Prepare for the Isaca Certified in the Governance of Enterprise IT exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.
QA4Exam focuses on the latest syllabus and exam objectives, and our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, these Questions & Answers help you cover all the essential topics, ensuring you're well prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the Isaca CGEIT exam and achieve success.
The results of an internal audit show that the business and IT acquire resources differently, which causes duplicate purchases. Which of the following is the BEST way to address this issue?
The best way to address the issue of duplicate purchases caused by different acquisition methods of business and IT is to establish a centralized procurement approval process. A centralized procurement approval process is a process that organizations use to obtain approval for purchases that they intend to make. The process typically involves several steps, such as identifying a need, requesting a quote, obtaining quotes, and obtaining approval from a designated authority. By centralizing the procurement approval process, the organization can avoid duplication, inconsistency, and inefficiency in purchasing decisions. A centralized procurement approval process can also help the organization to achieve the following benefits:
Visibility and control: The organization can have a clear view of all purchase requests and transactions, and can monitor and manage the budgets, requesters, and suppliers.
Better purchasing power: The organization can leverage its volume and history to negotiate better prices and discounts with vendors, and can establish long-term relationships with preferred suppliers.
Standardization: The organization can implement and enforce policies and standards for data quality, security, privacy, and usage, and can create a single source of truth for purchasing information.
Eliminates maverick spending: The organization can identify and prevent individual spending that goes against the purchasing policies or that results in duplicate or unnecessary purchases.
Therefore, establishing a centralized procurement approval process is the best way to address the issue of duplicate purchases caused by different acquisition methods of business and IT.
Reference: Centralized vs. Decentralized Purchasing: Key Differences | Pipefy, Centralizing Procurement: What Companies Need to Consider, What is the Procurement Approval Process: Detailed Guide
Which of the following is MOST important to review during IT strategy development?
The most important thing to review during IT strategy development is the current business environment, as it reflects the internal and external factors that affect the enterprise's performance, objectives, and needs. The current business environment includes the analysis of the enterprise's strengths, weaknesses, opportunities, and threats (SWOT), as well as the assessment of the market trends, customer demands, competitor actions, and regulatory requirements. Reviewing the current business environment can help align the IT strategy with the business strategy, as well as identify and prioritize the IT initiatives and investments that can support and enable the enterprise's goals and value proposition.
Industry best practices, the IT balanced scorecard, and data flows that indicate areas requiring IT support are also important to review during IT strategy development, but they are not the most important. Industry best practices are the methods or techniques that have been proven to be effective or efficient in achieving a desired outcome or result in a specific domain or context. Industry best practices can help benchmark and improve the IT strategy, as well as adopt or adapt the best solutions or innovations from other enterprises or sectors. An IT balanced scorecard is a set of metrics that measure the performance of IT in relation to the enterprise's vision, strategy, and goals. An IT balanced scorecard can help evaluate and communicate the effectiveness and efficiency of the IT strategy, as well as its contribution to customer satisfaction, business value, and innovation. Data flows that indicate areas requiring IT support are the diagrams or models that show how data is collected, processed, stored, and distributed within or across the enterprise's processes or systems. Data flows can help identify and address the gaps or issues in IT service delivery or data management, as well as optimize or integrate the data systems or tools.
Which of the following BEST facilitates governance oversight of data protection measures?
Information ownership is the assignment of roles and responsibilities for data protection to individuals or groups within the organization. Information owners are accountable for ensuring that data is properly classified, secured, and used in accordance with the organization's policies and standards. Information ownership facilitates governance oversight of data protection measures by providing clear lines of authority and accountability for data assets.
Reference:
ISACA CGEIT Review Manual 2021, page 86: "Information ownership is the assignment of roles and responsibilities for the protection of information to individuals or groups within the enterprise."
ISACA CGEIT Review Questions, Answers & Explanations Manual 2021, page 11, question 14: "The correct answer is A. Information ownership is the assignment of roles and responsibilities for the protection of information to individuals or groups within the enterprise. Information owners are accountable for ensuring that information is properly classified, secured, and used in accordance with the enterprise's policies and standards. Information ownership facilitates governance oversight of data protection measures by providing clear lines of authority and accountability for information assets."
An IT steering committee is preparing to review proposals for projects that implement emerging technologies. In anticipation of the review, the committee should FIRST:
An enterprise is planning a change in business direction. As a result, IT risk will significantly increase. Which of the following should be the CIO'S FIRST course of action?
The CIO's first course of action should be to report the risk to executive management, as they are ultimately responsible for the strategic direction and risk appetite of the enterprise. Reporting the risk will help to ensure that executive management is aware of the potential impact and consequences of the change in business direction, and that they can make informed decisions about how to proceed. Reporting the risk will also help to establish a clear communication channel and a collaborative relationship between the IT function and the business function, which are essential for effective IT governance and risk management.
Recommending delaying the business change is not the first course of action, as it may not be feasible or desirable for the enterprise. The CIO should not interfere with the business objectives or priorities without first understanding the rationale and expectations of executive management. The CIO should also not assume that the risk is unacceptable or unmanageable without conducting a proper risk assessment and analysis.
Implementing IT changes to align with the plan is not the first course of action, as it may be premature or inappropriate for the IT function to act on the change in business direction without first consulting with executive management and other stakeholders. The CIO should not initiate or approve any IT changes without first understanding the scope, requirements, benefits, and risks of the change, and without following the established change management process and procedures.
Planning for the corresponding IT reorganization is not the first course of action, as it may be unnecessary or counterproductive for the IT function to restructure its resources, roles, and responsibilities without first communicating with executive management and other stakeholders. The CIO should not assume that the change in business direction will require a major IT reorganization without first evaluating the current and future state of the IT environment, and without considering the impact on the IT performance, efficiency, and effectiveness.