Isaca Updated CGEIT Exam Questions and Answers by tiago

The best way to address the issue of duplicate purchases caused by different acquisition methods of business and IT is to establish a centralized procurement approval process. A centralized procurement approval process is a process that organizations use to obtain approval for purchases that they intend to make. The process typically involves several steps, such as identifying a need, requesting a quote, obtaining quotes, and obtaining approval from a designated authority. By centralizing the procurement approval process, the organization can avoid duplication, inconsistency, and inefficiency in purchasing decisions. A centralized procurement approval process can also help the organization to achieve the following benefits :

Visibility and control: The organization can have a clear view of all purchase requests and transactions, and can monitor and manage the budgets, requesters, and suppliers.

Better purchasing power: The organization can leverage its volume and history to negotiate better prices and discounts with vendors, and can establish long-term relationships with preferred suppliers.

Standardization: The organization can implement and enforce policies and standards for data quality, security, privacy, and usage, and can create a single source of truth for purchasing information.

Eliminates maverick spending: The organization can identify and prevent individual spending that goes against the purchasing policies or that results in duplicate or unnecessary purchases.

Therefore, establishing a centralized procurement approval process is the best way to address the issue of duplicate purchases caused by different acquisition methods of business and IT. References: Centralized vs. Decentralized Purchasing: Key Differences | Pipefy, Centralizing Procurement: What Companies Need to Consider, What is the Procurement Approval Process: Detailed Guide

Understanding the enterprise’s risk tolerance is the most important step for the CTO to create the appropriate risk policies for IT, as it would help to define the acceptable level of risk exposure and the risk appetite for mobile applications. Risk tolerance is the degree of uncertainty that an enterprise is willing to accept in pursuit of its objectives, and it reflects the enterprise’s culture, strategy, and stakeholder expectations. Risk policies for IT should be aligned with the enterprise’s risk tolerance, as well as its mission, vision, and goals. The other options are not as important, as they are more related to the implementation or measurement of risk management, rather than the establishment of risk policies. References: : CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.1: IT Risk Management Overview, Page 153 : CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.2: IT Risk Management Process, Page 156 : Proactive IT Risk Management in an Era of Emerging Technologies

 Quality management is the process of ensuring that the products and services delivered by an organization meet or exceed the expectations and requirements of the customers and stakeholders. Quality management practices include planning, implementing, monitoring, and improving the quality standards and processes for an organization. Applying effective quality management practices can help to manage continuous improvement of governance-related processes, by ensuring that the processes are aligned with the organizational goals and objectives, that the processes are performed consistently and efficiently, that the processes are measured and evaluated for their effectiveness and value, and that the processes are continuously reviewed and enhanced for improvement123. References: What is Quality Management? Definition, Principles, Tools & Examples. Quality Management: The Importance of ISO. Continuous Improvement and a Business Process Governance Framework.

The security status of a new business acquisition is a critical factor that can affect the value, performance, and reputation of the acquiring company. Therefore, it is essential to conduct a thorough IT risk assessment of the target company as part of the overall due diligence process. An IT risk assessment can help to identify and evaluate the current and potential cybersecurity threats, vulnerabilities, and controls in the target company’s IT environment, as well as the compliance with relevant laws and regulations. An IT risk assessment can also help to estimate the costs and efforts required to remediate any security gaps or issues, and to align the security policies and standards of both parties. By integrating IT risk assessment into the due diligence process, the acquiring company can make informed decisions about the feasibility, valuation, and integration of the new business acquisition12. References: Due diligence for Mergers and Acquisitions through a cybersecurity lens. Microsoft Security tips for mitigating risk in mergers and acquisitions.