Isaca Updated CGEIT Exam Questions and Answers by lilia

The main reason for an enterprise to implement an IT risk management framework is the need to enable IT risk-aware decisions by executives, as it helps to ensure that the IT risks are aligned with the enterprise strategy, objectives, and risk appetite. IT risk management also provides a consistent and structured approach to identify, analyze, treat, and monitor IT-related business risks, and to communicate and report them to the relevant stakeholders12. References := CGEIT Exam Content Outline, Domain 4, Subtopic B: IT Risk Management, Task 1: Ensure that an IT risk management framework exists to identify, analyze, mitigate, manage, monitor, and communicate IT-related business risk, and that the framework for IT risk management is in alignment with the enterprise risk management (ERM) framework.

 Appointing an IT representative to the business risk committee is the best way to address senior management’s concern about IT investment risks, as it would ensure that IT risks are properly identified, assessed, and communicated to the business stakeholders. The IT representative would also be able to align IT risk management with the enterprise’s risk appetite and strategy, and provide input and feedback on the IT investment decisions. The other options are not as effective, as they do not involve direct collaboration and communication between IT and business on risk matters. References: : CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.1: IT Risk Management Overview, Page 153 : CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.2: IT Risk Management Process, Page 156 : CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.5: Roles and Responsibilities for IT Risk Management, Page 161

 Documenting and communicating key management practices across divisions is the best way to facilitate the adoption of strong IT governance practices throughout a multi-divisional enterprise. This can help to ensure that all divisions are aware of and aligned with the corporate IT governance framework, policies, and standards. It can also promote collaboration, coordination, and consistency among the divisions, as well as transparency, accountability, and trust. According to one of the web search results1, “communication is a critical success factor for IT governance implementation” and “effective communication can help to create a shared understanding of IT governance objectives, roles, responsibilities, and benefits among stakeholders.” Ensuring each divisional policy is consistent with corporate policy, ensuring divisional governance fosters continuous improvement processes, and mandating data standardization across the distributed enterprise are not the best ways to facilitate the adoption of strong IT governance practices throughout a multi-divisional enterprise. They are more likely to be part of the implementation or improvement of IT governance practices, rather than the facilitation of them. They may also encounter resistance or challenges from the divisions due to different business needs, cultures, or preferences. References := IT Governance Practices For Improving Strategic And Operational …

Delaying the control review of a payroll system project until after its implementation increases the risk of discovering control weaknesses or errors that could have been prevented or corrected earlier. This would result in increased cost to mitigate the deficiencies and ensure the system’s reliability and compliance. References: CGEIT Domain 4: Risk Optimization