3.4 Common Traps in Governance and Management of IT
Key Takeaways
- Do not confuse governance (the board's evaluate, direct and monitor (EDM) role: set direction, then evaluate results) with management (plan, build, run and monitor to execute that direction). The exam punishes answers that make the IT department accountable for governance.
- The auditor assesses and reports; answers where the auditor designs, owns, or approves controls impair independence and are wrong.
- Business continuity governance is judged by RTO/RPO/MTD aligned to a business impact analysis, regular testing, and senior ownership — not by having a plan on a shelf.
- Alignment to business strategy and risk appetite beats a purely technical or cost-only answer.
- A familiar term in an option is not enough; the choice must fit the role, level, and timing in the stem.
Trap 1: Governance vs. Management Confusion
The most punished mistake is treating management activities as governance or making the IT department accountable for the governance framework. Accountability for IT governance rests with the board and executive leadership, not the CIO's team alone. When a stem asks 'who is accountable' or 'where does this decision belong,' resist the answer that pushes it down to IT operations.
The mirror trap is picking a board-level body for an operational task. The board does not approve individual project budgets or rank individual projects; an IT steering committee does. Always anchor on the level the stem describes before choosing an answer.
A quick test for any 'who is accountable' item: governance accountabilities (framework, appetite, value oversight) cannot be delegated away from the board even when the work is delegated to management. So an answer that makes a vendor, a project team, or the IT department accountable for the governance framework itself is almost always wrong, even if that party performs the underlying activity day to day.
Trap 2: The Auditor Acting as Management
Attractive distractors have the auditor design controls, own the risk register, approve the strategy, or implement a fix. All of these impair independence and objectivity, which ISACA's IS Audit and Assurance Standards (organizational independence, auditor objectivity) make mandatory rather than a preference. The correct auditor action is almost always to evaluate, test, conclude, and report, and, where weaknesses exist, to recommend rather than remediate.
A related trap is having the auditor give an opinion on a system the auditor helped build or operate. Prior involvement is a self-review threat; the right move is to disclose the impairment and have an independent party perform the review. Any answer that quietly compromises independence is wrong even when it would be efficient: if a stem offers the auditor a chance to 'just fix it,' that efficiency is the bait.
Trap 3: Business Continuity on Paper Only
Business continuity governance is tested through outcomes, not the existence of a binder. The governing chain is: a business impact analysis (BIA) identifies critical processes and sets recovery objectives; the plan is built to meet them; it is tested regularly; and a senior owner maintains it.
| Metric | Meaning |
|---|---|
| RTO (Recovery Time Objective) | Maximum acceptable time to restore a process after disruption |
| RPO (Recovery Point Objective) | Maximum tolerable data loss, expressed as the time between the last recoverable copy of the data and the disruption |
| MTD (Maximum Tolerable Downtime) | Total time a process can be unavailable before the harm becomes unacceptable; RTO plus work recovery time (WRT, the time to verify restored data and resume normal processing) must fit within the MTD |
The trap answer praises a comprehensive, expensive plan that has never been tested or whose RTO/RPO were set by IT without business input. The exam favors the choice that ties recovery objectives to the BIA and validates them through testing.
Trap 4: Technical or Cost Shortcuts Over Alignment
Many distractors solve one department's immediate problem while creating compliance, data-quality, or strategic-alignment risk — for example, deploying a tool that bypasses change management, or cutting a control to save money without authorized risk acceptance. Domain 2 consistently rewards the option that keeps IT aligned to business strategy and within risk appetite, even when a faster or cheaper path is offered.
Guard against the 'familiar term' trap: an option may contain a buzzword you recognize (COBIT, balanced scorecard, SLA) yet still be wrong because it does not fit the role, level, or timing in the stem. Verify that the content of the option answers this scenario, not just that it sounds authoritative. Practice this domain with mixed questions so you can spot it even when the stem never names 'governance' explicitly.
Trap 5: Treating Compliance as a Checkbox
Domain 2 includes evaluating compliance with laws, regulations, and contractual requirements (privacy, financial-reporting, and industry rules vary by jurisdiction and sector). The trap is treating compliance as a one-time certificate rather than an ongoing governance obligation. Good governance assigns ownership of each obligation, maintains a register of applicable requirements, monitors changes in the legal landscape, and tests controls for continued conformance.
The exam rewards answers that build compliance into the governance machinery — a defined owner, monitoring, and periodic assessment — over answers that rely on a past audit, a signed attestation, or the assumption that 'legal handles that.' A related distractor offers a control that satisfies one regulation while violating another or while degrading data quality; the correct choice considers the full set of obligations, not a single one.
Finally, remember the auditor's compliance role is to assess conformance and report gaps, not to decide which laws apply (that is legal counsel's role) or to remediate violations directly. When a stem mixes a legal judgment with an audit action, separate the two: the auditor evaluates the control environment and escalates, while accountable management and counsel own the compliance decisions.
The recurring lesson across all five traps is the same: identify the governing rule and the accountable party first, and reject any option — however fast, cheap, or familiar — that quietly shifts accountability, skips a mandatory control, or trades long-term alignment for a short-term win.
- A business continuity plan is thorough, well-written, and approved, but it has never been tested and its recovery objectives were set by IT without business input. What is the MOST significant governance weakness?
- Which option reflects a properly independent IS auditor action during an IT governance review?
- An organization relies on a two-year-old compliance attestation and assumes its regulatory obligations are still met. What is the BEST governance practice the auditor should expect instead?