Isaca Updated CGEIT Exam Questions and Answers by laila

• This is because IT is a key enabler and driver of business strategy, and it needs to understand and align with the strategic vision, goals, and priorities of the enterprise1. By ensuring IT has knowledgeable representation and is included in the strategic planning process, the enterprise can:
• B. Increase the IT budget and approve an IT staff level increase to ensure resource availability for the strategy change. This is not the first step to prepare for the change in the enterprise’s board of directors’ strategy, as it may be premature or unnecessary to do so without a clear understanding and agreement of the scope, impact, and implications of the strategy change. Increasing the IT budget and staff level may also create inefficiencies or wastages if they are not aligned with the actual needs and priorities of the strategy change2.
• C. Initiate an IT service awareness campaign to business system owners and implement service level agreements (SLAs). This is not the first step to prepare for the change in the enterprise’s board of directors’ strategy, as it may not be relevant or effective to do so without a clear definition and communication of the strategy change. Initiating an IT service awareness campaign and implementing SLAs are more related to the delivery and management of IT services, rather than the planning and alignment of IT strategy3.
• D. Outsource both IT operations and IT development and implement controls based on a standardized framework. This is not the first step to prepare for the change in the enterprise’s board of directors’ strategy, as it may introduce new risks and challenges for IT governance, such as loss of control, dependency, compatibility, security, compliance, and cost issues4. Outsourcing both IT operations and development may also reduce the involvement and ownership of IT in the strategic planning process, which could affect its alignment and responsiveness to the strategy change4. Outsourcing should be carefully considered and evaluated based on the specific needs and circumstances of the enterprise, and should be complemented by a robust governance and management framework4.

Establishing a data governance framework is the first strategic action in addressing the situation where financial data is being managed in a way that will negatively impact the enterprise’s ability to support regulatory reporting. This is because a data governance framework is a structured approach to managing and utilizing data in an organization. It includes policies, procedures, and standards that guide how data is collected, stored, managed, and used1. A data governance framework can help to:

• Improve data quality, accuracy, consistency, and completeness1
• Ensure data privacy, security, and compliance with regulatory requirements1
• Align data with business strategy, objectives, and priorities1
• Enhance data integration, accessibility, and usability1
• Define data roles and responsibilities and assign accountability1

By establishing a data governance framework, the enterprise can address the root cause of the problem, which is the lack of control and oversight over the financial data. A data governance framework can help to ensure that the financial data is properly managed and utilized to support regulatory reporting and other business needs.

The other options, assigning data responsibilities through a RACI chart, reviewing key risk indicators (KRIs) related to data management, and updating data management policies are not as effective as establishing a data governance framework for addressing the situation. They are more related to the implementation and execution of the data governance framework, rather than its design. They are also dependent on the existence of a data governance framework, as they require a clear understanding of the data landscape, goals, and standards of the organization.

The value of an enterprise’s information asset base is the amount of benefits or advantages that the enterprise can derive from its information assets, such as data, documents, records, and reports. Information assets are valuable and sensitive resources that need to be protected, managed, and used effectively and efficiently to support and achieve the enterprise’s objectives and goals1. To maximize the value of an enterprise’s information asset base, the best way is to seek additional opportunities to leverage existing information assets. This means finding new or innovative ways to use or reuse the information assets to create more value for the enterprise, such as improving performance, quality, customer satisfaction, innovation, or competitive advantage23. For example, an enterprise can leverage its existing information assets by analyzing them to generate insights, combining them to create new products or services, sharing them with partners or stakeholders to enhance collaboration, or monetizing them to generate revenue23.

The other options are not the best ways to maximize the value of an enterprise’s information asset base. Facilitating widespread user access to all information assets may increase the availability and utilization of the information assets, but it may also compromise their confidentiality and integrity. Not all information assets are appropriate or relevant for all users, and some may contain sensitive or confidential data that need to be restricted or protected1 . Therefore, facilitating widespread user access to all information assets may not maximize their value, but rather increase their risk. Regularly purging information assets to minimize maintenance costs may reduce the storage and management expenses of the information assets, but it may also eliminate their potential value or usefulness. Not all information assets are obsolete or redundant, and some may have long-term or strategic value for the enterprise1 . Therefore, regularly purging information assets to minimize maintenance costs may not maximize their value, but rather decrease their availability. Implementing an automated information management platform may improve the efficiency and effectiveness of the information asset management process, but it may not necessarily increase the value of the information asset base. An automated information management platform is a tool or system that helps to collect, store, process, analyze, and distribute information assets. However, it does not guarantee that the information assets are used or leveraged in optimal ways to create more value for the enterprise23. Therefore, implementing an automated information management platform may not maximize the value of the information asset base, but rather facilitate its management. References:

• 2: https://www.gartner.com/smarterwithgartner/why-and-how-to-value-your-information-as-an-asset
• 1: https://www.cio.com/article/202183/what-is-data-governance-a-best-practices-framework-for-managing-data-assets.html
• 3: https://www.gartner.com/en/publications/infonomics
• : https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
• : https://www.isaca.org/resources/isaca-journal/issues/2017/volume-3/it-asset-valuation-risk-assessment-and-control-implementation-model
• : https://www.ibm.com/topics/information-management-systems

The first action taken by a newly formed IT governance committee to ensure reports are compliant with regulations and identify key IT risks should be to develop and monitor IT key risk indicator (KRI) triggers. IT KRIs are metrics that measure the likelihood and impact of IT-related risks on the enterprise’s objectives and goals. IT KRI triggers are thresholds or values that indicate when a risk is approaching or exceeding an acceptable level, requiring attention or action from the IT governance committee. Developing and monitoring IT KRI triggers can help the committee to identify, prioritize, and manage IT risks, as well as to ensure compliance with regulations and policies.

Directing the development of a reporting communication plan, training end users on regulation requirements, and implementing a mechanism to ensure reporting escalation are also important actions for the IT governance committee, but they are not the first step. A reporting communication plan is a document that defines the purpose, scope, format, frequency, audience, and distribution of IT reports, as well as the roles and responsibilities of the report creators and recipients. A reporting communication plan can help the committee to communicate effectively and efficiently with the stakeholders about IT performance, issues, and risks. Training end users on regulation requirements is a process that educates the end users on the rules and standards that apply to their use of IT systems and data, as well as the consequences of non-compliance. Training end users can help the committee to raise awareness and ensure adherence to regulations and policies. Implementing a mechanism to ensure reporting escalation is a procedure that defines the criteria, process, and channels for escalating IT reports to higher levels of authority or responsibility when necessary. Implementing a reporting escalation mechanism can help the committee to ensure timely and appropriate response and resolution of IT issues or risks.

References := Integrating KRIs and KPIs for Effective Technology Risk Management; Performance Measurement Metrics for IT Governance; State and Impact of Governance of Enterprise IT in Organizations: Key Findings of an International Study.