CGEIT Exam Dumps - Certified in the Governance of Enterprise IT Exam

The first consideration with regard to the IT service desk that will remain centralized is the effect of regional differences on service delivery. This is because regional differences can pose various challenges and opportunities for the IT service desk, such as:

• Language and cultural barriers: The IT service desk staff should be able to communicate effectively and respectfully with customers from different countries and backgrounds, and understand their needs, preferences, and expectations. This may require hiring multilingual staff, providing language training, using translation tools, or outsourcing some services to local providers1.
• Time zone differences: The IT service desk should be able to provide timely and consistent support to customers across different time zones, and avoid delays or disruptions in service delivery. This may require extending the service hours, implementing shift work, using automation tools, or outsourcing some services to local providers2.
• Legal and regulatory differences: The IT service desk should be aware of and comply with the local laws and regulations that apply to the IT services they provide, such as data protection, privacy, security, taxation, and consumer rights. This may require conducting a risk assessment, obtaining legal advice, implementing policies and procedures, or outsourcing some services to local providers3.
• Technical and operational differences: The IT service desk should be able to adapt to the technical and operational requirements and challenges of the different regions they serve, such as network connectivity, bandwidth, infrastructure, devices, software, standards, and best practices. This may require conducting a feasibility study, investing in technology upgrades, implementing quality assurance measures, or outsourcing some services to local providers4.

The other options, identification of IT service desk functions that can be outsourced, enforcement of a standardized policy across all regions, and availability of adequate resources to provide support for new users are also important considerations for the IT service desk that will remain centralized, but they are not the first one. They are more related to the implementation and execution of the IT service desk strategy, rather than its design. They are also influenced by the regional differences factor, as they depend on the level of variation and complexity that the IT service desk faces in different regions. References := Five Ways to Provide a World Class Service Desk Experience, How to Run an IT Service Desk in a Hybrid or Remote World - Gartner, Best Practices for Building a Service Desk | Atlassian, The Top 18 Help Desk Metrics and Best Practices - HubSpot Blog

A due diligence process is the best way to enable a clear understanding of the vendor’s capabilities that will be critical to the enterprise’s strategy. A due diligence process is a systematic and comprehensive investigation and evaluation of the vendor’s background, reputation, performance, quality, reliability, security, compliance, and suitability for the enterprise’s needs and expectations. A due diligence process can help the enterprise:

• Verify the vendor’s claims and credentials, and validate the vendor’s references and testimonials
• Assess the vendor’s financial stability, legal status, and ethical standards
• Identify the vendor’s strengths, weaknesses, opportunities, and threats
• Compare the vendor’s offerings, capabilities, and prices with other vendors and market benchmarks
• Determine the risks and benefits of engaging with the vendor, and the mitigation and contingency plans
• Negotiate the terms and conditions of the contract, service level agreement (SLA), and key performance indicators (KPIs)

References:

• According to the CGEIT Review Manual 2022, "Due diligence is a comprehensive appraisal of a business undertaken by a prospective buyer or partner to establish its assets and liabilities and evaluate its commercial potential."1
• According to the ISACA article on Third-Party Vendor Selection: If Done Right, It’s a Win-Win2, “Once you have identified which processes can be outsourced as well as their inherent risks, you can begin performing due diligence on potential vendors. The level of due diligence should be tailored to the significance of the relationship as well as the potential risks it poses.”
• According to the Gartner article on How to Evaluate Technology Vendors in 4 Rigorous Steps1, “Evaluating vendors requires detailed objectives, criteria, prioritization and monitoring. Here’s help. When it comes to choosing a vendor, enterprise tech buyer teams can easily become bogged down in the details and documentation provided by sales teams.”

A balanced scorecard is a tool that helps to measure and communicate the value of IT initiatives to the board of directors. It aligns IT objectives with business goals, tracks performance indicators, and shows the contribution of IT to the enterprise value. A balanced scorecard can also help to identify gaps and areas for improvement in IT governance. References := CGEIT Review Manual, 7th Edition, Chapter 3: Benefits Realization, Section 3.3: Value Delivery Frameworks and Mechanisms, pp. 103-105.

A periodic service provider audit is a process of conducting an independent and objective assessment of the service provider’s performance, quality, compliance, and security in relation to the agreed service level agreement (SLA) and the enterprise’s expectations and requirements. A periodic service provider audit can help provide quality of service oversight by:

• Verifying and validating the service provider’s claims and credentials, and ensuring that they meet the contractual obligations and standards
• Identifying and evaluating the strengths, weaknesses, opportunities, and threats of the service provider’s services, processes, and controls
• Detecting and reporting any issues, gaps, or risks that may affect the quality of service delivery or the enterprise’s objectives and value
• Recommending and implementing corrective and preventive actions to address and resolve the issues, gaps, or risks
• Monitoring and measuring the outcomes and effectiveness of the corrective and preventive actions, and ensuring their alignment with the SLA

References:

• According to the CGEIT Review Manual 20221, “Service provider audits are a key mechanism for ensuring that service providers are meeting their contractual obligations and delivering value to the enterprise. Service provider audits should be conducted periodically or as needed to assess the performance, quality, compliance, and security of the service provider’s services, processes, and controls.”
• According to the ISACA article on IT Outsourcing: Audit Considerations2, “IT outsourcing audit is a process of examining and evaluating the IT outsourcing arrangements between an enterprise and its service providers. IT outsourcing audit aims to provide assurance that the IT outsourcing arrangements are aligned with the enterprise’s strategy, objectives, and risk appetite; that the service providers are delivering the expected services in accordance with the SLAs; that the service providers are complying with the applicable laws, regulations, and standards; and that the service providers are managing and mitigating the IT outsourcing risks effectively.”
• According to the PwC article on Service Provider Audits3, “Service provider audits are an essential tool for organizations to gain insight into their service providers’ operations, controls, risks, and compliance status. Service provider audits can help organizations ensure that their service providers are meeting their expectations and obligations; identify any areas of improvement or concern; enhance their relationship and communication with their service providers; and optimize their IT outsourcing strategy.”

• This is because training metrics are measurable values that indicate the effectiveness and impact of the training programs on the IT staff’s knowledge, skills, and performance1. By embedding training metrics into the annual performance appraisal process, the CIO can:

Embedding training metrics into the annual performance appraisal process can help to create a culture of learning, development, and accountability for IT-related training within the organization. It can also help to align the individual goals of the IT management team and direct employees with the organizational goals of IT governance.

The other options, developing training programs based on results of an IT staff survey of preferences, promoting IT-specific training awareness program, and researching and identifying training needs based on industry trends are not as effective as embedding training metrics into the annual performance appraisal process for ensuring that IT-related training is taken seriously by the IT management team and direct employees. They are more related to the design and delivery of the IT-related training, rather than its integration and evaluation. They may also not have a significant impact on the behavior and attitude of the IT management team and direct employees towards IT-related training, as they may not provide sufficient motivation, feedback, or recognition for participation or completion.

To reduce the complexity of its data assets while minimizing impact to the business during the transition, an enterprise should first review the information architecture. This review will provide a comprehensive understanding of the current state of data assets, their interdependencies, and how they are managed and utilized within the organization. It forms the basis for identifying redundancies, inefficiencies, and opportunities for simplification. While removing misaligned applications, reviewing classification and retention policies, and assessing information ownership are important, they should be guided by a thorough review of the information architecture to ensure a strategic and effective approach to simplification.

Establishing a data governance framework is the first strategic action in addressing the situation where financial data is being managed in a way that will negatively impact the enterprise’s ability to support regulatory reporting. This is because a data governance framework is a structured approach to managing and utilizing data in an organization. It includes policies, procedures, and standards that guide how data is collected, stored, managed, and used1. A data governance framework can help to:

• Improve data quality, accuracy, consistency, and completeness1
• Ensure data privacy, security, and compliance with regulatory requirements1
• Align data with business strategy, objectives, and priorities1
• Enhance data integration, accessibility, and usability1
• Define data roles and responsibilities and assign accountability1

By establishing a data governance framework, the enterprise can address the root cause of the problem, which is the lack of control and oversight over the financial data. A data governance framework can help to ensure that the financial data is properly managed and utilized to support regulatory reporting and other business needs.

The other options, assigning data responsibilities through a RACI chart, reviewing key risk indicators (KRIs) related to data management, and updating data management policies are not as effective as establishing a data governance framework for addressing the situation. They are more related to the implementation and execution of the data governance framework, rather than its design. They are also dependent on the existence of a data governance framework, as they require a clear understanding of the data landscape, goals, and standards of the organization.

 Including the update of documentation within the change management framework is the best way to prevent the recurrence of similar findings in the future. This is because the change management framework is a systematic and structured approach to managing changes in IT systems, applications, processes, and procedures. By incorporating the update of documentation as part of the change management process, the IT department can ensure that any changes are properly documented and communicated to the relevant stakeholders, and that the documentation is always aligned with the actual practices. This will help to avoid any discrepancies or inconsistencies between the procedures and what is actually done by system administrators, and thus reduce the risk of audit findings or non-compliance issues. Assigning the responsibility for periodic revisions and changes to process owners, requiring each IT employee to confirm compliance with IT procedures on an annual basis, and establishing high-level procedures to minimize process changes are all possible measures to improve the documentation quality, but they are not as effective or efficient as including the update of documentation within the change management framework. They may not address the root cause of the problem, which is the lack of coordination and integration between the documentation and the change management activities. References := Change Management Best Practices for IT Teams - Smartsheet, IT Documentation: Purpose and Best Practices - Helpjuice, IT Documentation Best Practices | IT Glue