Free Practice Questions for Isaca CGEIT Exam

When conducting a risk assessment in support of a new regulatory requirement, the IT risk committee should first consider the risk profile of the enterprise. Understanding the overall risk landscape, including existing vulnerabilities, threats, and the impact of potential risks, provides a foundation for evaluating how new regulatory requirements will affect the organization. This initial step ensures that subsequent risk management efforts, including compliance activities, are aligned with the enterprise's risk appetite and strategic objectives. While cost, system readiness, and operational disruption are important considerations, they should be evaluated in the context of the enterprise's risk profile.

Security and privacyare paramount when implementing IoT on a global scale. IoT devices often introduce vulnerabilities and handle sensitive data across diverse jurisdictions, making security controls and privacy compliance essential from the outset.

While staffing, cost, and integration are important,security and privacyrepresent the greatest strategic and reputational risk if not addressed early in the strategy.

An IT summary dashboard is the best way for a CIO to provide progress updates on a newly implemented IT strategic plan to the board of directors, because it can help to communicate the key performance indicators (KPIs), benefits, risks, and issues of the IT strategic plan in a concise, visual, and interactive way. An IT summary dashboard can also help to align the IT strategic plan with the business strategy, value creation, and stakeholder expectations, and demonstrate the value and contribution of IT to the enterprise. Presenting IT critical success factors (CSFs), reporting results of key risk indicators (KRIs), and reporting results of stage-gate reviews are not as effective as presenting an IT summary dashboard, because they are more focused on specific aspects of the IT strategic plan, rather than providing a holistic and comprehensive overview. References:

IT Governance Dashboard, ISACA

What is an IT Dashboard?, Smartsheet

IT Strategy Dashboard, ClearPoint Strategy

Monitoring the adoption of a new IT strategy requires measurable indicators that track progress and alignment with strategic objectives. The CGEIT Review Manual 8th Edition highlights that key performance indicators (KPIs) are the primary tool for monitoring strategy implementation, as they measure performance against defined goals.

Extract from CGEIT Review Manual 8th Edition (Domain 4: Strategic Management):"Key performance indicators (KPIs) are essential for monitoring the implementation and adoption of an IT strategy. KPIs provide measurable data on progress toward strategic objectives, enabling the IT steering committee to assess effectiveness and make informed adjustments." (Approximate reference: Domain 4, Section on Strategy Monitoring)

Establishing KPIs (option B) allows the IT steering committee to track the strategy’s success, identify gaps, and ensure alignment with enterprise goals, making it the best approach for monitoring adoption.

Why not the other options?

A. Implement service level agreements (SLAs): SLAs are operational agreements for service delivery, not strategic monitoring tools.

C. Schedule ongoing audit reviews: Audits provide assurance but are periodic and not designed for ongoing strategy monitoring.

D. Establish key risk indicators (KRIs): KRIs focus on risk exposure, not on measuring strategy adoption or performance.

 Risk management is a crucial aspect of any cloud-based CRM system, as it involves identifying, assessing, and mitigating the potential risks that could affect the availability, performance, security, and compliance of the system. Before signing a contract for a new cloud-based CRM system, the CIO should ensure that the risk management responsibilities are clearly defined and allocated between the service provider and the customer, and that both parties accept and agree to them. This will help to avoid any confusion, conflict, or liability issues in case of any incidents or breaches that may occur in the future. Some of the risk management responsibilities that should be agreed upon and accepted are:

The scope and frequency of risk assessments and audits

The roles and responsibilities for risk monitoring and reporting

The escalation and resolution procedures for risk issues

The contingency and recovery plans for risk events

The security and privacy policies and standards for data protection

The service level agreements (SLAs) and key performance indicators (KPIs) for service quality and availability

References := Cloud-Based CRM: Best Practices for Implementation, The Best Contract Management Software, CRM Migration Best Practices: An Introductory Guide for HubSpot Agency Partners

Key performance indicators (KPIs) are metrics that measure the performance of a project, program, or investment against a set of targets, objectives, or benchmarks. KPIs can help an enterprise to determine whether a current program for IT infrastructure migration to the cloud is continuing to provide benefits by tracking the progress, efficiency, quality, and outcomes of the program. KPIs can also help to identify any gaps, issues, or risks that may affect the program’s success and enable timely corrective actions12.

Total cost of ownership (TCO) is the purchase price of an asset plus the costs of operation over its life span. TCO can help an enterprise to compare the costs and benefits of different IT infrastructure options, such as cloud versus on-premise, but it does not measure the ongoing performance or benefits of a chosen option3.

Key risk indicators (KRIs) are metrics that monitor and predict potential risks that may negatively impact an enterprise’s objectives or operations. KRIs can help an enterprise to identify and mitigate any risks associated with IT infrastructure migration to the cloud, such as security breaches, data loss, or service disruptions, but they do not measure the benefits or value of the program45.

Net present value (NPV) is the difference between the present value of cash inflows and the present value of cash outflows over a period of time. NPV is used to evaluate the profitability or return on investment of a project or investment by discounting the future cash flows to their present value. NPV can help an enterprise to decide whether to undertake an IT infrastructuremigration to the cloud based on its expected net value, but it does not measure the actual performance or benefits of the program16. References :=

3: Total Cost of Ownership: How It’s Calculated With Example - Investopedia

4: Key Risk Indicators (KRIs) - National Treasury

2: How to Develop Key Risk Indicators (KRIs) to Fortify Your Business | AuditBoard

5: How to Develop Effective Key Risk Indicators - Secureframe

1: Net Present Value (NPV) - Definition, Examples, How to Do NPV Analysis

6: NPV Formula - Learn How Net Present Value Really Works, Examples

Comprehensive and Detailed Explanation:

The CGEIT Review Manual 8th Edition, in its Governance of Enterprise IT domain, emphasizes that an ethics program requires a culture of accountability and responsibility to succeed. This culture ensures that ethical behavior is embedded in organizational values, encouraging employees to act with integrity. For example, leadership modeling ethical behavior fosters trust and compliance. The manual likely references COBIT 2019’s EDM01-Ensured Governance Framework Setting and Maintenance, which highlights cultural factors in governance.

Option A: Whistleblower processes are important but secondary to culture.

Option C: Roles and responsibilities support the program but are not the most critical.

Option D: Mission and vision statements are foundational but less directly tied to ethics.

Double Verification: The answer aligns with COBIT’s EDM01 and the CGEIT domain’s focus on ethical governance. Culture is a key ISACA factor for ethics programs.

ISACA CGEIT Review Manual 8th Edition, Domain 1: Governance of Enterprise IT (focus on ethics programs).

COBIT 2019, EDM01-Ensured Governance Framework Setting and Maintenance.

ISACA Glossary (for definitions of ethics program), available at https://www.isaca.org/resources/glossary.

According to the CGEIT exam content outline1, one of the subtopics under the domain of Governance of Enterprise IT is “Governance Strategy Alignment with Enterprise Objectives”. This subtopic covers the process of ensuring that the IT strategy is aligned with the business strategy and supports the achievement of enterprise goals and objectives. Therefore, the best course of action for the CIO in this situation is to align the business strategy with the IT strategy, which would help the IT team to meet the new demands and deliver value to the enterprise. References: 1: CGEIT Exam Content Outline | ISACA

Themost critical factor in aligning IT and enterprise resource managementis ensuring thatIT resources are mapped to business priorities. This guarantees that resource allocation supports strategic objectives and delivers maximum value.

Without this alignment, IT efforts may be misdirected, underutilized, or not supporting enterprise goals—even if sourcing and monitoring are in place.

The issue described in the question is the failure to deliver IT solutions on time due to insufficient resource allocation, which points to a problem in resource management, specifically in capacity and availability planning. According to the CGEIT Review Manual 8th Edition, effective IT resource management involves ensuring that IT resources (human, technological, and financial) are allocated efficiently to meet enterprise objectives. The manual emphasizes the importance of capacity planning to align resource availability with project demands, which directly addresses delays caused by resource shortages.

Extract from CGEIT Review Manual 8th Edition (Domain 2: IT Resources):"Capacity planning ensures that IT resources are sufficient to meet current and future business requirements in a cost-effective manner. It involves assessing the availability of resources, forecasting demand, and aligning resource allocation with strategic priorities to avoid bottlenecks and delays in delivery." (Approximate reference: Domain 2, Section on Resource Management)

Evaluating the availability and capacity planning process (option B) is the most direct approach to identifying and resolving resource allocation issues. This process involves reviewing current resource utilization, forecasting future needs, and ensuring that resources are allocated to high-priority projects to reduce time-to-market delays.

Why not the other options?

A. Implement a new IT change management procedure: Change management procedures focus on controlling changes to IT systems and services, not on addressing resource allocation or capacity issues. This option is unrelated to the root cause of the problem.

C. Benchmark IT staffing levels against similar organizations: While benchmarking can provide insights into staffing adequacy, it is a secondary step that does not directly address the immediate issue of resource allocation and capacity planning. It may be useful later but is not the first step.

D. Direct the PMO to review and prioritize IT projects: While project prioritization is important, it does not address the underlying issue of insufficient resource allocation. Prioritization may help focus efforts, but without adequate resources, delays will persist.

Concerns about unethical behavior, such as stealing confidential information, should be reported through established ethical reporting mechanisms to ensure impartiality and compliance with governance policies. The CGEIT Review Manual 8th Edition advises using ethics hotlines or similar channels to handle allegations of misconduct.

Extract from CGEIT Review Manual 8th Edition (Domain 1: Governance of Enterprise IT):"Allegations of unethical behavior, including the misuse of confidential information, should be reported through the enterprise’s ethics hotline or designated reporting channel. This ensures that concerns are handled impartially, in accordance with governance policies, and with appropriate escalation to senior management or the board." (Approximate reference: Domain 1, Section on Ethical Governance)

Reporting the concern to the ethics hotline (option B) is the best course of action, as it follows governance protocols, protects the IT director from retaliation, and ensures an independent investigation.

Why not the other options?

A. File a report with the local law enforcement agency: Involving law enforcement is premature without evidence and bypasses internal governance processes.

C. Discuss the concern with the chair directly: Confronting the chair risks escalation and lacks impartiality, potentially compromising the investigation.

D. Conduct an investigation to substantiate the chair’s activities: The IT director should not conduct an investigation personally, as this could compromise objectivity and governance protocols.

When IT staff fail to keep skills current despite available training, the issue often lies in a lack of targeted, individualized development plans. The CGEIT Review Manual 8th Edition recommends creating personalized skills development plans to ensure that training aligns with both individual and organizational needs.

Extract from CGEIT Review Manual 8th Edition (Domain 2: IT Resources):"To address skill gaps, enterprises should establish individualized skills development plans that align employee training with emerging technologies and business needs. These plans ensure that training is relevant, targeted, and effectively utilized to maintain a skilled workforce." (Approximate reference: Domain 2, Section on Skills Development)

Establishing an agreed-upon skills development plan with each employee (option D) ensures that training is tailored to the specific technologies critical to the business and that employees are accountable for skill development.

Why not the other options?

A. Provide incentives for IT staff to attend outside conferences and training: Incentives may encourage participation but do not ensure that training addresses specific skill gaps.

B. Require human resources (HR) to recruit new talent using an established IT skills matrix: Recruiting is a last resort and does not address the current staff’s skill deficiencies.

C. Create a standard-setting center of excellence for IT: A center of excellence may set standards but does not directly address individual skill development.

A balanced scorecard is a tool that helps to measure and communicate the value of IT initiatives to the board of directors. It aligns IT objectives with business goals, tracks performance indicators, and shows the contribution of IT to the enterprise value. A balanced scorecard can also help to identify gaps and areas for improvement in IT governance. References := CGEIT Review Manual, 7th Edition, Chapter 3: Benefits Realization, Section 3.3: Value Delivery Frameworks and Mechanisms, pp. 103-105.

When faced with new regulations, the first step is to assess the risk they pose to the enterprise, including the likelihood and impact of noncompliance, even if enforcement is historically weak. The CGEIT Review Manual 8th Edition underscores that risk evaluation is the initial step in addressing emerging risks to prioritize actions and allocate resources effectively.

Extract from CGEIT Review Manual 8th Edition (Domain 3: Risk Optimization):"Evaluating the impact of emerging risks, such as new regulations, is the first step in the risk management process. This involves assessing the potential consequences of noncompliance, including financial, operational, and reputational impacts, as well as the likelihood of enforcement." (Approximate reference: Domain 3, Section on Risk Assessment)

Evaluating the impact of the emerging risk (option C) allows the enterprise to understand the potential penalties, operational disruptions, and reputational damage, as well as the likelihood of enforcement given the agency’s history. This assessment informs whether mitigation plans, architecture updates, or other actions are necessary.

Why not the other options?

A. Develop mitigation plans for noncompliance: Mitigation plans are developed after assessing the risk’s impact and likelihood, as the assessment determines the scope and urgency of mitigation.

B. Update the enterprise architecture (EA): Updating the EA may be a subsequent action if the risk assessment identifies specific architectural gaps, but it is not the first step.

D. Perform benchmarking activities: Benchmarking is not directly relevant to assessing regulatory risk and is a secondary activity at best.

Outsourcing IT services requires a clear distinction between core and non-core processes to ensure that strategic capabilities are retained in-house while non-core activities are outsourced. The CGEIT Review Manual 8th Edition highlights that identifying core and non-core processes is the most essential consideration for outsourcing decisions.

Extract from CGEIT Review Manual 8th Edition (Domain 5: Benefits Realization):"The most critical consideration in outsourcing IT services is identifying core and non-core business processes. Core processes, which provide competitive advantage, should typically be retained, while non-core processes can be outsourced to improve efficiency and focus on strategic priorities." (Approximate reference: Domain 5, Section on Outsourcing Strategy)

Identification of core and non-core business processes (option A) ensures that outsourcing aligns with the enterprise’s strategic goals and avoids compromising critical capabilities.

Why not the other options?

B. Compliance with enterprise architecture (EA): EA compliance is important but secondary to determining what processes should be outsourced.

C. Alignment with existing human resources (HR) policies and practices: HR alignment is operational and less critical than strategic process identification.

D. Adoption of a diverse vendor selection process: Vendor selection follows the decision to outsource and is not the primary consideration.