Isaca CGEIT Exam Questions

Question 6 of 471

Which of the following should be the PRIMARY consideration when implementing IT governance in a small, newly established organization?

Approving enterprise architecture and standards

Defining IT project management methodology

Assigning a budget for IT governance applications

Assigning IT roles and responsibilities

Correct Answer: D

Question 7 of 471

An internal auditor conducts an assessment of a two-year-old IT risk management program. Which of the following findings should be of MOST concern to the
CIO?

Organizational responsibility for IT risk management is not clearly defined.

IT risk training records are not properly retained in accordance with established schedules.

None of the members of the IT risk management team have risk management-related certifications.

Only a few key risk indicators identified by the IT risk management team are being monitored and the rest will be on a phased schedule.

Correct Answer: A

The most concerning finding for the CIO should be that organizational responsibility for IT risk management is not clearly defined. Without clear responsibility, accountability, and ownership of the IT risk management process, it is difficult to ensure that the program is effectively implemented and managed. This can lead to a lack of coordination, missed risks, and an overall ineffective risk management program. Addressing this issue is foundational to improving all other aspects and effectiveness of the IT risk management program.

Question 8 of 471

An enterprise has discovered that there is significant duplication of IT investments. Which of the following would be MOST helpful in addressing this issue?

Establishing an IT steering committee

Delegating IT investment decisions to centralized IT

Maintaining an inventory of IT investments

Increasing the frequency of IT investment audits

Correct Answer: C

Maintaining an inventory of IT investments would be most helpful in addressing significant duplication of IT investments. With a comprehensive inventory, the enterprise can easily identify where duplications occur and take steps to consolidate or eliminate redundant investments. Without an accurate and up-to-date inventory, it would be difficult to track and manage IT resources effectively, leading to continued inefficiencies and wasted resources.

Question 9 of 471

A regulatory audit assessed an enterprise's main transactional application as noncompliant. In addition to fines and required corrections, an agreement was reached to implement a set of governance controls over IT. Accountability for these controls is BEST assigned to which of the following?

Internal audit director

CIO

The board of directors

Application users

Correct Answer: B

The accountability for implementing a set of governance controls over IT is best assigned to the CIO (Chief Information Officer). The CIO is responsible for overseeing the IT infrastructure and ensuring compliance with regulations. The role of the CIO includes managing risks associated with IT systems and ensuring that the enterprise's IT environment meets regulatory requirements. While internal audit directors provide oversight and the board of directors offers governance oversight, the day-to-day operational responsibility and accountability for IT governance controls lie with the CIO. Application users are responsible for using the system correctly, but not for implementing governance controls.

Question 10 of 471

An enterprise is planning a change in business direction. As a result, IT risk will significantly increase. Which of the following should be the CIO's FIRST course of action?

Plan for the corresponding IT reorganization.

Recommend delaying the business change.

Report the risk to executive management.

Implement IT changes to align with the plan.

Correct Answer: C

When there is a significant increase in IT risk due to a planned change in business direction, the CIO's first course of action should be to report the risk to executive management. This ensures that the top decision-makers are fully informed about the potential impacts on the organization's objectives and can make well-informed decisions on how to address the risk. Executive management is responsible for assessing and managing enterprise-wide risks and making strategic decisions, so their awareness of the increased IT risk is crucial before any further steps are taken.