Free CISA Governance & Management of IT Practice Test 2026 — Certified Information Systems Auditor Questions
This free CISA Governance & Management of IT practice test covers CISA Domain 2 (~17%) — governance and management of IT, including COBIT, enterprise risk, IT strategy, policies, organizational structures, and maturity models. Each question includes a detailed explanation aligned to the ITAF and ISACA CISA Review Manual.
Key Topics in CISA Governance & Management of IT
- IT Governance Frameworks (COBIT)
- Enterprise Risk Management
- IT Strategy & Steering Committees
- Policies, Standards & Procedures
- Organizational Structures
- Maturity Models
6 Free CISA Governance & Management of IT Practice Questions with Answers
Sample Question 1 — Governance and Management of IT
During an audit of an organization's IT governance, you discover that IT projects are consistently running over budget and behind schedule. Which of the following should be the auditor's primary focus to address this issue?
- A. Evaluate the alignment of IT strategy with business objectives.
- B. Assess the effectiveness of project management methodologies. (Correct answer)
- C. Review the organization's IT risk management framework.
- D. Examine the adequacy of IT resource allocation.
Correct answer: B
Explanation: The primary focus should be on assessing the effectiveness of project management methodologies (B). This directly addresses the issue of projects running over budget and behind schedule by evaluating whether the methodologies in place are adequate and appropriately applied. Option A, while important, is broader and does not directly address project execution issues. Option C is related to risk management, which might not directly resolve project management inefficiencies. Option D is relevant but secondary, as resource allocation issues might stem from ineffective project management practices.
Sample Question 2 — Governance and Management of IT
An organization has recently implemented a new IT governance framework. As an IS auditor, what is the most critical aspect to review to ensure the framework's effectiveness?
- A. The documentation of IT policies and procedures.
- B. The alignment of the framework with industry standards.
- C. The involvement of stakeholders in the governance process.
- D. The integration of the framework with the organization's risk management practices. (Correct answer)
Correct answer: D
Explanation: The most critical aspect to review is the integration of the framework with the organization's risk management practices (D). Effective IT governance should be closely aligned with risk management to ensure that IT supports business objectives while managing risks appropriately. Option A is important but more about compliance than effectiveness. Option B is relevant but secondary to risk integration. Option C is also important but not as critical as ensuring risk management is integrated with governance.
Sample Question 3 — Governance and Management of IT
During a review of IT governance, an auditor finds that the IT steering committee rarely meets and has limited influence on IT decisions. What is the potential risk associated with this finding?
- A. IT projects may not align with business objectives. (Correct answer)
- B. IT staff may lack adequate technical skills.
- C. IT budgets may be consistently overestimated.
- D. IT infrastructure may become outdated.
Correct answer: A
Explanation: The potential risk associated with an inactive IT steering committee is that IT projects may not align with business objectives (A). The steering committee is responsible for ensuring that IT initiatives support the strategic goals of the organization. Options B, C, and D are possible issues but are not directly linked to the steering committee's lack of influence and involvement.
Sample Question 4 — Governance and Management of IT
An organization is evaluating its IT performance metrics to ensure they support business objectives. Which of the following metrics would be most indicative of effective IT governance?
- A. Percentage of IT budget spent on infrastructure maintenance.
- B. Number of IT projects completed on time and within budget. (Correct answer)
- C. Frequency of IT system outages.
- D. Employee satisfaction with IT services.
Correct answer: B
Explanation: The number of IT projects completed on time and within budget (B) is the most indicative of effective IT governance as it reflects the organization's ability to manage IT resources efficiently and align them with business objectives. Option A is a cost metric, which does not directly indicate governance effectiveness. Option C is relevant to operational performance rather than governance. Option D is about user satisfaction, which is important but not as directly linked to governance effectiveness.
Sample Question 5 — Governance and Management of IT
An IT auditor is assessing the maturity of an organization's IT governance processes. Which of the following is the best indicator of a mature IT governance process?
- A. IT governance processes are documented and communicated.
- B. IT governance processes are regularly reviewed and updated.
- C. IT governance processes are aligned with industry best practices.
- D. IT governance processes are integrated with business strategy and decision-making. (Correct answer)
Correct answer: D
Explanation: The best indicator of a mature IT governance process is that it is integrated with business strategy and decision-making (D). This ensures that IT governance is not only implemented but also actively contributes to achieving business goals. Options A, B, and C are important components of governance maturity, but integration with business strategy is the most comprehensive indicator of maturity.
Sample Question 6 — Governance and Management of IT
An organization is in the process of aligning its IT strategy with its business goals. As an IS auditor, which of the following should you recommend as the most critical initial step to ensure effective governance and management of IT?
- A. Develop a comprehensive IT risk management framework.
- B. Establish a balanced scorecard to measure IT performance.
- C. Identify and document key business processes and their IT dependencies. (Correct answer)
- D. Implement an enterprise architecture framework.
Correct answer: C
Explanation: Identifying and documenting key business processes and their IT dependencies is crucial for aligning IT strategy with business goals. This ensures that IT initiatives support business objectives and that critical dependencies are understood. While options A, B, and D are important, they are subsequent steps that rely on a clear understanding of business processes and IT dependencies.
About the CISA / Certified Information Systems Auditor Exam
- Questions: 150 multiple choice
- Time: 4 hours
- Passing score: 450 / 800 (scaled)
- Cost: $575 (members) / $760 (non-members)
- Validity: 3 years (renew with 120 CPEs)
- Provider: ISACA
- DoD 8570/8140: Approved for IAT III, IAM III, CSSP Auditor