2007 Annual Report

ISACA® | IT Governance Institute®

serving people and the profession


ISACA® (www.isaca.org) got its start in 1967, when a small group of individuals with similar jobs—auditing controls in the computer systems that were becoming increasingly critical to the operations of their organizations—sat down to discuss the need for a centralized source of information and guidance in the field. In 1969, the group formalized, incorporating as the EDP Auditors Association.

The IT Governance Institute® (ITGI™) (www.itgi.org) was created in 1998 to assist enterprise leaders in their responsibility to make IT successful in supporting the enterprise’s mission and goals. Its goals are to raise awareness and understanding among, and provide guidance and tools to, boards of directors, executive management and CIOs to enable them to ensure within their enterprises that IT meets and exceeds expectations, and its risks are mitigated.

Since their inception, ISACA and ITGI have become pace-setting global organizations for IT governance, security, control and assurance professionals. Together, ISACA and ITGI lead the IT control community and serve its practitioners by providing elements critical to professionals in an evolving industry: a code of ethics, research, a common body of knowledge, standards, certification and education.

Table of Contents

President’s Message

Report

Combined Financial Statements

Report of Independent Certified Public Accountants

Association and Institute Combined Financial Statements

Notes to Combined Financial Statements

Audit Committee Chair’s Letter

Management Report on Responsibility for Financial Reporting

ISACA Board of Directors/ITGI Board of Trustees

Contributors

Chapters


President’s Message

There is a new movement afoot to bring “simple” back to our lives. We live in a world propelled by complicated technology, convoluted politics and intricate work structures. So much of what we have to do now is just plain hard. Sooner or later, there had to be a backlash—and now, there is.

A quick Google search (a company that is immensely successful because it is so simple to use) shows that there are simple shoes, a simple lifestyle web site, simple household cleaners, simple financial advice, simple gourmet cooking—even a magazine dedicated to rediscovering the simple life. Within ISACA and the IT Governance Institute, we too believe that some of the most profound ideas are also some of the most simple.

Our organizations and their activities are often extraordinarily complex. We offer three certifications, always in some state of update and validation; dozens of live and electronic education programs; four regularly issued publications; continually evolving professional standards, supported by equally active guidelines and procedures; an ever-growing roster of members and member benefits; an increasingly demanding program of intellectual property protection and licensing; and never-ending marketing and communications activities. It can, at times, become difficult to track where one activity ends and another begins; how they interact; and whether they meet the needs of members, certification holders, subscribers, book purchasers, students, academics and all the other individuals who look to us for expertise.

Therefore, to simplify our planning and keep our eyes focused on the ultimate endgame, we like to think of our activities as serving two objectives: serving people and serving the profession. Granted, it takes a lot of activity to address those apparently simple goals, but keeping them in mind ensures that our activity is focused in the right direction.

ISACA and ITGI apparently found the right direction in 2007, as we enjoyed a successful year, characterized by growth and innovation. I am grateful to my fellow members of the ISACA Board of Directors and the ITGI Board of Trustees for their thoughtful leadership, and to all the volunteers who help make all of this activity happen. Their contributions, dedication and willingness to go farther than is strictly required are beyond commendable; they are “simply” extraordinary.

Lynn Lawton, CISA, FBCS CITP, FCA, FIIA, PIIA

ISACA International President, 2007-2008

ITGI International President, 2007-2008


Report

It is a general rule of graphic design that it is riskier to use too many colors than too few. Too many colors can actually hinder the ability to convey a message; the viewer’s eye becomes distracted by the multiple hues, causing the viewer difficulty in finding the information he is seeking. Simplicity works.

The same can be said for enterprises in pursuing strategic objectives: too many objectives can distract the organization from identifying the core goals that will generate the most return. Some organizations want to be all things to all people. They scurry about trying one “next big thing” after another, ultimately spreading themselves too thin and causing confusion in the marketplace. Other organizations know that true success over the long term results from having a few thoroughly tested, well-articulated objectives, then focusing their resources on the vigorous pursuit and attainment of those objectives.

ISACA and ITGI subscribe to this reasoning. Each year there are many tempting opportunities and innumerable paths that beckon to be taken. But the organizations train their sights on two strategic targets: the people and the profession. To reach those targets, numerous hours are spent to develop milestones, tactics, action plans, budgets and accountability charts, but ultimately all that activity is pointed toward one of two ends: serving people and serving the profession.

It’s simple. And it works.

People

Learn, excel, meet, understand and grow.

A survey of global IT executives conducted by ITGI in 2007 revealed “insufficient IT staffing” to be the most pressing IT-related problem encountered within the previous 12 months. While ISACA and ITGI cannot do much to make more IT professionals appear, they can make significant inroads into ensuring that the people they touch are in some way better equipped to make their enterprise’s IT contribute to the achievement of the enterprise’s strategic objectives.

Making that happen can occur in many ways. Perhaps an individual has met an expert halfway around the world that can offer pragmatic solutions to a vexing problem; perhaps he has just attended a conference presentation that outlined a way to create more value from IT; perhaps she ensures excellent service or unimpeachable ethics via rigorous adherence to internationally tested standards or good practices. ISACA and ITGI make that possible. They provide opportunities for people to indulge their innate predilections to learn, excel, meet, understand and grow.

Learn. ISACA offers an extensive portfolio of conferences and education programs worldwide. The programs are targeted at the topics of most concern to the association’s constituency—IT audit and assurance, regulatory compliance, information security, IT risk and IT governance—and are presented at experience levels ranging from basic to advanced.

ISACA makes every attempt to meet its constituents’ stated preference for face-to-face training opportunities through the highly regarded Computer Audit, Control and Security (CACS) conferences, Training Week series, and special-topic events, such as those focused on the US Sarbanes-Oxley Act. At the same time, the association remains sensitive to the limited amount of time professionals have available for travel and attendance at in-person seminars and workshops. That challenge proves even more daunting when coupled with ISACA’s commitment to provide education as effectively as possible to a global membership.

The association meets the challenge through a formalized program of online education, begun in 2006. A monthly e-Symposium is offered for live (and, later, archived) viewing, and makes it possible for ISACA members to earn three continuing professional education hours per program—at no cost.

Excel. ISACA offers two of the IT-related certifications that regularly appear on “best compensated” and “most in demand” lists: Certified Information Systems Auditor™ (CISA®) and Certified Information Security Manager® (CISM®). Through an internationally based and expert-driven process of identifying the tasks required in the audit and security professions, and by ensuring those tasks are updated on a regular basis to reflect changes in the industry, CISA and CISM have earned a global reputation for relevancy, credibility and excellence.

The numbers tell the story: more than 55,000 individuals have been certified as a CISA since the program’s inception in 1978; more than 7,000 CISMs have been certified in the program’s considerably shorter (five years) life span. Accreditation by American National Standards Institute (ANSI) under ISO/IEC 17024:2003 for both certifications further supports the programs’ reputation for rigor, quality, openness and good practice.

In 2007, ISACA introduced a third certification: Certified in the Governance of Enterprise IT™ (CGEIT™). This new certification was created to support the growing business demands related to IT governance, promote IT governance good practices and acknowledge skilled IT governance professionals—those who have a significant management, advisory or assurance role relating to the governance of IT and who wish to be recognized for their IT governance-related experience and knowledge.

CGEIT is supported by ITGI and is, in fact, built on ITGI’s intellectual property, with input from subject matter experts from around the world. The certification focuses on the five components of IT governance as defined by ITGI—strategic alignment, resource management, risk management, performance measurement and value delivery—as well as on frameworks that provide support for IT governance [e.g., Control Objectives for Information and related Technology (COBIT®) and IT Infrastructure Library (ITIL)]. A grandfathering period was initiated in late 2007, and the first exam is scheduled for December 2008.

Meet. Nowhere is ISACA’s commitment to serve people more evident than in the care the association takes to discover and fill the needs of its members. It requires a delicate balance to ensure that the needs of individuals, professional niches, geographic locations and chapters are met to the greatest degree feasible. It is not always an easy task, given the diversity of the membership. The members live and work in 150-plus countries and run the gamut of job titles, including IS auditor, consultant, educator, information security manager, regulator, chief information officer, external auditor, student and internal auditor. Some are new to the field, while others are at middle management levels or senior ranks. They work in finance and banking, public accounting, government and the public sector, utilities, manufacturing, and retail. Far from seeing this diversity as a dividing line, ISACA members have embraced it as providing a vast learning ground where they may delve into the challenges and opportunities faced by colleagues in other countries, positions or industries.

That learning ground grows ever more vast as the association continues a period of unprecedented growth. Each of its five geographic areas—Asia, Europe/Africa, Latin America, North America and Oceania—enjoyed an increase in membership in 2007, as did 96 percent of its chapters. ISACA does not view its growth as merely an increase in the number of database records; the association recognizes that its members constitute an extensive and varied pool of expertise—expertise the association counts on to help provide services and products that engender credibility and capability in its constituents. The more members, the more expertise; the more expertise, the better the ability to meet constituent needs. Without question, members are ISACA’s greatest strength.

Those members are, for the most part, served locally by ISACA’s chapters. To ensure the chapters have what they need to provide quality education and networking to the members, ISACA spends a good deal of time querying the chapter leaders on their needs, providing them tools and resources to make their jobs easier, making available financial assistance for marketing efforts, and offering leadership training to help them address the challenges of office. A recent significant research effort was a global services review to ensure that the association is meeting the needs and expectations of chapters and members. The information was gathered in 2006, and in 2007 the data analysis was completed and work began on operationalizing the results.

These expectations include maintenance of current programs, development of enhancements to them and investment in new initiatives—all designed to increase the value of membership. Each year, through its Membership Board and Finance Board, ISACA reviews member dues in relation to the cost of supporting the products and services that are part of the value proposition of membership. This review is done with the objective of offering member services on a break-even basis, once all general and administrative expense is allocated. This delicate balance must provide for not only the current benefits, but also include anticipated costs and investments in future value-adding initiatives such as translations to make ISACA’s and ITGI’s material more accessible, and redesign of the web site to facilitate community building online.

Understand. ISACA’s and ITGI’s constituents work in a rapidly changing business and technological environment. Helping them navigate their way through the maze is a responsibility the organizations take very seriously, and address through regular periodicals and resources, both printed and electronic.

The Information Systems Control Journal® is ISACA’s official magazine. Issued bimonthly, and supported in the “off” months by online articles, the Journal seeks to enhance the proficiency and competitive advantage of its international readership by providing peer-reviewed managerial and technical guidance from experienced global authors. Other regular periodicals issued by ISACA include Global Communiqué®, an electronic newsletter dedicated to ISACA/ITGI news; ExpressLine, published monthly by ISACA and providing chapter leaders information and resources to help them carry out their responsibilities; and COBIT® Focus, issued quarterly to the organizations’ 50,000-plus COBIT database, to provide them COBIT case studies, information on new products and educational opportunities, and general tips and techniques.

K-NET® is ISACA’s global online knowledge network of peer-reviewed links to information on topics pertinent to IS audit, control, security and IT governance. Since many of the references are exclusive to ISACA members only, it constitutes a valuable benefit of membership. All of K-NET’s references—numbering more than 6,200 by the end of 2007—have been reviewed by an IS audit, control and security practitioner for pertinence, reliability and timeliness.

Grow. Every career starts somewhere, and most people recognize the need to learn the profession and gain experience to grow into greater responsibility. For many of tomorrow’s leaders of the IT control community, that career begins today, as a student in a college or university. ISACA and ITGI are pleased to work with students, knowing that those individuals comprise the future of the profession and the members and supporters of the next decades.

ISACA’s commitment to this special constituency group focuses on its efforts to familiarize student members with the profession and expose them to business and marketplace issues. Not only does this provide the next generation of IT control professionals with valuable experience, it also offers more seasoned individuals a chance to share their knowledge and serve as a mentor. ISACA believes it contributes to the community experience for both groups.

Professors are supported as well, through the academic advocate program, which provides them special access to classroom materials and a suggested curriculum. ISACA also assists in the distribution of surveys professors and students undertake as part of their continuing education research.

Profession

When moving toward a target, one can take the direct or the indirect route. There are benefits either way. ISACA and ITGI find it useful to use both. The organizations provide services and products directly to constituents, as described previously, which help those individuals increase their skills and capabilities. At the same time, ISACA and ITGI create conceptual materials designed to improve the profession as a whole by uncovering new information; standardizing practices; or creating new, more effective techniques to get things done. Ultimately, by improving the profession, ISACA and ITGI believe they benefit their professionals: being a successful practitioner of a well-regarded and well-defined profession enables professionals to enjoy credibility in the marketplace.

To meet that end, ISACA and ITGI create an environment in which individuals can learn how to comply, engage in what is discovered, and apply the results.

Comply. Standards help ensure that professional activities are conducted according to ethical precepts and with the thoroughness and diligence the activities warrant. Because of ISACA’s position as the recognized global leader in IT assurance, professionals and practitioners look to ISACA for guidance to define the profession. In response, the association publishes three levels of guidance: standards, which define mandatory requirements for IS auditing and reporting; guidelines, which provide guidance in applying the standards; and procedures, which outline examples of processes an IS auditor might follow in an audit engagement.

These guidance documents, along with the Code of Professional Ethics, ensure a consistent level of excellence in the practice of IT assurance and help confer upon the profession the respect and credibility it deserves.

In addition, ISACA and ITGI are committed to commenting on exposure documents or potential regulatory requirements that may affect their constituencies. In 2007, the organizations issued detailed responses, including suggestions for clarification, to the US Public Company Accounting Oversight Board (PCAOB), the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and the US Securities and Exchange Commission (SEC).

Discover. Research is ITGI’s raison d’être. The institute was formed in 1998 specifically for the purpose of carrying out research on IT governance and related topics. But ISACA is not absent from research efforts. While ISACA tends to focus its efforts on practical applications of ITGI’s concepts, the association performs some of its own research as well, notably on topics very specifically directed to the IT assurance and information security fields.

Both organizations take very seriously their responsibility to identify themes of growing importance to the profession, define the facets of the theme pertinent to selected audiences, convene a group of subject matter experts and conduct research into best practices surrounding the theme. Both ISACA and ITGI have objectives of providing thought leadership, a holistic view of IT issues (incorporating assurance, security and governance material) and practical tools to meet the inherent challenges of IT control. Research is where progress toward those objectives begins.

ITGI has made a name for itself worldwide through its internationally tested and widely adopted frameworks. COBIT, released in version 4.1 in 2007, is an IT governance and control framework, enabling management and practitioners to ensure that their IT delivers value and its risks are mitigated through alignment with enterprise objectives, IT resources are properly allocated, and IT performance is measured. COBIT does not stand alone; rather, it is at the heart of a healthy and growing family of products—COBIT® Quickstart, COBIT® Security Baseline, IT Governance Implementation Guide, COBIT® Control Practices, COBIT Online®, and IT Assurance Guide—all of which were reissued or introduced in 2007 to align with version 4.1. COBIT education, COBIT Focus (a quarterly newsletter) and COBIT mappings to other international standards and frameworks complete the COBIT family.

The Val IT™ framework, which helps maximize return on IT-enabled investments, is structured around three domains—Value Governance, Portfolio Management and Investment Management—and each domain is supported by a series of key management practices. Val IT is an umbrella term, similar to COBIT, to describe a group of publications and other activities that will be carried out on this topic. The inaugural publications in the project were:

Enterprise Value: Governance of IT Frameworks—The Val IT Framework

Enterprise Value: Governance of IT Frameworks—The Business Case

Enterprise Value: Governance of IT Frameworks—The ING Case Study

Version 2.0 of the framework is already underway and scheduled for release in 2008, as are an abbreviated version, to do for Val IT what COBIT Quickstart does for COBIT, and an implementation guide.

Apply. ISACA and ITGI recognize that a profession as fast-paced as IT has a constant need for up-to-date, easily accessible information. The organizations meet that need by seeking out, peer reviewing and placing appropriate volumes in the ISACA Bookstore. The Bookstore is where those practicing in the IT control professions can see how research concepts are applied. There they can find ISACA, ITGI and third-party books, CDs, white papers, mappings, e-books and survey results on topics from audit to XSS exploits. Each year, more than 20,000 orders are processed from those who have found in the Bookstore’s shelves the solution to a problem.

Two other applications of professional principles in which ISACA and ITGI engage are relationships with other entities and protection of intellectual property. In 2007, ISACA and ITGI became founding sponsors of the IT Policy Compliance Group, and ITGI attracted more sponsors and affiliates, for a total of 14 and 16, respectively. In addition, ITGI cosponsored, with Unisys, CIONet and PricewaterhouseCoopers Belgium, a highly successful summit on IT value. While ISACA and ITGI strongly support open collaboration among organizations and individuals for the betterment of the profession, there is still awareness that intellectual property must be fully protected—as an enterprise would protect any investment. A rigorous program of monitoring, copyrighting, trademarking and licensing is continually underway. At year-end, 43 licenses—for software, publishing and training—were in place.

Simple isn’t always easy. Though our goal is to make what we do look effortless, it does not mean that little or no effort is involved. Like ducks sailing smoothly across the pond, there is a lot of paddling going on beneath the surface.

Each year, ISACA and ITGI gratefully acknowledge the swift and dedicated paddling of a large and willing contingent of volunteers. The Board of Directors, Board of Trustees, chairs and members of the many key boards, committees, task forces and working groups, as well as the chapter leaders and members themselves, provide their skills and their time to help make the complicated appear simple. We are immensely grateful for their efforts.

Lynn Lawton, CISA, FBCS CITP, FCA, FIIA, PIIA

2007-2008 International President

ISACA

IT Governance Institute

Susan M. Caldwell

Chief Executive Officer

ISACA

IT Governance Institute

ISACA and ITGI 2007—The Year At a Glance

Conferences and Education

Computer Audit, Control and Security conference sites: Euro CACS (Vienna, Austria), Latin America (Monterrey, Nuevo Leon, Mexico), North America (Grapevine, Texas, USA), Oceania (Auckland, New Zealand, sponsored by the host chapter)

International Conference site: Singapore

Training Week locations: Athens, Greece; Montreal, Quebec, Canada; in the US, Washington, DC; Denver, Colorado; San Antonio, Texas; Minneapolis, Minnesota; Seattle, Washington; Charlotte, North Carolina; Scottsdale, Arizona

Information security conferences: Las Vegas, Nevada, USA; Panama City, Panama; and Frankfurt, Germany

New event: IT Governance and Compliance Conference

COBIT-related education: COBIT Awareness course (online); COBIT Foundation course and certificate (online and classroom; 2,100 certificates awarded in 2007); Implementing IT Governance Using COBIT and Val IT (classroom only); COBIT for Sarbanes-Oxley Compliance (online only)

COBIT User Conventions (sponsored by host chapter): Los Angeles, California, USA; Johannesburg, South Africa; Bogota, Colombia

Sarbanes-Oxley education: Grapevine, Texas, USA; Anaheim, California, USA; Chicago, Illinois, USA; Washington DC, USA

Management Forums: Scottsdale, Arizona, USA

Number of accredited COBIT trainers: 40

Monthly e-Symposium attendees: Average of 2,100 per live event, with more accessing the archived version

CISA

Number of exam registrants: 26,733 (June and December combined)

Number of languages: 11

CISM

Number of exam registrants: 4,265 (June and December combined)

Number of languages: 3

Membership

Membership at year-end: 82,630

Membership at year-end by geographic area: Asia—19,846, Europe/Africa—19,278, Latin America—3,043, North America—37,879, Oceania—2,584

New chapters added: Macao; Lahore, Pakistan; Rhode Island (USA); Luxembourg

Number of chapters: 177

Number of chapters with a membership in excess of 2,000: 7

Information Systems Control Journal

Editorial calendar: Volume 1—IT Governance; Volume 2—Information Security; Volume 3—Top IT Problems; Volume 4—Value of Compliance; Volume 5—Value and Performance in IT; Volume 6—Emerging Technologies

Academia

Number of academic advocates: 185

Teaching materials published: IT Governance Using COBIT® and Val IT™ material—Academic Student Book, Presentation, Caselets and Teaching Notes, TIBO Case Study and Teaching Notes

Standards

New standards issued: S15 IT Controls, S16 E-commerce

New/revised guidelines issued: G5 Audit Charter, G37 Configuration Management Process, G38 Access Controls

New procedure issued: P11 EFT

Exposure drafts issued: Standards—S15 IT Controls, S16 E-commerce; Guidelines—G1 Using the Work of Other Experts, G2 Audit Evidence Requirement, G3 Use of Computer Assisted Audit Techniques (CAATs), G4 Outsourcing of IS Activities to Other Organizations, G5 Audit Charter, G6 Materiality Concepts for Auditing Information Systems, G7 Due Professional Care, G8 Audit Documentation, G39 IT Organization

Research

New COBIT-related deliverables: COBIT® Quickstart, 2nd Edition—Supplemental Tools and Materials; COBIT® Quickstart, 2nd Edition; COBIT® Security Baseline, 2nd Edition; IT Assurance Guide Using COBIT®; COBIT® Control Practices, 2nd Edition; COBIT® 4.1; IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition; COBIT® Mapping: Mapping of NIST SP800-53 Rev 1 With COBIT 4.1; COBIT® Mapping: Mapping of TOGAF With COBIT 4.0; COBIT® Mapping: Mapping of CMMI for Development V1.2 With COBIT 4.0; COBIT® Mapping: Mapping of ITIL With COBIT; COBIT® Mapping: Mapping of ISO/IEC 17799:2005 With COBIT; COBIT® Mapping: Mapping of PRINCE2 With COBIT

New Val IT-related deliverables: Value Governance—Police Case Study

Other books published: IT Control Objectives for Basel II: The Importance of Governance and Risk Management for Compliance; Stepping Through the InfoSec Program; The Convergence of Physical and Information Security in the Context of Enterprise Risk Management (published by Alliance for Enterprise Security Risk Management, a collaboration between ASIS International and ISACA)

Bookstore

Number of books added in 2007: 56 (39 English, one French, seven Japanese, three Italian and six Spanish)

ISACA best sellers: CISA Review Manual 2007; CISA Practice Question Database v7 CD-ROM/web site download; CISA Review Questions, Answers & Explanations Manual 2007 Supplement; CISM Review Manual 2007; CISM Practice Question Database v7 CD-ROM/web site download

ITGI best sellers: IT Control Objectives for Sarbanes-Oxley, 2nd Edition; COBIT 4.1; COBIT Control Practices, 2nd Edition; Board Briefing on IT Governance, 2nd Edition; IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition

Third-party best sellers: Implementing Database Security and Auditing; Manager’s Guide to Compliance: Best Practices and Case Studies; IT Auditing: Using Controls to Protect Information Assets; Sarbanes-Oxley IT Compliance Using Open Source Tools, 2nd Edition; Business Continuity & Disaster Recovery for InfoSec Managers


[Figure: ISACA/ITGI Historical Revenues (in millions), 2003 to 2007]

2007 Operating Revenues

Certification 37%

Membership 25%

Education 21%

Publications 12%

Other 4%

Contributions 1%

2007 Operating Expenses

Certification 22%

Education 21%

Membership 19%

Volunteer Structure and Administration 19%

Research 10%

Publications 9%


Combined Financial Statements

Report of Independent Certified Public Accountants

Association and Institute Combined Financial Statements

Notes to Combined Financial Statements

Audit Committee Chair’s Letter

Management Report on Responsibility for Financial Reporting


REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS

Board of Directors

Information Systems Audit and Control Association Inc.

Board of Trustees

IT Governance Institute Inc.

We have audited the accompanying combined statements of financial position of the Information Systems Audit and Control Association, Inc. and the IT Governance Institute, Inc. (collectively, the “Organization”) as of 31 December 2007 and 2006, and the related combined statements of activities and cash flows for the years then ended. These financial statements are the responsibility of the Organization’s management. Our responsibility is to express an opinion on these financial statements based on our audits.

We conducted our audits in accordance with auditing standards generally accepted in the United States of America as established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the Organization’s internal control over financial reporting. Accordingly, we express no such opinion. An audit also includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements, assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.

In our opinion, the financial statements referred to above present fairly, in all material respects, the combined financial position of the Information Systems Audit and Control Association, Inc. and the IT Governance Institute, Inc. as of 31 December 2007 and 2006, and the combined changes in their net assets and their combined cash flows for the years then ended, in conformity with accounting principles generally accepted in the United States of America.

Chicago, Illinois

10 June 2008


ASSOCIATION AND INSTITUTE COMBINED FINANCIAL STATEMENTS

Combined Statements of Financial Position

Information Systems Audit and Control Association Inc. and IT Governance Institute Inc.

| 31 December | 2007 | 2006 |
|---|---|---|
| ASSETS | | |
| CURRENT ASSETS | | |
| Cash and cash equivalents | $ 997,876 | $ 861,999 |
| Investments | 43,582,825 | 35,948,623 |
| Accounts receivable, net | 945,794 | 462,946 |
| Prepaid expenses | 1,263,977 | 1,137,688 |
| Inventory | 608,301 | 492,597 |
| Other current assets | 170,476 | 133,898 |
| Total current assets | 47,569,249 | 39,037,751 |
| FIXED ASSETS | | |
| Leasehold improvements | 297,039 | 281,081 |
| Furniture and fixtures | 99,794 | 99,125 |
| Office equipment | 261,950 | 133,356 |
| Computer system | 2,103,151 | 2,270,821 |
| | 2,761,934 | 2,784,383 |
| Less accumulated depreciation | 2,013,989 | 2,169,787 |
| Net fixed assets | 747,945 | 614,596 |
| TOTAL ASSETS | $ 48,317,194 | $ 39,652,347 |
| LIABILITIES AND NET ASSETS | | |
| CURRENT LIABILITIES | | |
| Accounts payable | $ 4,795,568 | $ 3,449,928 |
| Deferred revenues | 7,017,135 | 5,052,495 |
| Other liabilities | 314,032 | 258,140 |
| Total current liabilities | 12,126,735 | 8,760,563 |
| NET ASSETS | | |
| Unrestricted | | |
| Board-designated | 25,070,133 | 15,920,603 |
| Undesignated | 11,017,394 | 14,868,249 |
| Total unrestricted | 36,087,527 | 30,788,852 |
| Temporarily restricted | 61,821 | 61,821 |
| Permanently restricted | 41,111 | 41,111 |
| Total net assets | 36,190,459 | 30,891,784 |
| TOTAL LIABILITIES AND NET ASSETS | $ 48,317,194 | $ 39,652,347 |

The accompanying notes are an integral part of these statements.


Combined Statement of Activities

Information Systems Audit and Control Association Inc. and IT Governance Institute Inc.

Year ended 31 December 2007

| | Unrestricted | Temporarily Restricted | Permanently Restricted | Total |
|---|---|---|---|---|
| OPERATING REVENUES | | | | |
| Membership | $ 8,929,726 | $ - | $ - | $ 8,929,726 |
| Certification | 13,127,522 | - | - | 13,127,522 |
| Education | 7,263,440 | - | - | 7,263,440 |
| Publications | 4,264,610 | - | - | 4,264,610 |
| Contributions and sponsorships | 164,951 | 10,000 | - | 174,951 |
| Interest, dividends, IP use, royalties, and other | 2,017,468 | - | - | 2,017,468 |
| Net assets released from restrictions | 10,000 | (10,000) | - | - |
| Total operating revenues | 35,777,717 | - | - | 35,777,717 |
| OPERATING EXPENSES | | | | |
| Program services | | | | |
| Membership | 5,962,084 | - | - | 5,962,084 |
| Certification | 6,604,549 | - | - | 6,604,549 |
| Education | 6,406,042 | - | - | 6,406,042 |
| Publications | 2,663,967 | - | - | 2,663,967 |
| Research | 2,980,224 | - | - | 2,980,224 |
| Total program services | 24,616,866 | - | - | 24,616,866 |
| Supporting services | | | | |
| Board and administrative | 5,916,372 | - | - | 5,916,372 |
| Total operating expenses | 30,533,238 | - | - | 30,533,238 |
| OTHER GAINS AND LOSSES | | | | |
| Net gain on investments | 54,196 | - | - | 54,196 |
| Gain/(loss) on foreign currency translation | - | - | - | - |
| Total other gains and losses | 54,196 | - | - | 54,196 |
| CHANGE IN NET ASSETS | 5,298,675 | - | - | 5,298,675 |
| NET ASSETS, beginning of year | 30,788,852 | 61,821 | 41,111 | 30,891,784 |
| NET ASSETS, end of year | $ 36,087,527 | $ 61,821 | $ 41,111 | $ 36,190,459 |

Year ended 31 December 2006

| | Unrestricted | Temporarily Restricted | Permanently Restricted | Total |
|---|---|---|---|---|
| OPERATING REVENUES | | | | |
| Membership | $ 7,649,087 | $ - | $ - | $ 7,649,087 |
| Certification | 11,629,888 | - | - | 11,629,888 |
| Education | 6,593,357 | - | - | 6,593,357 |
| Publications | 4,187,743 | - | - | 4,187,743 |
| Contributions and sponsorships | 118,358 | 15,700 | - | 134,058 |
| Interest, dividends, IP use, royalties, and other | 1,615,513 | - | - | 1,615,513 |
| Net assets released from restrictions | 15,700 | (15,700) | - | - |
| Total operating revenues | 31,809,646 | - | - | 31,809,646 |
| OPERATING EXPENSES | | | | |
| Program services | | | | |
| Membership | 5,125,532 | - | - | 5,125,532 |
| Certification | 5,746,894 | - | - | 5,746,894 |
| Education | 5,518,639 | - | - | 5,518,639 |
| Publications | 2,438,540 | - | - | 2,438,540 |
| Research | 2,168,731 | - | - | 2,168,731 |
| Total program services | 20,998,336 | - | - | 20,998,336 |
| Supporting services | | | | |
| Board and administrative | 4,913,285 | - | - | 4,913,285 |
| Total operating expenses | 25,911,621 | - | - | 25,911,621 |
| OTHER GAINS AND LOSSES | | | | |
| Net gain on investments | 841,412 | - | - | 841,412 |
| Gain/(loss) on foreign currency translation | 257 | - | - | 257 |
| Total other gains and losses | 841,669 | - | - | 841,669 |
| CHANGE IN NET ASSETS | 6,739,694 | - | - | 6,739,694 |
| NET ASSETS, beginning of year | 24,049,158 | 61,821 | 41,111 | 24,152,090 |
| NET ASSETS, end of year | $ 30,788,852 | $ 61,821 | $ 41,111 | $ 30,891,784 |

The accompanying notes are an integral part of these statements.


Combined Statements of Cash Flows

Information Systems Audit and Control Association Inc. and IT Governance Institute Inc.

| Years ended 31 December | 2007 | 2006 |
|---|---|---|
| Cash flows from operating activities | | |
| Change in net assets | $ 5,298,675 | $ 6,739,694 |
| Adjustments to reconcile change in net assets to net cash provided by operating activities | | |
| Depreciation | 455,983 | 418,896 |
| Loss on sale of fixed assets | 5,989 | - |
| Net gain on investments | (54,196) | (841,412) |
| Changes in assets and liabilities | | |
| Accounts receivable | (482,848) | (190,290) |
| Prepaid expenses and other current assets | (162,867) | (372,854) |
| Inventory | (115,704) | (48,584) |
| Accounts payable | 1,345,640 | (113,266) |
| Deferred revenues | 1,964,640 | 1,507,226 |
| Other liabilities | 55,892 | (22,055) |
| Net cash provided by operating activities | 8,311,204 | 7,077,355 |
| Cash flows from investing activities | | |
| Acquisition of fixed assets | (595,321) | (270,950) |
| Proceeds from the sale of investments | 106,504,018 | 47,972,796 |
| Purchase of investments | (114,084,024) | (54,584,993) |
| Net cash used in investing activities | (8,175,327) | (6,883,147) |
| NET CHANGE IN CASH AND CASH EQUIVALENTS | 135,877 | 194,208 |
| Cash and cash equivalents, beginning of year | 861,999 | 667,791 |
| Cash and cash equivalents, end of year | $ 997,876 | $ 861,999 |

The accompanying notes are an integral part of these statements.


NOTES TO COMBINED FINANCIAL STATEMENTS

Information Systems Audit and Control Association Inc. and IT Governance Institute Inc.

31 December 2007 and 2006

Note A—Organization

The “Organization” consists of the Information Systems Audit and Control Association, Inc. (the “Association”) and the IT Governance Institute, Inc. (the “Institute”). The Association’s and Institute’s financial statements are presented on a combined basis. The Association has an economic interest in the Institute due to the inter-relationship of education and research activities. The Organization operates on a global basis, with the majority of revenues and net assets attributable to the Association, the predominant entity within the Organization. The Organization maintains its books and records at its headquarters building located in Rolling Meadows, Illinois.

The Association was incorporated in 1969 under the name of the Electronic Data Processing Auditors Association. The name of the Association, as approved at the annual general membership meeting held 26 July 1993, was changed to Information Systems Audit and Control Association, Inc. The Association was organized to provide continuing professional education and development in information systems audit techniques and standards to its members. The Association is an international organization that includes 177 international chapters (the “Chapters”) with more than 82,000 members. The Association also has responsibility for the Certified Information Systems Auditor (“CISA”) and Certified Information Security Manager (“CISM”) Certification Programs, with more than 43,100 and 7,200 individuals, respectively, currently certified as of 31 December 2007.

The Institute was incorporated under the name of the Electronic Data Processing Auditors Foundation, a California not-for-profit corporation. The Board of Trustees of the Institute formally approved a change of the name of the Institute to the Information Systems Audit and Control Foundation, Inc. at the 5 February 1994 Board of Trustees meeting and, subsequently, to the IT Governance Institute, Inc. at the 3-4 May 2003 Board of Trustees meeting. The Institute was organized for the purpose of providing professional education and research in information systems audit and control techniques and standards. The objectives of the Institute are to conduct research and publish authoritative information on information systems auditing and control.

Note B—Summary of Significant Accounting Policies

Basis of Presentation

The combined financial statements include the assets, liabilities, net assets and financial activities of the Organization. Significant intercompany balances have been eliminated. The Chapters are not fiscally accountable to the Organization and, accordingly, have not been included in the accompanying combined financial statements.

Cash and Cash Equivalents

Cash and cash equivalents consist primarily of interest-bearing deposits to be used for operating purposes. These deposits are carried at fair value, which approximates cost.

Investments

Investments are carried at fair value based on quoted market prices. Management considers all realized and unrealized gains and losses as non-operating activities. Interest income and dividends are considered operating revenue. Gains and losses on investments include net realized and unrealized gains and losses.

Concentration of Credit Risk

The Organization maintains cash balances at several financial institutions, which are insured by the Federal Deposit Insurance Corporation up to $100,000. Uninsured balances totaled $8,061,933 and $6,930,728 at 31 December 2007 and 2006, respectively. The Organization has not experienced any losses in such accounts, and believes that it is not exposed to any significant credit risk on cash and cash equivalents.

Accounts Receivable

Accounts receivable are due within 30 days and are stated at amounts due from customers net of an allowance for doubtful accounts. Accounts outstanding longer than the contractual payment terms are considered past due. The Organization determines its allowance for doubtful accounts by considering a number of factors, including the length of time trade accounts receivable are past due, the Organization’s previous loss history, the customer’s current ability to pay its obligation to the Organization and the condition of the general economy and the industry as a whole. The Organization writes off accounts receivable when they become uncollectible, and payments subsequently received on such receivables are credited to the allowance for doubtful accounts.

Inventory

Inventory consists solely of study aids and other publications printed for the Organization for sale to its members and interested outside parties. Inventory is valued at the lower of cost or market, and cost is determined by the average cost method. Provisions for obsolete items are based on estimated future usage as related to quantities of stock on hand.

Fixed Assets

Fixed assets are carried at cost. Depreciation on furniture, fixtures, equipment and the computer system is computed using the straight-line method. The estimated useful lives of the related assets range from 2 to 10 years. Leasehold improvements are amortized using a straight-line basis over the shorter of the lease terms or their estimated useful lives. Depreciation expense totaled $455,983 and $418,896 for 2007 and 2006, respectively.

Net Assets

The net assets, revenues, expenses, gains and losses are classified based on the existence or absence of donor-imposed restrictions, using the following classifications:

• Unrestricted - Represents unrestricted resources available for support of daily operations and contributions received for which no donor restriction has been put on their use. The Board may designate certain net assets for a particular function or activity.


• Temporarily Restricted - Represents resources whose use has been temporarily restricted by the contributor. When a donor restriction has been satisfied by incurring expenses consistent with the designated purpose, temporarily restricted net assets are reclassified to unrestricted net assets for reporting of related expenses.

• Permanently Restricted - Represents resources that are subject to restrictions of gift instruments requiring that the principal be invested and maintained in perpetuity. The income generated from these funds is classified based on the terms of the gift instruments.

Revenue Recognition

Revenues received by the Organization consist primarily of annual membership dues and new member fees, CISA and CISM examination and annual maintenance fees, attendance fees for educational conferences, the sale of advertising space in periodicals, charges for various publications, sponsorships and contributions, and license fees. Membership dues, and annual maintenance fees for both CISA and CISM are recognized as revenue in the applicable membership period. New member fees are recorded in the period that the membership application is processed, with the applicable chapter membership dues collected by the Association recorded as a liability until remitted to the Chapters. The Organization recognizes unrestricted, restricted and endowment contributions in accordance with donor restrictions in the period that the commitment for support is obtained, with other revenues recognized over the period that the goods or services are provided. Unearned dues, fees and subscriptions are classified as deferred revenue.

Foreign Currency Translation

Translation of foreign currencies is performed at current exchange rates, and translation differences are included as other gains and losses on the statements of activities.

Use of Estimates

The preparation of financial statements in conformity with accounting principles generally accepted in the United States of America requires management to make estimates and assumptions that affect the reported amounts of assets and liabilities and the disclosure of contingent assets and liabilities at the date of the financial statements, as well as the reported amounts of revenues and expenses during the reporting period. Actual results could differ from those estimates.

Note C—Investments

Investments as of 31 December consisted of the following:

| | 2007 | 2006 |
|---|---|---|
| Government debt securities | $ 7,407,425 | $ 10,400,502 |
| Mutual funds: government debt | 25,358,510 | 3,388,336 |
| Equities | 9,949,913 | 5,828,652 |
| Short-term fixed income investments | - | 11,519,255 |
| Money market/interest-bearing deposits | 866,977 | 4,811,878 |
| | $ 43,582,825 | $ 35,948,623 |

The components of investment income for the years ended December 31, 2007 and 2006, are as follows:

| | 2007 | 2006 |
|---|---|---|
| Interest and dividends | $ 1,681,150 | $ 1,383,128 |
| Net realized and unrealized gain on marketable securities | 54,196 | 841,412 |
| | $ 1,735,346 | $ 2,224,540 |

Note D—Related-Party Transactions

As a service to the Chapters, the Organization includes the amount of individual chapter dues with its annual billing and, on a monthly basis, remits to the Chapters amounts collected on their behalf. The balances of $1,276,434 and $899,396 at 31 December 2007 and 2006, respectively, are reflected in accounts payable and represent the unremitted portion of dues collected for local chapters.

Note E—Income Taxes

The Association and the Institute have received favorable determination letters from the Internal Revenue Service stating that they are exempt from Federal income taxes under Section 501(a) of the Internal Revenue Code, as organizations described in Sections 501(c)(6) and 501(c)(3), respectively. However, unrelated business income is subject to taxation. In 2007 and 2006, the Association did not incur a tax liability resulting from unrelated business activities.

Note F—Leases

During 2003, the Organization entered into an office facilities operating lease that was scheduled to expire in December 2007 and required monthly payments comprised of rent, property taxes, pro rata share of common operating expenses and insurance. Subsequent to entering into the original lease, the Organization signed various amendments to the original lease for additional space. In September 2007, the Organization signed an amendment that extended the term of the lease through 31 January 2018, expanded the total space leased, and provided for the relinquishment of previously leased space four months after construction of the new space has been completed. In February 2008, the agreement was further amended to take on two additional blocks of space to be remodeled and made available within the year.

The Organization also rents office equipment under three non-cancelable leases with terms in excess of one year.

As of 31 December 2007, the minimum future rentals payable under these non-cancelable operating lease commitments were as follows:

| Years ending 31 December | Office equipment | Facilities | Total |
|---|---|---|---|
| 2008 | $ 32,300 | $ 288,000 | $ 320,300 |
| 2009 | 32,300 | 481,800 | 514,100 |
| 2010 | 32,300 | 494,900 | 527,200 |
| 2011 | 14,300 | 507,900 | 522,200 |
| 2012 | 3,600 | 521,000 | 524,600 |
| 2013 and thereafter | - | 2,759,400 | 2,759,400 |

Rent expense under these leases for the years ended 31 December 2007 and 2006, was $395,028 and $346,856, respectively.


Note G—Board-Designated Net Assets

The ISACA/ITGI Board of Directors/Trustees designates a portion of the Organization’s unrestricted net assets for contingency purposes in order to protect the Organization against unforeseen global events and economic downturn. The designated amount, calculated based on annual operating expenses, totals $25,054,353 as of 31 December 2007. Additional funds totaling $15,780 have been designated by the ISACA/ITGI Board of Directors for various research projects. These funds, while designated for the purposes noted above, are categorized within the Organization’s financial statements as unrestricted net assets.

Note H—Restricted Net Assets

Temporarily restricted net assets at 31 December have been designated by the donors for the following purposes:

| | 2007 | 2006 |
|---|---|---|
| Research | $ 51,872 | $ 51,872 |
| Membership | 550 | 550 |
| Education | 2,139 | 2,139 |
| Standards | 155 | 155 |
| Certification | 100 | 100 |
| IS hardware and software | 5,250 | 5,250 |
| Building | 1,755 | 1,755 |
| Total | $ 61,821 | $ 61,821 |

Permanently restricted net assets at 31 December have been designated by the donors as an endowment to the Organization. The earnings on these funds have no restrictions.

Note I—Net Assets Released from Restrictions

During 2007 and 2006, net assets were released from restriction to satisfy the following purposes:

| | 2007 | 2006 |
|---|---|---|
| General research | $ - | $ 1,000 |
| COBIT | 10,000 | 14,700 |
| | $ 10,000 | $ 15,700 |

Note J—Employee Benefit Plan

The Association maintains the IT Governance Institute, Inc./Information Systems Audit and Control Association Defined Contribution (Money Purchase) Retirement Plan (the “Plan”). The Plan is funded through individually owned annuities issued by the Teachers Insurance and Annuity Association and the College Retirement Equities Fund. Employees who have completed at least six months and 720 hours of service in a year are eligible to participate in the Plan. Employees may make pretax contributions to the Plan, of which the Association will match the first 5% contributed by the employee. The Association’s contributions to the Plan for the years ended 31 December 2007 and 2006, were $335,560 and $304,632, respectively.

Note K—Accounts Receivable

Accounts receivable consist of the following at 31 December:

| | 2007 | 2006 |
|---|---|---|
| Trade receivables | $ 1,055,476 | $ 566,602 |
| Less allowance for doubtful accounts | (109,682) | (103,656) |
| Net receivables | $ 945,794 | $ 462,946 |

Changes in the Association’s allowance for doubtful accounts are as follows for the years ended 31 December:

| | 2007 | 2006 |
|---|---|---|
| Beginning balance | $ 103,656 | $ 55,040 |
| Bad debt expense | 48,016 | 51,068 |
| Accounts written off | (41,990) | (2,452) |
| Ending balance | $ 109,682 | $ 103,656 |


AUDIT COMMITTEE CHAIR’S LETTER

The Audit Committee of the Board of Directors/Trustees (the Board) of the Information Systems Audit and Control Association/IT Governance Institute (the Organization) oversees the Organization’s financial reporting process on behalf of the Board, and is composed of five independent members. In fulfilling its responsibility, the committee recommended to the Board the selection of the Organization’s independent certified public accountants.

The committee discussed with the independent certified public accountants the overall scope and specific plans for their audit. The committee also discussed the Organization’s combined financial statements and the adequacy of its internal controls.

The committee met with the Organization’s independent certified public accountants, without management present, to discuss the results of their examination, their evaluation of the Organization’s internal controls, and the overall quality of the Organization’s financial reporting.

Kevin B. Weston, CISA, CPA
Chair
Audit Committee

MANAGEMENT REPORT ON RESPONSIBILITY FOR FINANCIAL REPORTING

The management of the Information Systems Audit and Control Association/IT Governance Institute (the Organization) has the responsibility for the preparation, integrity and fair presentation of the accompanying financial statements. The statements were prepared in accordance with generally accepted accounting principles applied on a consistent basis and are not affected by material fraud or error. The financial statements include amounts that are based on management’s best estimates and judgments. Management also prepared the other information in the annual report and is responsible for its accuracy and consistency with the financial statements.

The Organization’s financial statements for 2007 have been audited by Grant Thornton LLP, independent certified public accountants, elected by the Board of Directors/Trustees (the Board). Management has made available to Grant Thornton LLP all of the Organization’s financial records and related data, as well as the minutes of the Board’s meetings. Management believes that all representations made to Grant Thornton LLP during its audit were valid and appropriate.

The Organization maintains a system of internal control, which is designed to provide reasonable assurance to management and to the Board regarding the preparation and publication of reliable and accurate financial statements, the effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The system includes a documented organizational structure and division of responsibility, established policies and procedures that are communicated throughout the Organization, and the careful selection, training and development of our personnel. Management also recognizes its responsibility for fostering a strong ethical climate so that the Organization’s affairs are conducted according to the highest standards of personal and corporate conduct.

As part of its audit of the Organization’s financial statements, Grant Thornton LLP assessed the Organization’s internal accounting controls structure to establish a basis for reliance thereon in determining the nature, timing and extent of audit tests to be applied. Management and Grant Thornton LLP have reviewed the internal control assessment with the Audit Committee as part of the committee’s acceptance of the financial statements. The Board, operating through its Audit Committee, which is composed entirely of members who are not officers or employees of the Organization, provides oversight to the financial reporting process.

There are inherent limitations in the effectiveness of any system of internal control, including the possibility of human error and the circumvention or overriding of controls. Accordingly, even an effective internal control system can provide only reasonable assurance with respect to financial statement preparation.

The Organization assessed its internal control system as of 31 December 2007 in relation to criteria for effective internal control over financial reporting described in Internal Control—Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission. Based on this assessment, the Organization believes that, as of 31 December 2007, its system of internal control over financial reporting met those criteria.

Susan M. Caldwell
Chief Executive Officer

Scott R. Artman, CPA
Chief Financial Officer


“I am grateful to my fellow members of the ISACA Board of Directors and the ITGI Board of Trustees for their thoughtful leadership, and to all the volunteers who help make all of this activity happen.”

— LYNN LAWTON


ISACA Board of Directors / ITGI Board of Trustees

Everett C. Johnson, Jr., CPA; Past President; USA
Emil G. D’Angelo, CISA, CISM; ISACA Director; USA
Greg T. Grocholski, CISA; ISACA Director; USA
Avinash Kadam, CISA, CISM, CISSP, CBCP, GSEC, GCIH; Vice President/ITGI Treasurer; India
Georges Ataya, CISA, CISM, CISSP; Vice President; Belgium
Jose Angel Pena Ibarra; Vice President; Mexico
Lynn Lawton, CISA, FBCS CITP, FCA, FIIA, PIIA; International President; UK
Marios Damianides, CISA, CISM, CA, CPA; Past President; USA
Ronald Saull, CSP; ITGI Trustee; Canada
Susan M. Caldwell; Secretary; USA
Robert E. Stroud; Vice President; USA
Kenneth L. Vander Wal, CISA, CPA; Vice President; USA
Frank Yam, CISA, FHKIoD, FHKCS, CIA, CFE, CCP, CFSA, FFA; Vice President; Hong Kong
Howard Nicholson, CISA; Vice President/ISACA Treasurer; Australia
Tony Hayes; ITGI Trustee; Australia

Key Board and Constituent Committee Chairs

Greg T. Grocholski, CISA; Assurance Committee; USA
Howard Nicholson, CISA; CGEIT Certification Board; Australia
Juan Luis Carselle Alvarado, CISA; CISA Certification Board; Mexico
Evelyn Susana Anton, CISA, CISM; CISM Certification Board; Venezuela
Robert D. Johnson, CISA, CISM, CISSP; Conferences and Education Board; USA
Anjay R. Agarwal, CISA, CFE, CA, ACS; Governmental and Regulatory Agencies Board; India
Tony Hayes; IT Governance Committee; Australia
Stephen L. Thorsted, CISA, CPA; Membership Board; USA
Emil G. D’Angelo, CISA, CISM; Security Management Committee; USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA; Standards Board; India
Archie G. Watt, CISA, CISM, CA; Finance Board; UK


MEMBERS

Platinum
Sunil Bhaskar Bakshi; John Warner Beveridge; Susan Caldwell; Charles M. Cribaro; Marios Damianides*; John A. Kuyers; John W. Lainhart*; Lynn C. Lawton; Akira Matsuo; Ronald W. Riba; Robert S. Roussey; Ronald Saull; Lily M. Shue*; Patrick Stachtchenko; Marc A.L.J. Vael

Gold
Girish Babu; Robert F. Frelinger; Stacey J. Hamaker; Everett C. Johnson; Michael E. Knight; Thomas C. Lamm; Charles Cheong Liang; Diane Nelson; Anthony P. Noble; Robert G. Parker*; Jane Seago; Salvatore Philip Serra; Shital M. Shah; Kiyoshi Shiina; Paul A. Williams; Michael H. Wittmer

Silver
Abdul Hamid Abdullah; Scott R. Artman; Augustono Basuki; Vinod Velji Bavara; Vipan Bij; Wayne M. Brisson; Fernando Calvillo; Wai Lee Fredarine Chan; Douglas M. Childes; Art A. Christofferson; Guy A. Clarke; Kunle Coker; Reynaldo J. de la Fuente; Mark A. Douglas; Andre N. Ertl; James John Finn; Ron Hale; Stephen Wesley Head; Chi John Ho; Shankar V. Iyer; Joanna B. Karczewska; Tina Kay; Roberto Lopez Escalera; Ria T. Lucas; Flemming Lundgren; Robert J. May; Micky Lee McCulloch; Douglas Melville; Gilbert Nanema; Francis J. Nemia; Van Quang Nguyen; Alexander Papanastassiou; Hugh Henning Penri-Williams; Martín Pérez Sánchez; Steve Phelan; Daniel Fernando Ramos; Sree Krishna Rao; Ricardo Rendon; Jose M. Saucedo; Diane L. Schulte; Brian Selby; Keiko Shimizu; Rui Fernando Simoes Gomes; Sudarshan Rao Singeetham; Joann Skiba; Edward Joseph Slusarski; Peter D. Smithson; Roger W. Southgate; John Spangenberg; Heather L. Stebbings; Václav Stverka; Ramnathan N. Subramanian; Scott R. Tompkins; Terry Trsar; Constantin Vasiliu; Vatsaraman Venkatakrishnan; Archie G. Watt; Daniel A. Wiechec

Donor
Khaled Mostafa A. Samad; Ali Abbasnejad Konjin; Robert M. Abisla; Isnaeni Achdiat; Joan L. Ackerman; Bryan Keith Adams; Ayodeji Abiodun Adelakun; Anthony Oluwole Adeosun; Jayson Agagnier; Mazhar Bashir Ahmad; Md. Mushtaque Ahmed; Kosei Akatsuka; Dana Raluca Albu; Lozina Metodieva Alexieva; Caroline L. Allinson; Omar Saud Alomar; Ali Fathi M. Al-Sheikh Ahmed; Henry Amoako-Kena; Nofri Defri Anda; Michael E. Anderson; Foteini Andria; Francis Anthony; Horacio E. Antonelli Matterson; Keith R. Antonides; Roberto Apollonio; Renato Aquilino-Pujol; Mahary A. Araia; Henri S. V. Arendsen; Sam E. Arthur; Akintayo Emmanuel Asha; Michael Austin; Yasir Awad Babiker; Mohammed Bachiri; Abiodun Oluremi Bada; Chernor Sulaiman Bah; Kirk C. Bailey; Andrew Samuel Baker; Paula M. Baker; Gintautas Balciunaitis; Sunday Ben Bamidele; Kiyotaka Bando; Ted Barila; Christopher Barker; Gary A. Bassett; Robert Bastien; Andrew J. Beard; Ivonne Beauboeuf; Mark Beavan; Jose A. Bellon; Charles R. Bennett; Paul L. Berkebile; Gayle Berkeley; Thomas S. Berkey; Glauco Bertocchi; Tomas Bezouska; Suresh U. Bhatt; Daljit Singh Bilkhu; Laszlo Miklos Biro; Cian J. Blackwell; Shari Bley; Jean Bloch; John A. Bloxham; Rudy W. Bodewes; Yves Bodiou; Robert W. Boere; Khaled A.R. Bohsali; John Bombakos; Henk Bout; Derrick Lennox Braddick; John Brady; Rodney Braithwaite; Ricardo J. Bria; Robert Andrew Brice; Peter B. Broad; Gilbert R. Brooks; Daniel Brunner; Nadeem Bukhari; Phil Joseph Patrick Burns; Harijs Buss; Chester J. Butkiewicz; Abdulrahman Moulay Bzioui; Felix M. Caceres; Sriram Narayanan Cadambi; Claude Calbry; Marta Calderon; Cynthia F. Cannaday; Jorge L. Carballeira; Raymond E. Catoe; Herve Cavey; Ruben Dario Chacon Alvarado; William Gerard Champ; Victor Sze-Tin Chan; Evan Chan; Cecilia Tak Wai Chan; Sriraman Vijayaraghava Chari; Mihir Chatterjee; Chun-Hung Cheng; Anthony Charles Chestnut; James A. W. Cheyne; Colin Childes; Susanna Lai Kuen Chiu; Chi Ming Chow; Rajeev Ramchand Chugh; Ban Heng Chung; Henny J. Claessens; Robert Clarke; James D. Cobb; Arlene Coleman; Paul C. Conradie; François Corminboeuf; P J Corum; Brian J. Coutanche; John Allen Curran; Abelardo Francisco Curras; Gordon M. Curtis; Bernard Czaja; Bernard Czaja; Karl E. Dahlberg; Barbara Angela Daniel; Clive Davids; William Z. Davidson; R.J.R. Davidsz; Thon A. de Blok; Werner De Bruin; Ohna De Bruin; José De La Peña-Sánchez; Donna P. Degenhart; Ashok Kumar Desai; Sydney Morgan Diamond; Amiel Abary Diaz; Tony Djajana; Tom Dodds; Charles A. Dormann; Zea Du Preez; Socrates R. Duenas Montero; Lucian Bogdan Dumitriu; Andrew Dunn; Stéphane Dupont; Hans-Rudolf Egli; Michael J. Eisenberg; Justus Ihechikara Ekeigwe; Larry Elder; David T. Empey; Kiyoshi Endoh; Patricia A. Enfanto; James Enin-Okut; Koji Enjo; Mary A. Erlanger; Andreas Eschbach; James E. Etheridge; Frazier D. Evans; Joseph O. Ewegbeje; Dieter Fabritius; Barry R. Fawthrop; Tao Feng; Concepcion C. Fermin; Luis S. Ferreira; Cherrie Mae Arciaga Ferreria Chiomento; Luis A. Figueroa; Guy W. Filomena; Moshe Finkelshtein; Brian Alexander Fisackerly; Kenneth Glenn Fitzpatrick; Gregory J. Fouquet; James E. France; James O.B. Francis; Carlos M. Fraticelli; Gerd Frenzen; Hannes Fuchsberger; Mutsuhiro Fujii; Hirofumi Fukura; Edmund Nigel Gall; Fredrik Galtung; Rea Lea Galyon-Campbell; John Calston Gamble; Jorge Antonio Garcia; Luis Enrique García de Paredes; John Garrett; Wilhelmus Geijtenbeek; John J. Generelli; Niklas Gerdin; Steve Gerick; Philip Andrew Gesner; Shankha Ghosh; David Alwyn Gittens; Ian Glover; John Cameron Glover; Timothy Glover; Arvind Shivram Godbole; Julio C. Golcher; Martin Gomez Hernandez; Ajit Vasant Gore; Jay Randall Gottschalk; Manoharan Govindaraj; Arturo J. Gradoli Sandemetrio; Franklin W. Gram; Eardley Patrick Grant; Thomas Graumann; Adam W. Gray; Glen L. Gray; Howard Laurence Greenblatt; Kevin J. Greenfield; Roger Scott Greenwell; Stefan Gross; Klaus-Peter Grosser; Baiju K. Gujarathi; Jose P. Gumbau; Ramana V. Gurazada; Olivier Haas; Firas S. Haddad; Koichi Haga; Martyn Jack Hammond; Lars B. Hansen; Ashok N. Harinarayan; Laura Harrison; Rawle D. Hasmatali; Masahiko Hayakawa; Markus Heinen; Steven M. Helwig; Kenneth R. Henry; Johan Hermans; Ernest David Hernandez; Frank L. Hernandez; Jacqueline Herzig; Mark Hinds; Scott C. Hippensteel; Donald L. Hoffman; Adrian David Howe; Ricardo Huelin; Thomas Hungerbuehler; Roberta J. Hunter; JuHwan Hwang; Zsolt Illési; Ganesh Inguva; Hadyn A. Inniss; Massimo Innocenti; Manabu Isogai; Rosemary O. Isunuoya; Albert A. Iturrey; Seethalakshmi K.P. Iyer; Abdulai G. Jalloh; Osama A.Latif Janahi; Sabira M. Jawad; Robert Jendry; Alan Glyn Lloyd Jenkins; Young-Ha Jeon; Mayowa Anthony Jimoh; Panshi Jin; Thomas R. Joerger; Anil K. Jogani; Christopher J. John; Arlene E. Johnson; Julio Rogelio Jolly Moore; Guy W. Jordan; Pierre Blocher Joseph; Keshav Madhukar Joshi; Ghassan A.N. Kabbara; Masato Kagotani; Dusan Ljubomir Kalanj; Kanaka-Rao V. Kalimikonda; Okechukwu Kalu; Asouma Kamagate; Shinichi Kamikawa; Ilan Shmuel Kamil; Quaye E. Kandakai; Noriko Kaneda; Niraj K. Kapasi; Ray Kaplan; Parikshat Kapur; Shari A. Kasuga; Kenichi Kato; Rich M. Keesecker; Jeffrey A. Kendig; Peter J. Kerr; Robert F. Kettell; Asad Zaman Khan; Hiroshi Kiire; Jae Hak Kim; Yoshihiro Kitsutaka; Terje Klepp; Aart S. Knoop; Chin Guan Koh; Yoshio Koide; Rodger T. Kraft; Unni C. Krishnan; Robert G. Kroes; Bruno Kueng; Walter Kuketz; Bhalchandra Kulkarni; Mathew Kuriakose; Keryl Lynn Kurtz; Vladimir Kuznetsov; Stefan Laager; Jason C. Lachance; Shirley Celestino Lacson; Taoheed Laguda; Ray Hsing-Tung Lai; Jenny Lam; Russell A. Lamosek; Ajith Dhammika Lanerolle; Stephen O. Lantrip; Ilga Lapsa; Richard A. Larson; Robin Lasrado; Tak Wa Lau; Kai Hing Lau; Lee Frederick Laubach; Ton Laumen; Colm Noel Lawlor; Patricia Liechty Layfield; Emmanuel E. Lazidis; Sylvain Leclair; Elsa K. Lee; Chang Hee Lee; V.V. Leeladhar; Jean-Marc Alexandre Legrand; Peter W. Leitch; Jaroslaw Lejko; David A. Less; Peter Leyns; Aluca Lindstrom; Vincent Liu; Joe W. Livingston; Robert J. Lluis; Peter Loos; Jose Maria Lopez Sanchez; John Lorz; Gregory John Lotze; Francis W. Lucas

Contributors


Holger Ludwig; Rogelio Enrique Luna Muñoz; Christopher Luse; Helen Woon-Yee Ma; Ellen Mach; Neil Mackrell; Stephen William Maddison; Paul Jay Malysz; Nicholas Dimitrios Mandilaras; Srinivasulu Chetty Mandyam; Jagannadha Rao Mangu; Paul Williams Manning; Charles-Robert Manterfield; Peter R. Manzo; Clifford R. Maraschino; Paul March; Steven A. Marco; Fabiana Leticia Marges; Larry Marks; Robert Bamber Marshall Jr; Richard S. Marsho; Wayne S. Martin; David M. Martinez; Sergey Martinov; Ross W. Martyn; Claxton H. Martyr; Atsushi Masaki; Kyriakos Matheou; Eiichi Matsubara; Robin Charles Mattadeen; Catherine Demes Maydew; Christian Michael Mayer; Adrian M. Mayers; John E. Mayor; John J. McDonough; James R. McIntosh; Alisdair John McKenzie; Sirak Medhane; Yahya Mehdizadeh; Ihab Adel Ahmed Mekky; Alfonso Mendez; John Mensah; Lawrence Miggler; Martin J. Miller; Thomas F. Miller; Anna Marie Minor; Masami Mitsubori; Hisafumi Mitsushio; Hideo Miura; Tokujiro Mizutani; Emmanuel Lundere Mkusa; Willem Ewoud Modderman; M. P. Mohan; Zoltán Mohos; Pule D. Moiloa; Gerard Molines; Alexis Joseph Monaco; Armanda L. Moore; Michael Moore; Adel Ilyas Moubarak; Lucy Nyanjugu Muchiri; James Muren; Yusufali F. Musaji; Margaret Shannon Myers; Jacques H. Nack Ngue; Kazuhiko Nagai; Vidyapathy Nagar Andal; Nirmala R. Nagarajan; Natarajan Nagarajan; Dai Nakayama; Sudha Nallamothu; John Downy Solomon Nallathambi; Chandramohan Narayan; Balasubramanian Narayanan; Mats Kristerviking Narstrom; Umesha Nayak; John Edward Newstead; Ephrem Yiannis Nikitas; Marino G. Njalsson; Franc Njoku-Ebere; Takeshi Nojima; Stephen Norkunas; Jovita Tchi Nsoh; Hazel Nyathi; Kathleen O`Hare*; John Tanko Ogazuma; Justus Babatope Oguntuase; Jakpoloho A. Ohwobete; Elijah Adebayo Oladosu; Albert Olafsson; Taiwo Olalere; Olusola Pius Olasehinde; Robert John Oliver; Derek J. Oliver; Mitsuhiro Orito; Neil R. Packard; Laura L. Padgett; Trudy Anne Page; Faith Page; Petros G. Panagiotidis; John M. Parker; Hugh A. Parkes; Ila S. Patel; Bhagyashree Patil; Joseph E. Patrick; Roberto Pavesi; Carl M. Pearce; Timothy John Pearson; Frederic Patrick Peters; Edmund Xavier Peters; Frank Anthony Phillipson; Alan J. Pilgrim; Wallace Chesterfield Pitt; Joseph Ponnoly; Leo R. Ponsaa; Horace H.C. Poon; Marlene Portalatin; Piero Portalupi; Timothy J. Porter; Andreas Postl; Marjan Potocnik; Ren Powers; Douglas L. Price; Vitor Spinola Prisca; Gayle Prosper; Ronald A. Proulx; Wagner Roberto Pugliese; Rajesh Kantesh Purohit; Alberto Quezada; Ruth C. Quezada; Kishor Rabi; Diane G. Radosti; Emil J. Ragones; Christian Ragot; Maliki Julian Hendrawan Rakhmanto; Ramkumar Ramachandran; Francisco Vicente Ramon-Mira; Antonio Ramos Garcia; Johann Ludwig Rampf; N. Ramu; Peter G. Randall; Joseph Randolla; Venkataraman Ranganathan Ranganathan; K.B. Ravi-Shankar; Ervin P. Reeves; Kostja Reim; David George Reinhold; Joshua Reisman; Gerardo Renzetti; Salvador Reyes Quiroz; Salomon Rico; Kees Riemens; Kim J. Ries; Suerte Alexander Rigonan; Suzanne Chrystal Adrienne Roach; Rex Merritt Roberts; Dror-John Roecher; Steven H. Roesing; Facundo Rojo Gil; Michael P. Rose; David P. Ross; Denes Roth; Patricia Aneta Rowe-Seale; Patrick A. Rozario; Vijayakumar S.R.; Noam Sabo; Maritza Salinas Gutierrez; Alexander Samarin; Milton Eric Sambolin; Jesús Sanchez-Aguilera; Josue Santana Fernandez; Anthony A. Saranchak; Martin Schlaeppi; Joshua James Schmidt; Niels Schnecker; Brigitte Schnyder von Morisch; Janice Schober; John F. Schofield; Ekkehard Scholz; Ted Schuyt; Robert Schwind; Virgilio Jamito Seballe; Christodoulos C. Seferis; Daniel Seider; Toni Serra; Jorge A. Serrano; Robert L. Settles; Ketan Vinodchandra Shah; Maxwell J. Shanahan; Julie Sharek; Mauri C. Shaw; Ahsan I. Sheikh; Makoto Shibata; Ki Jun Shim; Brent V. Shirley; Takashi Shitamichi; Pete Shomade; Craig Anthony Shorter; Harinder Sidhu; Bramwel Kibet Sigowo; Pablo A. Silberfich; Richard A. Simpson; William Lee Simpson; Dominic Singh; Thomas R. Sinnott; Martins Sitcs; Robert Brian Skadowski; Per B. Skov; David A. Smith; Glenda J. Spencer; Thomas Heaton Spitters; Srikanth Sreedharan; Patrick R. Stevens; Dariya Inozemtseva Steves; LeRoy Stewart; Andreas Stork; Subbaramaiah Subbakrishna; Dudung Suryana; Hartono Ari Susetyo; Mark F. Sutnik; Leonard L. Sutton; Radim Svejda; Mary Clare Swabon; Chandra Sekaran T. Swaminathan; Ching Kwong Sze; Ichiro Tabata; Sugako Taketomi; Adedoyin Abiodun Talabi; Daniel O. Talbot; Keng Yong Tan; Nobuyuki Tanabe; Kishor P. Tanna; Cassandra D. Tatum; Kenneth W. Taylor; Teruo Tazaki; Daniel Teijido; Jeri Teller-Kanzler; Hiroshi Terai; Mladen Tercelj; Ajit Thankappan; Constantinos Theodoropoulos; Ira D. Thompson; Kerry L. Thorne; Carl Robert Thorp; Natalia Gracia Tjandra; Shunji Toba; Toshimitsu Toh; Chiew Beng Toh; Tatsuya Tominaga; Senol Mahmut Toygar; Craig Trail; Duyen Nha Tran; Michael S. Triau; Cassandra L. Triggs; Frank James Trombley; Eduardo Ng Tsang; Hitoko Tsumura; Freddie Tully; Luis M. Uria; Boudewijn van der Woerd; Marcel M.M.J.A. van Dijk; Paul F.H. van Domburg; Karen Serena Van Horne; Bartholomeus M. van Lodensteijn; David Varas; Huib G. Vellekoop; Chris Verdonck; Kjeld Verhoeven; David A. Verkest; Gagan Verma; Robert C. Vickroy; Ronald Allan Viera; Juan Guillermo Villa; Rosemarie Villar; S. Vilvanathan; Jason Edward James Viola; Manuel Jose Viscasillas; Satya Vithala; Michael A. Vlachakis; Wendell Lawrence Voss; C. Elizabeth Votroubek; Slavomir Vrican; Ichiro Wakita; Paul Chung-Wei Wang; Hoyt M. Warren; Jesse H. Webb; Raymond Tee Meng Wee; Charles W. Wehking; Winston Washington Weir; Kennet B. Westby; Neil R. S. White; William B. Wilkerson; Gregory K. Williams; Dennis Edward Wohrer; Matthew A. Wolfe; P.J. Woltering; William Wai Lam Wong; Oliver Lam Wong; How Kee Wong; YeunDae Woo; Scott J. Wright; Daniel Wyniger; Ganapathy Yadavalli; Hiroshi Yamamoto; Ann Marie Jeanine Yamamoto; Li-Jen Lyaw Yang; Sarkis Aram Yaralian; A. Ying; Fong Siang Yong; Bobby Young; Kam K. Yuen; Michael Wai-Kee Yung; Bashir Olalere Akanji Yusuf; Xavier Zequeira; Douglas E. Ziegenfuss; Diane V. Zobre; Christopher Zoladz; Paul A. Zonneveld; Peter Zuong

CHAPTERS

Platinum
Austin Chapter; Central Florida Chapter; Central Maryland Chapter; Central Ohio Chapter; Charlotte Chapter; Chicago Chapter; Cincinnati Chapter; Detroit Chapter; Kansas City Chapter; London Chapter; Los Angeles Chapter; Middle Tennessee Chapter; Milano Chapter; Minnesota Chapter; National Capital Area Chapter; New Jersey Chapter; New York Metropolitan Chapter; North Texas Chapter; Northern Alabama Chapter; Ottawa Valley Chapter; Philadelphia Chapter; Puget Sound Chapter; Quebec City Chapter; San Francisco Chapter; Silicon Valley Chapter; South Africa Chapter; Toronto Chapter; Victoria Chapter; West Florida Chapter; Winnipeg Chapter

Gold
Taiwan Chapter

Silver
Manila Chapter; Omaha Chapter

Donor Circle
New England Chapter; Sri Lanka Chapter

CORPORATE DONORS AND SPONSORS

ACL Services; ALC Training Pty Ltd; Aldion Consulting PTE Ltd; ALESTRA; Analytix; BWise B.V.; CA, Inc.; Consult2Comply; Deloitte; Ernst & Young; Hewlett-Packard Company; IBM Corporation; IFUA Horvath & Partner; ITpreneurs Nederlands BV; Jefferson Wells; Kaseya; KPMG; LogLogic, Inc.; Newport Promotional Services, Incorporated; Oracle; Phoenix Business & Systems Process, Inc.; PricewaterhouseCoopers; ProjectRx, Inc.; Protiviti; Symantec Corporation; Target; TruArx, Inc.; Wolcott Group; Wollongong University; World Pass IT Solutions

AFFILIATES

ITGI gratefully acknowledges its affiliates, nonprofit organizations that support ITGI's mission.

AICPA; ASIS International; Center for Internet Security; Commonwealth Association for Corporate Governance Inc (CACG); FIDA Inform; Information Security Forum; Information Systems Security Association; Institut de la Gouvernance des Systemes d'Information; Institute of Management Accountants, Inc.; ISACA; ISACA Chapters; ITGI Japan; Socitm Performance Management Group; Solvay Business School; University of Antwerp Management School

* Denotes Wasserman Award winner


Asia
Hong Kong; Singapore; Tokyo; Macao; Malaysia; Chennai; Osaka; Korea; Bangkok; Nagoya; Indonesia; Manila; Bangalore; New Delhi; Sri Lanka; Taiwan; Mumbai; Karachi; United Arab Emirates; Riyadh, Saudi Arabia; Coimbatore; Lahore, Pakistan; Pune; Hyderabad; Kolkata; Jeddah; Muscat, Oman; Cochin; Lebanon

Central and South America
Mexico; Costa Rica; Monterrey; Puerto Rico; Panama; Merida, Yucatan; Venezuela; Buenos Aires; Bogota, Colombia; Montevideo, Uruguay; Santiago de Chile; Mendoza; Lima, Peru; Sao Paulo, Brasil; La Paz, Bolivia; Quito, Ecuador; Asuncion

Europe/Africa
Tel-Aviv, Israel; Milano, Italy; London; Oslo, Norway; Paris-France; Sweden; Denmark; Luxembourg; Netherlands; German; Northern England; Madrid; Finland; Switzerland; Budapest; South Africa; Central UK; Athens, Greece; Slovenia; Latvia; Belgium; Lagos; Warsaw; Czech Republic; Irish; Austria; Kenya; Slovensko; Estonian; Moscow, Russia; Croatia; Barcelona; Romania; Tanzania; Scottish; Rome; Lithuania; Valencia; Abuja, Nigeria; Malta; Sofia

North America

Canada
Toronto; Vancouver; Ottawa Valley; Montreal; Winnipeg; Quebec; Victoria; Nova Scotia; Calgary; Edmonton

Islands
Trinidad & Tobago; Bermuda

Midwestern United States
Chicago; Greater Cincinnati; Minnesota; Detroit; Omaha; Northeast Ohio; Central Ohio; Kentuckiana; Western Michigan; Central Indiana; Kettle Moraine; Illini; Iowa; Michiana; Quad Cities; Northwest Ohio

Northeastern United States
National Capital Area; Philadelphia; New York Metropolitan; Pittsburgh; New England; Central Maryland; Greater Hartford; Central New York; New Jersey; Harrisburg; Rhode Island; Western New York; Hudson Valley

Southeastern United States
Virginia; South Florida; Atlanta; West Florida; Memphis; Charlotte; South Carolina Midlands; Jacksonville; Research Triangle; North Alabama; Central Florida; Middle Tennessee

Southwestern United States
Greater Houston Area; St. Louis; North Texas; Denver; Austin; Tulsa; Central Oklahoma; Greater New Orleans; San Antonio/South Texas; Central Arkansas; New Mexico; Baton Rouge; Greater Kansas City

Western United States
Los Angeles; Utah; San Francisco; San Diego; Puget Sound; Boise; Willamette Valley; Phoenix; Silicon Valley; Hawaii; Sacramento; Orange County; Mt. Rainier; Anchorage; Las Vegas

Oceania
Sydney; Brisbane; Melbourne; Perth; Adelaide; Wellington; Auckland; Canberra; Papua New Guinea

Chapters in Formation
Baku, Azerbaijan; Nassau, Bahamas; Bahrain; Dhaka, Bangladesh; Barbados; Gaborone, Botswana; Belo Horizonte, Brazil; Brasilia, Brazil; Rio de Janeiro, Brazil; Douala, Cameroon; Nicosia, Cyprus; Santo Domingo, Dominican Republic; Cairo, Egypt; Accra, Ghana; Guatemala City, Guatemala; Tegucigalpa, Honduras; Ahmedabad, India; Aurangabad, India; Trivandrum, India; Vijayawada, India; Kingston, Jamaica; Almaty, Kazakhstan; Kuwait; Port Louis, Mauritius; Guadalajara, Mexico; Casablanca, Morocco; Managua, Nicaragua; Port Harcourt, Nigeria; Islamabad, Pakistan; Lisbon, Portugal; St. Petersburg, Russia; Malaga, Spain; Istanbul, Turkey; Abu Dhabi, UAE; Kampala, Uganda; Kyiv, Ukraine; Knoxville, TN, USA; Portland, ME, USA; Tallahassee, FL, USA; Lusaka, Zambia; Harare, Zimbabwe

Sharing information across continents and cultures helps enhance the professional skills of ISACA members. With 177 chapters in 72 countries, the association unites members through international standards, esteemed certification programs, professional development and education, technical publications and a code of professional ethics.

Chapters


3701 Algonquin Road, Suite 1010

Rolling Meadows, IL 60008 USA

ISACA Phone: +1.847.253.1545

ITGI Phone: +1.847.660.5700

Fax: +1.847.253.1443

E-mail: [email protected]

[email protected]

Web Sites: www.isaca.org

www.itgi.org