📖 What is a RACI Matrix?
A RACI matrix is a responsibility assignment matrix used to clarify roles and responsibilities for tasks, milestones, or deliverables in a project. It identifies who is Responsible, Accountable, Consulted, and Informed for each activity to prevent confusion and overlap.
"Student, the most critical part of the RACI is that only one person can be 'Accountable' (A) for a task to ensure clear ownership."
📚 Certification: Certified Information Systems Auditor (CISA)
🔑 What are the Key Concepts of the RACI Matrix?
- Responsible (R) refers to the individuals who perform the actual work to complete the task; multiple people can be assigned this role for one activity.
- Accountable (A) is the person who owns the task and ensures its completion; CISA emphasizes that only one person can be accountable to prevent ambiguity.
- Consulted (C) involves subject matter experts whose input is sought via two-way communication to ensure the task is performed accurately and meets requirements.
- Informed (I) represents stakeholders who are kept updated on progress or completion through one-way communication, without being directly involved in the execution.
- Audit Application involves using the RACI matrix to evaluate internal control adequacy and identify gaps in ownership or potential conflicts in segregation of duties.
🎯 How does the RACI Matrix appear on the CISA Exam?
You may be asked to identify a governance flaw in a project where a task has multiple people listed as 'Accountable,' indicating a lack of clear ownership.
A scenario might describe a failure in a change management process; you must determine if the absence of a 'Consulted' role led to an overlooked technical dependency.
Expect questions where you must analyze a RACI matrix to ensure segregation of duties, specifically checking that the person performing the work is not the sole approver.
❓ Frequently Asked Questions
Can one person hold multiple roles in a RACI matrix for a single task?
Yes, an individual can be both Responsible and Accountable (R/A), particularly in smaller teams. However, from an audit perspective, this may increase risk by reducing the oversight provided by segregation of duties.
How does an auditor use the RACI matrix during a control review?
The auditor compares the documented RACI matrix against actual operational practices to verify that roles are being followed and to ensure that no critical tasks are missing an accountable owner.