
CISA Domain 3 – Information Systems Acquisition, Development and Implementation – PART 1

PART 1 – CISA Domain 3 – Information Systems Acquisition, development and implementation

  • Overall understanding of Domain 3
  • What is benefits realization?
  • What is portfolio management?
  • What is Business case development and approval?
  • What are the benefit realization techniques?

Overall understanding of the domain:

Weightage – This domain constitutes 18 percent of the CISA exam (approximately 27 questions)

It covers 14 knowledge statements on the process of auditing information systems:

  • Knowledge of benefits realization practices, (e.g., feasibility studies, business cases, total cost of ownership [TCO], return on investment [ROI])
  • Knowledge of IT acquisition and vendor management practices (e.g., evaluation and selection process, contract management, vendor risk and relationship management, escrow, software licensing) including third-party outsourcing relationships, IT suppliers and service providers.
  • Knowledge of project governance mechanisms (e.g., steering committee, project oversight board, project management office)
  • Knowledge of project management control frameworks, practices and tools
  • Knowledge of risk management practices applied to projects
  • Knowledge of requirements analysis and management practices (e.g., requirements verification, traceability, gap analysis, vulnerability management, security requirements)
  • Knowledge of enterprise architecture related to data, applications, and technology (e.g., web-based applications, web services, n-tier applications, cloud services, virtualization)
  • Knowledge of system development methodologies and tools including their strengths and weaknesses (e.g., agile development practices, prototyping, rapid application development [RAD], object-oriented design techniques, secure coding practices, system version control)
  • Knowledge of control objectives and techniques that ensure the completeness, accuracy, validity and authorization of transactions and data
  • Knowledge of testing methodologies and practices related to the information system development life cycle (SDLC)
  • Knowledge of configuration and release management relating to the development of information systems
  • Knowledge of system migration and infrastructure deployment practices and data conversion tools, techniques and procedures
  • Knowledge of project success criteria and project risk
  • Knowledge of post-implementation review objectives and practices (e.g., project closure, control implementation, benefits realization, performance measurement)

Important concepts from exam point of view:

1. Benefits realization:

The objectives of benefits realization are:

  • To ensure that IT and the business fulfill their value management responsibilities
  • To ensure that IT-enabled business investments achieve the promised benefits and deliver measurable business value
  • To ensure that the required capabilities (solutions and services) are delivered on time and within budget

2. Portfolio/Program Management:

The objectives of project portfolio management are:

  • Optimization of the results of the project portfolio (not of the individual projects)
  • Prioritizing and scheduling projects
  • Resource coordination (internal and external)
  • Knowledge transfer throughout the projects

3. Business case development and approval:

  • A business case provides the information required for an organization to decide whether a project should proceed
  • A business case is the first step in a project or a precursor to the commencement of the project
  • The business case should also be a key element of the decision process throughout the life cycle of any project
  • The initial business case would normally derive from a feasibility study undertaken as part of project initiation/planning
  • The feasibility study will normally include the following six elements:
    1. Project Scope – defines the business problem and/or opportunity to be addressed
    2. Current Analysis – defines and establishes an understanding of the existing system or software product. At this point in the process, the strengths and weaknesses of the current system or software product are identified.
    3. Requirements – defined based upon stakeholder needs and constraints
    4. Approach – recommended system and/or software solution to satisfy the requirements
    5. Evaluation – is based upon the previously completed elements within the feasibility study. The final report addresses the cost-effectiveness of the approach selected
    6. Review – A formal review of feasibility study report is conducted with all stakeholders

4. Benefit realization techniques:

  • COBIT 5 provides the industry-accepted framework under which IT governance goals and objectives are derived from stakeholder drivers, with the intent that enterprise IT generates business value from IT-enabled investments
  • COBIT 5 is based on 5 principles and 7 enablers:

5 Principles:
  1. Meeting shareholders' needs
  2. End-to-end coverage
  3. Holistic approach
  4. Integrated framework
  5. Separate governance from management

7 Enablers:
  1. Principles, policies and frameworks
  2. Processes
  3. Organizational structures
  4. Culture, ethics and behaviour
  5. Information
  6. Services, infrastructure and applications
  7. People, skills and competencies


Aswini Srinath
Writer and Editor
I am a qualified Chartered Accountant based out of Chennai, with 8+ years of experience in various roles in the finance domain, including CA practice, financial reporting and auditing. I have always been keen to challenge myself by exploring potential capabilities outside of my core competency, and picked up Information Security as one such thing. I cleared CISA with 2nd rank in the ISACA Chennai Chapter in 2019. Since then, I have been sharing my learning and experience with a small group of avid followers, helping them prepare for their CISA exams. This article is also one such attempt, where I summarize the key areas in each domain based on their importance and weightage from an exam point of view.