Isaca CGEIT - Certified in the Governance of Enterprise IT Exam

Internal audit is an independent and objective function that provides assurance and consulting services to the enterprise on the effectiveness and efficiency of its governance, risk management,and control processes1. By including internal audit as a stakeholder, the enterprise can benefit from its knowledge, expertise, and perspective on IT-related issues and risks, such as IT strategy alignment, IT performance measurement, IT value delivery, IT resource management, IT risk management, and IT compliance2. Internal audit can also provide input on the design, implementation, and evaluation of the IT governance framework, policies, standards, and procedures, as well as recommend improvements and best practices2. Therefore, internal audit provides input on relevant issues and control processes, which is the most important reason to include it as a stakeholder when establishing clear roles for the governance of IT.

The other options are not as important or accurate as option D. Internal audit does not have knowledge and technical expertise to advise on IT infrastructure, as this is not its primary role or responsibility. Internal audit is not accountable for the overall enterprise governance of IT, as this is the responsibility of the board of directors and senior management3. Internal audit does not implement controls over IT risks and security, as this is the responsibility of the IT function and other business units4.

This should be the IT steering committee’s primary concern, as moving to an external cloud service provider may introduce new or different risks to the enterprise, such as data security,privacy, compliance, availability, performance, vendor lock-in, and service level agreements12. The IT steering committee should update the business risk profile to reflect the current and potential risks associated with the cloud service provider, and to ensure that they are aligned with the enterprise’s risk appetite and tolerance12. The IT steering committee should also monitor and manage the risks throughout the cloud service lifecycle, and implement appropriate controls and mitigation strategies to protect the enterprise’s assets and interests12. The other options are not as important as updating the business risk profile, as they are not directly related to the strategic decision to reduce operating costs for the next year. Calculating the cost of the current solution, changing the IT steering committee charter, and revising the business’s balanced scorecard are possible actions that may be taken after updating the business risk profile, based on the identified risks and their levels3.

Assigning responsibility for vendor management is the best way to avoid the situation where the IT department outsourced application support and negotiated service level agreements (SLAs) directly with the vendor, but the business owner expectations were not met and senior management cancelled the contract. Vendor management is the process of managing the relationship with a supplier, also known as a vendor or a third party1. Vendor management involves selecting, contracting, monitoring, evaluating, and communicating with vendors to ensure that they deliver the goods and services that meet the business needs and objectives1. Assigning responsibility for vendor management helps to ensure that there is a clear and consistent governance structure, strategy, and policy for working with vendors2. It also helps to align the expectations and interests of all the stakeholders involved, such as the IT department, the business owners, and the senior management2. Assigning responsibility for vendor management also helps to avoid duplication of efforts, conflicts of interest, or gaps in oversight that could result in poor vendor performance, dissatisfaction, or risk exposure2.

References := 9 vendor management best practices for 2023 - Juro, Best Practices for Vendor Management | Smartsheet.

 Quantitative risk assessment is more objective than qualitative risk assessment because it uses numeric values and calculations to estimate the likelihood and impact of risks. Quantitative risk assessment is more appropriate when the risk assessment needs to be unbiased and consistent. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, p. 90-91.

The best approach to assist an enterprise in planning for IT-enabled investments is enterprise architecture (EA). EA is a holistic and integrated view of the current and future state of the business, IT, and their alignment1. EA helps to identify and prioritize the business needs andobjectives, and to design and deliver the IT solutions that support them2. EA also helps to optimize the IT resources and processes, and to ensure that they are aligned with the business strategy and goals3. EA also helps to measure and monitor the IT performance and outcomes, and to evaluate the value and benefits of the IT investments4. EA also helps to manage the risks, costs, and complexity of the IT investments, and to ensure that they comply with the legal and regulatory requirements5.

IT process mapping, task management, and service level management are not as comprehensive or effective as EA in assisting an enterprise in planning for IT-enabled investments. IT process mapping is a visual representation of a process that shows the steps and their relationships6. It can help to understand how a process works, but it does not provide a strategic or architectural view of the business or IT. Task management is a process of managing individual or group tasks to achieve goals7. It can help to track and delegate work, but it does not address the alignment or optimization of IT with the business. Service level management is a process of defining, documenting, and agreeing on service levels within an IT service management system8. It can help to ensure that services are delivered at an agreed level, but it does not cover the design or delivery of IT solutions that meet the business needs. Therefore, EA is the best approach to assist an enterprise in planning for IT-enabled investments.

According to the CGEIT exam guide, a global IT program management office (PMO) is responsible for overseeing and coordinating the IT projects and programs across the enterprise, ensuring alignment with the enterprise’s strategy, objectives and governance framework. A PMO also helps to identify, assess, monitor and mitigate the risks associated with IT projects and programs, and to optimize the benefits and value delivered by IT investments. Therefore, the primary concern of the PMO should be the inability to reduce the impact to the risk level of the global portfolio, as this could jeopardize the overall performance and success of the enterprise’s IT initiatives. If several IT projects are being run within a specific region without knowledge of the PMO, this could create potential risks such as duplication of efforts, lack of integration, inconsistency of standards and practices, misalignment of expectations and requirements, and conflicts of interests or resources. These risks could negatively affect the quality, efficiency and effectiveness of the IT projects and programs, as well as their alignment with the enterprise’s strategy, objectives and governance framework. The PMO should be aware of all IT projects and programs within the enterprise, and ensure that they follow a consistent and transparent process of planning, execution, monitoring and control. The PMO should also ensure that the IT projects and programs are aligned with the enterprise’s risk appetite and tolerance, and that they are regularly assessed for their risks, benefits and value. References: CGEIT Exam Candidate Guide, page 14. CGEIT Certification, The Role of Program Management Offices (PMOs) in Driving Business Strategy Execution

 The requirements for security and privacy of information should be defined when issuing RFPs to ensure that potential vendors can meet the enterprise’s expectations and comply with relevant regulations. This will also help the enterprise to evaluate and compare the proposals based on the predefined criteria. References: CGEIT Review Manual (Digital Version) or CGEIT Review Manual (Print Version), Chapter 3: Benefits Realization, Section 3.2: IT Investment Management, Subsection 3.2.2: IT Investment Selection, Page 97-98.

According to the CGEIT exam guide, ERM is the process of identifying, assessing, responding to and monitoring enterprise risks in alignment with the enterprise’s risk appetite and tolerance. ERM helps to ensure that the enterprise achieves its objectives and creates value for its stakeholders. To apply ERM practices consistently, IT staff need to have a common understanding of the ERM framework, principles, processes and tools that are used by the enterprise. Therefore, the most effective corrective action for an assessment that reveals inconsistent ERM practices by IT staff is to require ERM orientation sessions. These sessions can help to educate and train IT staff on the ERM concepts, terminology, roles and responsibilities, and best practices that are relevant to their work. The other options are not as effective as ERM orientation sessions, as they do not address the root cause of the inconsistency, which is the lack of ERM knowledge and awareness among IT staff. References: CGEIT Exam Candidate Guide, page 15. CGEIT Certification, Enterprise-risk-management practices: Where’s the evidence?

 When prioritizing IT projects, the primary consideration for an enterprise should be the impact on the business due to expected project outcomes, because this would align the IT investments with the enterprise’s strategic objectives and value creation. The impact on the business can be assessed by using criteria such as return on investment (ROI), net present value (NPV), risk exposure, customer satisfaction, and competitive advantage12. References:= ISACA, CGEIT Review Manual, 7th Edition, 2019, page 31-32.

 Senior management regularly reviewing the IT portfolio is the best IT governance practice to support IT and enterprise strategic alignment, because it helps to ensure that the IT investments are aligned with the business strategy and goals, and that they deliver value to the enterprise. An IT portfolio is a collection of IT projects, programs, services, and assets that support the business objectives and processes of an organization1. Senior management regularly reviewing the IT portfolio helps to prioritize, monitor, and evaluate the IT investments based on their performance, benefits, costs, and risks2. It also helps to identify and address any gaps, issues, oropportunities for improvement in the IT portfolio2. Senior management regularly reviewing the IT portfolio also helps to communicate and collaborate with the IT department and other stakeholders, and to provide guidance and direction for the IT strategy and governance2.

References := IT Portfolio Management: A Simplified Guide | Planview, IT Governance – How to align IT and business strategy?

The aspect of information governance that best enables an enterprise to avoid duplication of records and promote consistency of data is data modeling. Data modeling is the process of creating and maintaining a logical representation of the data structures, relationships, and constraints that exist in an enterprise’s data sources, such as databases, applications, or systems. Data modeling can help ensure that the data is accurate, complete, and standardized across the enterprise, as well as facilitate the integration, analysis, and sharing of data. Data modeling can also help improve the data quality, security, and governance, as well as support the business processes and decisions that rely on data. What is Data Modeling? Definition & Best Practices provides an overview of data modeling and its benefits.

Portfolio management is the most useful technique for prioritizing IT improvement initiatives to achieve desired business outcomes. Portfolio management is the process of selecting, prioritizing, balancing, and monitoring the IT investments and initiatives that support the enterprise’s strategic objectives and deliver value to the stakeholders1. Portfolio management helps to align IT with business goals, optimize resource allocation, manage risks and dependencies, and measure performance and benefits1. By applying portfolio management, an enterprise can ensure that the IT improvement initiatives are consistent with its vision, mission, values, and priorities, and that they contribute to the desired business outcomes1. References: CGEIT Review Manual (Digital Version) or CGEIT Review Manual (Print Version), Chapter 3: Benefits Realization, Section 3.1: IT Portfolio Management, Page 83-84. What is IT portfolio management? A framework for aligning technology and business.

Enterprise architecture (EA) is the process of aligning business and IT strategies, processes, and resources to achieve organizational goals and objectives1. EA implementation involves a significant amount of change in the enterprise, such as introducing new technologies, standards, policies, roles, and responsibilities2. Therefore, managing the challenge of change is MOST important to the successful implementation of EA, as it requires effective communication, stakeholder engagement, change management, and governance mechanisms34. Without managing the challenge of change, EA implementation may face resistance, confusion, conflict, or failure. References :=

Entreprise Architecture: Critical Factors and Implementation | IEEE …5

A Review of Critical Success Factors of Enterprise Architecture …3

Critical Success Factors of Enterprise Architecture Implementation - IJOCIT1

EVALUATION OF ENTERPRISE ARCHITECTURE IMPLEMENTATION: A CRITICAL …4

This is the best way for the CIO to ensure that the IT objectives are delivered effectively by IT staff, as it aligns their work with the business objectives, communicates the desired outcomes and behaviors, motivates and empowers them, monitors and measures their progress and achievements, and provides feedback and recognition1. This answer is supported by the CGEIT Review Manual (Digital Version) or CGEIT Review Manual (Print Version), Chapter 2: IT Resources, Section 2.1: IT Strategy Development and Maintenance, Subsection 2.1.3: IT Strategy Implementation, Page 64-65. It is also confirmed by a CIO article that states that “including the IT objectives in staff performance plans” is one of the best practices for aligning IT with business goals1. The other options are not as effective as option C, as they do not directly link the IT objectives with the IT staff’s performance and incentives. Option A may helpto standardize and benchmark the IT objectives, but it does not ensure that they are delivered by the IT staff. Option B may help to improve the IT staff’s skills and knowledge, but it does not ensure that they are aligned with the IT objectives. Option D may help to demonstrate the CIO’s commitment and authority, but it does not ensure that the IT staff are aware of and adhere to the IT objectives.

 Business use cases are descriptions of the business processes, scenarios, and interactions that support the achievement of a specific business goal or objective1. By considering the business use cases supporting the digital strategy, the enterprise can ensure that the information architecture is aligned with and driven by the business needs and expectations2. The information architecture can also support the communication, collaboration, and decision-making processes among the stakeholders involved in the digital strategy2.

The other options are not as important as the business use cases supporting the digital strategy, as they are either specific aspects or outcomes of information architecture, but not comprehensive factors. Resource constraints related to implementing the digital strategy are the limitations and challenges that affect the availability and quality of the resources required for executing the digital strategy, such as time, money, people, technology, or data3. Resource constraints can affect the information architecture, but they are not the most important factor to consider, as they are only one of the many criteria that evaluate information architecture3. Changes to the legacy business and data architectures are the modifications and adaptations that are needed to update and improve the existing business and data structures, models, and systems to align with the digital strategy4. Changes to the legacy business and data architectures can affect the information architecture, but they are not the most important factor to consider, as they are only one of the many components that constitute information architecture4. The history of fraud incidents and their root causes are the records and analyses of the previous fraud events and their underlying factors that occurred within or against the enterprise5. The history of fraud incidents and their root causes can affect the information architecture, but they are not the most important factor to consider, as they are only one of the many sources of information that inform information architecture5.