3.1 Governance and Management of IT Overview

Key Takeaways

  • Domain 2 is about 18% of the CISA exam and tests whether IT delivers value while staying aligned with enterprise strategy, risk appetite, and compliance obligations.
  • Governance (the board's EDM role) sets direction and evaluates results; management (executives) plans, builds, runs, and monitors within that direction.
  • COBIT 2019 organizes 40 objectives into five domains: EDM (5 governance) plus APO, BAI, DSS, and MEA (35 management).
  • The IS auditor evaluates governance design and operating effectiveness; the auditor advises but does not own IT risk, controls, or strategy.
  • Most Domain 2 questions ask for the BEST or FIRST action, so the alignment-to-strategy and accountability logic usually wins over a purely technical fix.
Last updated: June 2026

What Domain 2 Tests

Governance and Management of IT is the second CISA job-practice domain and carries roughly 18% of the exam. It examines whether information technology delivers value to the enterprise while remaining aligned with business strategy, operating within the organization's risk appetite, and complying with applicable laws and regulations. ISACA frames the domain around two big questions: Is IT governed effectively by the board and executive leadership? and Is IT managed effectively day to day?

The domain is built from job tasks, not vocabulary. Exam items describe a realistic situation and ask which action, control, structure, or reporting line is most appropriate. Because the answers are scenario-driven, memorizing definitions is necessary but not sufficient — you must apply the governance logic of accountability, alignment, and independent oversight.

The official CISA job-practice statements for this domain include evaluating the IT governance structure and IT organizational structure; the management of IT policies and practices; IT resource and portfolio management for alignment with strategy; the enterprise risk management program and defined ownership of IT risk, controls, and standards; legal and regulatory compliance; the monitoring and reporting of IT KPIs and KRIs; and the organization's ability to continue business operations. Expect items drawn from each of these task areas.

Governance vs. Management

CISA insists you separate these two ideas, and COBIT 2019 makes the distinction concrete:

| Aspect | Governance | Management |
| --- | --- | --- |
| Who | Board of directors / governing body | Executive management (CIO, CISO, line managers) |
| Core verbs | Evaluate, Direct, Monitor (EDM) | Plan, Build, Run, Monitor (APO/BAI/DSS/MEA) |
| Focus | Stakeholder needs, value, risk appetite, direction | Achieving objectives set by governance |
| Example | Setting IT risk appetite; approving IT strategy | Running the IT project portfolio; operating controls |

Governance sets direction and evaluates whether objectives were met; management executes within that direction. A frequent trap presents an operational fix (a management activity) when the stem actually asks who is accountable — and accountability for the governance framework rests with the board, not the IT department.

COBIT 2019 at a Glance

COBIT 2019, published by ISACA, is the framework Domain 2 leans on most. It defines 40 governance and management objectives grouped into five domains:

  • EDM — Evaluate, Direct, Monitor (5 governance objectives): the board's domain (e.g., ensuring governance framework setting, benefits delivery, risk optimization, resource optimization, stakeholder engagement).
  • APO — Align, Plan, Organize (14): strategy, enterprise architecture, risk, security, vendors, budget, human resources.
  • BAI — Build, Acquire, Implement (11): programs and projects, requirements, changes, configuration.
  • DSS — Deliver, Service, Support (6): operations, service requests/incidents, problems, continuity, security services.
  • MEA — Monitor, Evaluate, Assess (4): performance and conformance, internal control, compliance with external requirements, assurance.

Each objective is realized through seven governance components (processes; organizational structures; policies and procedures; information; culture/ethics/behavior; people, skills and competencies; and services, infrastructure and applications). COBIT 2019 also introduces design factors and focus areas so an enterprise can tailor its governance system rather than adopt a one-size-fits-all model.

A reliable memory hook for the exam: the single governance domain (EDM) is the board's, and the four management domains spell the lifecycle of running IT — you Align/Plan/Organize, then Build/Acquire/Implement, then Deliver/Service/Support, and continuously Monitor/Evaluate/Assess. If a stem describes setting direction or evaluating outcomes at the top, think EDM; if it describes planning, delivering, operating, or independently monitoring those activities, think one of the management domains.

COBIT is the framework CISA expects you to reach for when a question asks for a comprehensive governance-and-management model with defined objectives and components, as opposed to narrower standards such as ISO 27001 (security) or ITIL (service management).

The IS Auditor's Role in Governance

The auditor does not own IT strategy, controls, or risk — management and the board do. The auditor independently evaluates whether the governance framework is well designed and operating effectively, then reports findings and recommendations. This independence is why CISA answers rarely have the auditor implement a control or make a business decision; the auditor assesses, advises, and reports.

When scoping a governance review, the auditor confirms that an IT strategy exists and ties to business objectives, that organizational structures and accountabilities are defined, that policies cascade into standards and procedures, and that performance and risk are monitored and reported to the right level. Use the domain weight (18%) and your practice-test miss rate to budget review time — this is a heavily tested, judgment-rich domain.

Strategic Alignment and Value Delivery

The purpose of IT governance is strategic alignment — making sure IT investments, projects, and operations support the enterprise's goals rather than drifting into technology for its own sake. ISACA expresses this through five governance focus areas the board must oversee: strategic alignment, value delivery, risk management, resource management, and performance measurement. An IS auditor evaluating governance traces each of these: Does the IT strategy map to the business strategy? Are investments delivering measured benefits? Is risk kept within appetite? Are people, applications, infrastructure, and information used efficiently? Are results monitored and reported?

Value delivery in particular is what links Domain 2 to the project portfolio: IT initiatives should be selected and prioritized by their business value and risk, not by who shouts loudest. A governance failure often shows up as a portfolio of disconnected projects with no benefit tracking. CISA answers reward restoring that line of sight — a steering committee that prioritizes by value, a portfolio view, and post-implementation benefit reviews — over simply approving more spending.

Test Your Knowledge

An organization's board approves the enterprise IT risk appetite and reviews whether IT investments delivered expected value. In COBIT 2019 terms, these activities belong to which domain?

Test Your Knowledge

During a governance review, which activity is MOST consistent with the IS auditor's proper role?

Test Your Knowledge

Which of the following is one of the five IT governance focus areas the board oversees to ensure IT supports the enterprise?
