Episode 34: Quality Assurance and Quality Management of IT
Welcome to The Bare Metal Cyber CISA Prepcast. This series helps you prepare for the exam with focused explanations and practical context.
In the context of IT, quality refers to the degree to which systems, services, and processes meet established expectations related to performance, usability, reliability, and supportability. Quality assurance, often abbreviated as QA, is a proactive set of practices that focus on preventing defects by designing strong processes, conducting reviews, and enforcing standards. Quality control, or QC, is reactive—it verifies that outputs such as code, services, or configurations meet expectations through testing and inspection. Continuous improvement ties these together by creating a feedback loop that helps teams learn from defects and refine both process and product. For CISA candidates, understanding how QA, QC, and continuous improvement differ—and how each contributes to control effectiveness—is essential for identifying strengths or gaps in an organization’s IT service delivery or project management functions.
The importance of IT quality cannot be overstated because service reliability, user satisfaction, and operational consistency all depend on processes that produce predictable and high-performing outcomes. When quality is embedded in daily operations, organizations avoid service disruptions, reduce rework, and increase trust in IT teams. High-quality processes are also more auditable because they include defined checkpoints, documented outputs, and performance tracking. The cost of fixing a defect after it’s in production is significantly higher than addressing it during development or design, which is why early-stage quality activities provide long-term savings and better control assurance. Quality programs support strategic IT objectives by ensuring that projects are completed successfully, controls are embedded effectively, and stakeholders—including customers and regulators—trust the integrity of IT services. On the CISA exam, you should expect questions that examine how poor quality affects risk exposure, how QA helps enforce consistency, and how quality supports IT governance.
A Quality Management System, or QMS, provides the structure for managing IT quality across all activities and teams. It begins with policies and objectives that define what quality means within the organization, including acceptable performance levels and alignment with customer or compliance expectations. It also includes documented procedures and standards that describe how quality will be built into processes—from change control to system testing and incident handling. Clear roles and responsibilities ensure accountability, from developers and system admins to quality managers and auditors. Monitoring and performance metrics help track whether processes are delivering as expected, and regular reviews help identify areas where improvements are needed. For CISA candidates, being able to identify the components of a QMS and assess whether the system is being followed—or merely exists on paper—is a key competency for evaluating operational maturity and risk mitigation capability.
Quality assurance activities are practical tasks that auditors can observe and assess across a range of IT operations. Peer reviews of code, configurations, and documentation help catch errors before they escalate. Internal process audits verify whether teams follow procedures and whether those procedures are working as intended. Change control processes must include test plans, approvals, and fallback options to ensure that deployments don’t introduce instability. Vendor and third-party quality reviews are also essential, especially when relying on outsourced services for critical operations. Auditors assess whether these QA activities are formalized, recurring, and documented. On the CISA exam, candidates may be asked whether QA is embedded into development or operations, or how gaps in review and approval processes could increase the likelihood of service failure, project delay, or regulatory noncompliance.
Quality metrics and key performance indicators are the primary tools used to measure whether services and processes are delivering consistent, reliable results. Examples include defect rates in software, repeated incidents tied to root cause categories, and user satisfaction scores derived from surveys. Service-level KPIs, such as system availability or help desk resolution times, show whether the organization is meeting internal and external expectations. Other quality indicators include process compliance rates—such as the percentage of changes that include documented backout plans—or the success rate of corrective actions tied to prior failures. Tracking these indicators helps teams identify where additional training, documentation, or process change is needed. CISA exam questions may ask how to interpret these metrics or evaluate whether they are appropriate given the risk level, control objective, or regulatory context.
Several widely recognized frameworks and methodologies support IT quality and can help organizations build structured quality programs. ITIL is perhaps the most commonly used in IT operations, focusing on service delivery, incident handling, and continual improvement through governance and defined processes. ISO 9001 is a global standard for quality management systems and provides general guidance on how to establish, document, and maintain quality practices across industries. COBIT supports quality through its focus on control objectives and IT governance, mapping process goals to performance outcomes. Six Sigma is another methodology that focuses on reducing variation, increasing predictability, and improving process capability—often through the use of data analysis and structured improvement cycles. On the CISA exam, you may be asked to recognize which framework supports a given scenario or to evaluate whether the organization’s quality approach aligns with its operational or strategic goals.
Auditors play a central role in evaluating IT quality by reviewing whether QA processes exist, whether they are followed, and whether they produce meaningful improvements. This includes confirming that procedures are documented, peer reviews are conducted, and test plans are completed prior to deployments or releases. Auditors also check the accuracy and completeness of quality-related documentation—whether findings are logged, tracked, and addressed with appropriate root cause analysis. Audits should confirm that quality reports are distributed to management, that performance metrics are reviewed, and that lessons learned are incorporated into updated procedures. If QA processes are skipped, inconsistently applied, or ignored under deadline pressure, auditors may identify these as findings with potential control and operational impact. On the CISA exam, candidates should expect to evaluate quality review cycles, trace corrective actions, and assess whether improvement activities are evidence-based.
Quality in software development and project delivery requires careful integration of QA at each stage of the lifecycle. Quality gates serve as checkpoints that must be passed before moving forward—such as requiring requirement signoff, code review, or successful testing prior to release. Verification testing ensures that the system was built correctly, while validation testing ensures that the right system was built to meet the user’s needs. Regression testing ensures that new changes don’t break existing functionality, and release readiness assessments verify that the organization is prepared for go-live. Agile projects incorporate retrospectives and backlog grooming as regular opportunities for identifying and addressing quality issues. Auditors assess whether testing is documented, independent where necessary, and aligned with project risks. On the CISA exam, expect scenarios involving software rollouts, SDLC checkpoints, or QA gaps that delay delivery or reduce system reliability.
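The quality gates just described and the process-compliance metrics from the earlier discussion of KPIs (for example, the percentage of changes with a documented backout plan, or incidents that repeat under the same root-cause category) are the kind of thing an auditor can check mechanically against a change log. The following is an added illustration, not code from the prepcast or from any framework it names: it evaluates constructed change records against a set of assumed gate names, computes the compliance and gate-pass rates, and flags recurring root causes in a constructed incident list. The field names, gate names, thresholds and all sample identifiers are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Gates the episode names for change control and the SDLC (assumed field names).
REQUIRED_GATES = (
    "requirements_signoff",
    "code_review",
    "test_plan",
    "approval",
    "backout_plan",
)


@dataclass
class ChangeRecord:
    change_id: str
    # gate name -> evidence reference (ticket or document id); empty means no evidence
    evidence: dict


def missing_gates(change: ChangeRecord) -> list:
    """Return the gates for which the change record carries no evidence."""
    return [gate for gate in REQUIRED_GATES if not change.evidence.get(gate)]


def evaluate_changes(changes):
    """Map each change id to its list of missing gates (empty list = passed every gate)."""
    return {c.change_id: missing_gates(c) for c in changes}


def compliance_rate(changes, gate: str) -> float:
    """Percentage of changes carrying evidence for one gate, e.g. a documented backout plan."""
    if not changes:
        return 0.0
    compliant = sum(1 for c in changes if c.evidence.get(gate))
    return round(100.0 * compliant / len(changes), 1)


def gate_pass_rate(changes) -> float:
    """Percentage of changes that passed every required gate."""
    if not changes:
        return 0.0
    passed = sum(1 for c in changes if not missing_gates(c))
    return round(100.0 * passed / len(changes), 1)


def repeated_root_causes(incidents, threshold: int = 2):
    """Root-cause categories that recur at least `threshold` times, with their counts."""
    counts = Counter(cause for _, cause in incidents)
    return sorted((cause, n) for cause, n in counts.items() if n >= threshold)


# Constructed sample data for the example (not real change or incident records).
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", {"requirements_signoff": "REQ-7", "code_review": "PR-41",
                              "test_plan": "TP-12", "approval": "CAB-03", "backout_plan": "BO-12"}),
    ChangeRecord("CHG-1002", {"requirements_signoff": "REQ-8", "code_review": "PR-45",
                              "test_plan": "TP-13", "approval": "CAB-03", "backout_plan": ""}),
    ChangeRecord("CHG-1003", {"requirements_signoff": "REQ-9", "code_review": "",
                              "test_plan": "", "approval": "EMERG-7", "backout_plan": "BO-14"}),
    ChangeRecord("CHG-1004", {"requirements_signoff": "REQ-10", "code_review": "PR-50",
                              "test_plan": "TP-15", "approval": "CAB-04", "backout_plan": "BO-15"}),
]

SAMPLE_INCIDENTS = [
    ("INC-201", "config_drift"), ("INC-202", "capacity"), ("INC-203", "config_drift"),
    ("INC-204", "code_defect"), ("INC-205", "config_drift"), ("INC-206", "code_defect"),
]

if __name__ == "__main__":
    for change_id, missing in evaluate_changes(SAMPLE_CHANGES).items():
        status = "PASS" if not missing else "FAIL: missing " + ", ".join(missing)
        print(f"{change_id}: {status}")
    print("backout plan documented:", compliance_rate(SAMPLE_CHANGES, "backout_plan"), "%")
    print("all gates passed:", gate_pass_rate(SAMPLE_CHANGES), "%")
    print("recurring root causes:", repeated_root_causes(SAMPLE_INCIDENTS))
```

In the sample data, CHG-1003 is an emergency change that skipped review and testing; the evaluator reports it as a gate failure rather than hiding it behind the approval, which is exactly the kind of deadline-pressure bypass the episode says auditors should surface. The two rates answer different questions: the backout-plan rate is a single process-compliance KPI, while the gate-pass rate shows how often the whole change-control procedure was followed end to end.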
A culture of continuous improvement distinguishes mature IT organizations from reactive or fragmented ones. In this culture, feedback loops from users, audit findings, incident reports, and service reviews are actively encouraged, documented, and turned into improvement plans. Teams are expected to share knowledge, collaborate across silos, and solve root causes—not just symptoms. Post-implementation reviews, project retrospectives, and regular service assessments provide structured forums for identifying opportunities for improvement. Organizations must track whether proposed improvements are actually implemented and whether they produce the desired results. Auditors evaluate whether continuous improvement efforts are systematic, reviewed by leadership, and tied to quality outcomes—not simply reactive or undocumented. CISA candidates must understand how continuous improvement contributes to governance, operational risk reduction, and assurance maturity.
To prepare for the CISA exam and succeed as a quality-focused auditor, you must be able to distinguish between quality assurance and quality control, identify when proactive versus reactive measures are appropriate, and evaluate the effectiveness of quality metrics and feedback cycles. Expect scenario-based questions that test your ability to review software testing protocols, assess quality documentation, or recommend process improvements. Strong quality management reflects a high level of IT maturity and directly supports control effectiveness, customer satisfaction, and risk mitigation. Audit findings in this space often lead to improvements in service reliability, documentation accuracy, and control execution. As an auditor, your role is not just to point out what went wrong—but to evaluate whether the organization has the mechanisms in place to get better. Quality assurance, when done right, is not just about reducing defects—it’s about building confidence in IT’s ability to deliver.
Thanks for joining us for this episode of The Bare Metal Cyber CISA Prepcast. For more episodes, tools, and study support, visit us at Baremetalcyber.com.
