2012 Annual Report - ISACA

ISACA® and IT Governance Institute® 2012 Annual Report

Charting Our Course

President’s Message

Explorers have long sought new lands of opportunity. ISACA® knows that, while it must continue to protect its core strengths, it too must continually evolve and pursue new goals to ensure it provides the most valuable, timely and effective benefits to constituents and their enterprises worldwide. We welcome this change, but we are also keenly aware that it brings its own set of benefits and challenges.

As ISACA moved forward in 2012 with its ambitious new strategic initiatives, known as Strategy 2022 (S22), it moved several steps closer to its goal of expanding the breadth and depth of the audiences it serves. To facilitate this significant effort, ISACA began using COBIT® 5. Just as a rudder helps keep a ship on course, COBIT 5 continues to be instrumental in efficiently steering the implementation of S22.

In the midst of all of this change, there were also some important constants in 2012. Relationship-building continued to be a key focus throughout the year. ISACA’s events, educational opportunities, certifications, publications, web site and research brought global professionals together and provided platforms for discussing, sharing and gathering knowledge. The release of COBIT 5 is a great example of how the global contribution of many professionals led to the development of a significant business resource used by a variety of enterprises worldwide. And our World Congress: INSIGHTS 2012 featured interactive discussions about the latest business and technology issues facing enterprises.

ISACA chapters also continued to contribute greatly to the association and many reached milestones and won prestigious awards. In a first-time achievement, ISACA grew to 200 chapters in 2012. Thank you to all members and chapter leaders for your hard work and expertise.
In an era of increasing disconnect, ISACA has become a trusted resource and gathering spot for business and IT professionals—from novice to seasoned expert—in all fields, geographies and types of enterprises. ISACA takes this role seriously and endeavors to support professionals and their enterprises to the fullest extent possible. Please read through the pages of this 2012 annual report and learn more about how ISACA’s outstanding constituents and staff have worked together to chart new courses.

Gregory T. Grocholski, CISA
International President 2012-2013
ISACA and the IT Governance Institute® (ITGI®)

Table of Contents
2012 Report
2012 Year at a Glance
ISACA and ITGI Combined Financial Statements
Report of Independent Certified Public Accountants
Audit Committee Chair’s Letter
Management Report on Responsibility for Financial Reporting
ISACA Board of Directors/ITGI Board of Trustees
Letter From the International President and the CEO
Board, Committee, Subcommittee and Task Force Chairs
Chapters
Contributors

ISACA Knowledge Center: www.isaca.org/knowledge-center
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkd.in/ISACAOfficial
Facebook: www.facebook.com/ISACAHQ

Charting Our Course 2012 Annual Report

ISACA Vision
Trust in, and value from, information systems

With the winds of change continuously sweeping through business and technology, we must evolve and adjust our course when needed. ISACA helps enterprises worldwide reach their goals by building trust with and delivering value to our members and their organizations.

Strategy
Progress continued regarding the strategic aspirational view approved by the ISACA/ITGI Board of Directors/Trustees in November 2011. ISACA’s Strategy 2022 (S22) is an ambitious extension of ISACA’s strategy that is setting ISACA’s direction over a 10-year horizon. S22 is supported by a portfolio of more than 20 prioritized initiatives focused on expanding products, reaching new constituencies, building relationships and strengthening operations. To help chart the course forward for S22, ISACA adopted COBIT 5. This innovative use of COBIT® as a non-IT business framework has been documented in a case study at www.isaca.org/cobit.

Membership and Chapters
ISACA achieved a milestone with its highest membership retention rate ever—83.9 percent—in 2012. Member satisfaction is a high priority, and ISACA continues to enhance member benefits:
• The eLibrary collection grew and now features more than 525 third-party books and almost all ISACA books.
• The member-appreciation program provided a new discount to Gold- and Platinum-level members who attended INSIGHTS 2012.
• Free continuing professional education (CPE) hours were awarded for webinars, virtual conferences, archived e-symposia, online training, ISACA® Journal quizzes, volunteering and mentoring.

ISACA also attracted many new members interested in the value that ISACA brings to their enterprises and their professional development. Membership grew by 7 percent as a result of many factors, including:
• Members from approximately 85 percent of chapters participated in the Member Get A Member campaign, which attracted more than 600 new members.
• Academic Advocate (faculty) membership grew by 40 percent, student membership grew by 51 percent and 60 percent of chapters had academic relations coordinators on their boards. ISACA created a new academic relations resource tool kit section on the Chapter Leader Portal, and the ISACA student group program grew from four to 12 groups on campuses.

For the first time in history, ISACA grew to 200 chapters in 2012. ISACA has chapters in 82 countries and members in 170 countries.


Certification
Independent studies continued to rate ISACA’s four globally recognized certifications highly. Professionals also noted that the certifications help them add value to their employers, differentiate themselves, and enhance their earning potential and credibility.

Earning a certification indicates that a professional has key knowledge and experience within a profession. Each of ISACA’s globally recognized certifications addresses a specific area of expertise:
• Certified Information Systems Auditor® (CISA®)—Providing assurance by conducting audits and assessments of information systems
• Certified Information Security Manager® (CISM®)—Overseeing, directing and managing information security activities
• Certified in the Governance of Enterprise IT® (CGEIT®)—Defining, establishing, maintaining and managing a framework of governance over IT
• Certified in Risk and Information Systems Control™ (CRISC™)—Identifying, evaluating and managing risk through the development, implementation and maintenance of information systems controls

Certification-related achievements in 2012 included the following:
• The CISA, CISM and CGEIT certifications received continued accreditation under the ISO standard ANSI/ISO/IEC 17024 from the American National Standards Institute (ANSI).
• CISA gained 20 percent, CISM gained 8.3 percent and CGEIT gained 25 percent in average market compensation value from 1 April to 1 October 2012. The three certifications, plus CRISC, were also listed among the highest paying certifications, according to the Foote Partners’ IT Skills and Certification Pay Index™.
• Based on requests from certification holders, ISACA launched a new online CPE reporting system.
• The updated CISM job practice was implemented.
• The updated CGEIT job practice analysis was completed, aligning it with COBIT 5 where appropriate.

When IT and non-IT folks see my ISACA credentials, they immediately relax and feel confident that I am capable of providing them the guidance, insight and expertise to meet today’s challenges with risk, control, management or review of their environment. The ISACA name is recognized worldwide. This gives me extra confidence to do my job well and feel proud that I have invested in my career.
Gail P. Ricketts, CISA, CRISC
Senior Manager, Sunera LLC, USA

Our goal at ANZ is to continuously uplift our capabilities and ensure we’re adding value to our stakeholders. COBIT 5 has provided incredibly valuable guidance on identifying our priorities and areas for improvement to ensure we effectively govern and manage our technology processes. COBIT 5 provides good practices and activities that any organization can leverage and benchmark against.
Mitra Minai
Technology Governance Lead, ANZ Bank, Australia

COBIT
COBIT achieved a major milestone in 2012 with the introduction of COBIT 5, an internationally accepted framework of globally accepted practices, analytical tools and models that can help any enterprise effectively address critical issues through governance and management of information and technology.

Information is the currency of the 21st century, and COBIT 5 helps enterprises get the most value from this critical asset. COBIT 5 helps enterprise leaders and IT professionals protect the integrity of their enterprise’s information so they can use it to focus on the highest-value projects and make the best decisions.

New COBIT-related publications included:
• COBIT 5
• COBIT® 5: Enabling Processes
• COBIT® 5 Implementation
• COBIT® 5 for Information Security

Development continued for COBIT® 5 for Assurance, COBIT® 5 for Risk and COBIT® 5: Enabling Information, as well as for the three COBIT 5 Assessment Programme products and training courses. The COBIT 5 accredited training program and the COBIT 5 Foundation course and exam were both launched in November. COBIT® 4.1, Val IT 2.0, Risk IT, and the Business Model for Information Security™ were supported throughout 2012.

Research
Thought leadership continued to be a strength of ISACA, and this was supported by the variety of research publications delivered throughout the year. Volunteer subject matter experts around the world contributed extensive expertise that further builds on the many benefits that ISACA already provides to members and constituents. Highlights of the many research-related activities follow.

Ten audit programs were developed: Personally Identifiable Information, BYOD, Outsourced IT Environments, Software Assurance, Identity Management, VPN Security, Biometrics, E-commerce/PKI, Cybercrime and IPv6 Security.

Five white papers covering industry topics were published: Calculating Cloud ROI: From the Customer Perspective, Guiding Principles for Cloud Computing Adoption and Use, Business Continuity Management: Emerging Trends, Virtualization Desktop Infrastructure, and Incident Management and Response.

Four books were released: Securing Mobile Devices Using COBIT® 5 for Information Security, Security Considerations for Cloud Computing, SOC 2 User Guide, and Security, Audit and Control Features Oracle PeopleSoft, 3rd Edition. Also published was Cloud Computing Market Maturity Study Results, a joint survey with the Cloud Security Alliance.

Standards
All 16 ISACA IS audit and assurance standards were reviewed. Key terms were defined, and where applicable, terminology was aligned with relevant standard-setting bodies. The standards public exposure process closed on 28 December and resulted in feedback from more than 1,100 individuals and entities.

Periodicals
ISACA publishes four periodicals, each covering a different aspect of important content. Delivered biweekly, the @ISACA® e-newsletter provides members with timely access to ISACA- and industry-related news. It is read regularly by 68 percent of members, according to the 2012 ISACA member needs survey. The monthly ExpressLine e-newsletter presents unique content to chapter leaders, to support their roles. The quarterly COBIT Focus e-newsletter provides all those interested in COBIT with practical content on real-world experiences as well as the latest news on the COBIT family of products. The ISACA Journal is the association’s flagship periodical. Issued six times per year, it is a peer-reviewed journal that covers technical, managerial and business topics aimed at enhancing trust in, and value from, information and information systems. According to the 2012 ISACA member needs survey, 95 percent of ISACA members read portions of each issue.

Conferences, Training and Education
In addition to the global events listed in the Year at a Glance section, ISACA offered several other well-attended training and education opportunities. The popular monthly webinar program, which grew to more than 25 offerings, and three virtual conferences featured valuable topics and the opportunity for free CPE hours. ISACA partnered with Deloitte for 11 four-day, technical training courses focusing on areas such as cloud computing, advanced auditing, information security, network security, privacy and health care information technology.

ISACA also introduced the COBIT 5 training and accreditation program in partnership with APMG-International. Accreditation provides a comprehensive and consistent approach for training organizations and individuals interested in becoming licensed to deliver COBIT 5 training and exams.

Media Outreach
ISACA was mentioned nearly 17,000 times in news articles, blogs and radio interviews in 2012. In addition, significant growth was experienced in ISACA’s social media communities—an average of 61 percent among Facebook, LinkedIn and Twitter. Visits to ISACA’s web site via social media links increased by 405 percent compared to 2011.

Web Site
New features were added to ISACA’s web site to improve ease of use and enable new activities. For example, the COBIT controls area within ISACA's Knowledge Center was created to promote collaboration and sharing of information, solutions and experiences. A chapter leader work space beta program was in development to help chapter leaders connect and share documents. In addition, the chapter web site hosting program added 73 more chapters.

Finance
The financial results for 2012 reflect another strong year for ISACA, building upon the foundation formed in previous years. A record member retention rate, expanding market support for our professional certifications and effective management of costs are all evident in the financial results. ISACA’s investment portfolio recovered from the previous year’s unrealized loss, reporting a solid realized/unrealized gain in 2012. This investment portfolio has allowed ISACA to position itself for operational sustainability and strategic growth in the future.

To strategically position ISACA as a leading global organization, its reserves have been prudently grown since the early 1990s. These reserves comprise an operational reserve of US $30,186,325, established to cover 10 months of operating expenses based on the average for the last three years, and a strategic reserve of US $34,901,238, which will be used to enhance growth and member benefit objectives through S22 and other strategic initiatives over the next several years.

Looking forward, management will continue to monitor key business drivers and economic conditions and their related impact on operations and constituents in 2013 and beyond. The 2012 audited financial statements for the organization are presented within this annual report.

ISACA provides multiple options for CPE, which demonstrates a strong commitment to members by helping us stay current with the latest trends and thinking. The CACS and INSIGHTS conferences provide great opportunities to obtain CPEs and interact with world-class speakers. Local chapter events and many online learning options also provide flexibility. The fact that ISACA offers so many free and low-cost CPE options is fantastic.
Peter Christiaans, CISA, CISM, CRISC, PMP
Senior Manager, Deloitte Consulting LLP, USA

The ISACA Knowledge Center and research publications offer the expertise of global subject matter experts who know about IT security, audit, assurance, governance and risk. Content is developed frequently and helps us understand new technology and trends. These tools are the easiest way to stay informed on topical business issues.
Juan Davila Ramirez, CISA, CISM, ISO 27001 LA
IT Audit Chief, Telefonica del Peru, Peru


2012 Year at a Glance

Membership and Chapters
Membership at year-end: 110,388, which represents 7.1% growth from 31 December 2011, in 170 countries
Chapters at year-end: 200 in 82 countries
Chapters with more than 1,000 members: 34

Membership at year-end by geographic area
• North America—49,677 (6% growth)
• Asia—23,742 (7% growth)
• Europe/Africa—28,470 (8% growth)
• Oceania—3,545 (7% growth)
• Central/South America—4,954 (11% growth)

New Chapters in 2012
• Fukuoka (Japan) Chapter
• Katowice (Poland) Chapter
• Huntsville (Alabama, USA) Chapter
• Ibadan (Nigeria) Chapter
• Lusaka (Zambia) Chapter

Bookstore
Books added in 2012: 77 titles
Total number of books available: 324

Best sellers:
• CISA® Review Manual 2012
• CISA® Practice Question Database v12 (CD-ROM and download)
• CRISC® Review Manual 2012
• CISM® Review Manual 2012
• CGEIT® Review Manual 2012

Best sellers excluding certification study materials:
• COBIT 5
• COBIT 5: Enabling Processes
• COBIT 5 Implementation
• COBIT 5 for Information Security
• Board Briefing on IT Governance, 2nd Edition

Third-party best sellers:
• SAP Security and Risk Management, 2nd Edition
• IT Governance: A Pocket Guide
• Information Technology Risk Management in Enterprise Environment
• IT Governance: Policies & Procedures, 2012 Edition
• A New Auditor’s Guide to Planning, Performing and Presenting IT Audits

Certification

Certified Information Systems Auditor (CISA)
Exam registrants (June and December combined): More than 18,000
Languages in which exam was available: 11
Locations in which exam was available: 252
Certified since inception (1978): More than 99,000

Certified Information Security Manager (CISM)
Exam registrants (June and December combined): More than 4,900
Languages in which exam was available: 4
Locations in which exam was available: 252
Certified since inception (2002): More than 21,000

Certified in the Governance of Enterprise IT (CGEIT)
Exam registrants (June and December combined): More than 1,100
Languages in which exam was available: 1
Locations in which exam was available: 252
Certified since inception (2007): More than 5,400

Certified in Risk and Information Systems Control (CRISC)
Exam registrants (June and December combined): More than 1,300
Languages in which exam was available: 1
Locations in which exam was available: 252
Certified since inception (2010): More than 16,000

COBIT
Product licensees: 36
ITGI affiliates: 15, plus all ISACA chapters
ITGI sponsors: 6
COBIT 5 Foundation certificates earned: 208 (November launch)
COBIT 4.1 Foundation certificates earned: 3,613
COBIT 5 accredited training organizations: 6 (November launch)
COBIT 5 accredited training individuals: 2 (November launch)
Introduction to COBIT 5 company licensees: 31
Introduction to COBIT 5 individual licensees: 86
COBIT 4.1 company licensees: 10
COBIT 4.1 individual training: 14

ISACA Journal
Editorial calendar:
• Volume 1—Critical Resource Management
• Volume 2—Extended Enterprise
• Volume 3—Audit Process
• Volume 4—Data Analytics/Mining
• Volume 5—Privacy and the Cloud
• Volume 6—Cybersecurity and Risk Analysis
Circulation at year-end 2012: More than 97,000
Number of downloads of the ISACA Journal app: More than 25,000

Translations Program
In 2012, ISACA translated 162 items and publications in 14 non-English languages. Materials translated include COBIT 5, ISACA Glossary of Terms, certification exams, study materials, ISACA Journal articles and white papers. Languages and number of items translated are:
Arabic: 5
Chinese (Simplified): 14
Chinese (Traditional): 8
Dutch: 7
French: 14
German: 12
Hebrew: 1
Italian: 9
Japanese: 25
Korean: 22
Polish: 3
Portuguese: 6
Russian: 3
Spanish: 33

Conferences, Education and Training
World Congress: INSIGHTS 2012 site: San Francisco, California, USA

Computer Audit, Control and Security (CACS), Information Security and Risk Management (ISRM), and IT Governance, Risk and Compliance (IT GRC) conference sites:
• Asia-Pacific CACS/ISRM℠—New Delhi, India
• North America CACS℠—Orlando, Florida, USA
• Euro CACS/ISRM℠—Munich, Germany
• Oceania CACS℠—Wellington, New Zealand
• Latin America CACS/ISRM℠—Bogota, Colombia
• ISRM/IT GRC℠—Las Vegas, Nevada, USA

[Map: ISACA 2012 Conference Locations]

ISACA 2012 Training Events
• Atlanta, Georgia, USA
• Denver, Colorado, USA
• Chicago, Illinois, USA
• Dallas, Texas, USA
• Orlando, Florida, USA
• Las Vegas, Nevada, USA

On-Site Training Program
Provided to 27 organizations and/or chapters in Canada, Egypt, Germany, Qatar, UK and USA
Increase in training events and revenue compared to 2011: 300%

Academic Relations
Academic advocates: 537 (40% growth)
Chapters with academic relations coordinators: 119 (57% growth)
Student members: 1,427 (51% growth)
Official ISACA student groups: 12 (200% growth)

Model Curricula
Released the Model Curriculum for IS Audit and Control, 3rd Edition
Released the Model Curriculum for Information Security Management, 2nd Edition

Web Site
Unique visitors: 27% increase
Page views: 18% increase
Total visits: 25% increase
Visitors originated from 225 countries
Knowledge Center topic members: More than 10,000

Strategic Alliances and Relationships
No ship can sail without a crew, and ISACA was fortunate to band together with a broad complement of global organizations. Throughout 2012, ISACA had relationships with many diverse and prestigious enterprises including:
• IT Service Management Forum International (itSMFI)
• The Institute of Internal Auditors (IIA)
• International Information Systems Security Certification Consortium Inc. (ISC)²
• Cloud Security Alliance (CSA)
• Institute for Development and Research in Banking Technology (IDRBT)
• Federacion Latinoamericana de Bancos (FELABAN)
• National Association of Corporate Directors (NACD)
• Open Compliance & Ethics Group (OCEG)
• EC Council
• BCS, the Chartered Institute for IT
• APMG-International
• Deloitte Services LLP
• International Organization for Standardization (ISO)
• European Network and Information Security Agency (ENISA)
• Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• Skills Framework for the Information Age (SFIA)
• Cybersecurity Credentials Collaborative (C3)
• Information Security Forum (ISF)
• International Federation of Accountants (IFAC)
• American Institute of Certified Public Accountants (AICPA)
• CERT-In
• International Association of Privacy Professionals (IAPP)
• Australian Computer Society (ACS)
• HP
• IBM
• Microsoft
• Protiviti
• Symantec
• UBM India

ISACA provides its members access to experts at all levels of management in different industries around the world. Networking with other members allows me to share experiences and exchange thoughts, which often trigger innovative solutions. ISACA helps me reduce inefficiency and foster effective results.
Daniela Gschwend, CISA, CGEIT, CRISC
Director, Head IT Governance and Risk Management, Swiss Reinsurance Company Ltd., Switzerland

ISACA’s online education provides a flexible learning environment for busy professionals like me, who travel and need to know about developments in a dynamic IT environment. ISACA’s in-person events feature world-class speakers who enhance my knowledge of tools and methods that benefit organizations globally.
Khawaja Faisal Javed, CISA, CRISC, CBCP, ISMS LA, ITSMS LA, BCMS LA
Manager of Operations and ICT Products, SGS Pakistan (Pvt) Limited, Pakistan

ISACA and IT Governance Institute Combined Financial Statements All monetary amounts included in the financial statements are in US dollars.

2012 Operating Revenues
• Interest, dividends, IP use, royalties and other: 4%
• Membership: 30%
• Contributions and sponsorships: 1%
• Publications: 9%
• Education: 17%
• Certification: 39%

2012 Operating Expenses
• Supporting services and administration: 18%
• Membership: 20%
• Research: 13%
• Certification: 22%
• Publications: 9%
• Education: 18%

[Bar chart: ISACA/ITGI Historical Revenues (in millions of US dollars), 2008 to 2012]

Report of Independent Certified Public Accountants

Board of Directors
ISACA, Inc.
Board of Trustees
IT Governance Institute, Inc.

We have audited the accompanying combined financial statements of ISACA, Inc. and IT Governance Institute, Inc. (together, the Organization), which comprise the combined statements of financial position as of 31 December 2012 and 2011, and the related combined statements of activities and cash flows for the years then ended, and the related notes to the financial statements.

Management’s responsibility for the financial statements
Management is responsible for the preparation and fair presentation of these combined financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation and maintenance of internal control relevant to the preparation and fair presentation of combined financial statements that are free from material misstatement, whether due to fraud or error.

Auditor’s responsibility
Our responsibility is to express an opinion on these combined financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the combined financial statements are free from material misstatement.

An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the combined financial statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the combined financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the combined financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the combined financial statements.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion.

Opinion
In our opinion, the combined financial statements referred to above present fairly, in all material respects, the combined financial position of ISACA, Inc. and IT Governance Institute, Inc. as of 31 December 2012 and 2011, and the combined changes in their net assets and their combined cash flows for the years then ended, in accordance with accounting principles generally accepted in the United States of America.

Chicago, Illinois, USA 2 April 2013


Association and Institute Combined Financial Statements

Combined Statements of Financial Position ISACA, Inc. and IT Governance Institute, Inc.

| 31 December | 2012 | 2011 |
| --- | --- | --- |
| ASSETS | | |
| CURRENT ASSETS | | |
| Cash and cash equivalents | $9,871,562 | $7,354,756 |
| Investments | 67,744,555 | 60,619,105 |
| Accounts receivable, net | 999,238 | 795,873 |
| Prepaid expenses | 1,321,529 | 1,290,173 |
| Inventory, net | 396,714 | 587,493 |
| Other current assets | 80,434 | 50,617 |
| Total current assets | 80,414,032 | 70,698,017 |
| FIXED ASSETS | | |
| Leasehold improvements | 808,579 | 802,428 |
| Furniture and fixtures | 384,131 | 351,026 |
| Office equipment | 205,131 | 182,683 |
| Computer system | 5,733,697 | 4,944,562 |
| | 7,131,538 | 6,280,699 |
| Less accumulated depreciation | (4,636,209) | (3,643,768) |
| Net fixed assets | 2,495,329 | 2,636,931 |
| TOTAL ASSETS | $82,909,361 | $73,334,948 |
| LIABILITIES AND NET ASSETS | | |
| CURRENT LIABILITIES | | |
| Accounts payable | $5,799,123 | $5,045,710 |
| Deferred revenues | 11,398,768 | 10,461,772 |
| Other liabilities | 582,223 | 400,800 |
| Total current liabilities | 17,780,114 | 15,908,282 |
| NET ASSETS | | |
| Unrestricted | | |
| Board designated | 30,186,325 | 28,678,191 |
| Undesignated | 34,901,238 | 28,696,842 |
| Total unrestricted | 65,087,563 | 57,375,033 |
| Temporarily restricted | 573 | 10,522 |
| Permanently restricted | 41,111 | 41,111 |
| Total net assets | 65,129,247 | 57,426,666 |
| TOTAL LIABILITIES AND NET ASSETS | $82,909,361 | $73,334,948 |

The accompanying notes are an integral part of these statements.


Combined Statements of Activities ISACA, Inc. and IT Governance Institute, Inc.

| Years ended 31 December | 2012 Unrestricted | 2012 Temporarily Restricted | 2012 Permanently Restricted | 2012 Total | 2011 Unrestricted | 2011 Temporarily Restricted | 2011 Permanently Restricted | 2011 Total |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| OPERATING REVENUES | | | | | | | | |
| Membership | $13,152,411 | $ - | $ - | $13,152,411 | $11,890,682 | $ - | $ - | $11,890,682 |
| Certification | 17,056,388 | - | - | 17,056,388 | 21,105,666 | - | - | 21,105,666 |
| Education | 7,262,999 | - | - | 7,262,999 | 7,424,460 | - | - | 7,424,460 |
| Publications | 4,041,991 | - | - | 4,041,991 | 3,666,519 | - | - | 3,666,519 |
| Contributions and sponsorships | 150,834 | 12,500 | - | 163,334 | 173,817 | - | - | 173,817 |
| Interest, dividends, IP use, royalties and other | 1,857,945 | 9 | - | 1,857,954 | 1,565,657 | 9 | - | 1,565,666 |
| Net assets released from restrictions | 22,458 | (22,458) | - | - | 50,484 | (50,484) | - | - |
| Total operating revenues | 43,545,026 | (9,949) | - | 43,535,077 | 45,877,285 | (50,475) | - | 45,826,810 |
| OPERATING EXPENSES | | | | | | | | |
| Program services | | | | | | | | |
| Membership | 7,560,910 | - | - | 7,560,910 | 7,661,588 | - | - | 7,661,588 |
| Certification | 8,621,194 | - | - | 8,621,194 | 8,485,224 | - | - | 8,485,224 |
| Education | 6,830,190 | - | - | 6,830,190 | 5,802,209 | - | - | 5,802,209 |
| Publications | 3,554,068 | - | - | 3,554,068 | 3,041,162 | - | - | 3,041,162 |
| Research | 5,150,728 | - | - | 5,150,728 | 4,331,481 | - | - | 4,331,481 |
| Total program services | 31,717,090 | - | - | 31,717,090 | 29,321,664 | - | - | 29,321,664 |
| Supporting services | | | | | | | | |
| Board and administrative | 7,068,971 | - | - | 7,068,971 | 8,489,058 | - | - | 8,489,058 |
| Contributions—Disaster Relief | 5,000 | - | - | 5,000 | 15,000 | - | - | 15,000 |
| Total supporting services | 7,073,971 | - | - | 7,073,971 | 8,504,058 | - | - | 8,504,058 |
| Total operating expenses | 38,791,061 | - | - | 38,791,061 | 37,825,722 | - | - | 37,825,722 |
| OTHER GAINS AND LOSSES | | | | | | | | |
| Net realized and unrealized gains/(losses) on investments | 2,958,565 | - | - | 2,958,565 | (1,789,581) | - | - | (1,789,581) |

CHANGE IN NET ASSETS . . . . . .

7,712,530

(9,949)

-

7,702,581

6,261,982

(50,475)

-

6,211,507

NET ASSETS, beginning of year . . .

57,375,033

10,522

41,111

57,426,666

51,113,051

60,997

41,111

51,215,159

573

$ 41,111

$65,129,247

$57,375,033

$10,522

$41,111

$57,426,666

NET ASSETS, end of year . . . . . . . . $65,087,563 $ The accompanying notes are an integral part of these statements.


Combined Statements of Cash Flows
ISACA, Inc. and IT Governance Institute, Inc.
Years ended 31 December

                                                                      2012          2011
Cash flows from operating activities
  Change in net assets                                          $7,702,581    $6,211,507
  Adjustments to reconcile change in net assets to net cash
  provided by operating activities
    Depreciation                                                   992,717       793,136
    Loss on disposal of equipment                                      100             -
    Net realized and unrealized (gain) loss on investments     (2,958,565)     1,789,581
    Changes in assets and liabilities
      Accounts receivable, net                                   (203,365)       103,049
      Prepaid expenses and other current assets                   (61,173)        67,733
      Inventory, net                                               190,779       163,977
      Accounts payable                                             753,413       185,453
      Deferred revenues                                            936,996       573,643
      Other liabilities                                            181,423        14,257
    Net cash provided by operating activities                    7,534,906     9,902,336

Cash flows from investing activities
  Acquisition of fixed assets                                    (851,215)   (1,104,290)
  Proceeds from the sale of investments                         25,897,090    12,367,302
  Purchase of investments                                     (30,063,975)  (14,993,298)
    Net cash used in investing activities                      (5,018,100)   (3,730,286)

NET CHANGE IN CASH AND CASH EQUIVALENTS                          2,516,806     6,172,050
Cash and cash equivalents, beginning of year                     7,354,756     1,182,706
Cash and cash equivalents, end of year                          $9,871,562    $7,354,756

The accompanying notes are an integral part of these statements.


NOTES TO COMBINED FINANCIAL STATEMENTS

Notes to Combined Financial Statements
ISACA, Inc. and IT Governance Institute, Inc.
31 December 2012 and 2011

Note A—Organization

The Organization consists of ISACA, Inc. (the Association) and the IT Governance Institute, Inc. (the Institute). The Association’s and the Institute’s financial statements are presented on a combined basis due to a majority of Board members serving both entities and the Association’s economic interest in the Institute. The Organization operates on a global basis, with the majority of revenues and net assets attributable to the Association, the predominant entity within the Organization. The Organization maintains its books and records at its headquarters building located in Rolling Meadows, Illinois, USA.

The Association was incorporated in 1969 under the name Electronic Data Processing Auditors Association, a California (USA) not-for-profit corporation. In 1993, to reflect the evolving state of technology, as well as the Association’s expanding constituency base, the name was changed to Information Systems Audit and Control Association, Inc. The Association now presents itself by its acronym, ISACA. With more than 100,000 constituents in more than 180 countries at year-end 2012, ISACA is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards. ISACA also administers the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations. The Association supports development, update and education activities related to COBIT 5, a globally adopted business framework for governing and managing enterprise IT.

The Institute was incorporated in 1976 under the name Electronic Data Processing Auditors Foundation, a California (USA) not-for-profit corporation. In 1994, its name was changed to Information Systems Audit and Control Foundation, to align with the changed name of the Association, and was changed again in 2003 to IT Governance Institute, Inc. The Institute’s role in the mission it shares with ISACA focuses on provision of knowledge on IT governance and related topics. Through its collaborative development model, the Institute brings global perspectives to critical issues facing enterprise leaders and practitioners in its IT governance responsibilities.

Note B—Summary of Significant Accounting Policies

Basis of Presentation
The combined financial statements include the assets, liabilities, net assets and financial activities of the Organization. Significant intercompany balances have been eliminated in combining the two entities. The Organization has a relationship with ISACA chapters located throughout the world; however, the chapters are not fiscally accountable to the Organization and, accordingly, have not been included in the accompanying combined financial statements.

Cash and Cash Equivalents
Cash and cash equivalents consist primarily of non-interest-bearing deposits with maturity dates of three months or less at the time of purchase to be used for operating purposes. These deposits are carried at cost, which approximates fair value.

Investments
Investments, other than money market funds, interest-bearing deposits and certificates of deposit, are reflected in the accompanying combined financial statements at fair value according to generally accepted accounting principles (GAAP). GAAP has established a framework for measuring fair value, as well as a fair value hierarchy based on the inputs used to measure fair value. A financial instrument’s level within the fair value hierarchy is based on the lowest level of any input that is significant to the fair value measurement; however, the determination of what constitutes observable requires significant judgment. The fair value hierarchy is broken down into three levels based on the transparency of inputs as follows:
• Level 1—Quoted prices (unadjusted) in active markets for identical assets or liabilities.
• Level 2—Quoted prices, other than quoted prices included in Level 1, that are observable for the assets or liabilities, either directly or indirectly.
• Level 3—Inputs that are unobservable for the assets or liabilities.
Investment gains and losses include net realized and unrealized gains and losses and are reflected in the accompanying combined financial statements as non-operating activities, while interest income and dividends are considered operating revenue.

Concentration of Credit Risk
Certain financial instruments, primarily cash and investments, subject the Organization to credit risk. The Organization maintains cash balances (non-interest-bearing) at a financial institution, which for 2012, are fully federally insured. With respect to investments, concentration is limited through the diversification of the portfolio. As of 31 December 2012, the Organization maintained 28 percent of its investment balance in one mutual fund, which invests primarily in high-quality money market instruments and short-term fixed income securities. The fund may also invest in a wide range of non-money market securities, which tend to be less liquid, more volatile and carry greater risk than money market securities (for comparison, 18 percent of this fund was held in the Organization’s investment balance as of 31 December 2011). As of 31 December 2011, the Organization maintained 23 percent of its investment balance in one mutual fund, which invests primarily in a portfolio of short-term US Treasury and government agency securities, including repurchase agreements collateralized fully by US Treasury and government agency securities. This fund was sold during 2012.

Accounts Receivable
Accounts receivable are due within 30 days and are stated at amounts due from customers net of an allowance for doubtful accounts. Accounts outstanding longer than the contractual payment terms are considered past due. The Organization determines its allowance for doubtful accounts by considering a number of factors, including the length of time that trade accounts receivable are past due, the Organization’s loss history, the customer’s current ability to pay its obligation to the Organization, and the condition of the general economy and the industry as a whole. The Organization writes off accounts receivable when they become uncollectible, and payments subsequently received on such receivables are credited to the allowance for doubtful accounts.

Net Assets
Net assets, revenues, expenses, gains and losses are classified based on the existence or absence of donor-imposed restrictions using the following classifications:
• Unrestricted - Represents unrestricted resources available for support of daily operations and contributions received with no donor restriction. The Board may designate certain net assets for a particular function or activity.
• Temporarily restricted - Represents resources for which use has been temporarily restricted by the contributor. When a donor restriction has been satisfied by incurred expenses consistent with the designated purpose, temporarily restricted net assets are reclassified to unrestricted net assets for reporting of related expenses.
• Permanently restricted - Represents resources that are subject to restrictions of gift instruments requiring that the principal be invested and maintained in perpetuity. The income generated from these funds is classified based on the terms of the gift instruments.

Revenue Recognition
Revenues received by the Organization consist primarily of annual membership dues and new member fees; examination, annual maintenance fees and other fees for CISA, CISM, CGEIT and CRISC programs; attendance fees for educational conferences; the sale of advertising space; charges for various publications; sponsorships and contributions; and license fees. Membership dues and annual maintenance fees for CISA, CISM, CGEIT and CRISC are recognized as revenue in the applicable period. New member fees are recorded in the period in which the membership application is processed, with chapter membership dues collected by the Association recorded as a liability until remitted to the chapters. The Organization recognizes unrestricted, restricted and endowment contributions in accordance with donor restrictions in the period in which the commitment for support is obtained, with other revenues being recognized in the period in which the goods or services are provided. Unearned dues, fees and subscriptions are classified as deferred revenues.

Inventory
Inventory consists solely of study aids and other publications printed for the Organization for sale to its members and interested outside parties. Inventory is valued at the lower of cost or market, with cost determined by the average cost method. Provisions for obsolete items are based on estimated future usage as related to quantities of stock on hand.

Fixed Assets
Fixed assets are carried at cost. Depreciation is computed using the straight-line method. The estimated useful lives of the related assets range from two to ten years. Leasehold improvements are amortized using the straight-line method over the shorter of the lease terms or their estimated useful lives. Depreciation expense totaled $992,717 and $793,136 for 2012 and 2011, respectively.


Promotion and Advertising Costs
Promotion and advertising costs are expensed as incurred. Total promotion and advertising costs were $3,672,639 and $3,781,991 for the years ended 31 December 2012 and 2011, respectively.

Use of Estimates
The preparation of the combined financial statements in conformity with accounting principles generally accepted in the United States of America requires management to make estimates and assumptions that affect the reported amounts of assets and liabilities and the disclosure of contingent assets and liabilities at the date of the combined financial statements, as well as the reported amounts of revenues and expenses during the reporting period. Actual results could differ from those estimates.


Reclassifications
Certain reclassifications have been made to the 2011 financial statements to conform to the current-year financial statement presentation.

Note C—Investments

The following table presents information about the Organization’s investments. Money market funds and interest-bearing deposits are stated at cost. Certificates of deposit are stated at cost plus accrued interest. Investments, which are based on quoted market prices in active markets and therefore classified as Level 1, include actively listed mutual funds, exchange-traded funds and government debt securities. Investments at 31 December 2012 and 2011, consisted of the following:

                                                    2012          2011
Mutual funds
  Large cap                                   $5,040,158    $5,057,319
  Mid cap                                        774,836     1,032,427
  Small cap                                    1,089,070     1,507,677
  International                                2,862,679     3,105,235
  Fixed income                                36,589,740    22,656,968
  Alternatives                                 1,582,135             -
  Tactical allocation                          1,674,837             -
  REIT                                         1,319,214     1,312,683
  Money market                                11,168,167    16,399,890
  Total mutual funds                          62,100,836    51,072,199
Exchange-traded funds
  Large cap                                    2,929,597     2,954,529
  Mid cap                                        244,581       364,521
  Small cap                                      321,385       362,539
  International                                1,534,217     1,865,948
  Fixed income                                   613,711     3,996,553
  Total exchange-traded funds                  5,643,491     9,544,090
Money market/interest-bearing deposits               228         2,816
Total investments                            $67,744,555   $60,619,105

The components of investment return for the years ended 31 December 2012 and 2011, are as follows:

                                                                  2012          2011
Interest and dividends                                      $1,354,083    $1,191,836
Net realized and unrealized gain (loss) on investments       2,958,565   (1,789,581)
Total investment return                                     $4,312,648    $(597,745)

Note D—Accounts Receivable

Accounts receivable consist of the following at 31 December:

                                                    2012          2011
Trade receivables                             $1,037,859      $853,042
Less allowance for doubtful accounts            (38,621)      (57,169)
Accounts receivables, net                       $999,238      $795,873

Changes in the Organization’s allowance for doubtful accounts are as follows for the years ended 31 December:

                                                    2012          2011
Beginning balance                                $57,169       $48,122
Bad debt expense                                  19,355        12,065
Accounts written off                            (37,903)       (3,018)
Ending balance                                   $38,621       $57,169

Note E—Board-designated Net Assets

The Association’s Board of Directors and the Institute’s Board of Trustees designate a portion of the Organization’s unrestricted net assets for contingency purposes in order to protect the Organization against unforeseen global events and economic downturn. The designated amount, based on a three-year average of operating expenses, totals $30,186,325 as of 31 December 2012. As of 31 December 2011, the designated amount was $28,678,191. These funds, while designated for the purposes noted above, are categorized within the Organization’s combined financial statements as unrestricted net assets.

Note F—Temporarily Restricted Net Assets

Temporarily restricted net assets at 31 December 2012 and 2011 have been restricted by donors for the following purposes:

                                                    2012          2011
Research                                            $573          $573
Membership                                             -           550
Education                                              -         2,139
Standards                                              -           155
Certification                                          -           100
IS hardware and software                               -         5,250
Building                                               -         1,755
Total                                               $573       $10,522

Note G—Net Assets Released from Restrictions

During 2012 and 2011, net assets were released from restrictions to satisfy the following purposes:

                                                    2012          2011
Research                                          $1,000       $50,475
COBIT                                             11,500             -
Membership                                           550             -
Education                                          2,139             -
Standards                                            155             -
Certification                                        100             -
IS hardware and software                           5,250             -
Building                                           1,755             -
Endowment appropriation for expenditure                9             9
                                                 $22,458       $50,484


Note H—Permanently Restricted Net Assets

Permanently restricted net assets are restricted as investments in perpetuity. The Organization’s endowment consists only of donor-restricted endowment funds. Net assets associated with the Organization’s endowment funds are classified and reported based on the existence of donor-imposed restrictions. There are no donor restrictions on the earnings of the Organization’s endowment funds. The Organization accounts for endowment net assets by preserving the fair value of the original gift as of the gift date of the donor-restricted endowment fund absent explicit donor stipulations to the contrary. As a result, the Organization classifies the original value of the gifts donated to the permanent endowment as permanently restricted net assets. All earnings on the endowment funds are temporarily restricted until appropriated for current-year operating expenses as allowed by the donor. As of 31 December 2012 and 2011, endowment assets include only those assets of donor-restricted funds that the Organization must hold in perpetuity. The Organization does not have any Board-designated endowment funds. The Organization’s Finance Committee meets on a regular basis to ensure that the objectives of the Organization’s investment policy are being met, and that the investment approach used to meet the objectives is in accordance with the investment policy approved by the Board of Directors. Under this policy, the endowment assets are invested in a manner that is intended to provide adequate liquidity and maximize returns on funds invested. Interest and dividends earned on endowment funds are appropriated for current-year operating expenses.


During 2012 and 2011, the Organization had the following endowment-related activities:

                                                          Temporarily      Permanently            Total
                                                           Restricted       Restricted        Endowment
                                                      Endowment Funds  Endowment Funds            Funds
Endowment net assets, 1 January 2011                              $ -          $41,111          $41,111
  Interest and dividends                                            9                -                9
  Appropriation of endowment assets for expenditure               (9)                -              (9)
  Total change in endowment net assets                              -                -                -
Endowment net assets, 31 December 2011                              -           41,111           41,111
  Interest and dividends                                            9                -                9
  Appropriation of endowment assets for expenditure               (9)                -              (9)
  Total change in endowment net assets                              -                -                -
Endowment net assets, 31 December 2012                            $ -          $41,111          $41,111

Note I—Related-party Transactions

As a service to the chapters, the Organization includes the amount of individual chapter dues with its annual billing and remits to the chapters amounts collected on their behalf. The balances of $2,386,075 and $2,164,712 at 31 December 2012 and 2011, respectively, are reflected in accounts payable and represent the unremitted portion of dues collected for individual chapters. During 2012, chapter dues collected and remitted totaled $3,570,681 and $3,349,318, respectively. For 2011, dues collected and remitted totaled $3,311,870 and $3,346,005, respectively.


Note J—Leases

The Organization has an office facility operating lease through 31 July 2018, which requires monthly payments comprised of rent, property taxes, pro rata share of common operating expenses and insurance. The Organization also rents office equipment under three noncancelable leases with initial lease terms in excess of one year.

As of 31 December 2012, the minimum future rentals payable under these non-cancelable operating lease commitments were as follows:

Years ending 31 December    Office Equipment    Facility       Total
2013                                 $24,800    $504,000    $528,800
2014                                   6,700     514,500     521,200
2015                                   3,100     525,100     528,200
2016                                   1,600     535,600     537,200
2017                                       -     546,100     546,100
2018                                       -     556,700     556,700

Rent expenses under these leases for the years ended 31 December 2012 and 2011, were $569,096 and $613,423, respectively.

Note K—Income Taxes

The Association and the Institute have received favorable determination letters from the Internal Revenue Service stating that they are exempt from federal income taxes under Section 501(a) of the Internal Revenue Code of 1986 (IRC), as organizations described in Sections 501(c)(6) and 501(c)(3), respectively, except for income taxes pertaining to unrelated business income. The Financial Accounting Standards Board issued guidance that requires tax effects from uncertain tax positions to be recognized in the financial statements only if the position is more likely than not to be sustained if the position were to be challenged by a taxing authority. Management has determined that there are no material uncertain positions that require recognition in the financial statements. Additionally, no provision for income taxes is reflected in these financial statements, and there is no interest or penalties recognized in the statement of activities or statement of financial position. The tax years ended 2009, 2010, 2011 and 2012 are still open to audit for both federal and state purposes.

Note L—Employee Benefit Plan

The Association maintains a defined contribution retirement plan for qualified employees. Participation in the plan is optional. The Association will match the first 5 percent contributed by the employee. The Association’s contributions to the plan for the years ended 31 December 2012 and 2011, were $593,186 and $553,209, respectively.

Note M—Contribution—Disaster Relief

During 2012, ISACA chapters, members, CISAs, CISMs, CGEITs and CRISCs were affected by a local disaster. Given the long-time support of these chapters, members and certified individuals, the Association contributed $5,000 to the American Red Cross on behalf of those affected by the hurricane that devastated many regions. During 2011, ISACA chapters, members, CISAs, CISMs, CGEITs and CRISCs were affected by two substantial local disasters. Given the long-time support of these chapters, members and certified individuals, the Association contributed $5,000 to the Premier’s Disaster Relief Appeal, a relief and development organization to assist those affected by extreme flooding in Brisbane, Australia, and $10,000 to the American Red Cross on behalf of those affected with the earthquake and tsunami that devastated northeast Japan.

Note N—Subsequent Events

The Organization evaluated its 31 December 2012 combined financial statements for subsequent events through 2 April 2013, the date that the combined financial statements were available to be issued. The Organization is not aware of any subsequent events that would require recognition or disclosure in the combined financial statements.


AUDIT COMMITTEE CHAIR’S LETTER

The Audit Committee of the Board of Directors/Trustees (the Board) of ISACA/IT Governance Institute (the Organization) oversees the Organization’s financial reporting process on behalf of the Board, and is composed of six independent members. In fulfilling its responsibility, the committee recommended to the Board the selection of the Organization’s independent certified public accountants. The committee discussed with the independent certified public accountants the overall scope and specific plans for their audit. The committee also discussed the Organization’s combined financial statements and the adequacy of its internal controls.

The committee met with the Organization’s independent certified public accountants, without management present, to discuss the results of their examination, their evaluation of the Organization’s internal controls, and the overall quality of the Organization’s financial reporting.

Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP Chair, Audit Committee

MANAGEMENT REPORT ON RESPONSIBILITY FOR FINANCIAL REPORTING

The management of ISACA/IT Governance Institute (the “Organization”) has the responsibility for the preparation, integrity and fair presentation of the accompanying financial statements. The statements were prepared in accordance with generally accepted accounting principles applied on a consistent basis and, as such, include amounts that are based on management’s best estimates and judgments. Management also prepared the other information in the annual report and is responsible for its accuracy and consistency with the financial statements. The Organization’s financial statements for 2012 have been audited by Grant Thornton LLP, independent certified public accountants, elected by the Board of Directors/Trustees (the Board). Management has made available to Grant Thornton LLP all of the Organization’s financial records and related data, as well as the minutes of the Board’s meetings. Management believes that all representations made to Grant Thornton LLP during its audit were valid and appropriate. The Organization maintains a system of internal control that is designed to provide reasonable assurance to management and to the Board regarding the preparation and publication of reliable and accurate financial statements, the effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The system includes a documented organizational structure and division of responsibility, established policies and procedures that are communicated throughout the Organization, and the careful selection, training and development of personnel. Management also recognizes its responsibility for fostering a strong ethical climate so that the Organization’s affairs are conducted according to the highest standards of personal and corporate conduct. There are inherent limitations in the effectiveness of any system of internal control, including the possibility of human error and the circumvention or overriding of controls. 
Accordingly, even an effective internal control system can provide only reasonable assurance with respect to financial statement preparation.


The Organization evaluates its internal control system in relation to criteria for effective internal control over financial reporting described in Internal Control—Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission, and as of 31 December 2012 the Organization believes that its system of internal control over financial reporting met those criteria. As part of its audit of the Organization’s financial statements, Grant Thornton LLP assessed the Organization’s internal accounting controls structure to establish a basis for reliance thereon in determining the nature, timing and extent of audit tests to be applied. Management and Grant Thornton LLP have reviewed the internal control assessment with the Audit Committee as part of the committee’s acceptance of the financial statements. The Board, operating through its Audit Committee, which is composed entirely of members who are not officers or employees of the Organization, provides oversight to the financial reporting process.

Susan M. Caldwell Chief Executive Officer

Neville Rademeyer Chief Financial Officer

ISACA Board of Directors/ITGI Board of Trustees

Gregory T. Grocholski, CISA International President USA

Kenneth L. Vander Wal, CISA, CPA Immediate Past International President USA

Emil G. D’Angelo, CISA, CISM Past International President USA

Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP International Vice President UK

Juan Luis Carselle, CISA, CGEIT, CRISC International Vice President Mexico

Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC International Vice President Greece

Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt International Vice President Spain

Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA International Vice President Australia

Jeff M. Spivey, CRISC, CPP International Vice President USA

Marc Vael, CISA, CISM, CGEIT, CRISC, CISSP, ITIL International Vice President Belgium

John Ho Chi, CISA, CISM, CRISC, CBCP Director Singapore

Krysten McCabe, CISA Director USA

Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP Director Australia

Susan M. Caldwell Secretary USA

Letter From the International President and the CEO

ISACA and the IT Governance Institute continued with steady forward progress on the strategic direction that was first adopted in 2009. This course is clearly described in the aspirational statement for Strategy 2022 (S22). By 2022, ISACA will be the foremost global organization on the topic of trust in and value from information and information systems, providing distinctive relevant knowledge and services to help stakeholders enhance the governance and management of information and information systems. S22 is an ongoing effort that is bringing together hundreds, if not thousands, of ISACA constituents all focused on the same goals. We strongly believe that these partnerships and communities of expertise set ISACA apart and make us a uniquely vibrant association.

ISACA’s 2012 accomplishments were possible only because we have such productive and dedicated volunteers, such as those who serve on the international Board of Directors and Board of Trustees, boards, committees, subcommittees and task forces, as well as all chapter leaders and members around the world. These contributions, collaboration and collegiality make the difference.

Gregory T. Grocholski, CISA International President 2012-2013 ISACA and the IT Governance Institute

Susan M. Caldwell Chief Executive Officer ISACA and the IT Governance Institute


Board, Committee, Subcommittee and Task Force Chairs

Krishna Seeburn, CISSP, PMP, CFE, CIA Academic Program Subcommittee Mauritius

Richard James Hollis, CISM, CRISC EuroCACS/ISRM Task Force UK

Rosemary M. Amato, CISA, CPA, CMA Knowledge Management and Education Committee The Netherlands

Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP Audit Committee Australia

Vernon Richard Poole, CISM, CGEIT, CRISC EuroCACS/ISRM Task Force UK

Thomas E. Borton, CISA, CISM, CRISC, CISSP Knowledge Management and Education Committee USA

Todd A. Weinman, CPS Career Management Task Force USA

Kamal N. Dave, CISA, CISM, CGEIT External Advocacy Committee USA

Marcelo Antonio De Carvalho, Jr., CISA, CRISC, CISSP Latin America CACS/ISRM Task Force Brazil

Christopher Whitman Bates, CISA, CGEIT, CRISC CGEIT Certification Committee USA

Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA Finance Committee Australia

Salomon Rico, CISA, CISM, CGEIT Latin America CACS/ISRM Task Force Mexico

Michal J. Niezurawski, CISA, CISM, CGEIT, CRISC, CISSP, FLMI, PMP CGEIT Test Enhancement Subcommittee Poland

Steven Andrew Babb, CGEIT, CRISC, ITIL Framework Committee UK

Todd A. Weinman, CPS Leadership Development Committee USA

Jon W. Singleton, FCA Governance Advisory Council Canada

Nickson Wei-Sin Choo, CISA, CRISC, CA Membership Growth and Retention Committee Malaysia

Andrew J. MacLeod, CISA, FCPA, MACS, CP, CIA Government and Regulatory Advocacy Committee Australia

Charlie Blanchard, CISA, CISM, CRISC, CISSP, CIPP, CIPP/E North America CACS Program Development Task Force USA

Masatoshi Kajimoto, CISA, CRISC Governance and Regulatory Advocacy Regional Subcommittee 1 Asia/Pacific Japan

Thomas E. Borton, CISA, CISM, CRISC, CISSP North America ISRM Task Force USA

Robert C. Newbould, CISA, FCA Chapter Support Committee UK

David Yeok Wah Yeung, CISA, CIA, CFE CISA Certification Committee Singapore

Matthew William Snider, CISA, CCNA, CISSP CISA Test Enhancement Subcommittee USA

Garry James Barnes, CISA, CISM, CGEIT, CRISC CISM Certification Committee Australia

Christian Palomino Herrero, CISA, CISM, CGEIT CISM Test Enhancement Subcommittee Spain

Anthony P. Noble, CISA COBIT for Assurance Task Force USA

Steven Andrew Babb, CGEIT, CRISC, ITIL COBIT for Risk Task Force UK

Sarbjit S. Sembhi, CISM, CISSP-ISSAP, GCIH Governance and Regional Advocacy Regional Subcommittee 3 Europe/Africa UK

Christopher P. Buse, CISA, CISSP, CPA Governance and Regional Advocacy Regional Subcommittee 4 North America USA

Michael P. Bilger, CGEIT Professional Influence/Advocacy Committee USA

Steven E. Sizemore, CISA, CIA, CGAP Professional Standards and Career Management Committee USA

Horst Karin, CISA, CRISC, SAP, CISSP, ITIL Publications Subcommittee Canada

Jeff M. Spivey, CRISC, CPP Relations Board USA

Steven De Haes COBIT IRM Task Force Belgium

Peter J. Fowler, CISM, CGEIT, CRISC, MACs(Snr) CP Governance and Regional Advocacy Regional Subcommittee 5 Oceania Australia

John W. Lainhart IV, CISA, CISM, CGEIT, CRISC COBIT Online Replacement Task Force USA

Phil James Lageschulte, CGEIT, CPA Guidance and Practices Committee USA

Theresa Grafenstine, CISA, CGEIT, CRISC, CPA, CIA, CGAP, CGMA Communities Committee USA

Niraj K. Kapasi, CISA, FCA India Growth Initiative Task Force India

Markus Bittner, CISA, CISM, CGEIT, CRISC, ITIL Svc Mgmt, bDSB World Congress Program Development Task Force Germany

Robert E. Stroud, CGEIT, CRISC ISO Liaison Subcommittee USA

Marc Vael, CISA, CISM, CGEIT, CRISC, CISSP, ITIL World Congress Program Development Task Force Belgium

Marc Vael, CISA, CISM, CGEIT, CRISC, CISSP, ITIL Knowledge Board Belgium

Isabelita Litonjua Ojeda, CISA, CISM, CRISC Young Professionals Subcommittee Philippines

Charlie Blanchard, CISA, CISM, CRISC, CISSP, CIPP, CIPP/E Conference Program Development Subcommittee USA

Allan Boardman, CISA, CISM, CGEIT, CRISC, CA(SA), ACA, CISSP Credentialing and Career Management Board UK

Terry Chrisman, CGEIT, CRISC CRISC Certification Committee USA

Jack Freund, CISA, CISM, CRISC, CISSP, PMP, CIPP CRISC Test Enhancement Subcommittee USA

Jamie Robert Pasfield, CGEIT, ITILv3, PRINCE2, MSP Emerging Business and Technology Committee UK


Jorge Garibay Orozco, CISA, CRISC, CISSP Governance and Regional Advocacy Regional Subcommittee 2 Latin America Mexico

Everett C. Johnson Jr., CPA Strategic Advisory Council USA

Hubert Darnell Glover, CRISC, CPA, CIA, CMA, CRMA Student and Academic Subcommittee USA

The benefits of being an active ISACA member include far more than the knowledge I gain. I really value the leadership opportunities and the professional validation that come with being a member of such a prestigious professional body. The chapter events and networking opportunities have been real door-openers.

C.K. Bruce, CISA, CISM, CRISC, CEO, Innovaré, Ghana

Chapters

Asia Bahrain Dhaka, Bangladesh China Hong Kong Bangalore, India Cochin, India Coimbatore, India Hyderabad, India Kolkata, India Chennai, India Mumbai, India New Delhi, India Pune, India Vijayawada, India Indonesia Fukuoka, Japan Nagoya, Japan Osaka, Japan Tokyo, Japan Korea Lebanon Macao Malaysia Muscat, Oman Karachi, Pakistan Lahore, Pakistan Manila, Philippines Jeddah, Saudi Arabia Riyadh, Saudi Arabia Singapore Sri Lanka Taiwan Bangkok, Thailand UAE

Central and South America Buenos Aires, Argentina Mendoza, Argentina La Paz, Bolivia Brasilia, Brazil Rio de Janeiro, Brazil Sao Paulo, Brazil Santiago, Chile Bogota, Colombia San Jose, Costa Rica Quito, Ecuador Guatemala City, Guatemala Guadalajara, Mexico Merida, Yucatan, Mexico Mexico City, Mexico Monterrey, Mexico Panama Asuncion, Paraguay Lima, Peru Puerto Rico Montevideo, Uruguay Venezuela

Europe/Africa Austria Belgium Sofia, Bulgaria Croatia Cyprus Czech Republic Denmark Estonia Finland France (Paris) Germany Accra, Ghana Athens, Greece Budapest, Hungary Ireland Tel-Aviv, Israel Milan, Italy Rome, Italy Venice, Italy Kenya Latvia Lithuania Luxembourg Malta Mauritius Netherlands Abuja, Nigeria Ibadan, Nigeria Lagos, Nigeria Norway Katowice, Poland Warsaw, Poland Lisbon, Portugal Moscow, Russia Romania Slovenia Slovak Republic South Africa Barcelona, Spain Madrid, Spain Valencia, Spain Sweden Switzerland Tanzania Ankara, Turkey Istanbul, Turkey Kampala, Uganda Kyiv, Ukraine London, UK Central UK Northern England, UK Scotland, UK Winchester, UK Lusaka, Zambia

North America Canada Calgary, AB Edmonton, AB Vancouver, BC Victoria, BC Winnipeg, MB Atlantic Provinces Ottawa Valley, ON Toronto, ON Montreal, PQ Quebec City, PQ

Islands Bermuda Trinidad & Tobago

Midwestern United States Central Indiana (Indianapolis) Chicago, IL Illini (Springfield, IL) Illowa Iowa (Des Moines) Kentuckiana (Louisville, KY) Detroit, MI Western Michigan Minnesota Omaha, NE Central Ohio (Columbus) Greater Cincinnati, OH Northeast Ohio (Cleveland) Northwest Ohio Kettle Moraine, WI (Milwaukee)

Northeastern United States Greater Hartford, CT Central Maryland (Baltimore) New England New Jersey Central New York (Syracuse) Hudson Valley, NY (Albany) New York Metropolitan Western New York (Buffalo/Rochester) Harrisburg, PA Philadelphia, PA Pittsburgh, PA Rhode Island National Capital Area (DC)

Southeastern United States Birmingham, AL Huntsville, AL Central Florida (Orlando) Jacksonville, FL South Florida Tallahassee, FL West Florida (Tampa) Atlanta, GA Charlotte, NC Research Triangle (Raleigh, NC) South Carolina Midlands (Columbia) Memphis, TN Middle Tennessee (Nashville) Virginia

Southwestern United States Central Arkansas (Little Rock) Denver, CO Baton Rouge, LA Greater New Orleans, LA Greater Kansas City, MO Springfield, MO St. Louis, MO New Mexico (Albuquerque) Central Oklahoma (Oklahoma City) Tulsa, OK Austin, TX Greater Houston Area, TX North Texas (Dallas) San Antonio/So. Texas

Western United States Anchorage, AK Phoenix, AZ Los Angeles, CA Orange County, CA (Anaheim) Sacramento, CA San Francisco, CA San Diego, CA Silicon Valley, CA (Sunnyvale) Hawaii (Honolulu) Boise, ID Las Vegas, NV Willamette Valley, OR (Portland) Utah (Salt Lake City) Mt. Rainier, WA (Olympia) Puget Sound, WA (Seattle)

Oceania Adelaide, Australia Brisbane, Australia Canberra, Australia Melbourne, Australia Perth, Australia Sydney, Australia Auckland, New Zealand Wellington, New Zealand Papua New Guinea

Chapters in Formation Ahmedabad, India Jaipur, India Amman, Jordan Almaty, Kazakhstan Kuwait City, Kuwait Islamabad, Pakistan Doha, Qatar Rosario, Argentina Belo Horizonte, Brazil Santo Domingo, Dominican Republic Guayaquil, Ecuador Tegucigalpa, Honduras Yerevan, Armenia Gijon, Spain Gaborone, Botswana Cairo, Egypt Abidjan, Ivory Coast Casablanca, Morocco Tunis, Tunisia Harare, Zimbabwe Curacao


Contributors

Members

Platinum Susan M. Caldwell Charles Cribaro John Lainhart* Lynn Lawton Ria Lucas Neville Rademeyer Ronald Riba Robert Roussey Ronald Saull Jane Seago Brian Selby Kiyoshi Shiina Manny Singh Patrick Stachtchenko Kenneth Vander Wal Daniel Wiechec

Gold Erik Philip Friebolin Ron Hale Shankar Iyer Everett Johnson* Thomas Lamm Diane Nelson Robert Parker* William Price Sean Stringer Terry Trsar Marc Vael Archie Watt

Silver Abdul Hamid Abdullah Kim Ahmer Gary Akin Mohammed Al Omari Wayne Dennis Allums Ali Fathi Al-Sheikh Ahmed David Applebaum Jim Arnold Scott Artman Garry James Barnes Mary Begel Douglas Bencomo Susanna Bezold Deepak Balkrishna Bhandarkar Ramesh Bhat Allan Boardman Cornelius Buergin Dexter Burger Cynthia Cannaday Raymond Catoe Peter Albert Christiaans Nancy Cohen Reynaldo de la Fuente Helene Demoulin Patricia Giovanna Diaz Tori Shannon Donahue Mark Douglas Cassius Downs Susumu Eda Koji Enjo Concepcion Fermin Francesc Xavier Fernández Cuesta Julia Fullerton Luis Enrique Garcia de Paredes John Garrett Ashok Ghosh Jen Hajigeorgiou Markus Heinen Jason Ingalls Babatunde Jaji Guy Jordan Vincent Kaabunga Ghassan Kabbara Vijaya Bhaskar Kakulavarapu Vijay Karayi


* Denotes Wasserman Award winner

Tina Kay Masaji Kinpara Tara Kissoon Michael Knight Emiko Kurihara John Kuyers Chandrasekar Lakshmi Varahan Patricia Liechty Layfield Yong-Seok Lee Min Chee Liew Albert Lima Jeremy Lucas Helen Woon-Yee Ma Atsushi Masaki Kay Matsumoto Bryan McAtee Christian Greiffo Da Justa Menescal Walter Merkt Thomas Mockbee Wasseem Mohanna Yuji Morita Van Quang Nguyen Anthony Noble Deborah Oetjen Mecki Oker Anthony Oghene Okolo Jim Patterson Jeffrey Patubo Hugh Henning Penri-Williams Andreas Postl Daniel Fernando Ramos David George Reinhold Salomon Rico Kees Riemens Charles Kendall Roberts Chuck Rowe Alexander Samarin Merve Sarac Hiroharu Sawada Jorge Serrano Rodriguez Mark Stanley Conrad Stanton Hamilton Michael Stewart Jo Stewart-Rattray Robert Ernest Stroud Vaclav Stverka Lennard-Peter Abdun-Nur Sutherland Chandra Sekaran Swaminathan Ichiro Tabata Hideyuki Tanaka Bernard Chee Kian Tang Choon Meng Teo Andrei Tinca Giancarlo Turati Paul van Domburg Vatsaraman Venkatakrishnan Oliver Von Salis Karyn Waller Shinichi Watanabe Todd Weinman Alberto Zapico

Donor Paul Aaron Zoran Abraham Vivek Jacob Abraham Sufian Abu Jolanta Adamska Iyabo Monsurat Adeleke-Adedeji Sanjiv Kumar Agarwala Martin Faith Agwogie Asaf Zaki Ahmad Azubike Edward Ahubelem Olufemi Steven Ajibi Adesina Kabir Ajina Edward Akayesi Ahmad Marwan Alanazy Ingo Albrecht Waseem Al-Otaibi

Abdulaziz Ebrahim Husain Al-Terki James Michael Anderson Horacio Eduardo Antonelli Matterson Roberto Apollonio Matthew Archibald Henri Arendsen Mohammed Bachiri Christopher Bagot Azamodeen Baksh Gintautas Balciunaitis Hamza Moosa Baqer Andreas Barattiero Cheryl Barker Christopher Barker Donald O’Gillvray St Philip Barnett Robert Barton Jo-Anne Bellemer Bernie Bengler Robert Benjamin Paul Berkebile Glauco Bertocchi Suresh Bhatt Milind Madhav Bhide Laszlo Miklos Biro Khaled Bohsali Mario Bojilov Charan Kumar Bommireddipalli Richard Bonello Bettssy Botero Gallego Robert Boyle David Brachio David Breeding Ricardo Bria Wayne Brisson Suellen Brittingham Brian Michael Brotschi Jason Leonard Bunston Renato Burazer Michael Burgher Harijs Buss Chester Butkiewicz Mark Alexander Butzke Sriram Narayanan Cadambi Fernando Calvillo Jose Campos Mario Carbajal Jorge Carballeira Bruno Carbone Paul Casey Herve Cavey David Lars Chamberlain William Gerard Champ Victor Sze-Tin Chan Joseph Kasion Chang-Wailing Chun-Hung Cheng Melanie Cheong Douglas Childes Ashley Aleong Choo Tim Sandra Choyce Rajeev Ramchand Chugh Henny Claessens Robert Clarke James Rickard Cogley Kunle Coker Mark Connelly Marc Cooreman Philippe Copello Franois Corminboeuf P.J. Corum John Allen Curran Gordon Curtis Dominic Cuscuna Bernard Czaja John Joseph Czaplewski Karl Dahlberg Deborah Dahlin Ashit Dalal Mark D'Andrea Sabyasachi Dash Clive Davids

William Davidson Rodney Owain Davies Heraldo de Barros Erik De Vries Umberto DeLucilla John Joseph DeMauro John Bernard Dempsey Richard Micheal Denny Amiel Abary Diaz Kenneth Richard Diedrich Xinhao Ding Satyavan Domb Bohdan Dombchewskyj Kieran Doorley Darrell Doyle Doug Drummond John D’Souza Salih Ali Durul Mary Erlanger Cesar Vengco Esteban John Kenji Eto Tomoyasu Eto Dieter Fabritius David Fairman Hamad Isa Fakhro Tao Feng Gavin Bryan Ferreiro Cherrie Mae Arciaga Ferreria Chiomento Uwe Fiedler Kenneth Glenn Fitzpatrick Gregory Fouquet Philip Francisca Norihisa Fujita Yoshio Fukasawa Andre Gagnon Ramses Gallego Fredrik Galtung Louis Gamon Eduardo Garcia Martinez John Generelli Frank Gerber Peter Goelet Gerry Nelson Gibbs Khristian Gibson Marc Giesbers Anthony John Gilli David Alwyn Gittens Hubert Darnell Glover John Cameron Glover Sandeep Narayan Godbole Jean-Marc Goeders Tsung Foong Goh Bonnie Anne Goins Julio Golcher Vaso Golijanin Jason Gonzales David Goodwin Ajit Vasant Gore Kathy Robertson Green Roger Scott Greenwell Gerd Karl Grimberger Stefan Gross Klaus-Peter Grosser Marisol Guasca Carlos Alejandro Guichon Testa Glen Decreto Gumban Suresh Gummalam Tod Gene Gunther Ruchi Gupta Michael Robert Guthrie Stewart Frank Gwyn Joseph Hachem Daniel Hadaway Barry George Hadfield Aftab Faizy Haider Walid Halik Husni Loutfi Hammoud Dorina Hamzo Lars Hansen Yonosuke Harada

Aris Budiman Hartono Joan Hash Bassam Farid Hassan Masahiko Hayakawa William Joseph Hellrung Kenneth Henry Johan Hermans Brian Michael Hickie Achyut Keshav Hirve Jennifer Hong Lavon Hopkins Adrian Howe Peter Hundal Adnan Hussain Donna Hutcheson Ryozo Inoue David Taiwo Isiavwe Manabu Isogai Lakshminarayanan Iyengar Venugopal Iyengar Babu Jayendran Michael Jimenez Mayowa Anthony Jimoh Allan Jagath Monesh Jinadasa Anne-Marie Joannette Thomas Joerger Joseph. K. Josekutty Geogy George Joseph Thomas Joseph Rohini Joshi Itticheria Joshua Zhan Jovanovski Aenan Juring Carlos Justiniano Masatoshi Kajimoto William Lynn Kalahar Asouma Kamagate Deepak Kamalasanan Michael Kamens Ramzi Kanso Jacqueline Kapres Parikshat Kapur Spiros Karasavvidis Yasushi Kasahara Eugene N’da Kassi Iftikhar Fazlehussain Kathawala Ravi Shankar Balakrishnan Kavaseri Tomohide Kawawaki Rabia Khanfir Dong Won Kim Jonathan King William Lewis King Yoshihiro Kitsutaka Wayne George Kloeden Chris William Kmosko Petr Knize Wade Richard Koeller Abdul Aziz D. Kone Gregory Gerard Koval Michael Krasny Wayne Carvel Kreisel Unni Krishnan Kevin Ka Kui Chi Choi Kuok Flavio Rattes La Terza Stefan Laager Louis Labelle Dmitry Lakomkin Russell Lamosek Richard Larson Tak Wa Lau Lee Frederick Laubach George Edward Lawless Jacinthia Lawson Adrian Lee Jean Legare Robert Leigh Vincent Chee Hung Leung Jean-Charles Leynadier Ku-Chuan Lin

Robert Lluis Michael Loch Khoon Chiang Loo Clovis Inacio Lopes Pereira Roberto Lopez Escalera R. Jose Maria Lopez Sanchez Allyson Lyles Alexandre Maamar Sasawat Malaivongs Charles-Robert Manterfield Massimo Vito Angelo Manzari Peter Manzo Stephen Marks Price Edward Martin David Martinez Sergey Martinov Aggrippa Gerald Masamha Mohd Abdul Mateen Alfonso Mateluna Concha Mark Mathre Eiichi Matsubara Michael Mauro Alfred Max John Mayor Boris Mazets Joan Gathoni Mburu Omanjo Keith McAninch Jacqueline McCaulley Michael McCrain Robert McFarland Joseph McGinley Alisdair McKenzie Ross Oliver Donald McNaughton Sean McPoland Ravi Shanker Medicherla Rudy Meert Alfonso Mendez Jorge Merida Munoz Michael Meyer Stelios Angelo Michas Brian-Liam Baikie Miller Jean Milzi Mohamed Ali Mirghani Djordjije Mitrevski Masami Mitsubori H. L. Mobley Willem Ewoud Modderman Anup Mody Zoltan Mohos John Paul Molina Guennadi Momot Eric Richard Mone Armanda Moore Lakshman Krishna Moorthi Jeffrey Moskowitz Alexander Mosyagin Adel Ilyas Moubarak Adamu Musa Mshelia Gary Murphy Shawn Patrick Murray Robert John Muscat Ralf Mutzke Natarajan Nagarajan Nirmala Nagarajan Sudeep Nair Motohiko Nakamura John Downy Solomon Nallathambi Chandramohan Narayan Gangadharan Narayanan Nelly Nauman Ella Netes Peter Lee Newing Chung Hin Ngai Howard Nicholson Gertjan Nickolson Roman Nikitin Takahiro Nishimura Stephen Norkunas Stephen Nthenge Clare Teresa Nugent Hazel Nyathi Ben Simiyu Nyongesa

Young Seok Ock John Tanko Ogazuma Henry Oh Kehinde Peter Olofinmoyin Chanroutie Omadath-Heetai Nosa Omoma Drew O’Neill Carmen Ozores Fernandes Petros Panagiotidis David Paolantonio Pramod Shashikant Paranjape Rachel Paredez Hugh Parkes Michael Parkinson Chien Parkyn Sean Pascoe Vincent Pearce Vicente Peirats Marjorie Perry John Perumal Lesley Petersen Robert Walter Peterson Shueh Miin Phang Tajjud-deen Phillipps Tino Piazzardi Andre Pitkowski Dennis Keith Platt John Poff Alida Polanco Olguin Mihaela Popescu Roberto Porras Leon Ren Powers Richard Pray Wagner Roberto Pugliese Rajesh Kantesh Purohit Kishor Rabi Francisco Vicente Ramon-Mira Paul Randazzo Venkataraman Ranganathan Sree Krishna Rao Stewart Redfield Michael Gerard Redmond Nijel Redrick Kostja Reim Gerardo Renzetti Alan Sergio Reyna Mendoza Jack Riegel Royice Robbins Jim Robert Marie Ghislaine Robinson Daniel Alfredo Rojas Ruiz Facundo Rojo Gil Rafael Roldos Patricia Aneta Rowe-Seale Michael John Rowley Patrick Rozario Cornel Ruston Noam Sabo Babatunde Muhammed Tajudeen Sadiku Kenji Saitou Milton Eric Sambolin Maurice Alan Samuels Sylma Sanchez Anthony Saranchak Gautam Sarnaik Mugdha Satish Satarkar Mikhail Saykov Chad Schieken Martin Schlaeppi Joshua James Schmidt Ekkehard Scholz Nicolas Terence Schroeyens Ted Schuyt Steven Schwartz Horst Schweitzer Robert Schwind Paul Byron Scott Tshitego Moses Segaetsho Daniel Seider AbdulGhaffar Mohammad Setareh Alexander Setiadji

Mayank Jitendra Shah Yen Shan Diana Jean Sharkey Ady Sharma Akira Shibata Makoto Shibata Minoru Shibuya Mahito Shimomura Takashi Shitamichi William Shorrock Pablo Silberfich Romildo Klement Silva Stefano Silvestri Thomas Sinnott Robert Brian Skadowski Marek Skalicky Edward Joseph Slusarski Peter Smithson Rebecca Snevel Russell Snyder Folarin Sogeke Sandeep Sokhey Ibrahima Sow Chaz Sowers Sridharaan Erugur Srinivasan Ivan Stanchin Jaroslaw Stawiany Klaus Peter Steinbrecher Robert Bryan Stout Hans Manfred Strauss Vilvanathan Subramanian Katsutoshi Sugiyama Rawin Sukhpool Guangsheng Sun Santosh Lokanathan Sundaram Stig Jarle Sunde Hartono Ari Susetyo Leonard Sutton Ching Kwong Sze Olanrewaju Tiamiyu Taiwo Jinichi Takemura Ameliana Tanjaya Tanujaya Martin Tapia Alexandru Tasca Yoshito Tashiro Kenneth Taylor Tammy Taylor Tazaki Teruo Hiroshi Terai Mladen Tercelj David Terpening Samuel Nam Lei Tham Deborah Thurman Horst Tisson Scott Tompkins Aminullah Tora Javier Torner Nayef Trad Daniella Traino Mamadou Sidiki Traore Matt Troniak Larry Truax Hanson Tsui Deborah Tucker Elena Turin Martin Unterberger Martin Urban Luis Uria Fumio Utsumi Pavel Uvarov Marcel van Dijk Michiel Van Hulsteijn Steve VanArsdale Alejandro Vazquez-Nava Huib Vellekoop Angelo Quentin Veney Chris Verdonck Sylvain Viau Juan Guillermo Villa Jason Edward James Viola Manuel Jose Viscasillas Robert Vitali Jon Voiculescu

James Muresia Wafula Julian Andrew Wakim Ichiro Wakita Philipp Walther Nathan Wang Hoyt Warren Richard Lawrence Way Ian Lawrence Webster Esper Boutros Wehbe Winston Washington Weir Kennet Westby Robert Philip White Dominic Ivor Williams Daniel Williams Ming Wu Jens Wudick Takumi Yabuki Kenichi Yamashita Prabhaker Reddy Yasa Virginia Yue Ka Wei Yuen Jason Chee-Mun Yuen Michael Wai-Kee Yung Ilya Zabegaev Muhammad Naveed Zakarya Douglas Ziegenfuss Roman Zillek Christopher Zoladz Peter Zuong

Chapters

Platinum Greater Houston Chapter Los Angeles Chapter National Capital Area Chapter

Gold Birmingham Chapter Detroit Chapter Greater Kansas City Chapter New York Metropolitan Chapter North Texas Chapter Silicon Valley Chapter Vancouver Chapter

Silver Austin Chapter Denver Chapter Greater Cincinnati Chapter Greater Hartford Chapter Jacksonville Chapter Kentuckiana Chapter New England Chapter San Francisco Chapter South Carolina Midlands Chapter Toronto Chapter Tulsa Chapter Virginia Chapter West Florida Chapter

Donor New Jersey Chapter Orange County Chapter Ottawa Valley Chapter Philadelphia Chapter Phoenix Chapter Rhode Island Chapter

Corporate Sponsors and Donors Accuvant ACL AlertEnterprise Application Security Black Duck Software BrightTALK BWise BV CA Technologies Client and Friends Adaptive GRC ConsETI Courion Corporation Credant Cyber-Ark Software Dell SecureWorks Deloitte EnterpriseGRC Solutions EVault FishNet Security Glenfis AG Greenlight Technologies Hitachi ID Systems HP IBM Intel IronStratus ISACA San Francisco Chapter Lewis University McAfee Microsoft Modulo Security NetIQ Northwestern University Oracle PCI Security PowerTech Protiviti Qualys Regis University SafeNet Security Innovation Sensage Sonatype Symantec TechTarget Thawte Thomson Reuters Villanova University Vormetric

Affiliates American Institute of Certified Public Accountants (AICPA) ASIS International Center for Internet Security Commonwealth Association of Corporate Governance FIDA Inform Information Security Forum Information Systems Security Association Institut de la Gouvernance des Systemes d'Information Institute of Management Accountants Inc. ISACA Chapters ITGI Japan Norwich University Solvay Brussels School of Economics and Management University of Antwerp Management School


History of ISACA and the IT Governance Institute

ISACA’s journey began in 1967, when a small, but visionary, group of professionals realized that their work auditing controls for computer systems was becoming increasingly vital to the overall operational success of their enterprises. Together they discussed the benefits of developing a centralized source of information and guidance for their growing field. In 1969, the group formalized and incorporated as the EDP Auditors Association (EDPAA). The organization’s name was changed to Information Systems Audit and Control Association (ISACA) in 1994. ISACA now goes by its acronym only, to reflect the broad range of professionals it serves. Now, with more than 100,000 members in 170 countries, ISACA is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, governance and management of enterprise IT (GEIT), and IT-related risk and compliance. The nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT and business skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations. ISACA continually updates and expands the practical guidance and product family based on the COBIT framework. This helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business. Affiliated with ISACA, the IT Governance Institute (ITGI) was created in 1998 as a nonprofit, independent entity.
In the years since their inception, ISACA and ITGI have been drivers of extensive innovation and, as a result, have become pace-setting global organizations for IT governance, security, risk, control and assurance professionals.

3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA ISACA Phone: +1.847.253.1545 ITGI Phone: +1.847.660.5700 Fax: +1.847.253.1443