CISA Domain 2: Full-Length Assessment Simulation
CISA Domain 2: Governance and Management of IT focuses on the strategic and oversight aspects of information technology within an organization. This domain accounts for approximately 17% of the CISA exam and is essential for auditors who need to evaluate whether IT is aligned with business objectives, managed effectively, and governed by appropriate policies and structures.
🎯 Core Objective
The primary goal is to assess the organization’s IT governance framework to ensure that:
- IT strategy supports and enables business goals
- IT resources are managed efficiently and effectively
- Risks are identified, evaluated, and mitigated at an enterprise level
- Performance is measured and monitored against defined objectives
- Compliance with laws, regulations, and internal policies is achieved
🔍 Key Areas of Focus
A. IT Governance Frameworks and Structures
- Strategic Alignment: Ensuring that IT strategy is directly linked to business strategy and objectives.
- Organizational Structures: Evaluating the roles and responsibilities of IT steering committees, boards, and management in IT decision-making.
- Frameworks and Standards: Understanding common frameworks like COBIT, ITIL, ISO 27001, and TOGAF, and how they support governance.
- IT Policies and Procedures: Reviewing whether comprehensive, approved policies exist for areas such as security, data management, and acceptable use.
B. IT Strategy and Planning
- IT Strategic Plan: Assessing whether the organization has a multi-year IT roadmap that aligns with business needs.
- Resource Management: Evaluating how IT budgets, personnel, and assets are planned, allocated, and managed.
- Portfolio Management: Reviewing how IT investments are prioritized and balanced across the organization’s project portfolio.
C. IT Risk Management
- Enterprise Risk Management (ERM): Evaluating how IT risks are integrated into the organization’s overall risk management framework.
- Risk Assessment: Assessing the process for identifying, analyzing, and responding to IT-related risks (e.g., cybersecurity, data privacy, system availability).
- Risk Appetite: Understanding the organization’s tolerance for IT risk and whether it is consistently applied in decision-making.
- Business Impact Analysis (BIA): Reviewing how critical business processes are identified and prioritized.
D. IT Performance Management
- Key Performance Indicators (KPIs): Evaluating whether the organization uses meaningful metrics to track IT performance and value delivery.
- Key Risk Indicators (KRIs): Assessing whether KRIs are in place to provide early warning signals for potential IT risks.
- Benchmarking: Comparing IT performance against industry standards or peers to identify areas for improvement.
- Balanced Scorecard: Understanding how IT performance is measured across multiple dimensions (financial, customer, internal process, learning/growth).
E. IT Compliance and Assurance
- Regulatory Compliance: Ensuring that IT practices comply with applicable laws and regulations (e.g., GDPR, HIPAA, SOX, PCI-DSS).
- Internal Controls: Evaluating the design and effectiveness of IT controls that support financial reporting and operational integrity.
- Internal and External Audit: Understanding the role of audit in providing independent assurance over IT governance and management.
F. IT Outsourcing and Vendor Management
- Vendor Governance: Assessing the processes for selecting, contracting, and monitoring third-party IT service providers.
- Service Level Agreements (SLAs): Reviewing whether SLAs are defined, measured, and enforced with appropriate penalties/rewards.
- Performance Monitoring: Evaluating how vendor performance is tracked and reported to ensure compliance with contractual obligations.
- Exit Strategies: Ensuring that contracts include provisions for knowledge transfer and data return in case of vendor termination.
G. Business Continuity and Disaster Recovery (as a governance responsibility)
- BCP/DRP Oversight: Evaluating whether management has ensured that business continuity and disaster recovery plans are developed, tested, and maintained.
- Crisis Management: Assessing whether the organization has established protocols for responding to IT-related incidents and emergencies.
💡 Why It Matters for the CISA Exam
- Strategic Thinking: Questions often test your ability to think beyond technical controls to the broader governance implications of IT decisions.
- Balancing Competing Priorities: You’ll be asked to evaluate situations where cost, speed, risk, and compliance must be balanced—requiring judgment based on ISACA principles.
- Risk-Based Auditing: This domain reinforces the importance of focusing audit efforts on areas of highest risk to the organization’s objectives.
- Management Interaction: Many scenarios involve interactions with senior management or boards, testing your ability to communicate audit findings in a business context.
In short, Domain 2 is about ensuring that IT is a strategic asset—not just a cost center—and that it is managed with the same rigor and accountability as any other critical business function. This is where the auditor moves from being a “tester of controls” to a “trusted advisor” to the organization’s leadership.
CISA Domain 2: Full-Length Assessment Simulation
Governance and Management of IT
Instructions
- Timed test: Manage your time as you would in the actual CISA exam.
- Scenario-based thinking: Each question presents a realistic enterprise IT audit situation.
- Single best answer: Select the most appropriate response among the four options.
- No partial credit: Only one correct answer per question.
- Immediate feedback: After selecting an answer, the interface will highlight correct/incorrect choices.
- Detailed explanations: At the end of the assessment, click "Show Details" to review audit reasoning for all questions.
Question 1
An organization is updating its enterprise IT strategy to ensure alignment with business strategic goals. Which of the following is the MOST reliable indicator that business and IT strategy alignment is being achieved effectively?
Question 2
An IS auditor is reviewing the governance structure of a multi-national financial institution. When assessing the roles of committees, which of the following responsibilities uniquely distinguishes the IT Strategy Committee from the IT Steering Committee?
Question 3
An enterprise implements an IT Balanced Scorecard framework. To measure systemic efficiency from the Internal Business Processes perspective, which metric should an IS auditor expect to find?
Question 4
During an audit of an enterprise's information security management system, the IS auditor notes that data ownership policies have not been updated for three years. Who should be held ULTIMATELY responsible for corporate IT governance and risk management?
Question 5
An IS auditor is evaluating the organizational chart of an IT department to detect a potential lack of segregation of duties. Which of the following reporting relationships represents the GREATEST conflict of interest?
Question 6
An organization decides to outsource its core datacenter hosting services to a third-party cloud service provider. To maintain an "informed purchaser capability," what is the MOST critical governance activity for the organization?
Question 7
An IS auditor is assessing an organization's maturity level using a standard Capability Maturity Model Integration (CMMI) framework. The auditor finds that processes are documented, standardized, and integrated into organization-wide guidelines. Which level is indicated?
Question 8
When reviewing an enterprise’s risk management implementation, which of the following should be used as the PRIMARY driver for setting appropriate information security control baselines?
Question 9
During the planning phase of an IT audit focused on vendor risk management, what source document provides the BEST evidence regarding specific roles, service boundaries, and performance expectations?
Question 10
An IS auditor observes that a company relies entirely on lagging indicators to evaluate its risk management framework performance. What is the main disadvantage of using ONLY lagging indicators?
Question 11
An enterprise architecture (EA) framework is being evaluated by an internal IT audit team. What is the PRIMARY benefit of implementing a formalized enterprise architecture framework within an organization?
Question 12
An organization conducts a comprehensive Business Impact Analysis (BIA) as part of its business continuity management governance. Who should maintain direct ownership of the specific information assets and validation rules defined in the BIA?
Question 13
An IS auditor discovers that an enterprise has not formally defined its Key Goal Indicators (KGIs) for its IT investment portfolio. What is the primary purpose of establishing explicit KGIs?
Question 14
To optimize human resource management controls within database operations, an organization implements a mandatory vacation policy for all database administrators (DBAs). What is the primary governance objective of this practice?
Question 15
A Chief Information Security Officer (CISO) reports directly to the Chief Information Officer (CIO). What is the main audit concern regarding this structural reporting line?
Question 16
An organization purchases an expensive comprehensive cyber-insurance policy to protect against potential financial impacts from ransomware attacks. Which risk response strategy does this action represent?
Question 17
An IS auditor is reviewing an enterprise Quality Management System (QMS) framework for software operations. Which international framework provides standard certification for establishing a formalized QMS framework?
Question 18
Following a major business continuity drill failure, the IS auditor evaluates the post-incident review records. What is the primary objective of performing a formal post-incident review after an interruption or test?
Question 19
An IS auditor is evaluating IT portfolio management processes. What distinguishes portfolio management from program management?
Question 20
An organization relies heavily on Key Risk Indicators (KRIs) to track cybersecurity indicators. Which factor is MOST critical when defining an effective KRI?
Audit Reasoning & Explanations