Isaca CGEIT Online Practice Questions and Exam Preparation

CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026

Isaca CGEIT Online Questions & Answers
Question 281:
An enterprise has finalized a major acquisition, and a new business strategy in line with stakeholder needs has been introduced. To help ensure continuous alignment of IT with the new business strategy, the CIO should FIRST:
A. review the existing IT strategy against the new business strategy. B. revise the existing IT strategy to align with the new business strategy. C. establish a new IT strategy committee for the new enterprise. D. assess the IT cultural aspects of the acquired entity.
A. review the existing IT strategy against the new business strategy. The first step the CIO should take to help ensure continuous alignment of IT with the new business strategy is to review the existing IT strategy against it. A review evaluates and compares the current state and performance of the IT strategy with the desired state and expectations set by the new business strategy. It identifies the strengths, weaknesses, opportunities, and threats of the IT strategy, as well as the gaps, risks, and issues that need to be addressed, and it produces the insights and recommendations on which any subsequent change to the IT strategy is based. In ISACA's IT governance focus areas, this activity falls under strategic alignment, supported by performance measurement (reviewing and monitoring the achievement of IT-related goals). The other options are not the first step. Revising the existing IT strategy (B) follows the review, because the changes and adjustments to the IT strategy should be driven by the review's findings and recommendations. Establishing a new IT strategy committee (C) may or may not be necessary depending on the existing governance structure and processes, and it does not by itself address alignment. Assessing the IT cultural aspects of the acquired entity (D) is relevant for integrating and harmonizing the IT functions and practices of both entities, but it does not ensure alignment with the new business strategy. References: 1. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA, page 31. 2. CGEIT Review Manual 2023, ISACA, page 69.
Question 282:
The CIO of a financial services company is tasked with ensuring IT processes are in compliance with recently instituted regulatory changes. The FIRST course of action should be to:
A. align IT project portfolio with regulatory requirements. B. create an IT balanced scorecard. C. identify the penalties for noncompliance. D. perform a current state assessment.
D. perform a current state assessment. The first course of action for the CIO of a financial services company tasked with ensuring IT processes comply with recently instituted regulatory changes should be to perform a current state assessment. A current state assessment evaluates the existing IT processes, policies, controls, and performance against the new regulatory requirements and identifies any gaps, issues, or risks that need to be addressed. It also establishes a baseline and a benchmark for measuring the progress and effectiveness of the compliance initiatives. Aligning the IT project portfolio with regulatory requirements (A) is a subsequent step: it helps prioritize and allocate resources to the IT projects that support the compliance objectives and deliver value to the business, but it requires a clear understanding of the current state and the desired state of the IT processes and compliance, which only the assessment provides. Creating an IT balanced scorecard (B) is not the first course of action, because it is a tool for monitoring and reporting compliance outcomes and impacts. An IT balanced scorecard measures and communicates the performance of the IT function from the financial, customer, internal process, and learning and growth perspectives; it helps align the IT strategy with the business strategy, track the progress and results of IT initiatives, and demonstrate the value and contribution of IT to the business, but it does not provide a comprehensive analysis of, or an improvement plan for, the IT processes and compliance.
Identifying the penalties for noncompliance (C) is not the first course of action, because it is only a motivating factor for compliance. Knowing the penalties can raise awareness of and urgency around compliance issues and risks and can deter violations or breaches, but it does not provide a detailed assessment or guidance for achieving compliance. References: IT Compliance: What You Need to Know, Smartsheet, "How to Achieve Compliance" section. IT Compliance Management Best Practices: 5 Tips from Experts, MetricStream, "Tip 1: Assess your current state" section. IT Compliance Checklist: How to Ensure Your Business Is Compliant, Blissfully, "Step 1: Assess Your Current State" section. IT Compliance Management: Definition and Overview, OpsCompass, "How Do You Manage IT Compliance?" section.
Question 283:
Which of the following is the MOST important reason for selecting IT key risk indicators (KRIs)?
A. Demonstrating the effectiveness of IT risk policies B. Assessing the current IT controls model C. Enabling comparison against similar IT KRIs D. Increasing the probability of achieving IT goals
D. Increasing the probability of achieving IT goals. The most important reason for selecting IT key risk indicators (KRIs) is to increase the probability of achieving IT goals. IT KRIs are metrics that show the level of exposure to, or the likelihood of occurrence of, IT-related risks that may affect the achievement of IT objectives. By selecting and monitoring IT KRIs, the organization can identify and manage the potential threats and opportunities that may affect IT performance and value. IT KRIs also help trigger corrective or preventive actions, communicate risk information, and support decision-making and improvement processes. The other options describe secondary uses of KRIs: demonstrating the effectiveness of risk policies (A) and assessing the controls model (B) are outcomes of monitoring KRIs rather than the reason for selecting them, and comparability with similar KRIs (C) is a desirable property of a KRI, not its purpose.
Question 284:
Which of the following is the BEST way to ensure all enterprise employees understand the corporate code of business conduct?
A. Conduct scheduled and random compliance audits. B. Mandate annual ethics training that includes an exam. C. Require external business activities be documented and reported. D. Distribute a copy of the code and require a signature.
B. Mandate annual ethics training that includes an exam. The best way to ensure all enterprise employees understand the corporate code of business conduct is to mandate annual ethics training that includes an exam. Training helps employees learn the content and principles of the code, and the exam tests their knowledge and comprehension, which a signature on a distributed copy (D) does not. Ethics training also reinforces the importance of ethical behavior and the consequences of violating the code. According to a Harvard Business Review article, ethics training can help employees develop ethical skills such as moral awareness, moral reasoning, moral courage, and moral leadership. A code of conduct is not effective if employees do not know or understand it, or if they do not apply it in their daily work; compliance audits (A) and reporting of external business activities (C) detect deviations after the fact rather than building understanding. Therefore, ethics training is essential to ensure employees are aware of and adhere to the corporate code of business conduct. References: CGEIT Review Manual (Digital Version) or CGEIT Review Manual (Print Version), Chapter 1: Governance of Enterprise IT, Section 1.1: IT Governance Frameworks and Principles, Subsection 1.1.2: IT Governance Principles, pages 14-15. Building an Ethical Company, Harvard Business Review.
Question 285:
An enterprise has made the strategic decision to reduce operating costs for the next year and is taking advantage of cost reductions offered by an external cloud service provider. Which of the following should be the IT steering committee's PRIMARY concern?
A. Calculating the cost of the current solution B. Updating the business risk profile C. Changing the IT steering committee charter D. Revising the business's balanced scorecard
B. Updating the business risk profile. This should be the IT steering committee's primary concern, because moving to an external cloud service provider may introduce new or different risks to the enterprise, such as data security, privacy, compliance, availability, performance, vendor lock-in, and service level agreement risks. The IT steering committee should update the business risk profile to reflect the current and potential risks associated with the cloud service provider and to ensure that they are within the enterprise's risk appetite and tolerance. The committee should also monitor and manage those risks throughout the cloud service lifecycle and ensure that appropriate controls and mitigation strategies are implemented to protect the enterprise's assets and interests. The other options are less important than updating the business risk profile, because they do not address the change in risk that the decision introduces. Calculating the cost of the current solution (A), changing the IT steering committee charter (C), and revising the business's balanced scorecard (D) are possible follow-on actions, taken, if at all, after the risk profile has been updated and based on the identified risks and their levels.
Question 286:
Which of the following provides the STRONGEST indication that IT governance is well established within an organizational culture?
A. IT performance metrics are defined in the balanced scorecard. B. Benefits of IT governance are realized throughout the organization. C. There is awareness of IT metrics throughout the organization. D. IT governance defines how IT projects should be assessed.
B. Benefits of IT governance are realized throughout the organization. When IT governance is well established within the organizational culture, its benefits are realized throughout the organization. This means that IT governance is not only a formal process but also a shared value and practice among all stakeholders. IT governance benefits include improved alignment, performance, risk management, value creation, and compliance. Defined metrics (A), awareness of metrics (C), and a defined project assessment approach (D) are evidence that governance mechanisms exist, but not that they have been embedded in the culture and are delivering results. References: CGEIT Domain 1: Framework for the Governance of Enterprise IT.
Question 287:
What is the BEST way for an IT governance board to establish standards of behavior for the adoption of artificial intelligence (AI)?
A. Direct the creation and approval of an ethical use policy. B. Review and update the data privacy policy to align with industry standards. C. Include specific ethics clauses in vendor agreements and contracts. D. Include ethics topics within onboarding and awareness training.
A. Direct the creation and approval of an ethical use policy. The best way for an IT governance board to establish standards of behavior for the adoption of artificial intelligence (AI) is to direct the creation and approval of an ethical use policy. An ethical use policy defines the principles, values, and guidelines for the responsible and ethical design, development, and deployment of AI systems and applications within the enterprise. It helps ensure that AI is aligned with the enterprise's mission, vision, goals, and values, and that it respects the rights, dignity, and interests of all stakeholders, including customers, employees, partners, regulators, and society at large. It also addresses the potential risks, challenges, and impacts of AI on privacy, security, fairness, accountability, transparency, trustworthiness, human dignity, human agency, and social good. According to ISACA's article "Developing an Artificial Intelligence Governance Framework," "an ethical use policy is essential for any enterprise that wants to adopt AI in a responsible and sustainable manner. An ethical use policy can help to establish trust and confidence in AI among the stakeholders and customers, and to avoid or mitigate any negative consequences or harms that may arise from AI." Furthermore, according to ISACA's article "Governance of Responsible AI: From Ethical Guidelines to Legal Frameworks," "an ethical use policy can provide a common framework and language for the governance of AI across different domains, sectors, and regions. An ethical use policy can also facilitate the compliance with existing laws and regulations that may apply to AI." The other options are ways of implementing or reinforcing standards that the policy sets: updating the privacy policy (B) covers only one aspect of AI risk, contract clauses (C) bind vendors rather than the enterprise's own behavior, and training (D) communicates standards but does not establish them. Therefore, directing the creation and approval of an ethical use policy is the best way for an IT governance board to establish standards of behavior for the adoption of AI.
Question 288:
Which of the following is MOST helpful in determining whether an enterprise's quality assurance (QA) program is meeting business requirements?
A. Review the quality framework. B. Perform a SWOT analysis. C. Review service outage reports. D. Perform a quality audit.
D. Perform a quality audit. A quality audit independently examines whether the QA program is operating as designed and whether its outputs actually satisfy business requirements. Reviewing the quality framework (A) only confirms that the program is well designed, not that it delivers; a SWOT analysis (B) is a strategic planning tool rather than a measure of conformance; and service outage reports (C) are a single lagging indicator that reflects only part of what the business requires of QA.
Question 289:
An enterprise is assessing whether to utilize wearable technology. The enterprise has no prior experience with this technology and has asked the chief technology officer (CTO) to assess the impact to the enterprise. The CTO should FIRST:
A. understand the enterprise's risk tolerance. B. create an IT risk scorecard. C. prioritize wearable technology risk.
A. understand the enterprise's risk tolerance. The CTO should first understand the enterprise's risk tolerance before assessing the impact of wearable technology. This aligns the assessment with the enterprise's objectives, culture, and appetite for risk. The other options are important steps in the assessment process, but they are not the first. Creating an IT risk scorecard and prioritizing wearable technology risk both require a clear understanding of the enterprise's risk tolerance, which is the basis for defining risk criteria and thresholds. References: ISACA, CGEIT Review Manual, 7th Edition, Chapter: Strategic Management, Section 2: Risk Optimization, pp. 63-64.
Question 290:
Which of the following is the MOST important consideration when integrating a new vendor with an enterprise resource planning (ERP) system?
A. IT senior management selects the vendor. B. A vendor risk assessment is conducted. C. ERP data mapping is approved by the enterprise architect. D. Procurement provides the terms of the contract.
B. A vendor risk assessment is conducted. A vendor risk assessment is the most important consideration when integrating a new vendor with an ERP system, because it identifies and evaluates the potential risks associated with the vendor's operations and products and their impact on the organization. A vendor risk assessment can cover aspects such as security, compliance, quality, reliability, performance, and contingency plans. By conducting one, the organization can mitigate the risks and ensure a smooth and secure integration with the ERP system. The other options are less important than a vendor risk assessment, because they are either dependent on it or secondary to it. IT senior management selects the vendor (A) based on the results of the vendor risk assessment and other criteria. ERP data mapping is approved by the enterprise architect (C) after the vendor risk assessment confirms that the vendor's data is compatible and consistent with the ERP system. Procurement provides the terms of the contract (D) after the vendor risk assessment validates that the vendor meets the organization's standards and obligations. References: Guide to Vendor Risk Assessment; 10 Risk Assessment Factors for ERP System Integration Projects; Ensuring Vendor Compliance and Third-Party Risk Mitigation.
Source: Vcedump.com, Isaca CGEIT exam questions, answers, and explanations.