Isaca CGEIT Online Practice Questions and Exam Preparation

CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026

Isaca CGEIT Online Questions & Answers
Question 411:
An executive sponsor of a partially completed IT project has learned that the financial assumptions supporting the project have changed. Which of the following governance actions should be taken FIRST?
A. Schedule an interim project review.
B. Request a risk assessment.
C. Re-evaluate the project in the portfolio.
D. Request an update to the business case.

Answer: D. Request an update to the business case.

The first governance action that should be taken when the financial assumptions supporting a project have changed is to request an update to the business case. The business case is the document that justifies the initiation, continuation, or termination of a project based on its expected costs, benefits, and risks. A change in the financial assumptions may affect the viability and value of the project, and therefore the business case should be revised to reflect the new situation. The updated business case will then inform the subsequent governance actions, such as scheduling an interim project review, requesting a risk assessment, or re-evaluating the project in the portfolio. According to one source, "The business case is a living document and should be reviewed and updated periodically as new information becomes available."

References: ISACA, CGEIT Review Manual, 27th Edition, 2020, page 14; Tips for Agile Project Governance
Question 412:
Which of the following BEST enables effective enterprise risk management (ERM)?
A. Risk register
B. Risk ownership
C. Risk tolerance
D. Risk training

Answer: B. Risk ownership

According to the CGEIT exam content outline, one of the subtopics under the domain of Risk Optimization is "Risk Ownership and Accountability". This subtopic covers the process of assigning and communicating the roles and responsibilities for risk management to the appropriate stakeholders, such as business owners, process owners, or risk owners. Risk ownership is the best way to enable effective enterprise risk management (ERM), as it ensures that the risks are identified, assessed, treated, monitored, and reported by the people who have the authority, knowledge, and interest to manage them. Risk ownership also fosters a risk-aware culture and promotes accountability and transparency for risk management.

The other options are not as effective as risk ownership to enable ERM. A risk register is a tool that records and tracks the information about the risks, such as their description, category, impact, likelihood, status, and action plan. A risk register is useful for documenting and communicating the risks, but it does not ensure that the risks are managed properly by the responsible parties. A risk tolerance is a measure that defines the acceptable level of variation from the expected outcome or objective. A risk tolerance is important for setting the boundaries and criteria for risk management, but it does not guarantee that the risks are aligned with the business strategy and objectives. Risk training is a program that provides education and awareness on risk management concepts, methods, and tools. Risk training is beneficial for enhancing the skills and competencies of the risk management staff and stakeholders, but it does not ensure that they perform their roles and responsibilities effectively.

References:
1. CGEIT Exam Content Outline | ISACA
2. Risk Ownership - ISACA
3. Risk Ownership: The First Step in Enterprise Risk Management - ERM
4. What Is a Risk Register? and Free Template - ProjectManager.com
5. What Is Risk Tolerance? Definition and Examples - Talend
6. IT Risk Management Training | ISACA
Question 413:
Which of the following is the BEST course of action to enable effective resource management?
A. Conduct an enterprise risk assessment.
B. Implement a cross-training program.
C. Assign resources based on business priorities.
D. Assign resources based on risk appetite.

Answer: C. Assign resources based on business priorities.

The best course of action to enable effective resource management is to assign resources based on business priorities. Resource management is the process of enhancing efficiency and guiding the use of such project-critical resources as employees, equipment, and tools. To manage resources effectively, it is important to align them with the business objectives and goals, and to allocate them according to the urgency and importance of the tasks. By assigning resources based on business priorities, the organization can ensure that the most critical and valuable projects are completed on time and within budget, and that the resources are used optimally and productively.

References: 10 Best Practices for Effective Resource Management - Float; What Is Resource Management? Definition, Jobs, and More; 10 Key Principles of Effective Resource Management - eResource Scheduler
Question 414:
Which of the following is the MOST effective way to manage risks within the enterprise?
A. Assign individuals responsibilities and accountabilities for management of risks.
B. Make staff aware of the risks in their area and risk management techniques.
C. Provide financial resources for risk management systems.
D. Document procedures and reporting processes.

Answer: A. Assign individuals responsibilities and accountabilities for management of risks.

Assigning individuals responsibilities and accountabilities for management of risks is the most effective way to manage risks within the enterprise, as it ensures that the risk owners and stakeholders are clearly identified, involved, and accountable for the risk management activities and outcomes. Assigning responsibilities and accountabilities also helps to establish roles and expectations, delegate authority, and monitor performance and compliance.

References: CGEIT Exam Content Outline, Domain 4, Subtopic B: IT Risk Management, Task 2: Ensure that appropriate senior level management sponsorship for IT risk management exists.
Question 415:
Which of the following should be the PRIMARY governance objective for selecting key risk indicators (KRIs) related to legal and regulatory compliance?
A. Identifying the risk of noncompliance
B. Demonstrating sound risk management practices
C. Measuring IT alignment with enterprise risk management (ERM)
D. Ensuring the effectiveness of IT compliance controls

Answer: A. Identifying the risk of noncompliance

Key risk indicators (KRIs) are metrics that measure the likelihood and impact of potential or actual risks. KRIs related to legal and regulatory compliance are designed to help the enterprise monitor and manage the risk of violating laws, regulations, standards, or ethical practices that apply to its operating environment. The primary governance objective for selecting KRIs related to legal and regulatory compliance should be to identify the risk of noncompliance, which means assessing the probability and severity of compliance breaches, as well as the root causes and consequences of such breaches. By identifying the risk of noncompliance, the enterprise can take proactive measures to prevent, mitigate, or remediate compliance issues, and to ensure that its compliance program is effective, efficient, and aligned with its business objectives and strategies.

References: CGEIT Exam Content Outline | ISACA; CGEIT Review Manual (Digital Version); Compliance Metrics and KPIs For Measuring Compliance Effectiveness - RiskOptics; 11 Key Compliance KPIs + Examples (and Why You Should Track Them ...
Question 416:
An enterprise experiencing issues with data protection and least privilege is implementing enterprise-wide data encryption in response. Which of the following is the BEST approach to ensure all business units work toward remediating these issues?
A. Develop key performance indicators (KPIs) to measure enterprise adoption.
B. Integrate data encryption requirements into existing and planned projects.
C. Assign owners for data governance initiatives.
D. Mandate the creation of a data governance framework.

Answer: D. Mandate the creation of a data governance framework.

A data governance framework is a set of policies, standards, roles, and processes that define how data is collected, stored, accessed, and used within an enterprise. A data governance framework can help address data protection and least privilege issues by establishing clear rules and responsibilities for data owners, custodians, and users. A data governance framework can also enable data encryption as a key control to protect sensitive data from unauthorized access or disclosure. Therefore, mandating the creation of a data governance framework is the best approach to ensure all business units work toward remediating these issues.

References: CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.2: IT Risk Management Process, Page 156; CGEIT Review Manual (Digital Version), Chapter 5: Resource Optimization, Section 5.2: Information Resource Management, Subsection 5.2.1: Information Resource Management Overview, Page 183; A Guide to Selecting and Adopting a Privacy Framework
Question 417:
IT senior management has just received a survey report indicating that more than one third of the organization's key IT staff plan to retire within the next 12 months. Which of the following is the MOST important governance action to prepare for this possibility?
A. Engage human resources (HR) for recruitment of new staff.
B. Request the development of a succession plan.
C. Review motivation drivers for key IT staff.
D. Evaluate lower-level staff as succession candidates.

Answer: B. Request the development of a succession plan.

A succession plan is a process of identifying and preparing potential candidates to take over key roles in an organization when the current incumbents leave or retire. A succession plan is an important governance action to prepare for the possibility of losing a large portion of the organization's key IT staff, as it can help to ensure the continuity and stability of the IT function and its alignment with the business objectives and strategies. A succession plan can also help to mitigate the risks and challenges associated with talent shortages, knowledge gaps, and leadership transitions. A succession plan should be developed in collaboration with the human resources (HR) department, the IT senior management, and the board of directors, and should include the following steps:

1. Identify the critical IT roles and their competencies, responsibilities, and performance expectations.
2. Assess the current IT staff and their readiness, potential, and interest to assume higher-level or more complex roles.
3. Conduct a gap analysis to determine the difference between the current and future skills and capabilities needed for the IT function.
4. Develop a talent pipeline and a talent pool of internal and external candidates who can fill the critical IT roles.
5. Provide learning and development opportunities for the identified candidates, such as training, coaching, mentoring, job rotation, or shadowing.
6. Monitor and evaluate the progress and performance of the candidates and provide feedback and support.
7. Review and update the succession plan periodically to reflect any changes in the business or IT environment.

References: Succession planning: a guide to get it right - Workable; Succession Planning: Template, Process, Best Practices [2023] - Valamis; Succession Planning: Best Practices - GitHub Pages
Question 418:
A newly hired CIO has been told the enterprise has an established IT governance process, but finds it is not being followed. To address this problem, the CIO should FIRST
A. gain an understanding of the existing governance process and corporate culture.
B. replace the current governance process with one the CIO has successfully used before.
C. establish personal relationships with executive-level peers to leverage goodwill.
D. engage audit to review current governance processes and validate the CIO's concerns.

Answer: A. gain an understanding of the existing governance process and corporate culture.

The first step for the newly hired CIO to address the problem of the IT governance process not being followed is to gain an understanding of the existing governance process and corporate culture. This will help the CIO to identify the root causes of the problem, such as lack of awareness, commitment, alignment, communication, or accountability. It will also help the CIO to assess the strengths and weaknesses of the current process, as well as the opportunities and threats for improvement. By understanding the existing governance process and corporate culture, the CIO can also build trust and rapport with the stakeholders, and tailor the solutions to fit the specific needs and context of the enterprise.

References: CGEIT Review Manual (Digital Version) or CGEIT Review Manual (Print Version), Chapter 1: Governance of Enterprise IT, Section 1.2: IT Governance Implementation, Subsection 1.2.1: IT Governance Implementation Process, Pages 27-28; What is CGEIT? A certification for seasoned IT governance professionals.
Question 419:
When assessing the impact of a new regulatory requirement, which of the following should be the FIRST course of action?
A. Update affected IT policies.
B. Assess the budget impact of the new regulation.
C. Map the regulation to business processes.
D. Implement new regulatory requirements.

Answer: C. Map the regulation to business processes.

The first course of action when assessing the impact of a new regulatory requirement is to map the regulation to business processes. This means identifying and analyzing which business processes are affected by the new regulation, how they are affected, and what changes are needed to comply with the regulation. Mapping the regulation to business processes helps to understand the scope, complexity, and priority of the regulatory compliance project, and to align the IT and business objectives and strategies. It also helps to identify the stakeholders, roles, responsibilities, and risks involved in the compliance process, and to communicate and coordinate with them effectively. The other options are not as important as mapping the regulation to business processes, as they are dependent on the outcome of this step. Updating affected IT policies, assessing the budget impact of the new regulation, and implementing new regulatory requirements are subsequent steps that should be done after mapping the regulation to business processes.

References: How to Map Regulations to Business Processes; CGEIT Certification | Certified in Governance of Enterprise IT | ISACA.
Question 420:
Which of the following BEST facilitates the adoption of an IT governance program in an enterprise?
A. Defining clear roles and responsibilities for the participants
B. Using a comprehensive business case for the initiative
C. Communicating the planned IT strategy to stakeholders
D. Addressing the behavioral and cultural aspects of change

Answer: D. Addressing the behavioral and cultural aspects of change

Facilitating the adoption of an IT governance program in an enterprise requires addressing the behavioral and cultural aspects of change. This approach recognizes that the success of such a program depends not only on the structural and strategic elements but also on how well the people within the organization accept and adapt to the changes. Addressing cultural aspects involves engaging stakeholders, fostering a governance mindset, and overcoming resistance to change, thereby ensuring a smoother and more effective implementation. While defining roles, building business cases, and communicating strategies are critical, they must be complemented by efforts to manage the human side of change.