Isaca Updated CGEIT Exam Questions and Answers by safiyah

 The first step to address the issue of complaints from business executives regarding the amount their units are being charged for IT services should be to quantify consumption and service level agreement (SLA) achievements per business unit. This will help the CIO to understand the actual usage and performance of IT services by each business unit, as well as to justify and communicate the chargeback rates based on the value and quality of IT services delivered. Quantifying consumption and SLA achievements can also help identify and address any inefficiencies, discrepancies, or gaps in IT service delivery or chargeback methods.

Agreeing to reduce charge rates and improve relationship management with the business, looking into outsourcing of support functions to drive down the cost structure, and asking the CFO about budget revisions for the business units’ IT expenditures are possible steps to take after quantifying consumption and SLA achievements, but they are not the first step. Agreeing to reduce charge rates without understanding the underlying causes of the complaints may result in underfunding or underpricing of IT services, which may affect their quality and sustainability. Improving relationship management with the business is important, but it should be based on transparent and accurate information about IT service consumption and chargeback. Looking into outsourcing of support functions may reduce the cost structure, but it may also introduce new risks and challenges for IT governance and management. Asking the CFO about budget revisions may help align IT expenditures with business priorities, but it may not address the root causes of the dissatisfaction with IT chargeback.

References := IT Chargeback Drives Efficiency - Uptime Institute Blog; What is IT governance? A formal way to align IT & business strategy; Chargeback vs. IT Governance – HEIT Management.

According to the web search results, a request for proposal (RFP) is a formal document that solicits proposals from potential vendors for a product or service. The RFP process is intended toensure a fair, transparent and objective selection of the best vendor that meets the requirements and expectations of the project sponsor and the enterprise. The RFP process typically involves the following steps1:

Planning and preparation: Define the scope, objectives, budget, timeline and evaluation criteria of the project. Identify the stakeholders and decision makers involved in the RFP process. Research the market and potential vendors. Develop the RFP document that outlines the project details, requirements, expectations and instructions for the vendors.

Issuing and advertising: Distribute the RFP document to the potential vendors, either directly or through public channels. Provide a deadline for submitting proposals and a contact person for inquiries. Advertise the RFP opportunity to attract more qualified vendors.

Receiving and reviewing: Receive the proposals from the vendors by the deadline. Review and evaluate the proposals based on the predefined criteria, such as technical capabilities, experience, references, pricing, etc. Shortlist the most suitable vendors for further consideration.

Negotiating and awarding: Conduct negotiations with the shortlisted vendors to clarify any questions, concerns or issues. Discuss the terms and conditions of the contract, such as scope, deliverables, schedule, payment, etc. Select the best vendor that offers the most value and benefit to the project and the enterprise. Award the contract to the chosen vendor and notify the other vendors of the decision.

Managing and monitoring: Manage and monitor the performance and progress of the vendor throughout the project lifecycle. Ensure that the vendor meets the contractual obligations and delivers quality results on time and within budget. Provide feedback and support to the vendor as needed. Resolve any conflicts or disputes that may arise.

A project sponsor who circumvents the RFP selection process violates the established policies and procedures of the enterprise, as well as undermines the integrity and credibility of the RFP process. The most likely reason for this control gap is a lack of accountability for policy adherence, which means that there is no clear assignment of roles and responsibilities for following and enforcing the policies, or no effective mechanisms for monitoring and reporting policy compliance, or no adequate consequences for policy violations. A lack of accountability for policy adherence can lead to poor governance, increased risk, reduced value and damaged reputation for both the project sponsor and the enterprise23. Therefore, it is essential to establish and maintain a strong culture of accountability for policy adherence within the enterprise, as well as to implement appropriate controls and measures to ensure compliance with policies. References: The RFP process: The Ultimate Step-by-Step Guide, Criteria and Methodology for GRC Platform Selection, The Ultimate RFP Guide: Steps, Guidelines & Template, Guidebook: Crafting a Driven Request for Proposals (RFP)

An enterprise code of ethics is a set of principles and values that guide the behavior and decision-making of the organization and its members. It can help to incorporate desired organizational behaviors into the IT governance framework by establishing a common understanding and expectation of what is acceptable and unacceptable, and by promoting a culture of integrity, accountability, and responsibility. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 17.

Mapping of business objectives to IT risk is the most important factor to address in a risk self-assessment for current IT services, because it helps to align the IT risk management strategy with the business strategy and goals. Mapping of business objectives to IT risk also helps to identify and prioritize the key IT risks that could affect the achievement of the business objectives, and to determine the appropriate risk responses and controls. Mapping of business objectives to IT risk also helps to communicate the value and benefits of IT risk management to the business stakeholders, and to foster a risk-aware culture within the organization. One of the sources that supports this answer is A Comprehensive Guide To Risk And Control Self -Assessment RCSA, which states that “RCSA aims to include the use of risk management techniques, business processes, and cultures in staff work and businesses to achieve objectives.”