
CGEIT Question #497: Real Exam Question with Answer & Explanation

The correct answer is A: Organizational responsibility for IT risk management is not clearly defined. The most significant concern for a CIO regarding a two-year-old IT risk management program is the lack of clearly defined organizational responsibilities.

Submitted by omar99 · Apr 18, 2026 · Governance of Enterprise IT

Question

An internal auditor conducts an assessment of a two-year-old IT risk management program. Which of the following findings should be of MOST concern to the CIO?

Options

  • A. Organizational responsibility for IT risk management is not clearly defined.
  • B. None of the members of the IT risk management team have risk management-related
  • C. Only a few key risk indicators (KRIs) identified by the IT risk management team are being
  • D. IT risk training records are not properly retained in accordance with established schedules

Explanation

The most significant concern for a CIO regarding a two-year-old IT risk management program is the lack of clearly defined organizational responsibilities.

Common mistakes.

  • B. While desirable, a lack of specific risk management certifications among team members is a training gap, not a foundational structural issue with the program's governance.
  • C. Few key risk indicators (KRIs) being used indicates an issue with monitoring and measurement, which is less critical than the fundamental lack of responsibility for the entire program.
  • D. Improper retention of IT risk training records is a compliance and documentation issue, which is less impactful than a lack of clear responsibility for the risk management program itself.

Concept tested: IT risk management program governance

Topics

#IT Risk Management · #Governance · #Accountability · #Organizational Structure
