CISA Exam

CISA Governance and Management of IT Cheat Sheet (2026): Key Formulas, Rules, and Mnemonics

cisa cisa2 cheat sheet

The CISA exam has a <50% pass rate.

VoraPrep's AI finds your weak spots before the exam does — adaptive practice that actually moves your score.

Try Free →

You're staring down CISA Domain 2, "Governance and Management of IT," and it feels like a dense jungle of frameworks, committees, and acronyms. Many candidates stumble here, not because the concepts are inherently complex, but because they fail to distinguish between governance (setting direction) and management (executing it). This domain isn't about rote memorization; it's about applying a strategic mindset to IT's role in the enterprise.

To conquer CISA Domain 2, you must internalize the distinction between governance and management, understand the purpose and application of key frameworks like COBIT, and evaluate IT investments through a risk-focused lens, always prioritizing business value and alignment.

Governance and Management of IT at a Glance

Domain 2, accounting for 17% of your CISA exam score, is where ISACA tests your ability to think like an executive, not just an auditor. This section evaluates your understanding of how an organization ensures its IT strategy supports its business objectives. You'll encounter questions on IT strategic planning, risk management, resource optimization, performance measurement, and the overarching framework of IT governance.

The highest-weight areas often revolve around strategic alignment (how IT supports business goals), value delivery (ensuring IT investments provide tangible benefits), and risk management (identifying, assessing, and mitigating IT-related risks). Expect scenario-based questions that require you to apply principles rather than just recall definitions. Your goal is to grasp the why behind each framework and principle. While you should memorize key COBIT 2019 principles or ITIL service lifecycle stages, focus more on understanding their practical application in real-world audit scenarios. For example, don't just know what an IT Steering Committee is; understand when and why an auditor would evaluate its effectiveness.

You don't need to know every single detail of every framework, but you must know their core purpose and how they relate to good governance. Try VoraPrep's free CISA practice questions to test your current understanding of these concepts.

Must-Know Formulas, Rules, and Frameworks

This domain demands a solid grasp of how IT decisions contribute to overall business value. Here are the core concepts and decision-making tools you'll need.

Core Financial Formulas for IT Investment

While the CISA exam isn't an accounting test, you'll need to understand how IT investments are evaluated.

  • Return on Investment (ROI):
  • Formula: `ROI = (Net Profit / Cost of Investment) * 100%`
  • Purpose: Measures the financial gain or loss relative to the initial cost. Helps justify IT projects.
  • Decision Rule: Higher ROI is generally better.
  • CISA Context: When evaluating an IT project proposal, an auditor assesses whether the projected ROI is realistic and whether all relevant costs and benefits (tangible and intangible) have been considered.
  • Net Present Value (NPV):
  • Purpose: Evaluates the profitability of an investment by discounting all future cash flows (inflows and outflows) back to their present value. Accounts for the time value of money.
  • Decision Rule: A positive NPV indicates a profitable project; a negative NPV suggests it's not worth undertaking.
  • CISA Context: Auditors check if management uses appropriate discount rates and considers all relevant cash flows when making long-term IT investment decisions.

Let's walk through an example:

Worked Example: Evaluating a Cloud Migration Project

An organization, "SecureCorp," is considering migrating its on-premise data center to a cloud provider. The project manager presents the following figures for the next three years:

  • Initial Investment (Year 0): $150,000 (migration costs, initial subscription setup)
  • Annual Savings (Year 1, 2, 3): $70,000 (reduced hardware, maintenance, power)
  • Projected Revenue Increase (Year 2, 3): $20,000 per year (due to improved agility and new service offerings)
  • Annual Cloud Subscription Costs (Year 1, 2, 3): $30,000
  • Discount Rate (Cost of Capital): 10%
Calculate the Project's Simple ROI and NPV: Step 1: Calculate Total Net Profit for ROI (ignoring time value for simplicity here)
  • Total Annual Benefit = Savings + Revenue Increase = $70,000 + $20,000 = $90,000
  • Total Annual Cost = Cloud Subscription = $30,000
  • Annual Net Benefit = $90,000 - $30,000 = $60,000
  • Total Net Profit over 3 years = $60,000 * 3 = $180,000
Step 2: Calculate Simple ROI
  • ROI = ($180,000 / $150,000) * 100% = 120%
Step 3: Calculate NPV
  • Year 0: -$150,000 (Initial Investment)
  • Year 1 Net Cash Flow: ($70,000 + $0) - $30,000 = $40,000
  • PV (Year 1) = $40,000 / (1 + 0.10)^1 = $36,363.64
  • Year 2 Net Cash Flow: ($70,000 + $20,000) - $30,000 = $60,000
  • PV (Year 2) = $60,000 / (1 + 0.10)^2 = $49,586.78
  • Year 3 Net Cash Flow: ($70,000 + $20,000) - $30,000 = $60,000
  • PV (Year 3) = $60,000 / (1 + 0.10)^3 = $45,078.89
  • NPV = -$150,000 + $36,363.64 + $49,586.78 + $45,078.89 = -$18,970.69
Analysis: The simple ROI of 120% looks good, but the NPV calculation, which accounts for the time value of money, reveals a negative NPV of approximately -$18,971. This indicates that, given the 10% discount rate, the project's future cash flows are not enough to recover the initial investment and cost of capital. Common Trap: Focusing only on positive ROI without considering the time value of money or qualitative risks (e.g., vendor lock-in, data sovereignty, security implications of the cloud provider). An auditor must look beyond the headline ROI figure.

Key Governance Principles and Frameworks

1. COBIT 2019 Principles (for Governance of Information & Technology): COBIT (Control Objectives for Information and Related Technologies) is the leading framework for IT governance. Focus on these six principles:
  • Holistic View: IT governance considers all internal and external aspects affecting IT.
  • Dynamic Governance System: Adapts to changes in strategy, technology, and environment.
  • Tailored to Enterprise Needs: Not one-size-fits-all; customized for specific organizational context.
  • Distinction Between Governance and Management: This is critical.
  • Governance: Evaluates (stakeholder needs), Directs (prioritization), Monitors (performance). It's about setting the strategy and ensuring it's followed.
  • Management: Plans, Builds, Runs, Monitors activities in alignment with the governance direction. It's about execution.
  • Governance Framework is Integrated: One comprehensive framework, not disparate pieces.
  • Separation of Governance from Management Components: Clear distinction in roles and activities.
Decision-Tree Playbook for COBIT:
  • Condition: Question asks about setting strategic direction for IT, overall accountability, or ensuring IT aligns with business goals.
  • Threshold/Indicator: Keywords like "Board of Directors," "IT Steering Committee," "strategic objectives," "value delivery," "risk appetite."
  • Action: Prioritize answers related to Governance (Evaluate, Direct, Monitor).
  • Trap to Avoid: Choosing answers that describe operational execution or day-to-day management (e.g., "CIO managing daily operations").
2. ITIL (Information Technology Infrastructure Library):
  • Purpose: A set of best practices for IT service management (ITSM), focusing on aligning IT services with the needs of business.
  • Core Concepts: Service Strategy, Service Design, Service Transition, Service Operation, Continual Service Improvement (CSI).
  • CISA Context: Auditors assess if IT services are delivered effectively and efficiently using ITIL principles, ensuring service level agreements (SLAs) are met, and processes like incident management and change management are robust.
3. ISO 27001 (Information Security Management System - ISMS):
  • Purpose: International standard for establishing, implementing, maintaining, and continually improving an ISMS.
  • Core Concepts: Risk assessment, risk treatment, Statement of Applicability (SoA), continual improvement (PDCA cycle).
  • CISA Context: Auditors check if the organization has an effective ISMS in place, if it's regularly reviewed, and if controls are implemented based on risk assessments.
4. NIST Cybersecurity Framework (CSF):
  • Purpose: Provides a policy framework of computer security guidelines for private sector organizations in the United States to assess and improve their ability to prevent, detect, and respond to cyber attacks.
  • Core Concepts: Identify, Protect, Detect, Respond, Recover.
  • CISA Context: Auditors evaluate how organizations use the CSF to manage cybersecurity risks, ensure alignment with business objectives, and establish a comprehensive cybersecurity program. It's a governance-level framework for cybersecurity.

Key Rules and Thresholds

  • Risk Appetite vs. Risk Tolerance:
  • Risk Appetite: The amount and type of risk an organization is willing to take to meet its strategic objectives. Set by the Board/senior management.
  • Risk Tolerance: The acceptable variation around risk appetite. More granular, often set by management.
  • CISA Context: An auditor evaluates if IT risk management activities align with the organization's stated risk appetite and tolerance levels. If IT is taking on more risk than the board is comfortable with, it's a governance failure.
  • RACI Matrix:
  • Responsible: The person who does the work.
  • Accountable: The person who is ultimately answerable for the completion of the task (and has the authority to approve/reject). Only ONE 'A' per task.
  • Consulted: People whose opinions are sought.
  • Informed: People who are kept up-to-date.
  • CISA Context: Used to clarify roles and responsibilities within IT processes. Auditors check for clear RACI assignments to prevent gaps or overlaps in accountability.
  • Business Impact Analysis (BIA) & Recovery Objectives:
  • Recovery Point Objective (RPO): The maximum tolerable amount of data loss (measured in time, e.g., 4 hours of data loss).
  • Recovery Time Objective (RTO): The maximum tolerable length of time that a computer system, application, or network can be down after a disaster or failure without causing significant damage to the business (e.g., 8 hours to restore service).
  • CISA Context: These are determined by the business, not IT. Auditors verify that IT's disaster recovery and business continuity plans can meet these business-defined objectives.

Common Traps and Test-Day Reminders

The CISA exam thrives on presenting tempting, yet incorrect, answers. Domain 2 is a prime example.

  • Confusing Governance with Management: This is the #1 trap.
  • Tempting Wrong Answer: "The CIO is responsible for setting the IT strategic direction."
  • Why it's wrong: The CIO implements the strategy and manages IT resources, but the Board of Directors or an IT Steering Committee (representing the business) is responsible for setting the strategic direction and ensuring it aligns with overall enterprise objectives. Governance is about oversight; management is about execution.
  • Reminder: If the question asks about who is responsible for overall strategic direction, ultimate accountability, or ensuring alignment with business objectives, think governance (Board, IT Steering Committee). If it asks about implementation, operations, resource allocation, or day-to-day oversight, think management (CIO, IT management).
  • Overlooking Business Context: Many questions will present technical scenarios, but the correct answer often hinges on the business impact or alignment with organizational objectives.
  • Tempting Wrong Answer: "Implement the latest firewall technology."
  • Why it's wrong (potentially): While good security is important, the best answer in a governance context often relates to assessing risk, defining a security strategy aligned with business risk appetite, or ensuring the control is cost-effective and meets regulatory requirements. A solution without a business rationale is usually not the most correct CISA answer.
  • Ignoring the "Independent" Role of the Auditor: Remember, you are an auditor. Your primary role is to provide independent assurance.
  • Tempting Wrong Answer: "The auditor should implement the recommended controls."
  • Why it's wrong: Auditors recommend controls or improvements; management implements them. Auditors maintain independence.
  • Misinterpreting "Best Practice" vs. "Most Appropriate": While frameworks like COBIT and ITIL are best practices, the exam often asks for the most appropriate action given a specific scenario, which might be a foundational step before implementing a full framework.
  • Reminder: Always consider the maturity level of the organization and the immediate problem presented in the scenario. Starting with a robust risk assessment is often more appropriate than immediately jumping to a full COBIT implementation if the organization is struggling with basic controls.

Mnemonics and Memory Aids

Mnemonics can be incredibly helpful for recalling lists and concepts under exam pressure. Here are a few for Domain 2, and how to create your own:

Built-in Mnemonics

  • COBIT 2019 Governance System Principles (GRAPE S):
  • Generic (integrated with enterprise governance)
  • Relevance (tailored to enterprise needs)
  • Alignment (holistic view)
  • Proactive (dynamic governance system)
  • Effective (clear distinction between governance and management)
  • Separation (governance and management components)
  • Note: My "GRAPE S" is a custom mnemonic for the principles. ISACA also has 5 domains of governance objectives. Don't confuse them.
  • RACI Matrix Roles (RACI):
  • Responsible (Does the work)
  • Accountable (Ultimately responsible, one per task)
  • Consulted (Provides input)
  • Informed (Kept updated)
  • This is already an acronym, just remember what each letter stands for.
  • PDCA Cycle (for Continual Service Improvement/ISMS):
  • Plan
  • Do
  • Check
  • Act
  • A foundational concept in many quality and security management systems.

How to Build Your Own Memory Hooks

  • Acronyms: Take the first letter of each item in a list and form a memorable word or phrase (like GRAPE S).
  • Visualizations: Create a mental image for abstract concepts. For instance, imagine a CEO on a high balcony (governance) directing workers on the ground (management).
  • Storytelling: Weave elements into a short, silly story.
  • Linkage: Connect new information to something you already know well.
What's Worth Memorizing with Mnemonics:
  • Key COBIT principles/enablers: Crucial for understanding the framework's foundation.
  • ITIL Service Lifecycle stages: Helps you place IT service management activities in context.
  • Steps in the risk management process: Identification, assessment, treatment, monitoring.
  • Roles and responsibilities of key committees: (e.g., IT Steering Committee, Security Steering Committee, Audit Committee). Knowing their primary functions will save you time.

How to Use This Cheat Sheet in Your Study Routine

This cheat sheet isn't a substitute for comprehensive study but a powerful supplement. Here's how to integrate it effectively:

  • Initial Review (This Week): Read through this entire cheat sheet now. Highlight areas where you feel weak or where concepts are new. This initial pass primes your brain for what's important.
  • Pre-Study Warm-up (Daily): Before diving into your detailed study session for Domain 2, spend 5-10 minutes reviewing a section of this cheat sheet. It acts as a mental warm-up, activating the key concepts you'll encounter.
  • Post-Question Analysis (Crucial): This is where the cheat sheet shines. After attempting a set of Domain 2 practice questions, review your answers (especially the incorrect ones).
  • If you got it wrong: Identify why. Was it a misunderstanding of a COBIT principle? Did you confuse governance and management? Look up the relevant section in this cheat sheet.
  • If you got it right: Confirm your reasoning. Did you apply the decision-tree logic correctly? This reinforces your understanding.
  • VoraPrep's adaptive learning engine targets your weak areas, and our AI-written explanations for 2,500+ practice questions directly support this type of post-question analysis.
  • Flashcard Creation (Ongoing): Convert key definitions, formulas (like ROI/NPV decision rules), and the "decision-tree playbook" rules into physical or digital flashcards. For example:
  • Front: "Who is responsible for setting IT strategic direction?" Back: "Board of Directors / IT Steering Committee (Governance)."
  • Front: "What is the primary difference between RPO and RTO?" Back: "RPO = max data loss (time); RTO = max downtime (time)."
  • Pre-Exam Cram: In the final days before your exam, this cheat sheet should be one of your primary review tools. It consolidates the high-impact information you need to recall quickly.

Remember, the goal is to develop the judgment required to pass. This cheat sheet gives you the tools; practice applies them.

Related VoraPrep resources

Deepen your understanding and solidify your readiness with these additional resources:

Frequently asked questions

What is the difference between IT Governance and IT Management? IT Governance is about evaluating, directing, and monitoring IT activities to ensure they align with business objectives and deliver value. IT Management is about planning, building, running, and monitoring IT operations and resources to execute the strategy set by governance. Governance asks "Are we doing the right things?"; Management asks "Are we doing things right?" Which IT frameworks are most important for CISA Domain 2? COBIT 2019 is paramount, as it's the leading IT governance framework. ITIL (for service management), ISO 27001 (for information security management), and the NIST Cybersecurity Framework are also highly relevant, especially in how they support or integrate with overall IT governance. Do I need to memorize specific numbers or percentages for ROI/NPV calculations? No, you won't need to perform complex calculations with specific numbers on the exam. Instead, you need to understand the concepts behind ROI and NPV, when they are used, and how to interpret their results to make sound IT investment decisions. The worked example helps you internalize the logic. How does an auditor assess IT Governance effectiveness? An auditor assesses IT governance effectiveness by reviewing the organization's IT strategy and policies, examining the roles and responsibilities of governance bodies (e.g., IT Steering Committee, Board), evaluating IT risk management processes, and verifying that IT performance is monitored and reported against business objectives. They also look for evidence of management's accountability for IT value delivery. What is the role of an IT Steering Committee? An IT Steering Committee, composed of senior business and IT leaders, is a key governance body. Its role is to provide strategic direction for IT, prioritize IT investments, align IT initiatives with business objectives, monitor IT project progress and performance, and manage IT-related risks. It acts as a bridge between overall business strategy and IT execution.

--- Ready to Pass Your CISA Exam? VoraPrep offers an adaptive learning engine that targets your weak areas, over 2,500 practice questions with AI-written explanations, and a 24/7 AI tutor (Vory) to help you master every CISA domain. Starting at just $19/month, with a 7-day free trial, we make CISA prep effective and affordable. Visit voraprep.com to get started. Start Your Free 7-Day Trial at voraprep.com →

Official resources and references

Studying for the CISA?

Stop guessing which topics to review. VoraPrep's adaptive engine diagnoses exactly where you're losing points and rebuilds those areas. 10 minutes a day, measurable score improvement.

Start your free trial → voraprep.com

Don't let this be why you retake the CISA.

Most candidates fail because they study the wrong things, not because they don't study enough. VoraPrep's AI identifies your actual weak spots and targets them — so you walk in knowing exactly where you're strong.

Start Free — No Credit Card →

Keep reading