
PART 2 – CISA Domain 2 – Governance and Management of IT

  • What is the IT Balanced Scorecard (BSC)?
  • What are the roles and responsibilities of the IT governing committees (IT Strategy and IT Steering committees)?
  • What are the maturity and process improvement models?

4. IT Balanced Scorecard (BSC):

  • The IT BSC is a performance management and evaluation technique that can be applied to the GEIT (governance of enterprise IT) process to assess IT functions and processes
  • The IT BSC is the most effective means of aiding the IT strategy committee and management in achieving IT governance through proper alignment of IT with the business
Points to remember:

  • The purpose of the IT Balanced Scorecard is to evaluate and monitor performance indicators such as customer satisfaction, internal processes and innovation capacity
  • The IT BSC is not limited to financial measures: financial (business contribution) is only one of its perspectives, alongside the customer, internal process and innovation/learning perspectives

5.IT Governing committees:

  • Organizations broadly have two IT governance committees:
    1. IT Strategy committee
    2. IT Steering committee
  • Candidates should clearly distinguish the IT Strategy committee from the IT Steering committee; exam questions test exactly that distinction

Role of IT strategy committee:

  • Advises the board and management on IT strategy
  • Is delegated by the board to provide input to the strategy and to prepare its approval
  • Focuses on current and future strategic IT issues
  • Provides insight and advice to the board on topics such as:
    • The alignment of IT with the business direction
    • The availability of suitable IT resources, skills and infrastructure to meet the strategic objectives
    • The achievement of strategic IT objectives

Membership of IT Strategy committee:

  • Board members, and
  • Specialist non-board members

Role of IT Steering committee:

  • Assists the executive in the delivery of the IT strategy
  • Oversees the day-to-day management of IT service delivery and IT projects
  • Focuses on implementation
  • Decides the overall level of IT spending and how costs will be allocated
  • Approves project plans and budgets, setting priorities and milestones
  • Communicates strategic goals to project teams
  • Monitors resource and priority conflicts between enterprise divisions and the IT function, as well as between projects
  • Reports to the board of directors on IS activities
  • Makes decisions regarding centralization versus decentralization and the assignment of responsibility
Points to remember: The enterprise’s risk appetite is best established by the IT Steering committee.

Membership of IT Steering committee:

  • Sponsoring executive
  • Business executive (key users)
  • Chief information officer (CIO)
  • Key advisors as required (IT, audit, legal, finance)

6. Maturity and Process Improvement Models:

  • Implementation of IT governance requires ongoing performance measurement of an organization’s resources that contribute to the execution of the processes that deliver IT services to the business
  • Some of the process improvement models are:
    • The IDEAL model is a software process improvement (SPI) program model used for planning and implementing an effective SPI program. It consists of five phases:
      1. Initiating,
      2. Diagnosing,
      3. Establishing,
      4. Acting and
      5. Learning
    • The COBIT Process Assessment Model (PAM), using COBIT 5, which is based on the ISO/IEC 15504 Information Technology—Process Assessment standard
    • Capability Maturity Model Integration (CMMI) is a process improvement approach that provides enterprises with the essential elements of effective processes. CMMI has five maturity levels:
      • Level 1 – Initial – The riskiest stage an organization can find itself in: an unpredictable, ad hoc environment that increases risk and inefficiency.
      • Level 2 – Managed – Projects are planned and performed, but many issues remain to be addressed.
      • Level 3 – Defined – Organizations are proactive at this level rather than reactive. Processes are documented and tailored for the organization. The organization is aware of its shortcomings, knows how to address them and plans for improvement.
      • Level 4 – Quantitatively managed – Processes are measured and controlled. The organization stays ahead of risks, with data-driven insight into process deficiencies.
      • Level 5 – Optimizing – Processes are stable and flexible. The organization is in a constant state of improving and responding to changes or other opportunities.

Aswini Srinath
Writer And Editor
I am a qualified Chartered Accountant based out of Chennai, with 8+ years of experience in various roles in the finance domain, including CA practice, financial reporting and auditing. I have always been keen to challenge myself by exploring potential capabilities outside of my core competency. Picked up Information Security as one such thing. Cleared CISA with 2nd Rank in the ISACA Chennai Chapter in 2019. Since then, I have been sharing my learning and experience with a small group of avid followers, helping them prepare for their CISA exams. This article is also one such attempt, where I summarize the key areas in each domain based on their importance and weightage from an exam point of view.