Certified in the Governance of Enterprise IT (CGEIT) — Question 98
An internal auditor conducts an assessment of a two-year-old IT risk management program. Which of the following findings should be of MOST concern to the CIO?
Answer options
- A. Organizational responsibility for IT risk management is not clearly defined.
- B. IT risk training records are not properly retained in accordance with established schedules.
- C. None of the members of the IT risk management team have risk management-related certifications.
- D. Only a few key risk indicators identified by the IT risk management team are being monitored and the rest will be on a phased schedule.
Correct answer: A
Explanation
The correct answer, A, highlights a lack of clearly defined organizational responsibility for IT risk management. Without clear ownership, no one is accountable for identifying, assessing and responding to IT risk, so risk responses are likely to be inadequate or absent. Options B and C, while important, concern record retention and staff qualifications and do not fundamentally affect the governance structure. Option D indicates a gap in key risk indicator monitoring, but a phased rollout is a manageable operational issue and does not undermine the core responsibility framework needed for effective risk management.