CGEIT Question #420: Real Exam Question with Answer & Explanation

Question

Which of the following should be the PRIMARY governance objective for selecting key risk indicators (KRIs) related to legal and regulatory compliance?

Options

• AIdentifying the risk of noncompliance
• BDemonstrating sound risk management practices
• CMeasuring IT alignment with enterprise risk management (ERM)
• DEnsuring the effectiveness of IT compliance controls

Explanation

For legal and regulatory compliance, the primary objective of KRIs is to proactively identify and flag potential instances or conditions that could lead to noncompliance.

Common mistakes.

• B. While demonstrating sound risk management practices is a beneficial outcome, it is a broader objective; the specific primary purpose of KRIs for legal and regulatory compliance is to pinpoint noncompliance risks.
• C. Measuring IT alignment with ERM is important for overall risk strategy, but it is a higher-level objective compared to the direct, actionable purpose of compliance KRIs, which focus on specific regulatory adherence.
• D. Ensuring the effectiveness of IT compliance controls is a means to achieve compliance, and KRIs can help measure this, but the ultimate objective they serve in this context is to highlight where noncompliance risks might arise, indicating control failure or gaps.

Concept tested. KRI objective for compliance

No community discussion yet for this question.