
CISA__Preparing_for_the_Exam-_Domain_2_Part_3.pdf

Alison
April 26, 2026


This Presentation is part of my CISA Exam Preparation Series, and in this section we continue with Domain 2: Governance and Management of IT, focusing on governance implementation and the control environment.

We explore how governance is translated into practical structures, controls, and accountability mechanisms within an organisation — bridging the gap between strategy and execution.

Key topics covered include:

IT governance structures and roles (board, committees, management)
COBIT governance and management domains in practice
Policies, standards, and procedures hierarchy
Enterprise Architecture and alignment with business strategy
Enterprise Risk Management (ERM) and risk lifecycle
Data governance, privacy, and regulatory compliance (including POPIA/GDPR context)
Vendor management and third-party risk
Performance monitoring, KPIs, KRIs, and reporting
Quality assurance and continuous improvement

We also walk through real-world examples, including a cloud CRM scenario, to demonstrate how governance, risk, and control concepts are applied in practice.

From an audit perspective, the focus is on evaluating whether:

IT is aligned to business objectives
Controls are effective and operating as intended
Governance and management decisions are risk-based and properly evidenced

This is part of my personal learning journey, and I’m sharing it in case it helps others preparing for the CISA exam.


Transcript

  1. CISA - Domain 2: Governance & Management of IT - Part 3: Governance Implementation & Control Environment

    © Alison Wickens | Management System Insights. CISA Series 2026. Not affiliated with ISACA. Redistribution or commercial use prohibited.
  2. CISA Series Overview

    Part 1 – Introduction & Overview
    Part 2 – Domain 1: Information System Auditing Process
    Part 3 – Domain 2: Governance and Management of IT
    Part 4 – Domain 3: Information Systems Acquisition, Development, and Implementation
    Part 5 – Domain 4: Operations and Business Resilience
    Part 6 – Domain 5: Protection of Information Assets
    Part 7 – Exam Practice & Revision
    Covers all 5 CISA domains in a structured learning journey.
  3. Domain 2: Governance and Management of IT

    IT Governance = Direction (Alignment)
    IT Management = Execution (Control)
  4. COBIT Governance & Management Mapping

    Domain | Full Name | Type | Purpose
    EDM | Evaluate, Direct, Monitor | Governance | Set direction and provide oversight
    APO | Align, Plan, Organise | Management | Strategy, planning, and organisation
    BAI | Build, Acquire, Implement | Management | Deliver solutions and change
    DSS | Deliver, Service, Support | Management | Operations and service delivery
    MEA | Monitor, Evaluate, Assess | Management | Performance and compliance monitoring
  5. Laws, Regulations, and Industry Standards

    Purpose: Ensure the organisation operates in compliance with legal, regulatory, and industry requirements, reducing risk and supporting governance.

    Governance, Risk & Compliance (GRC) (2.8.1)
    • Governance: ensures IT aligns with business objectives; provides oversight and accountability
    • Risk Management: identifies and manages IT-related risks; aligns with risk appetite
    • Compliance: adherence to laws (e.g., data protection), regulations, and industry standards

    Impact on IS Audit – What Auditors Must Do
    • Identify applicable laws and regulations, industry standards and frameworks
    • Assess whether controls ensure compliance

    Audit Implications
    • Non-compliance = legal, financial, reputational risk
    • Audits must include compliance testing, evaluate control effectiveness, and verify that policies reflect legal requirements

    Examples
    • Data protection laws (e.g., POPIA, GDPR)
    • Industry standards (e.g., ISO 27001, PCI DSS)
    • Financial regulations (e.g., SOX-type controls)

    Auditor's Role
    • Ensure compliance obligations are identified, documented, implemented and monitored
    • Do not interpret law; verify that controls align to requirements

    CISA Exam Focus
    • GRC = Governance + Risk + Compliance
    • Compliance drives control requirements
    • Auditor verifies compliance and effectiveness
    • Understand the impact of non-compliance
  6. IT Governance and IT Strategy

    Purpose: Ensure IT supports business objectives, delivers value, manages risk, and uses resources effectively.

    Core Areas – Enterprise Governance of IT (EGIT)
    • Align IT with business goals
    • Deliver value from IT investments
    • Manage IT-related risks
    • Optimise resources and performance

    Good Practices for EGIT
    • Frameworks (e.g., COBIT principles)
    • Clear accountability and decision-making
    • Performance measurement and monitoring

    Auditor's Role in EGIT
    • Evaluate alignment of IT and business strategy
    • Assess governance structures and controls
    • Verify value delivery and risk management

    Information Security Governance
    • Protect information assets
    • Align security with business and risk appetite
    • Ensure policies, roles, and accountability
    • Effective security governance: board-level oversight, a defined security strategy, continuous monitoring

    Information Systems Strategy
    • Long-term plan for technology direction
    • Supports digital transformation
    • Aligns with business priorities

    Strategic Planning
    • Translate strategy into actionable plans
    • Define initiatives, budgets, and timelines
    • Monitor execution and performance

    Business Intelligence & Data Governance
    • Use data for decision-making
    • Ensure data quality, integrity, and security
    • Define ownership and accountability for data

    CISA Exam Focus
    • IT must be aligned to business objectives
    • Governance = value + risk + resources
    • Auditor evaluates effectiveness; does not design strategy
    • Data governance is critical for reliable decision-making
  7. Organisational Structure (IT Governance & Roles)

    Purpose: Ensure IT is properly governed, structured, and controlled with clear accountability and effective segregation of duties.

    IT Governing Committees – provide strategic direction and oversight
    • Ensure IT aligns with business objectives
    • Monitor performance, risk, and investment decisions

    Roles & Responsibilities
    • Board of Directors: ultimate accountability for governance; ensures IT supports business strategy and risk appetite
    • Senior Management: implements strategy and policies; ensures effective IT operations and controls
    • CISO (Chief Information Security Officer): leads the information security program; ensures risk management and compliance
    • IT Steering Committee: aligns IT initiatives with business priorities; reviews projects, risks, and performance
    • Information Security Committee: oversees security strategy and controls

    RACI / Responsibility Matrix
    • Defines who is Responsible, Accountable, Consulted, and Informed

    IT Organisational Structure
    • Clearly defined roles and reporting lines
    • Separation between operations, development, and security
    • Supports control effectiveness

    Segregation of Duties – prevents fraud and errors
    • Key principle: no single person controls an end-to-end process
    • Examples: Developer ≠ Production access; Request ≠ Approval ≠ Implementation

    Auditing the Governance Structure
    • Review org charts, policies and charters, committee structures
    • Ensure proper oversight, clear accountability, effective controls

    CISA Exam Focus
    • Board = accountability, management = execution
    • Committees ensure alignment and oversight
    • Segregation of duties is critical
    • Auditor evaluates structure effectiveness, not design
  8. IT Strategy and Alignment

    IT Strategy Must:
    • Support business objectives
    • Enable growth, efficiency, and risk management
    • Be documented, approved, and reviewed
    • Not merely exist: "IT has a strategy" is not evidence of alignment

    What Alignment Actually Means
    • IT initiatives directly support revenue goals and customer outcomes
    • Example: business goal: expand online services; IT strategy: cloud platform, cybersecurity investment

    Segregation of Duties
    • Purpose: prevent fraud and error
    • Examples: a developer cannot deploy to production; a system administrator cannot approve their own access
    • If separation is not possible, apply compensating controls: logging, monitoring, independent review
    • CISA Insight: lack of segregation = high-risk control weakness
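The segregation-of-duties rules on this slide (and the Developer ≠ Production, Request ≠ Approval ≠ Implementation examples on slide 7) can be tested mechanically rather than by reading org charts alone. Below is an added Python example, not code from the original deck: it scans a (user, role) access matrix for toxic role combinations and a change log for tickets where one identity fills more than one of the three roles, downgrading a hit to "compensated" only when both logging and independent review are recorded, as the slide requires. The role names, the toxic-pair list and the sample grants and tickets are constructed for illustration; in practice they would be loaded from the organisation's RACI matrix, IAM exports and change-management system.

```python
"""Segregation-of-duties (SoD) conflict check.

Added illustration, not code from the original deck. Role names, the toxic-role
pairs and all sample records below are constructed; in practice they would be
loaded from the organisation's RACI matrix, IAM exports and change-management
system.
"""
from collections import defaultdict

# Role combinations one identity must never hold together (constructed from the
# deck's examples: Developer != Production access; Request != Approval).
TOXIC_ROLE_PAIRS = {
    frozenset({"developer", "prod_deploy"}),
    frozenset({"access_requester", "access_approver"}),
    frozenset({"sysadmin", "access_approver"}),
}

# Compensating controls the deck accepts when separation is not possible.
REQUIRED_COMPENSATING = {"logging", "independent_review"}

# Constructed access matrix: (user, role) grants as an IAM export might list them.
SAMPLE_GRANTS = [
    ("alice", "developer"), ("alice", "prod_deploy"),
    ("bob", "developer"),
    ("carol", "prod_deploy"),
    ("dave", "sysadmin"), ("dave", "access_approver"),
]

# Constructed change tickets: requester, approver and implementer per change.
SAMPLE_TICKETS = [
    {"id": "CHG-1001", "requester": "alice", "approver": "erin", "implementer": "carol"},
    {"id": "CHG-1002", "requester": "bob", "approver": "bob", "implementer": "carol"},
    {"id": "CHG-1003", "requester": "carol", "approver": "erin", "implementer": "carol",
     "compensating": {"logging", "independent_review"}},
    {"id": "CHG-1004", "requester": "dave", "approver": "dave", "implementer": "dave",
     "compensating": {"logging"}},
]


def role_conflicts(grants):
    """Return [(user, role_a, role_b)] for every user holding a toxic role pair."""
    roles_by_user = defaultdict(set)
    for user, role in grants:
        roles_by_user[user].add(role)
    findings = []
    for user in sorted(roles_by_user):
        held = roles_by_user[user]
        # Sort the pairs so output order is deterministic regardless of set order.
        for pair in sorted(TOXIC_ROLE_PAIRS, key=sorted):
            if pair <= held:
                role_a, role_b = sorted(pair)
                findings.append((user, role_a, role_b))
    return findings


def ticket_conflicts(tickets):
    """Return [(ticket_id, status)] for tickets where one identity fills two or
    more of request/approval/implementation. Status is 'compensated' when both
    logging and independent review are recorded, otherwise 'violation'."""
    findings = []
    for t in tickets:
        actors = (t["requester"], t["approver"], t["implementer"])
        if len(set(actors)) == len(actors):
            continue  # three distinct people: SoD intact
        recorded = set(t.get("compensating", ()))
        status = "compensated" if REQUIRED_COMPENSATING <= recorded else "violation"
        findings.append((t["id"], status))
    return findings


if __name__ == "__main__":
    for f in role_conflicts(SAMPLE_GRANTS):
        print("ROLE CONFLICT", *f)
    for f in ticket_conflicts(SAMPLE_TICKETS):
        print("TICKET", *f)
```

Run against the constructed data, the check reports alice (developer + prod_deploy) and dave (sysadmin + access_approver) as role conflicts, and CHG-1002 and CHG-1004 as violations; CHG-1003 is reported as compensated because both required controls are recorded. A ticket with only logging is still a violation, which matches the slide's point that compensating controls are a package, not a single measure.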
  9. Governance Structures in Practice

    Columns: Governance Structure | COBIT Domain | Key COBIT Processes | What They Do in Practice | Audit Focus | Typical Risk if Weak

    Board of Directors | EDM | EDM01, EDM02, EDM03, EDM04, EDM05 | Set strategic direction; define risk appetite; ensure value delivery; oversee IT governance | IT aligned to business strategy; risk appetite defined; board oversight of IT | IT decisions disconnected from business
    Executive Management | EDM / APO | EDM02, APO02, APO05 | Approve IT strategy; allocate resources; translate governance into plans | Strategy formally approved; resource allocation aligned | Strategy exists but is not executed
    IT Steering Committee | APO | APO02, APO05, APO06 | Align IT with business; prioritise projects; manage portfolio | Business involvement in IT decisions; project prioritisation documented | IT operates in silos
    Risk Committee | EDM / APO | EDM03, APO12 | Define risk appetite; monitor enterprise risk; integrate IT risk into ERM | IT risks included in ERM; risk reporting to executives | IT risk not visible to business
    Audit Committee | MEA | MEA01, MEA02, MEA03 | Review control effectiveness; oversee audits; ensure compliance | Audit findings tracked; evidence of corrective actions | Controls exist but are ineffective
    Architecture Review Board (ARB) | APO / BAI | APO03, BAI03 | Define architecture standards; approve designs; ensure integration | Projects aligned with EA; architecture reviews enforced | Fragmented IT landscape
    Information Security Committee | APO / DSS | APO13, DSS05 | Oversee security controls; monitor incidents; ensure protection | Security metrics reported; incident response effectiveness | Security treated as technical only
    Data Governance Committee | APO | APO03, APO13 | Define data ownership; approve classification; ensure compliance | Data classification applied; ownership defined | Data mismanaged or exposed
    Vendor Governance Committee | APO / DSS | APO10, DSS01 | Manage vendor risk; monitor SLAs; ensure compliance | Due diligence performed; vendor monitoring | Third-party risk unmanaged
    Change Advisory Board (CAB) | BAI | BAI06 | Approve changes; assess risk; ensure controlled implementation | Change approvals documented; segregation of duties | Uncontrolled changes
    Project Governance / PMO | BAI / APO | BAI01, APO05 | Manage projects; track delivery; align with business goals | Projects aligned with strategy; risks managed | Projects bypass governance
    Operations Management | DSS | DSS01, DSS02 | Deliver IT services; execute controls; manage incidents | SLA performance; incident handling | Poor service delivery
    Performance & Reporting (Management) | MEA | MEA01 | Monitor KPIs; report performance; support decisions | KPIs aligned to business; reports reviewed by management | KPIs meaningless or ignored
  10. IT-Related Frameworks

    Purpose: Provide structured approaches to governance, management, control, and assurance of IT within the organisation.

    Key Frameworks (CISA Context)
    • COBIT (Control Objectives for Information and Related Technologies): focus on governance and management of IT (EGIT); aligns IT with business objectives; covers value delivery, risk management, resource optimisation; the most important framework for CISA
    • ITIL (Information Technology Infrastructure Library): focus on IT Service Management (ITSM); ensures efficient delivery of IT services; covers incident management, change management, service continuity
    • ISO/IEC 27001: focus on Information Security Management (ISMS); risk-based approach to protecting information assets; includes policies, controls, continuous improvement
    • COSO (Internal Control Framework): focus on enterprise internal controls and governance; used for financial reporting and risk management; supports audit and control evaluation

    Why Frameworks Matter
    • Provide best practices and structure
    • Improve consistency and control effectiveness
    • Enable benchmarking and maturity assessment
    • Support audit and assurance activities

    Auditor's Role
    • Assess adoption and alignment of frameworks
    • Evaluate effectiveness of controls
    • Do not enforce a specific framework
    • Ensure frameworks support business and risk objectives

    CISA Exam Focus
    • COBIT = governance framework (primary for CISA)
    • ITIL = service management
    • ISO 27001 = security
    • COSO = internal control
    • Frameworks guide what good looks like; they are not mandatory by default
  11. Policies, Standards, Procedures

    Purpose: Establish a hierarchical control structure to ensure IT is consistent, secure, and aligned to governance and risk requirements.

    Hierarchy Overview
    • Policies: high-level management direction; define what must be done; approved by senior management
    • Standards: mandatory, specific requirements; ensure uniform implementation; example: encryption standards, password rules
    • Procedures: define how policies are implemented; detailed, step-by-step operational instructions; example: user access provisioning process
    • Guidelines: recommended practices (not mandatory); provide flexibility and best-practice guidance

    Information Security Policy
    • Sets overall security objectives and direction
    • Defines roles, responsibilities, and accountability

    Review of Information Security Policy
    • Must be periodically reviewed
    • Triggered by changes in risk, technology updates, regulatory requirements

    CISA Exam Focus
    • Policy = what; Procedure = how; Standard = mandatory rules; Guideline = recommended guidance
    • Policies must be approved, communicated, and regularly reviewed
    • Auditor verifies existence, approval, and compliance
  12. Enterprise Architecture (EA)

    Purpose: Provide a structured framework to ensure IT supports business strategy, improves efficiency, and manages complexity.

    What is Enterprise Architecture
    • Blueprint of business processes, applications, data, and technology infrastructure
    • Ensures alignment between IT and business

    Core Components
    • Business Architecture: defines business processes and objectives; aligns IT initiatives to business needs
    • Application Architecture: structure of applications and systems; ensures integration and avoids duplication
    • Data Architecture: defines how data is stored, managed, and used; ensures data quality, consistency, and governance
    • Technology Architecture: infrastructure (networks, hardware, platforms); supports scalability and performance

    Why EA is Important
    • Improves alignment of IT and business strategy
    • Reduces complexity and duplication
    • Supports standardisation and integration
    • Enables better decision-making

    Auditor's Role
    • Assess whether EA supports business objectives, is documented and maintained, and is followed in system development and changes
    • Identify risks such as fragmented systems, poor integration, data inconsistencies

    CISA Exam Focus
    • EA = alignment + structure
    • Must support business strategy
    • Auditor evaluates effectiveness and adherence
    • Poor EA leads to inefficiency, increased risk, weak data governance
  13. Enterprise Risk Management (ERM)

    Purpose: Identify, assess, and manage risks to ensure the organisation achieves its business objectives while staying within risk appetite.

    Developing a Risk Management Program
    • Establish risk framework and policies
    • Define risk appetite and tolerance, roles and responsibilities
    • Integrate risk into governance and decision-making
    • Ensure continuous monitoring and reporting

    Risk Management Process
    • Step 1: Asset Identification – identify critical assets (data, systems, processes)
    • Step 2: Threats & Vulnerabilities – determine what could exploit weaknesses
    • Step 3: Impact Assessment – evaluate business impact (financial, operational, reputational)
    • Step 4: Risk Calculation – Risk = Likelihood × Impact
    • Step 5: Risk Response – options: mitigate, transfer, accept, avoid

    Risk Analysis Methods
    • Qualitative: uses ratings (High / Medium / Low); faster, subjective
    • Semi-Quantitative: uses scoring scales (e.g., 1–5); balances simplicity and detail
    • Quantitative: uses numerical values (e.g., monetary loss); more precise but complex

    CISA Exam Focus
    • Risk = Likelihood × Impact
    • ERM must align with business objectives
    • Auditor evaluates process effectiveness; does not set risk appetite
    • Understand risk response options
    • Qualitative vs quantitative differences are commonly tested
  14. Enterprise Risk Management (ERM) - Model

    • Establish Context: business objectives; internal and external environment; risk appetite
    • Risk Identification: strategic, operational, financial, IT risks; threats, vulnerabilities, scenarios
    • Risk Analysis: Likelihood × Impact; inherent vs residual risk
    • Risk Evaluation: compare against risk appetite; prioritisation
    • Risk Treatment: avoid, mitigate, transfer, accept
    • Monitoring & Reporting: continuous tracking; management reporting
    • Continuous Improvement: feedback into governance

    Common Issues
    • No defined risk appetite
    • IT risk not linked to business impact
    • Risk register not updated
    • Controls not mapped to risks
    • Risk treatment decisions not justified
    • No executive-level reporting
  15. Key Risk Definitions (ERM)

    Columns: Term | Definition | Why It Matters (CISA / Audit Insight)

    Risk | The possibility that an event will occur and impact the achievement of objectives (typically measured as likelihood × impact). | Always tied to business objectives, not just technical issues.
    Threat | A potential cause of an unwanted incident that may result in harm. | Threats exploit vulnerabilities; they are not risks on their own.
    Vulnerability | A weakness that can be exploited by a threat. | Without a vulnerability, a threat cannot materialise into risk.
    Impact | The consequence or effect if a risk materialises (financial, operational, reputational, regulatory). | In ERM, impact must be expressed in business terms.
    Likelihood | The probability of a risk occurring. | Used with impact to determine risk level.
    Inherent Risk | The level of risk before any controls are applied. | Shows the true exposure of the organisation.
    Residual Risk | The level of risk remaining after controls are applied. | Must be within risk appetite or formally accepted.
    Risk Appetite | The amount and type of risk an organisation is willing to accept in pursuit of its objectives. | Defined by governance; drives all decisions.
    Risk Tolerance | The acceptable variation around risk objectives (more granular than appetite). | Used operationally to guide thresholds and limits.
    Risk Register | A central repository of identified risks, including their analysis, evaluation, and treatment. | Must be current, complete, and actively used.
    Risk Owner | The individual responsible for managing and monitoring a specific risk. | Critical for accountability; often missing in audits.
    Control | A measure that modifies risk (preventive, detective, corrective). | Controls must be linked to risks, not implemented in isolation.
    Control Effectiveness | The degree to which a control reduces risk as intended. | Drives the residual risk calculation.
    Risk Treatment | The process of selecting and implementing measures to modify risk (avoid, mitigate, transfer, accept). | Must be justified and aligned to risk appetite.
    Risk Acceptance | A decision to take no action to reduce a risk. | Must be formally approved and within appetite.
    Risk Transfer | Shifting risk to a third party (e.g., insurance, outsourcing). | Does not eliminate risk; it shifts part of the financial consequence, while accountability remains with the organisation.
    Risk Avoidance | Eliminating the activity that gives rise to the risk. | Often the most extreme option.
    Risk Mitigation | Reducing likelihood and/or impact through controls. | Most common treatment strategy.
    Key Risk Indicator (KRI) | A measurable value used to monitor risk exposure over time. | Enables proactive risk management.
    Scenario-Based Risk | A structured description of a risk using cause → event → impact. | Aligns strongly with ISO 27005 and real-world analysis.
  16. Privacy Program & Principles

    Purpose: Ensure personal data is protected, used appropriately, and compliant with legal and regulatory requirements.

    What is a Privacy Program
    • Framework to manage collection, processing, storage, and sharing of personal data
    • Aligns with regulations (e.g., GDPR, POPIA) and organisational policies
    • Integrates with information security and risk management

    Core Privacy Principles
    • Data Minimisation: collect only what is necessary
    • Purpose Limitation: use data only for defined purposes
    • Lawfulness & Fairness: process data legally and transparently
    • Accuracy: ensure data is correct and up to date
    • Storage Limitation: retain data only as long as needed
    • Confidentiality & Security: protect data from unauthorised access or loss

    Key Components of a Privacy Program
    • Privacy policies and procedures
    • Data classification and handling
    • Consent management
    • Data subject rights (access, correction, deletion)
    • Incident and breach management

    Auditor's Role
    • Assess compliance with privacy laws and policies
    • Verify that data is properly classified and protected and that controls are implemented and effective
    • Evaluate privacy risks and mitigation measures

    CISA Exam Focus
    • Privacy = legal + control + governance
    • Strong link to information security
    • Auditor evaluates compliance and effectiveness
    • Understand the core principles (minimise, protect, limit use)
  17. Data Governance & Classification

    Purpose: Ensure data is properly managed, protected, and used according to its value and sensitivity.

    Key Concepts:
    • Data must have clearly defined ownership
    • Data must be classified based on sensitivity
    • Controls must be applied based on classification level

    CISA Exam Focus:
    • Data classification determines the level of protection required
    • Data owners are responsible for classification and protection decisions
    • Controls must be aligned with data sensitivity

    Typical Audit Concern:
    • Data not classified
    • No clear data ownership
  18. Practical IT Governance Example — Cloud CRM

    Columns: Area (2A) | Governance Focus | Applied in Scenario (CRM System) | Controls / Actions | Evidence (Audit View)

    Laws, Regulations, and Industry Standards | Identify compliance obligations | POPIA applies to customer data processed in the CRM | Privacy policy; data protection controls; compliance mapping | Regulatory register; compliance mapping; privacy policy
    Organisational Structure, IT Governance, and IT Strategy | Define accountability and direction | CIO, Security Officer, and DPO responsible for CRM governance | Defined roles and responsibilities; segregation of duties; IT strategy (cloud-first) | Org structure; role descriptions; approved IT strategy
    IT Policies, Standards, Procedures and Practices | Establish enforceable rules | Security and privacy policies governing CRM use | Access control policy; encryption standard; incident response procedures | Policy documents; version control; training records
    Enterprise Architecture (EA) and Considerations | Ensure alignment with enterprise design | CRM deployed on approved cloud architecture | Standard identity provider; integrated logging; approved architecture design | Architecture diagrams; design approvals
    Enterprise Risk Management (ERM) | Identify and manage risks | Risks: data breach, vendor outage, insider misuse | Risk assessment; MFA implementation; vendor SLA controls | Risk register; risk treatment plan; control mapping
    Privacy Program and Principles | Protect personal data | CRM processes personal customer data | Data minimisation; consent management; data subject access process | Privacy impact assessment; processing records; consent logs
    Data Governance and Classification | Classify and control data | Customer data classified as Confidential | Data classification policy; access restrictions; encryption controls | Data classification register; access control matrix
  19. Maturity Models

    Purpose: Assess and improve how well processes are defined, managed, and optimised over time.

    Capability Maturity Model Integration (CMMI) (2.7.1)
    • Measures process maturity
    • Focuses on process standardisation, consistency, continuous improvement
    • Typical maturity levels:
      Initial – ad hoc, unpredictable
      Managed – basic processes established
      Defined – standardised across the organisation
      Quantitatively Managed – measured and controlled
      Optimising – continuous improvement

    IDEAL Model
    • Initiating: define business drivers and objectives
    • Diagnosing: assess current state and gaps
    • Establishing: plan improvements and priorities
    • Acting: implement process improvements
    • Learning: review results and embed continuous improvement

    Why Maturity Models Matter
    • Identify gaps and weaknesses
    • Support process improvement
    • Enable benchmarking and measurement
    • Align IT processes with business goals

    Auditor's Role
    • Evaluate current maturity level
    • Identify opportunities for improvement
    • Assess whether processes are defined, consistent, and controlled

    CISA Exam Focus
    • CMMI = maturity levels (progression model)
    • IDEAL = improvement lifecycle
    • Higher maturity = more control, predictability, and efficiency
    • Auditor assesses maturity; does not implement it
  20. Governance to Management Flow

    Flow:
    • Governance provides direction and oversight
    • Management ensures implementation of controls
    • Operations perform day-to-day execution

    Key Insight:
    • Effective governance ensures alignment, control, and accountability
    • Weak governance results in ineffective control and increased risk

    CISA Exam Focus:
    • Governance is the responsibility of the board and senior management
    • Management is responsible for execution and control implementation
    • Lack of alignment between governance and management leads to control failures
  21. IT Management Overview

    Focus:
    • Execute governance decisions
    • Manage IT resources
    • Ensure operational efficiency

    Key Distinction: Governance = Direction; Management = Execution
  22. IT Resource Management

    Purpose: Ensure IT resources (people, budget, systems) are used effectively, aligned to business objectives, and deliver value.

    Value of IT
    • IT must deliver business value, efficiency and effectiveness
    • Focus on return on investment, cost vs benefit, strategic alignment

    IT Portfolio Management
    • Manage IT investments as a portfolio
    • Prioritise initiatives based on business value, risk, and strategic alignment
    • Key distinction: portfolio management → investment decisions; balanced scorecard → performance measurement

    IT Management Practices
    • Governance and operational practices for service delivery, performance monitoring, and resource optimisation

    Human Resource Management
    • Key areas: hiring and onboarding; training and development; performance evaluation; promotion and termination
    • Audit focus: segregation of duties; skills and competency; access aligned to roles

    Organisational Change Management
    • Manage the impact of system and process changes
    • Ensure communication, training, and user adoption

    Financial Management Practices
    • IT budgeting and cost control; investment tracking
    • Ensure cost effectiveness and alignment with business strategy

    Information Security Management
    • Protect IT assets, systems, and data
    • Includes security policies, controls, and risk management

    CISA Exam Focus
    • IT resources must be aligned to business goals and efficiently managed
    • Portfolio management drives prioritisation
    • HR controls focus on segregation of duties and competence
    • Change management ensures adoption and risk control
    • Financial management ensures value delivery
    • Security protects IT resources and information
  23. IT Vendor Management

    Purpose: Ensure third-party services are selected, governed, monitored, and aligned to business and risk requirements.

    Outsourcing Practices & Strategies
    • Use outsourcing to reduce cost, access specialised skills, and improve scalability
    • Consider industry standards and benchmarking, and global sourcing strategies

    Third-Party Assurance & Audit Reports
    • Use independent reports (e.g., SOC reports) to evaluate control effectiveness and reduce audit effort
    • Auditor must assess scope, relevance, and reliability (e.g., the report type and period covered, carved-out subservice organisations, and the complementary user-entity controls the report assumes the customer operates)

    Cloud Governance
    • Ensure data security and privacy, compliance with regulations, and a clear shared responsibility model
    • Understand the risks of cloud environments

    Governance in Outsourcing
    • Define roles and responsibilities and service expectations (SLAs)
    • Ensure accountability and risk management oversight

    Capacity & Growth Planning
    • Ensure providers can meet current demand and scale with business growth
    • Avoid performance bottlenecks and service disruptions

    Third-Party Service Delivery Management
    • Monitor performance against SLAs and quality of service
    • Ensure issues are identified and resolved

    Monitoring & Review of Services
    • Perform regular performance reviews and risk assessments
    • Validate ongoing compliance and effectiveness

    Managing Changes to Services
    • Ensure formal change management processes and impact assessment before changes
    • Avoid uncontrolled changes affecting service quality

    Service Improvement & User Satisfaction
    • Focus on continuous improvement and user feedback
    • Measure service performance and customer satisfaction

    CISA Exam Focus
    • Third parties do NOT remove accountability
    • Always assess risk, control, and governance
    • Key areas: SLAs and performance monitoring; third-party assurance (SOC reports); cloud risk and shared responsibility; ongoing monitoring and review
    • Biggest trap: assuming outsourced = controlled
  24. IT Performance Monitoring & Reporting

    Purpose: Ensure IT performance is measured, monitored, and reported, enabling informed decisions and continuous improvement
    Performance Optimisation
    • Focus on improving:
      • Efficiency
      • Effectiveness
      • Service delivery
    • Align IT performance with:
      • Business objectives
      • Strategic goals
    Critical Success Factors (CSFs)
    • Define what must go right for success
    • Linked to:
      • Business priorities
      • IT objectives
    • Used to guide:
      • Performance measurement
      • Control focus
    Methodologies & Tools
    • Use structured approaches to measure performance:
      • KPIs (Key Performance Indicators)
      • KRIs (Key Risk Indicators)
    • Tools may include:
      • Dashboards
      • Monitoring systems
      • Reporting frameworks
    Tools & Techniques
    • Data analysis and reporting tools
    • Automated monitoring solutions
    • Trend analysis and benchmarking
    • Continuous performance tracking
    IT Balanced Scorecard
    • Translates strategy into measurable outcomes
    • Perspectives typically include:
      • Financial
      • Customer
      • Internal processes
      • Learning and growth
    Purpose:
    • Align IT performance with business strategy
    • Provide a balanced view beyond financial metrics
    CISA Exam Focus
    • Performance monitoring must be:
      • Aligned to business objectives
      • Measured using meaningful metrics
    • CSFs define what success looks like
    • KPIs measure how well IT is performing
    • Balanced scorecard = strategic alignment tool
    • Key trap:
      • Measuring activity instead of value and outcomes
  25. Quality Assurance and Quality Management of IT

    Purpose: Ensure IT processes and controls are effective, consistent, and continuously improving, delivering reliable outcomes
    Quality Assurance (QA)
    • Focus: Ensuring processes are followed correctly
    • Preventive in nature
    • Activities include:
      • Reviews and audits
      • Standards enforcement
      • Process validation
    Goal: Ensure quality is built into processes, not just checked after
    Quality Management (QM)
    • Broader focus on:
      • Planning, controlling, and improving quality
    • Includes:
      • Quality policies
      • Procedures and standards
      • Continuous improvement initiatives
    Goal: Ensure overall quality of IT services and outputs
    Key Components
    • Defined standards and procedures
    • Monitoring and measurement of performance
    • Continuous improvement cycles
    • Management involvement and accountability
    Continuous Improvement
    • Identify:
      • Weaknesses
      • Inefficiencies
    • Implement:
      • Corrective actions
      • Process enhancements
    • Measure:
      • Improvements over time
    CISA Exam Focus
    • QA = process-focused (preventive)
    • QM = overall quality framework (broader scope)
    • Quality must be:
      • Consistent
      • Measured
      • Continuously improved
    • Auditor role:
      • Evaluate effectiveness of QA and QM processes
    • Key trap:
      • Confusing QA (process) with QC (testing/output)
  26. Audit Perspective

    Auditors Evaluate:
    • Alignment between IT strategy and business objectives
    • Whether controls are effective and operating as intended
    • Whether decisions are risk-based and appropriately justified
    CISA Exam Focus:
    • Evidence must demonstrate control effectiveness, not just existence
    • IT must support business objectives and governance direction
    • Weak governance or management leads to increased organisational risk
    Common Findings:
    • Policies exist but are not enforced in practice
    • Inadequate vendor governance and oversight
    • Lack of meaningful performance monitoring and reporting
  27. Full Practical Applications

    Domain | Sub-Area | What Happens in Practice | Example | Audit Evidence
    --- | --- | --- | --- | ---
    Governance | Strategy Setting | Define IT direction | Approve digital platform strategy | Board minutes
    Governance | Risk Appetite | Define acceptable risk | Accept cloud risk level | Risk appetite statement
    Governance | Oversight | Monitor initiatives | Steering committee reviews | Meeting minutes
    Governance | Accountability | Assign ownership | CIO accountable | RACI matrix
    Strategy & Alignment | Business Alignment | Align IT to business | Platform supports revenue growth | Strategy documents
    Strategy & Alignment | Portfolio Mgmt | Prioritise initiatives | Select key IT projects | Portfolio roadmap
    Strategy & Alignment | Investment Decisions | Allocate budget | Approve cloud spend | Budget approvals
    Enterprise Architecture | Business Architecture | Define processes | Online order workflow | Process diagrams
    Enterprise Architecture | Data Architecture | Structure data | Customer data model | Data models
    Enterprise Architecture | Application Architecture | Integrate systems | CRM + payment gateway | Architecture diagrams
    Enterprise Architecture | Technology Architecture | Define infrastructure | Cloud platform design | Tech standards
    Risk Management | Risk Identification | Identify threats | Data breach risk | Risk register
    Risk Management | Risk Assessment | Evaluate risk | Likelihood × impact scoring | Risk matrix
    Risk Management | Risk Treatment | Apply controls | Encryption, MFA | Treatment plan
    Risk Management | Risk Monitoring | Track risk status | Monthly reviews | Risk reports
    Policies & Procedures | Policies | Define direction | Security policy | Approved policies
    Policies & Procedures | Standards | Define rules | Password standards | Standards docs
    Policies & Procedures | Procedures | Define steps | Access provisioning | SOPs
    Policies & Procedures | Enforcement | Ensure compliance | Access reviews | Logs/reports
    Compliance | Legal | Identify laws | POPIA/GDPR | Compliance register
    Compliance | Regulatory | Apply regulations | Data protection controls | Compliance reports
    Compliance | Contractual | Meet agreements | SLA commitments | SLA reports
    Compliance | Monitoring | Track compliance | Internal audits | Audit reports
    Resource Management | Workforce | Ensure skills | Hire cloud engineers | HR records
    Resource Management | Capacity | Plan resources | Scale infrastructure | Capacity reports
    Resource Management | Asset Mgmt | Track assets | Server inventory | Asset register
    Resource Management | Performance | Monitor usage | CPU utilisation | Dashboards
    Vendor Management | Selection | Due diligence | Evaluate cloud vendor | Due diligence report
    Vendor Management | Contracting | Define terms | SLA, security clauses | Contracts
    Vendor Management | Monitoring | Track vendor | Uptime tracking | SLA reports
    Vendor Management | Risk Mgmt | Manage vendor risk | Security assessment | Vendor risk register
    Performance Monitoring | KPI Definition | Define measures | 99.9% uptime KPI | KPI framework
    Performance Monitoring | Monitoring | Track performance | System monitoring | Tools/logs
    Performance Monitoring | Reporting | Inform management | Monthly KPI reports | Reports
    Performance Monitoring | Action | Improve performance | Fix downtime issues | Meeting minutes
    Quality Management | QA | Define processes | SDLC framework | QA documentation
    Quality Management | QC | Test outputs | UAT testing | Test results
    Quality Management | Defect Mgmt | Track issues | Bug tracking | Defect logs
    Quality Management | Improvement | Improve processes | Lessons learned | Improvement log
    Privacy & Data Protection | Data Governance | Manage data lifecycle | Data classification | Data policies
    Privacy & Data Protection | Privacy Compliance | Apply laws | POPIA controls | DPIAs
    Privacy & Data Protection | Data Protection | Secure data | Encryption | Security configs
    Privacy & Data Protection | Data Rights | Manage requests | Data access requests | Request logs
    Continuous Improvement | Performance Review | Evaluate effectiveness | KPI reviews | Reports
    Continuous Improvement | Lessons Learned | Capture insights | Incident reviews | Lessons register
    Continuous Improvement | Optimisation | Improve processes | Automation | Updated procedures
    Continuous Improvement | Maturity | Improve capability | Move to automated controls | Maturity assessment
  28. Domain 2 - Summary

    Core Principle
    • Governance = Direction & Oversight (Board)
    • Management = Execution & Control (Operations)
    • Alignment ensures value delivery, risk management, and accountability
    Key Focus Areas
    IT Governance & Strategy
    • Align IT with business objectives
    • Deliver value + manage risk
    Organisational Structure
    • Clear roles, responsibilities, segregation of duties
    • Effective oversight and accountability
    Frameworks, Policies & Procedures
    • Structured control environment
    • Policy (what) | Procedure (how) | Standards (rules)
    Enterprise Architecture & Risk Management
    • EA = alignment + integration
    • ERM = identify, assess, treat, monitor risks
    Operational Execution
    • Resource Management → Optimise people, systems, budgets
    • Vendor Management → monitor third parties (accountability remains internal)
    • Performance Monitoring → KPIs, KRIs aligned to business value
    • Quality Management → consistent, controlled, continuously improving processes
    Data, Privacy & Governance
    • Protect data through classification, ownership, and controls
    • Comply with legal and regulatory requirements
    Audit & Exam Focus
    • Governance is board responsibility
    • Auditor evaluates effectiveness, not design
    • Controls must be aligned, monitored, and evidenced
    • Always think: Business alignment + Risk + Value
  29. What CISA Really Tests in Domain 2

    • Alignment to business objectives
    • Clear accountability
    • Risk-based decision making
    • Control effectiveness (not existence)
    • Continuous monitoring
    • Management action
    If governance does not drive execution, controls will fail.
  30. Question 1 — Governance vs Control Effectiveness

    An organisation has implemented a comprehensive IT governance framework aligned with business strategy. During an audit, it is found that business units frequently bypass standard processes to meet urgent deadlines.
    What should the auditor recommend FIRST?
    A. Strengthen enforcement of policies and procedures
    B. Increase monitoring of IT performance
    C. Redesign the IT governance framework
    D. Implement additional technical controls
  31. Question 1 — Governance vs Control Effectiveness

    An organisation has implemented a comprehensive IT governance framework aligned with business strategy. During an audit, it is found that business units frequently bypass standard processes to meet urgent deadlines.
    What should the auditor recommend FIRST?
    A. Strengthen enforcement of policies and procedures
    B. Increase monitoring of IT performance
    C. Redesign the IT governance framework
    D. Implement additional technical controls
    Answer: A — Strengthen enforcement of policies and procedures
    Why: Governance exists and is aligned. The issue is lack of operational enforcement, not design.
  32. Question 2 — Vendor Risk Ownership

    A critical vendor manages customer data. Contracts include strong SLAs, but there is no internal owner responsible for vendor oversight.
    What is the GREATEST risk?
    A. SLA non-compliance
    B. Lack of accountability for vendor risk
    C. Poor contract design
    D. Inadequate monitoring tools
  33. Question 2 — Vendor Risk Ownership

    A critical vendor manages customer data. Contracts include strong SLAs, but there is no internal owner responsible for vendor oversight.
    What is the GREATEST risk?
    A. SLA non-compliance
    B. Lack of accountability for vendor risk
    C. Poor contract design
    D. Inadequate monitoring tools
    Answer: B — Lack of accountability for vendor risk
    Why: Governance principle — ownership is foundational. Without it, everything else fails.
  34. Question 3 — KPI Misalignment

    IT reports 99.9% system uptime, but the business reports frequent service disruptions during peak hours.
    What is the MOST likely cause?
    A. Ineffective monitoring tools
    B. KPIs not aligned to business objectives
    C. Poor incident management
    D. Weak IT governance
  35. Question 3 — KPI Misalignment

    IT reports 99.9% system uptime, but the business reports frequent service disruptions during peak hours.
    What is the MOST likely cause?
    A. Ineffective monitoring tools
    B. KPIs not aligned to business objectives
    C. Poor incident management
    D. Weak IT governance
    Answer: B — KPIs not aligned to business objectives
    Why: Classic CISA trap — technical metrics ≠ business value.
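The trap in Question 3 can be made concrete by scoring one outage log two ways: as raw uptime over the whole month, and as availability during the hours the business actually depends on. This is an added example with constructed timings, not material from the deck; the 30-day period, the 09:00-11:00 peak window and the outage log are all assumed sample values.

```python
"""Added example, not part of the original deck: a constructed KPI check showing
how a 99.9% overall uptime figure can hide repeated peak-hour disruptions, the
situation described in Question 3. All timings are constructed sample data."""
from datetime import datetime, timedelta

# Constructed 30-day reporting period and an assumed 09:00-11:00 daily peak
# window (the deck names neither; both are sample values).
PERIOD_START = datetime(2026, 3, 1)
PERIOD_END = datetime(2026, 3, 31)
PEAK_START_HOUR = 9
PEAK_END_HOUR = 11

# Constructed outage log: ten 4-minute outages (40 minutes in total, under the
# 43.2 minutes that 99.9% of 30 days allows), every one starting at 09:30,
# i.e. inside the peak window. Each entry is (start, duration in minutes).
OUTAGES = [(datetime(2026, 3, day, 9, 30), 4)
           for day in (2, 3, 5, 9, 10, 12, 16, 19, 24, 26)]


def _overlap_minutes(a_start, a_end, b_start, b_end):
    """Minutes shared by the intervals [a_start, a_end) and [b_start, b_end)."""
    start = max(a_start, b_start)
    end = min(a_end, b_end)
    return max(0.0, (end - start).total_seconds() / 60)


def peak_windows(period_start, period_end, start_hour, end_hour):
    """One (start, end) peak interval per calendar day in the period."""
    day = period_start.replace(hour=0, minute=0, second=0, microsecond=0)
    windows = []
    while day < period_end:
        windows.append((day + timedelta(hours=start_hour),
                        day + timedelta(hours=end_hour)))
        day += timedelta(days=1)
    return windows


def raw_availability(period_start, period_end, outages):
    """The technical KPI: share of all minutes in the period with no outage."""
    total = (period_end - period_start).total_seconds() / 60
    down = sum(_overlap_minutes(s, s + timedelta(minutes=m), period_start, period_end)
               for s, m in outages)
    return 1 - down / total


def peak_availability(period_start, period_end, outages, start_hour, end_hour):
    """Business-aligned KPI: share of peak-window minutes with no outage."""
    windows = peak_windows(period_start, period_end, start_hour, end_hour)
    peak_total = sum((e - s).total_seconds() / 60 for s, e in windows)
    peak_down = sum(_overlap_minutes(s, s + timedelta(minutes=m), ws, we)
                    for s, m in outages for ws, we in windows)
    return 1 - peak_down / peak_total


def peak_days_disrupted(period_start, period_end, outages, start_hour, end_hour):
    """Number of days on which at least one outage touched the peak window."""
    windows = peak_windows(period_start, period_end, start_hour, end_hour)
    return sum(1 for ws, we in windows
               if any(_overlap_minutes(s, s + timedelta(minutes=m), ws, we) > 0
                      for s, m in outages))


def kpi_report(period_start=PERIOD_START, period_end=PERIOD_END, outages=OUTAGES,
               start_hour=PEAK_START_HOUR, end_hour=PEAK_END_HOUR):
    """Both views side by side, with the 99.9% target applied to each."""
    raw = raw_availability(period_start, period_end, outages)
    peak = peak_availability(period_start, period_end, outages, start_hour, end_hour)
    return {
        "raw_availability": raw,            # ~99.91%: the KPI IT reports
        "raw_meets_99_9": raw >= 0.999,     # True
        "peak_availability": peak,          # ~98.89%: what the business feels
        "peak_meets_99_9": peak >= 0.999,   # False
        "peak_days_disrupted": peak_days_disrupted(period_start, period_end,
                                                   outages, start_hour, end_hour),
    }


if __name__ == "__main__":
    for key, value in kpi_report().items():
        print(f"{key}: {value:.4%}" if isinstance(value, float) else f"{key}: {value}")
```

The same 40 minutes of downtime pass the 99.9% target on the raw view and fail it on the peak view, with ten disrupted peak days, which is why an auditor checks what a KPI measures against what the business needs rather than only whether the reported number meets its threshold.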
  36. Question 4 — Risk Appetite Misalignment

    IT has implemented strict security controls that significantly slow down business operations. Business leaders are bypassing controls to maintain productivity.
    What is the BEST course of action?
    A. Enforce controls more strictly
    B. Reduce security controls
    C. Align controls with organisational risk appetite
    D. Increase user awareness training
  37. Question 4 — Risk Appetite Misalignment

    IT has implemented strict security controls that significantly slow down business operations. Business leaders are bypassing controls to maintain productivity.
    What is the BEST course of action?
    A. Enforce controls more strictly
    B. Reduce security controls
    C. Align controls with organisational risk appetite
    D. Increase user awareness training
    Answer: C — Align controls with organisational risk appetite
    Why: Controls must balance risk vs business objectives — not over-control.
  38. Question 5 — Enterprise Architecture Failure

    An organisation has a defined enterprise architecture, but projects are approved without architecture review to accelerate delivery timelines.
    What is the PRIMARY risk?
    A. Increased operational costs
    B. Non-compliance with standards
    C. Fragmented IT environment
    D. Poor vendor performance
  39. Question 5 — Enterprise Architecture Failure

    An organisation has a defined enterprise architecture, but projects are approved without architecture review to accelerate delivery timelines.
    What is the PRIMARY risk?
    A. Increased operational costs
    B. Non-compliance with standards
    C. Fragmented IT environment
    D. Poor vendor performance
    Answer: C — Fragmented IT environment
    Why: EA failure leads to duplication, inconsistency, and long-term complexity.
  40. Question 6 — Monitoring vs Action

    A SIEM system detects multiple security incidents and generates alerts, but no formal process exists to respond to them.
    What is the MOST significant control weakness?
    A. Lack of monitoring
    B. Lack of incident response process
    C. Ineffective SIEM configuration
    D. Poor governance structure
  41. Question 6 — Monitoring vs Action

    A SIEM system detects multiple security incidents and generates alerts, but no formal process exists to respond to them.
    What is the MOST significant control weakness?
    A. Lack of monitoring
    B. Lack of incident response process
    C. Ineffective SIEM configuration
    D. Poor governance structure
    Answer: B — Lack of incident response process
    Why: Monitoring without response = no control effectiveness.
  42. Question 7 — Policy vs Practice

    An organisation has a strong data classification policy. However, audits reveal inconsistent classification across departments.
    What should be the auditor’s PRIMARY concern?
    A. Policy design is inadequate
    B. Lack of enforcement and training
    C. Data is not protected
    D. Classification levels are incorrect
  43. Question 7 — Policy vs Practice

    An organisation has a strong data classification policy. However, audits reveal inconsistent classification across departments.
    What should be the auditor’s PRIMARY concern?
    A. Policy design is inadequate
    B. Lack of enforcement and training
    C. Data is not protected
    D. Classification levels are incorrect
    Answer: B — Lack of enforcement and training
    Why: Policy exists → failure is in implementation and awareness.
  44. Question 8 — Risk Integration

    IT maintains a detailed risk register, but enterprise risk reports do not include IT risks.
    What is the GREATEST issue?
    A. IT risk assessment is incomplete
    B. Lack of risk monitoring
    C. IT risk not integrated into ERM
    D. Poor documentation
  45. Question 8 — Risk Integration

    IT maintains a detailed risk register, but enterprise risk reports do not include IT risks.
    What is the GREATEST issue?
    A. IT risk assessment is incomplete
    B. Lack of risk monitoring
    C. IT risk not integrated into ERM
    D. Poor documentation
    Answer: C — IT risk not integrated into ERM
    Why: Domain 2 key principle → integration with enterprise risk.
  46. Question 9 — Control Design vs Effectiveness

    An organisation has implemented multi-factor authentication (MFA). However, users frequently share authentication tokens to bypass controls.
    What is the MOST critical issue?
    A. MFA is ineffective
    B. Weak user awareness and enforcement
    C. Poor authentication technology
    D. Lack of monitoring
  47. Question 9 — Control Design vs Effectiveness

    An organisation has implemented multi-factor authentication (MFA). However, users frequently share authentication tokens to bypass controls.
    What is the MOST critical issue?
    A. MFA is ineffective
    B. Weak user awareness and enforcement
    C. Poor authentication technology
    D. Lack of monitoring
    Answer: B — Weak user awareness and enforcement
    Why: Control exists but is not operating effectively due to human factors.
  48. Question 10 — Audit Evidence

    During an audit, management provides policies, risk registers, and performance reports. However, there is little evidence of corrective actions taken.
    What is the auditor MOST likely to conclude?
    A. Governance is effective
    B. Monitoring is adequate
    C. Control environment is ineffective
    D. Risk management is sufficient
  49. Question 10 — Audit Evidence

    During an audit, management provides policies, risk registers, and performance reports. However, there is little evidence of corrective actions taken.
    What is the auditor MOST likely to conclude?
    A. Governance is effective
    B. Monitoring is adequate
    C. Control environment is ineffective
    D. Risk management is sufficient
    Answer: C — Control environment is ineffective
    Why: No corrective action = no control loop closure.
  50. Question 11 — MOST LIKELY

    During the same audit scenario, the auditor confirms that issues are identified and reported, but no formal process exists to ensure corrective actions are implemented and tracked.
    What should the auditor recommend FIRST?
    A. Improve documentation of policies
    B. Implement a formal corrective action tracking process
    C. Increase frequency of performance reporting
    D. Conduct additional risk assessments
  51. Question 11 — MOST LIKELY

    During the same audit scenario, the auditor confirms that issues are identified and reported, but no formal process exists to ensure corrective actions are implemented and tracked.
    What should the auditor recommend FIRST?
    A. Improve documentation of policies
    B. Implement a formal corrective action tracking process
    C. Increase frequency of performance reporting
    D. Conduct additional risk assessments
    Answer: B — Implement a formal corrective action tracking process
    Why this is a trap:
    • Many will choose C (more reporting) — but reporting already exists
    • Some may choose D (more risk assessments) — but risks are already identified
    • The real issue is the missing link in the control lifecycle
    CISA thinking: Identify → Assess → Monitor → ACT
  52. Question 12 — MOST LIKELY

    During an audit, management presents documented policies, a risk register, and regular performance reports. However, there is no evidence that identified issues have been tracked or resolved over time.
    What is the MOST LIKELY conclusion?
    A. Governance processes are not defined
    B. Monitoring activities are ineffective
    C. The control environment is not operating effectively
    D. Risk identification is incomplete
  53. Question 12 — MOST LIKELY

    During an audit, management presents documented policies, a risk register, and regular performance reports. However, there is no evidence that identified issues have been tracked or resolved over time.
    What is the MOST LIKELY conclusion?
    A. Governance processes are not defined
    B. Monitoring activities are ineffective
    C. The control environment is not operating effectively
    D. Risk identification is incomplete
    Answer: C — The control environment is not operating effectively
    Why this is a trap:
    • Everything looks good on paper (policies, reports, risks)
    • The missing piece is action and follow-through
    CISA logic:
    • Controls must not just exist — they must be effective and evidenced
    • No remediation tracking = control failure, not just monitoring weakness
  54. Key Takeaways

    • Governance defines direction and accountability
    • Management ensures execution
    • Controls must be operationalised
    • Integration is critical for audit success
  55. Disclaimer

    PERSONAL LEARNING JOURNEY BASED ON CURRENT UNDERSTANDING
    OPEN TO INPUT AND DIFFERENT PERSPECTIVES
    I DO NOT REPRESENT ANY ORGANISATION
    ONE MAY USE THIS MATERIAL IF YOU WISH TO ALSO LEARN FROM THIS.