Isaca CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 531:
Which of the following is the BEST outcome measure to determine the effectiveness of IT risk management processes?
A. Frequency of updates to the IT risk register
B. Time lag between when IT risk is identified and the enterprise's response
C. Number of events impacting business processes due to delays in responding to risks
D. Percentage of business users satisfied with the quality of risk training
C. Number of events impacting business processes due to delays in responding to risks
The number of events impacting business processes due to delays in responding to risks is the best outcome measure to determine the effectiveness of IT risk management processes, because it reflects the actual consequences and losses that result from inadequate or ineffective risk management. Outcome measures are metrics that evaluate the results and benefits of a process or activity, rather than its inputs or outputs. Outcome measures help to assess whether the process or activity is achieving its objectives and delivering value to the organization. The number of events impacting business processes due to delays in responding to risks is an outcome measure that indicates how well the IT risk management processes are able to identify, analyze, evaluate, treat, monitor, and communicate IT risks in a timely and appropriate manner. A high number of such events would suggest that the IT risk management processes are not effective and need to be improved or revised. A low number of such events would suggest that the IT risk management processes are effective and are reducing the likelihood and impact of IT risks on the organization.
References: How To Measure Risk Management KPI and Metrics - ERM Software
Question 532:
Which of the following is the BEST way to address an IT audit finding that many enterprise application updates lack appropriate documentation?
A. Enforce change control procedures.
B. Conduct software quality audits.
C. Review the application development life cycle.
D. Add change control to the risk register.
A. Enforce change control procedures.
Change control procedures are a set of steps that ensure that any changes to a system, product, project, or document are authorized, documented, and tracked. Change control procedures help to maintain the quality, integrity, and security of the system or product, as well as to comply with relevant standards and regulations. By enforcing change control procedures, the enterprise can prevent unauthorized or undocumented updates that could compromise the functionality, performance, or reliability of the applications.
References: What is a change control procedure? With benefits and steps; What is a change control process? Steps and template; Change Control | Risk Management and Audit Services - Harvard University
Question 533:
Which of the following is MOST important to document for a business ethics program?
A. Guiding principles and best practices
B. Violation response matrix
C. Whistle-blower protection protocols
D. Employee awareness and training content
A. Guiding principles and best practices
Guiding principles and best practices are the most important elements to document for a business ethics program, because they provide the foundation and direction for the program. Guiding principles are the core values and beliefs that inform the ethical behavior and decision-making of the organization and its stakeholders. Best practices are the methods and techniques that have been proven to be effective and efficient in achieving the desired ethical outcomes. Documenting guiding principles and best practices helps to communicate the purpose, scope, and objectives of the business ethics program, as well as the roles and responsibilities, policies and procedures, standards and expectations, and evaluation and improvement mechanisms. Documenting guiding principles and best practices also helps to align the business ethics program with the organizational strategy and culture, and to foster a consistent and coherent ethical environment.
References: How to Build a Business Ethics Program - Bizmanualz; A Guide for Business: How to Develop a Human Rights Policy
Question 534:
An enterprise is conducting a SWOT analysis as part of IT strategy development. Which of the following would be MOST helpful to identify opportunities and threats?
A. Risk appetite
B. Internal framework assessment
C. Competitor analysis
D. Critical success factors (CSF)
C. Competitor analysis
A SWOT analysis is a technique that analyzes the strengths, weaknesses, opportunities, and threats of an organization or a project. Strengths and weaknesses are internal factors that can be controlled or influenced by the organization, while opportunities and threats are external factors that are influenced by the environment, market, or competitors. Therefore, to identify opportunities and threats, it is most helpful to conduct a competitor analysis, which is a process of researching and evaluating the strengths and weaknesses of the competitors in the same industry or market. A competitor analysis can help to identify the gaps, trends, and best practices in the market, and to discover potential areas for improvement, innovation, or differentiation. According to ISACA's CGEIT Domain: Framework for the Governance of Enterprise IT, "the enterprise should analyze its external environment to identify opportunities and threats that may affect its ability to achieve its strategic objectives." Furthermore, according to ISACA's article on IT Strategy, "a competitor analysis can help to understand how the enterprise compares with its peers in terms of IT capabilities, performance, and value." Therefore, a competitor analysis is the best way to identify opportunities and threats as part of IT strategy development.
Question 535:
The IT department has determined that problems with a business report are due to quality issues within a set of data. To whom should IT refer the matter for resolution?
A. Internal audit
B. Data architect
C. Business analyst
D. Data steward
D. Data steward
A data steward is a subject matter expert who is responsible for defining and maintaining the integrity of a specific type of data or data domain. Data stewards help the organization build data glossaries, create and maintain data quality rules, and determine who has access to data. They also work closely with any system of record to ensure that proper controls are in place and are maintained so that the data produced is of high quality. Therefore, if the IT department has determined that problems with a business report are due to quality issues within a set of data, it should refer the matter to the data steward for resolution.
References: CGEIT Review Manual, Chapter 3: Benefits Realization, Section 3.2: IT Value Delivery Processes, Subsection 3.2.4: Data Quality Management, Page 103.
Question 536:
An enterprise has had the same IT governance framework in place for several years. Currently, large and small capital projects go through the same architectural governance reviews. Despite repeated requests to streamline the review process for small capital projects, business units have received no response from IT. The business units have recently escalated this issue to the newly appointed CIO. Which of the following should be done FIRST to begin addressing business needs?
A. Create a central repository for the business to submit requests.
B. Explain the importance of the IT governance framework.
C. Assess the impact of the proposed change.
D. Assign a project team to implement necessary changes.
C. Assess the impact of the proposed change.
Assessing the impact of the proposed change is the first step to begin addressing business needs, as it helps to understand the current state of the IT governance framework, the gaps and issues that need to be resolved, and the potential benefits and risks of the change. An impact assessment can also provide a basis for prioritizing and planning the change, and for engaging and communicating with the stakeholders.
References: CGEIT Exam Content Outline, Domain 1, Subtopic A: Governance Framework, Task 4: Ensure that a continual improvement process is in place to maintain and enhance the performance and maturity of IT governance.
Question 537:
While monitoring an enterprise's IT projects portfolio, it is discovered that a project is 75% complete, but all budgeted resources have been expended. Which of the following is the MOST important task to perform?
A. Review the IT investments.
B. Reorganize the IT projects portfolio.
C. Re-evaluate the business case.
D. Review the IT governance structure.
C. Re-evaluate the business case.
A business case is a document that justifies the initiation and continuation of a project based on its expected benefits, costs, risks, and alignment with the strategic objectives of the organization. If a project is experiencing a cost overrun, meaning that it has exceeded its initial budget, it is important to re-evaluate the business case to determine whether the project is still viable and worth pursuing. Re-evaluating the business case can help to identify the root causes of the cost overrun, assess the impact of the overrun on the project's value proposition, and decide whether to continue, modify, or terminate the project. Reviewing the IT investments, reorganizing the IT projects portfolio, and reviewing the IT governance structure are not the most important tasks to perform in this situation. They are more likely to be part of the portfolio management or governance processes that should be done regularly or periodically, not in response to a specific project issue. Moreover, they do not directly address the problem of the cost overrun or its implications for the project's feasibility and desirability.
References: What is a Business Case?; How to Write a Business Case; Project Cost Overruns - Reasons, How to Prevent and Manage
Question 538:
Facing financial struggles, a CEO mandated severe budget cuts. A decision was also made to immediately change the enterprise strategic focus to put more reliance on mobile, cloud, and wireless services in an effort to boost revenue. The IT steering committee has asked the CIO to suggest adjustments to the current IT project portfolio to allow support for the new direction despite fewer funds. What should the CIO advise the committee to do FIRST?
A. Ask business stakeholders to discuss their vision for the new strategy.
B. Cancel projects with a net present value (NPV) below a defined threshold.
C. Conduct a risk assessment against the potential new services.
D. Start re-allocating budget to projects involving mobile or cloud.
A. Ask business stakeholders to discuss their vision for the new strategy.
This is the first step to understand the scope, objectives, and expectations of the new direction, as well as to align the IT project portfolio with the business needs and priorities. Asking business stakeholders to discuss their vision can also help identify and address any gaps or issues in the current IT project portfolio, and supports effective communication and collaboration with the business units. Canceling projects with a net present value (NPV) below a defined threshold, conducting a risk assessment against the potential new services, and re-allocating budget to projects involving mobile or cloud are possible actions to take after asking business stakeholders to discuss their vision, but they are not the first step. Canceling projects with a low NPV may help free up some funds for the new direction, but it may also affect the existing or planned benefits or outcomes of those projects. Conducting a risk assessment can help evaluate the feasibility and impact of the new services, as well as identify and mitigate any threats or uncertainties. Re-allocating budget can help support and enable the new services, but it may also disrupt or compromise the current or ongoing projects. These actions should be based on a clear and shared understanding of the new strategy and its implications for the IT project portfolio.
Question 539:
An IT steering committee wants the enterprise's mobile workforce to use cloud-based file storage to save non-sensitive corporate data, removing the need for remote access to that information. Before this change is implemented, what should be included in the data management policy?
A. A mandate for periodic employee training on how to classify corporate data files
B. A mandate for the encryption of all corporate data files at rest that contain sensitive data
C. A process for blocking access to cloud-based apps if inappropriate content is discovered
D. A requirement to scan approved cloud-based apps for inappropriate content
D. A requirement to scan approved cloud-based apps for inappropriate content
According to the cited sources, a data management policy for cloud-based file storage should include a requirement to scan approved cloud-based apps for inappropriate content. This can help to prevent data leakage, compliance violations, and reputational damage. For example, one of the sources describes how to use Microsoft Defender for Cloud Apps to create file policies that monitor and control the data and files in your organization's cloud app use, and apply automated actions for governance and remediation. Another explains how to use Google Cloud Storage's Bucket Lock feature to set a data retention policy for a bucket that governs how long objects in the bucket must be retained, and how to lock the policy to prevent it from being reduced or removed. A third outlines the best practices and approval processes for using cloud computing services at Tufts University, and states that "the university reserves the right to scan any cloud computing service used by Tufts faculty, staff, or students for inappropriate content".
References: File policies - Microsoft Defender for Cloud Apps; Retention policies and retention policy locks | Cloud Storage | Google Cloud; Cloud Computing Services Policy | Technology Services - Tufts University
Question 540:
Which of the following has the GREATEST impact on the design of an IT governance framework?
A. IT performance metrics
B. Resource allocation
C. Business leadership
D. Business risk
D. Business risk
Business risk has the greatest impact on the design of an IT governance framework, as it determines the level of control, oversight, and alignment that is required for the IT function to support the business objectives and mitigate the potential threats and vulnerabilities. Business risk is influenced by various factors, such as the industry, market, customer, competitor, regulatory, and environmental context of the enterprise. Therefore, the IT governance framework should be tailored to suit the specific risk profile and appetite of the enterprise, and to address the key risk areas and scenarios that could affect the business performance and value. According to COBIT 2019, one of the design factors that can influence the design of an enterprise's governance system is the risk profile. This design factor reflects the degree of risk exposure and tolerance that the enterprise has in relation to its use of information and technology. The risk profile can be assessed by considering various aspects, such as the likelihood and impact of risk events, the sources and types of risks, the risk appetite and thresholds, the risk management capabilities and maturity, and the risk culture and awareness. Based on the risk profile, the enterprise can decide on the appropriate governance objectives, components, enablers, practices, and activities that are needed to manage and mitigate the risks effectively. The other options, IT performance metrics, resource allocation, and business leadership, are also important for the design of an IT governance framework, but they are not as impactful as business risk. IT performance metrics are used to measure and monitor the effectiveness and efficiency of the IT function in delivering value to the business. Resource allocation is a process that optimizes the use of IT resources across multiple programs and projects in alignment with the business goals and priorities. Business leadership is a role that provides strategic direction, guidance, and support for the IT function in achieving its objectives. However, these factors are more related to the implementation and execution of the IT governance framework, rather than its design. They are also influenced by the business risk factor, as they depend on the level of risk exposure and tolerance that the enterprise has.
References: IT Governance: Definitions, Frameworks and Planning - ProjectManager; Resource Allocation Done Right: Best Practices for 2022 and Beyond; The Role of Business Leadership in Effective IT Governance; COBIT Design Factors: A Dynamic Approach to Tailoring Governance in ... - ISACA
Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Isaca exam questions, answers, and explanations but also complete assistance with your exam preparation and certification application. If you are unsure about your CGEIT exam preparation or Isaca certification application, do not hesitate to visit Vcedump.com to find your solutions.