Free CGEIT Practice Quiz

Let's get started!

This free practice quiz includes questions from ISACA®'s test prep solutions that are the same level of difficulty you can expect on ISACA's official CGEIT exam.

  1. Which of the following MOST accurately reflects key areas of the governance of enterprise IT?

    1. Evaluate, direct, monitor

      Evaluate, direct, monitor describes the governance domain as designated in COBIT. This helps to determine how accountability is established at the governance level.

    2. Initiate, plan, execute, monitor, control

      These are key phases in the project management process.

    3. Requirement analysis, design, development, implementation, support

      These are key phases in the system development life cycle.

    4. Plan, do, check, act

      Plan, do, check, act is a management method used for the continuous improvement of business processes.

  2. Which of the following MOST likely makes the decision on a request by a business unit to implement an application that is not on the enterprise’s list of approved technology standards?

    1. The IS audit committee

      The IS audit committee’s mandate does not include exceptions to approved standards.

    2. The enterprise investment committee

      The enterprise investment committee may consider the investment request related to this application implementation, but not the request for an exception to standards.

    3. The IT steering committee

      The IT steering committee may consider an appeal or escalation, but it is not the primary decision-making body with respect to architecture exceptions.

    4. The IT architecture review board

      The IT architecture review board is the correct answer. One of the roles of the IT architecture review board is to enforce architecture compliance and to consider exception or dispensation requests.

  3. The effectiveness of IT governance is BEST determined by:

    1. evaluating activities of the board’s IT oversight committee.

      Evaluating activities of the board’s IT oversight committee will determine the extent of involvement of the board in the process of IT governance; however, evaluating stakeholder satisfaction directly provides better insight into the effectiveness of IT governance.

    2. determining the percentage of projects delivered on time and within budget.

      Determining the percentage of projects delivered on time and within budget helps to determine stakeholder satisfaction; however, it is not a holistic view.

    3. evaluating stakeholder satisfaction.

      IT governance is the responsibility of executives and the board of directors and consists of the leadership, organizational structures, and processes ensuring that enterprise IT sustains and extends the enterprise’s strategies and objectives.

    4. complying with international standards.

      Complying with international standards may be a good practice but does not ensure stakeholder satisfaction.

  4. Who is ULTIMATELY responsible for establishing accountability for information systems controls?

    1. Executive management

      Executive management is ultimately responsible for establishing accountability of information systems controls. Accountability establishes the ability to map a given activity or event back to the responsible party.

    2. The data owner

      The data owner classifies information. Data classification is directly linked to organizational data handling policies and procedures and establishes access, process, storage, distribution and retention requirements.

    3. The business process owner

      The business process owner is similar to the data owner and classifies information. Data classification is directly linked to organizational data handling policies and procedures and will establish access, process, storage, distribution and retention requirements. Business process owners do not establish accountability for information systems controls.

    4. The system custodian

      The system custodian enforces access, process, storage, distribution and retention requirements in alignment with the data classification and data owner approvals. System custodians do not establish accountability for information systems controls.

  5. How does the governance function BEST ensure that project resource gaps are identified?

    1. It requires reporting of return on investment.

      Return on investment is a measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being considered. This does not identify resource gaps.

    2. It requires reporting of net present value.

      Net present value is calculated by using an after-tax discount rate of an investment and a series of expected incremental cash outflows (the initial investment and operational costs) and cash inflows (cost savings or revenues) that occur at regular periods during the life cycle of the investment. This does not identify resource gaps.

    3. It requires reporting of process maturity.

      Process maturity is an indication of how close a developing process is to being complete and capable of continuous improvement through quantitative measurement and feedback. This does not identify resource gaps.

    4. It requires reporting of earned value.

      Earned value looks at the project plan, actual work and work completed and compares them to the budget to determine whether the amount of work done and the budget used are in alignment with the budget and plan. This shows how much time and budget should have been used versus the actual time and cost. If more time and/or money has been spent than was budgeted for the amount of work completed, it might be an indication that there is a resource gap.

  6. Which of the following is the MOST important to include in an IT policy regarding the governance of third-party IT services?

    1. Inclusion of third-party audit clause into all contractual terms

      Not all third-party services require audit clauses, nor will all third parties accept this clause. In some cases, statements of compliance by an independent firm may be sufficient.

    2. Alignment of third-party services with internal service level agreements

      The most important factor for governing third-party IT services is the vendor’s ability to support internal service level agreements. When third-party services fail to meet internal service levels, then IT services will not create the expected value that the enterprise expects.

    3. Requirement of third-party personnel signing a nondisclosure agreement

      Due to the nature of the services provided, not all third-party services will require nondisclosure agreements.

    4. Mandatory clause to procure onshore cloud services

      Not all third-party services require onshore cloud services.

  7. Changing which of the following has the GREATEST impact on IT portfolio management?

    1. Project structure

      The project management structure has a limited impact on IT portfolio management because projects are managed as part of programs, not as portfolios.

    2. Business strategy

      The target state of the business informs business strategy. Clarity regarding business strategy and goals—or conversely, lack of clarity—has the greatest impact on IT portfolio management.

    3. Key goal indicators

      An investment plan is important in terms of the portfolio mix, but does not have the greatest impact on IT portfolio management.

    4. Key performance indicators

      A changing risk environment has the second biggest impact on IT project portfolio management after the business strategy.

  8. The decision to hold a rejected program for future consideration or to fund it is MOST closely related to:

    1. program management.

      A program is a structured grouping of interdependent projects that is both necessary and sufficient to achieve a desired business outcome and create value. These projects can include, but are not limited to, changes in the nature of the business, business processes and the work performed by people as well as the competencies required to carry out the work, the enabling technology and the organizational structure. Program management concerns itself with the delivery and initiation, planning, controlling and execution of programs and projects.

    2. governance of enterprise IT.

      Governance of enterprise IT is a governance view that ensures information and related technology support and enable the enterprise strategy and achievement of enterprise objectives; this also includes the functional governance of IT (i.e., ensuring that IT capabilities are provided efficiently and effectively).

    3. operations management.

      Operations management addresses service delivery and support.

    4. portfolio management.

      A portfolio is a grouping of “objects of interest” (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value. The evaluation and selection of programs to fund is a typical portfolio management practice process of aligning, planning and organizing.

  9. Which of the following BEST helps risk owners in assessing risk when performing a qualitative risk assessment?

    1. Threat landscape

      Knowing the threat landscape helps in identifying risk relevant to the organization.

    2. Vulnerability assessment

      Knowing the current vulnerabilities helps in identifying risk relevant to the organization.

    3. Risk appetite and tolerance levels

      Level of risk appetite and risk tolerance help in determining risk response options and cost-benefit analysis for the controls when mitigating risk.

    4. Criticality of information asset

      Understanding the criticality of the information asset best helps when assessing the impact to the organization while assessing risk.

  10. Which of the following options is MOST essential in the risk management life cycle?

    1. Updating the inventory of information assets

      Updating the inventory of information assets does not address risk; it is one input to the process.

    2. Designing controls to mitigate IT risk

      Risk mitigation is one of four possible risk responses. Designing controls is only one step of the process. Assigning the risk owner will help determine the risk response.

    3. Reporting IT risk to senior management

      IT risk reporting needs to be connected with enterprise risk management for appropriate decision making.

    4. Assigning risk owners to identified risk

      All identified risk must have a risk owner. The risk owner is the business unit or executive that is accountable if the IT risk is realized.

Remember: these questions are a small preview of what you can expect on exam day. The official CGEIT exam has 150 questions.