps
- Improves usability and acceptance
- Detects design issues early in the SDLC
CISA Exam Tip: Lack of user involvement is a primary cause of system failure and a high‑risk audit finding.
IS Auditor’s Role in Project Design
The IS auditor plays an independent assurance role during project design and must avoid assuming management responsibility.
Appropriate IS Auditor Activities:
- Reviewing design documentation for adequacy of controls
- Advising on control requirements (without designing controls)
- Assessing segregation of duties and security by design
- Providing risk‑based recommendations
Activities to Avoid (Independence Risk):
- Designing system functionality
- Selecting vendors or technologies
- Approving design decisions
- Acting as a project team member
CISA Golden Rule: The IS auditor may advise and review but must not design or implement the system.
Logical vs Physical Design
- Logical design: What the system must do (processes, data flows)
- Physical design: How the system will be built (hardware, software, network)
Auditors focus on whether the design:
- Supports segregation of duties (SoD)
- Incorporates security and controls by design
Security by Design
Security controls should be embedded early, not added later.
CISA principle: Preventive controls are preferred over detective controls.
System Development and Configuration
Development Standards and Practices
Key controls:
- Secure coding standards
- Version control
- Code reviews and peer reviews
- Separation of development, test, and production environments
Exam tip: Developers should not have access to production systems.
Configuration Management
Ensures system components are identified, controlled, and tracked.
Includes:
- Baseline configuration
- Change tracking
- Version control
System Testing
What Is System Testing?
System testing verifies that the system meets business requirements and control objectives before production use.
CISA Exam Logic: Testing provides assurance; UAT sign‑off is mandatory.
Types of Testing
| Testing Type | Purpose |
| Unit Testing | Validate individual components |
| Integration Testing | Validate interfaces |
| System Testing | End‑to‑end validation |
| User Acceptance Testing (UAT) | Confirm business requirements |
| Security Testing | Identify vulnerabilities |
| Regression Testing | Ensure changes don’t break existing functionality |
CISA focus: UAT sign‑off is mandatory before implementation.
Test Data Management
- Production data should not be used in testing without masking
- Test results should be documented and approved
System Implementation and Migration
What Is System Implementation?
System implementation is the controlled process of deploying a system into production, including data migration and fallback planning.
CISA Exam Logic: Implementation carries the highest operational risk.
Implementation Strategies
| Strategy | Description | Risk Level |
| Direct Cutover | Old system replaced immediately | High |
| Parallel | Old and new run together | Low |
| Phased | Gradual rollout | Medium |
| Pilot | Limited initial deployment | Medium |
Exam tip: Parallel implementation has the lowest risk, highest cost.
Data Conversion and Migration
Auditors assess:
- Data completeness and accuracy
- Reconciliation controls
- Backup before migration
Post‑Implementation Review (PIR)
What Is a PIR?
A PIR evaluates whether the system achieved business objectives and delivered expected benefits.
CISA Exam Logic: PIR focuses on benefits realization, not technical issues.
A PIR evaluates whether the system:
- Meets business objectives
- Delivers expected benefits
- Operates within acceptable risk
CISA focus: PIR is often missing but highly valuable.
Change, Release, and Patch Management
What Is Change Management?
Change management ensures all system changes are authorized, tested, approved, and documented.
CISA Exam Logic: Emergency changes require retrospective approval.
Change Management Controls
Key elements:
- Formal change requests
- Impact assessment
- Approval and testing
- Emergency change procedures
Exam trap: Emergency changes must be retrospectively approved.
Release and Patch Management
- Changes should be bundled into controlled releases
- Patches must be tested before deployment
Application Controls
What Are Application Controls?
Application controls ensure accuracy, completeness, validity, and authorization of data processed by applications.
CISA Exam Logic: Preventive input controls are preferred.
Data Validation and Editing Controls
- Sequence Check
Ensures transactions are processed in numerical or chronological order.
Detects missing or duplicate records. - Limit Check
Verifies that data does not exceed a predefined maximum or minimum - Range Check
Ensures data falls within an acceptable range of values. - Validity Check
Confirms data matches a predefined list of acceptable values (e.g., gender codes). - Reasonableness Check
Evaluates whether data appears logically reasonable based on context or trends. - Table Lookup
Compares entered data against a reference table (e.g., product codes, department IDs). - Existence Check
Verifies that referenced data already exists in the system (e.g., valid customer ID). - Key Verification (Keying Check)
Data is entered twice and compared to detect keying errors. - Check Digit
Mathematical value added to detect transposition or transcription errors. - Completeness Check
Ensures all required fields are populated and all records are processed. - Duplicate Check
Identifies repeated transactions or records. - Logical Relationship Check
Ensures data elements have a logical relationship (e.g., end date ≥ start date).
Data Validation Controls – Comparison Table
| Control | Primary Purpose | Exam Clue |
| Sequence Check | Detect missing/duplicate records | Missing invoice numbers |
| Limit Check | Enforce absolute thresholds | Salary cap exceeded |
| Range Check | Enforce acceptable span | Age between 18–60 |
| Validity Check | Allow only predefined values | Invalid status code |
| Reasonableness | Detect unusual values | Abnormal overtime |
| Table Lookup | Validate against master data | Invalid product code |
| Existence Check | Ensure referenced data exists | Nonexistent customer |
| Key Verification | Prevent keying errors | Double data entry |
| Check Digit | Detect transposition errors | Credit card numbers |
| Completeness | Ensure all data captured | Missing mandatory fields |
| Duplicate Check | Prevent repeated entries | Duplicate payments |
| Logical Relationship | Ensure data consistency | End date before start date |
CISA Exam Tips
- Validation controls are preventive input controls
- Detect errors before processing, reducing downstream impact
- Reasonableness checks are judgment‑based, not absolute
- Check digits detect transposition, not missing records
- Completeness ≠ accuracy (a field can be complete but incorrect)
