COBIT-docx (1) - Changed by Me
QUESTION NO: 1
Which is likely to suffer the most should the enterprise outsource its IT function?
A. Strategic alignment
B. Value delivery
C. Risk management
D. Performance measurement
Answer: A
Explanation/Reference:
Outsourcing agreements are unlikely to fully anticipate changes in business strategy, as outsourcing
obligations are fixed in contractual language.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 2
The most important aspect of accountability for IT is?
A. Compensation plan
B. Performance measurement
C. Control processes
D. IT balanced scorecard
Answer: C
Explanation/Reference:
http://www.micropoll.com/akira/mpresult/671426-206759
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 3
What would typically be the greatest IT governance concern?
Answer: B
Explanation/Reference:
Staff retention is a persistent requirement needed to ensure availability of the resources needed to
execute strategy and deliver value. Failure to retain staff will negatively impact performance.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 4
What is the appropriate course of action for IT management to undertake?
A. Implement the additional systems and processes required by the prospect's standards and
architecture.
B. Halt the standardization effort until A's architecture and standards can be made compliant with
the prospect's architecture and standards.
C. Advise against accepting the prospect's business as its standards are inconsistent with those of
Company A.
D. Consult with the Board's IT strategy committee regarding a change in business strategy.
Answer: D
Explanation/Reference:
Where there are substantial barriers to implementing strategy, it is never inappropriate to consult
with the Board. Delaying implementation of strategy (option B) should never be a first alternative.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 5
In the above scenario, Company A's Sr. VP of Sales executed a contract with the prospect that
includes significant penalties for nonperformance.
A. Implement the additional systems and processes required by the prospect's standards and
architecture.
B. Halt the standardization effort until A's architecture and standards can be made compliant with
the prospect's architecture and standards.
C. Seek to outsource servicing the incompatible aspects of the prospect's business.
D. Advise for settlement of contract terms as soon as possible.
Answer: C
Explanation/Reference:
This is undoubtedly the most cost-effective way of meeting customer requirements with
minimum negative impact on the IT Strategy of system and process standardization.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 6
In the above scenario, do the Sr. VP's actions represent a failure of IT governance?
A. No, Governance of IT should not constrain the activities of the Sales organization.
B. Yes, the IT strategy was incompletely harmonized with the business strategy
C. Yes, IT should first review all IT requirements before the Sales organization makes
commitments.
D. No, IT must be able to adapt to changing business requirements.
Answer: D
Explanation/Reference:
IT failed in the execution of strategy by defining standards too narrowly and not anticipating
such customer requests.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 7
Who bears primary responsibility should the IT standardization initiative fail to deliver the
expected efficiencies in Company A's business processes?
A. CEO
B. CIO
C. Business Process Owner.
D. Business Executive
Answer: B
Explanation/Reference:
The CIO is the principal manager of IT resources. It is the responsibility of the CIO to ensure
that business requirements are appropriately recognized and addressed.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 8
Should Company A fail to have a framework for IT governance, what is most likely to suffer?
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 9
Which finding would most likely motivate the Company's adoption of a distinct IT governance
program?
A. There is significant unrecognized and unaddressed risk in the Company pharmacy unit’s
handling of customer health information.
B. The Company spends more on IT as a percentage of profit than the grocery industry as a
whole.
C. The Company's management expense as a percentage of profit is higher than that of the grocery
industry as a whole.
D. The company has experienced multiple year-to-year increases in the percent of revenue lost
due to spoilage or otherwise unsellable inventory.
E. The Company’s long time (15+ years) CIO will soon retire.
Answer: D
Explanation/Reference:
The company has experienced multiple year-to-year increases in the percent of revenue lost due
to spoilage or otherwise unsellable inventory.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 10
What is the most appropriate measure for the Board to use to track the value of the Company's IT
Governance program?
Answer: C
Explanation/Reference:
A governance program motivated in part by inventory management issues should be tracking those
costs.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 11
Store operations depend on IT-staff maintained software that was developed in house twenty years
ago. What is the most compelling argument regarding modernization?
Answer: C
Explanation/Reference:
Such system inadequacies would have major financial impact. (Business & alignment response)
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 12
The Company has acquired the assets of a 100 store chain liquidated through bankruptcy. The acquired
chain's computer systems are vendor proprietary, leading edge systems. What should the Company
do with these systems?
A. Continue to operate them and contract with the vendor’s professional services to integrate
these systems with the Company’s financial and logistic systems.
B. Replace these new systems with the Company’s standard store system.
C. Implement a strategy whereby the system in the acquired stores is the basis for a new
Company standard store system.
D. Maintain a separate IT organization until the stores are re-branded and P&L reporting is
integrated.
Answer: B
Explanation/Reference:
Company focus on cost control emphasizes standardization.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 13
Despite the CFO’s certification of compliance with the bankcard industry’s security standards (PCI
DSS), the Company experienced a significant security breach that exposed card information of
more than 1M customers. What changes should be made in the Company's risk management
program?
Answer: D
Explanation/Reference:
Accountability for information security is suspect due to certification signoff by the CFO. Assign
accountability to the CEO, given the CIO's suspect participation.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 14
The IT department has developed much of the Company’s intellectual property (tools &
proprietary methods). What is the appropriate accountability? [Framework]
A. Management of Professional Services for the utilization of new tools & methods in client
engagements
B. The CIO for training of professional services staff in the use of new tools & methods
C. The CIO for a positive impact on profits from any newly developed tools or methods
D. Management of Professional Services for the selection of new tools & methods to be included
in the Portfolio.
Answer: C
Explanation/Reference:
IT value is determined by the value it delivers to the Business. IT must act to remove barriers to
the delivery of business value. If such barriers cannot be removed, then IT should forgo
development of the subject tool.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 15
What should IT Management be doing in response to new Bank regulation regarding information
security? [Framework]
A. Monitor, evaluate and identify new market opportunities that will follow promulgation of the
new regulation
B. Determine the adequacy of the Portfolio to respond to the requirements of the new regulation
C. Do nothing until Management of Professional Services reports a Client requirement for new
security services
D. Ensure staff attendance at an industry conference focused on the new regulation
Answer: B
Explanation/Reference:
IT is best positioned to understand the limits of the portfolio's capabilities. IT has an obligation to
'inform the business' should the Portfolio be found wanting.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 16
The Company has determined to ‘productize’ and sell some tools currently used by the Company's
professional services staff. What must IT do to support this strategy? [Alignment]
Answer: D
Explanation/Reference:
While the development of product strategy is not an IT function, IT must provide input regarding
its capability to respond to anticipated requirements.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 17
The Company is considering converting most of its salaried consultants to ‘independent contractor’
status. What is the major IT challenge associated with such a move? [Resource Management /
Alignment]
Answer: C
Explanation/Reference:
Greater staff turnover means that without a reduction in the learning curve for the use of Company
products, service quality will suffer. One method to shorten the learning curve is to lessen the level of
knowledge required to use the tools through an increased level of tool automation.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 18
The Board believes that the Company is an acquisition target of a large manufacturer of computer
systems and discreetly seeks an attractive offer. What should IT management recommend to
maximize value to the potential buyers? [Alignment]
Answer: A
Explanation/Reference:
Increases the opportunity for reuse by the acquiring company while minimizing risk to current
operations; may otherwise make for more efficient IT operations.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 19
The IT infrastructure is currently unable to support new ways of communicating with clients
such as SMS or ‘twitter’. What is the best way for IT to acquire such communications capability?
Answer: A
Explanation/Reference:
Activities in support of strategic goals will always be given priority.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 20
Brokers are complaining that the nightly 2 hour maintenance window diminishes their opportunity
to enter and complete transactions for international clients. What is the best way to improve system
availability?
Answer: D
Explanation/Reference:
Modern transaction processing systems should support 24x7 processing, allowing
maintenance activities such as backup, routine software fixes / feature additions and patch
installation to occur in real time.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 21
Retail customers are complaining that the Company does not support online trading. The retail
unit does not have expertise in-house to develop and maintain a secure online trading system.
Answer: B
Explanation/Reference:
Where there is no competitive or strategic advantage, it's generally better to buy than build. Buying
services rather than owning software is likely to have a lower TCO (at least during the transition
period).
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 22
Due to cost pressures brought about by new regulation, the Company seeks to relocate all data
processing to a Company operated off-shore facility. What is the major concern with this tactic?
Answer: A
Explanation/Reference:
Since the relocation is intended to avoid costs due to regulation, it is necessary to implement controls
to ensure that the Company remains compliant with those regulations.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 23
The Company is experiencing frequent disruptions in system operations.
What is the best way to address this problem?
A. Strengthen perimeter security with next generation firewalls and intrusion detection
B. Accelerate server maintenance and replacement
C. Add more capability to monitor the state of system and network resources
D. Resize servers, routers, disk arrays and other components
Answer: C
Explanation/Reference:
Resize servers, routers, disk arrays and other components
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 24
To support the modernization effort, the CIO anticipates that Company ‘messaging’ capabilities
will have to be upgraded to include some kind of ‘collaboration engine’ such as Sharepoint or
Lotus Domino. What is the best way to proceed?
A. Immediately include the new infrastructure in the IT architecture and fund the component
out of the modernization budget
B. Wait until the need for the new component is apparent in a critical workflow and then include
acquisition and implementation of that component as part of the project to automate that critical
workflow
C. Collect 'collaboration' requirements from all current project teams. Implement a common
component if it is a cost-effective solution to the collective collaboration requirement
D. Develop an infrastructure upgrade strategy to support the modernization program, the costs of
which are assigned to IT’s capital budget
Answer: C
Explanation/Reference:
Ensures the value of the collaboration engine will be appropriately assessed and that the investment
decision is made on that basis. Infrastructure components derive their value from that of the applications
that they support.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 25
New regulation mandates that the Company support data exchange procedures for which the
Company anticipates significant cost but little, if any, financial benefit in the next five years. What
is the best approach to managing this investment?
A. Implement the applications that will leverage the new procedures so as to produce business
value
B. Initiate a project to implement the exchange capability but assign it minimum resources
C. Include support for the exchange capability in the portfolio of modernization projects
D. Delay implementation of the capability for as long as possible
Answer: C
Explanation/Reference:
Value management | governance response. Address the support requirements in the context of the
portfolio of Company investments.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 26
Recently, a ‘never event’ resulting in the death of a patient occurred at the hospital. Current
industry standards dictate that such an event should ‘never’ occur at a well-managed hospital.
The hospital could implement a very expensive application control to prevent a re-occurrence, but
the cost would have to be paid out of the modernization budget. What is the most appropriate
action?
A. Immediately implement the new application control as part of the modernization budget.
B. Delay implementation of the control until another cost center for the control is found.
C. Increase the priority of projects that would automate the suspect processes identified by the
root cause analysis of the event.
D. Do nothing and accept the risk of such events given their very low frequency and high
mitigation cost.
Answer: C
Explanation/Reference:
Priority is in the context of portfolio management. RCA will identify process failures that can be
avoided through automation.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 27
The company has not yet obtained expected benefits from the modernization program. What is
best course of action?
Answer: C
Explanation/Reference:
Lack of receipt of value indicates a problem in value planning or execution. This response
ensures project management until all capabilities required to receive business value are in place.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 28
The project to implement a highly visible medical support application is 25% complete but has
consumed 50% of its budget. What is the most appropriate course of action?
A. Increase the project budget as the application directly relates to Company mission
B. Increase the assumed level of project risk and re-evaluate the investment decision
C. Shelve the project in favor of those with greater likelihood of implementation success
D. Develop a plan to complete the project with the remaining budget
Answer: B
Explanation/Reference:
Value management response | ensures consideration of risk and value in the context of the portfolio of
investments.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 29
An Agency goal is to more easily integrate information collected at different times and by different
sources within the Agency. Which of the following measures would best indicate IT's progress
toward this goal?
Answer: D
Explanation/Reference:
This would be a business consequence of goal satisfaction.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 30
The Agency continues to regularly experience incomplete data sharing despite improvement in
performance metrics. Which of the following is most likely to be the reason for this?
Answer: D
Explanation/Reference:
Inconsistency between metrics and 'reality' implies a deficiency in the metrics. The reported
metric reports time without controlling for 'quality'.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 31
The Agency is concerned that many of its IT systems are ‘antiquated’. Which balanced scorecard
measure indicates readiness for an IT modernization program?
Answer: B
Explanation/Reference:
Recognition of Agency business processes and their relationships is essential to modernization of
IT.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 32
The Agency is a frequent cyber-warfare target. What measure best indicates the effectiveness of
IT’s security risk management?
Answer: C
Explanation/Reference:
Reflects the thoroughness of the Agency's risk assessments (a low number is better).
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 33
To ensure Agency flexibility when making work assignments, all relevant information and IT must
be accessible and transferable to any employee in any office. What measures satisfaction of this
goal?
A. Number of incidents where an employee is unable to recover critical data within one work day
B. Average time to provision an ‘Agency standard’ workstation
C. Minimum service level of field office WAN connection
D. Average user rating of satisfaction with IT services
Answer: A
Explanation/Reference:
Business outcome most closely related to the goal.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 34
How is the risk of a breach of electronically maintained client confidential information best
managed?
A. By the service provider's independently validated compliance with the Firm's security
standards.
B. Service agreement requiring that the outsourcer indemnify the Firm for all losses associated
with a breach of security.
C. Encryption of all data maintained at the data center.
D. Through regular audits of data center operations conducted by the Firm’s risk officer
Answer: D
Explanation/Reference:
The only alternative that provides flexibility sufficient to respond to a changing risk
environment.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 35
Individual Courts and Regulators have distinct requirements with respect to the security of
electronic filings.
What approach should the Firm take to ensure that its Attorneys have the capability to submit
electronic filings wherever such are allowed?
Answer: A
Explanation/Reference:
Most cost-effective alternative. Allows the Firm to ensure the technical competence of the
security implementation, while meeting jurisdictional requirements.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 36
One of the Firm’s offices has experienced a successful intrusion into its network by hackers, but
due to poor incident response is unable to determine what information may have been accessed or
modified. What action should immediately be taken?
A. Notify Clients of that office that there may have been a breach of Privileged
communication.
B. Isolate the office network from the Corporate WAN.
C. Notify Firm Attorneys that there has been a hack and that they should therefore review any recently
prepared documents or unexpected changes.
D. Have external auditors conduct a forensic analysis to determine the method and scope
of the intrusion.
Answer: B
Explanation/Reference:
Containment of significant but poorly understood risk is appropriate.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 37
Firm Attorneys regularly include client confidential information in unencrypted Internet email.
Canons of attorney ethics do not require Attorneys to encrypt email or notify clients that they
are using insecure email. What is the Firm's best course of action?
A. Adopt an enterprise email encryption solution that is only partially effective but easy
to implement
B. Inform clients of the practice but agree to any client request not to use such insecure
communication channels
C. Confirm that Firm malpractice policies include losses due to unintended breaches of
privileged communication
D. Inform clients of the practice and agree not to use such insecure communication
channels unless the Client accepts the risk of a confidentiality breach
Answer: A
Explanation/Reference:
Prevention of relatively low risk events is undoubtedly more cost effective than other risk
treatments (avoidance or transfer).
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 38
The Firm is considering deploying a Client portal through which clients can submit required
documents, preview filings requiring signature, review billing records, and securely communicate
with Attorneys and other staff. What information is the most important to collect when evaluating
the risk associated with the portal?
A. Criteria
B. Auditable
C. People
D. Financial
E. Quality
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 40
COBIT processes are grouped into 4 domains, one of which is Monitoring and?
A. Audit
B. Prudence
C. Correction
D. Support
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 41
In COBIT, IT Resources are: People, Application Systems, Data, Technical Infrastructure and?
A. Budgets
B. Facilities
C. Efficiency
D. Security
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 42
Information Criteria is Effectiveness, Efficiency, Confidentiality, Integrity, Availability,
Compliance and?
A. Reliability
B. Reuse
C. Accuracy
D. Accessibility
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 43
COBIT stands for Control Objectives for Information and Related?
A. Tools
B. Terminology
C. Terms
D. Technology
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 44
COBIT makes use of the Deming Cycle. This is made up of Plan, Do, Check and?
A. Think
B. Review
C. Act
D. Assess
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 45
An IT Control Objective is defined as: ... control procedures in a particular IT?
A. Activity
B. Team
C. Organization
D. Review
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 46
COBIT Security Requirements are defined as: Confidentiality, Integrity and?
A. Appropriateness
B. Availability
C. Robustness
D. Secrecy
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 47
In which of the COBIT management domains does Manage third-party suppliers fall?
A. Delivery
B. Monitoring
C. Planning
D. Acquisition
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 48
ITIL directly maps/integrates with COBIT.
A. True
B. False
C. Sometimes
D. Depends
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 49
When IT is aligned with the enterprise's stated objectives, it provides several benefits. Which one
of the following IS NOT one of them?
QUESTION NO: 53
Which of the following statements is true?
1. An organization can be certified against both COBIT and ISO/IEC 20000.
2. COBIT and ITIL complement each other.
A. Both 1 and 2
B. 2 only
C. Neither 1 nor 2
D. 1 only
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 54
Which of the following statements is true?
1. IT Processes are controlled by Control Objectives.
2. IT Processes are measured by Control Practices.
A. Neither 1 nor 2
B. Both 1 and 2
C. 2 only
D. 1 only
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 55
SpinIT is a small but fast-growing record company that wants to move toward more internal
control and governance of IT. What is the best thing to do first?
QUESTION NO: 58
COBIT is an acronym that stands for:
QUESTION NO: 61
Which one of the following should not be included in the COBIT Cube?
A. IT Processes
B. IT Capabilities
C. IT Resources
D. Information Criteria
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 62
Which one of the following ISACA publications is focused on POS, "Manage the IT
Investment"?
A. VAL IT
B. COBIT Implementation Guide
C. COBIT Quickstart
D. Risk IT
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 63
How long is the official COBIT e-learning Foundation course?
A. 4 hours
B. 8 hours
C. 1 hour
D. 2 hours
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 64
Which of the following is not an IT resource, as defined by COBIT?
A. People
B. Infrastructure
C. Technology
D. Information
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 65
In which COBIT domain would you expect to find information on "Ensuring regulatory
compliance"?
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 69
What is driving the need for IT Governance?
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 70
Which of these statements is true?
1. An official COBIT Exam exists to test the understanding of COBIT at the Foundation level.
2. Official COBIT Foundation courses are recognized for CPE credits.
A. 1 only
B. Neither 1 nor 2
C. Both 1 and 2
D. 2 only
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 71
Installing controls (such as firewall security) that provide protection against risks is called:
A. Risk Mitigation
B. Defense-in-Depth
C. Security Resource Management
D. Risk Avoidance
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 72
Match the following scenario with the correct benefit of IT Governance: Information is available
to the appropriate decision makers to monitor IT activities by using accurate performance
measures.
A. Information Sharing
B. Program Information Management
C. Global Communication
D. Transparency
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 74
A Maturity Model is useful because it:
A. 14
B. 34
C. 56
D. 49
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 78
Which of the following is not a RACI term?
A. Responsible
B. Accountable
C. Instructed
D. Consulted
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 79
Which of the following should not be included?
A. Accountable
B. Informed
C. Notified
D. Responsible
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 80
Read the following statement and select the maturity level that corresponds to it: "Processes are
documented and communicated."
A. Ceased
B. Defined
C. Optimized
D. Directed
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 81
Which of the following is not included in the COBIT CUBE?
A. Drivers
B. Resources
C. Processes
D. Information Criteria
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 82
In which COBIT domain would you expect to find information on "Manage third-party
services"?
A. Maturity Models
B. Benefit Realization Capture (BRC)
C. Mission Objective Measurement (MOM)
D. Key Performance Indicators (KPIs)
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 84
Integrity is an information criterion, as defined by COBIT, and is concerned with:
A. The CEO
B. IT Employees
C. The Board of Directors
D. The CIO
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 86
Which tool provides the best indicator of strategic alignment?
A. Balanced scorecard
B. CMM benchmark
C. Dashboards
Answer: A
Explanation/Reference:
Balanced scorecards explicitly connect business goals with IT performance measures. CMM rates
the maturity of a process independent of any statement of business goals. IT metrics reflect the
performance of systems without any statement of business goals. Dashboards are merely a means to
display metrics.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 87
The COBIT IT Assurance Guide would be of primary interest to:
A. Management
B. Auditors
C. Security professionals
D. Functional managers
Answer: B
Explanation/Reference:
ISACA of its various publications; candidates should be familiar with what ISACA offers to whom.
While managers and security professionals may be interested in this document, its primary target is
persons conducting audits.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 88
The average level of programming effort per function point is a:
A. KPI
B. Process KGI
C. IT KGI
Answer: A
Explanation/Reference:
Function points are a measure of application complexity. This measure reflects performance at an
activity (application programming) level.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 89
Scheduling change is a:
A. IT Goal
B. Process Goal
C. Activity Goal
Answer: B
Explanation/Reference:
Change scheduling is an activity that is part of the manage change process. Authorization of
appropriately evaluated changes is the Process Goal and the related IT Goals include timely
response to changing business
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 90
Which of the following least describes COBIT?
A. Technologically neutral
B. Business oriented
C. Multi-stakeholder
D. Prescriptive
E. All or none
Answer: D
Explanation/Reference:
COBIT can be implemented piecemeal, and all COBIT objectives do not have to be achieved by
a single project. By definition COBIT provides a business orientation. COBIT is not dependent
upon or limited to a specific information technology. COBIT assigns roles and responsibilities at
multiple levels in the organization. COBIT identifies governance tasks that need to be performed
(as opposed to describing tasks that have been performed).
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 91
From what perspective should the enterprise view “regulatory compliance”?
A. Financial
B. Customer
C. Internal
D. Learning & growth
Answer: C
Explanation/Reference:
Regulatory compliance is a property of company operations; operational aspects are dealt with in
balanced scorecards as the 'internal perspective'. Compliance may have financial and customer
aspects, but those are not primary.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 92
Information ‘reliability’ is important for which business goal?
A. Business Goals
B. Infrastructure
C. Regulatory requirements
D. IT Goals
E. Technical capability
Answer: A
Explanation/Reference:
Business goals drive the IT goals, which in turn create requirements for the IT enterprise
architecture. Infrastructure is a component of the IT architecture, and technical capability is an
attribute of the people component of the architecture.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 94
IT enterprise architectures describe the relationship between all of the following except
A. Roles
B. Information
C. Processes
D. Customers
E. Applications
Answer: A
Explanation/Reference:
"Roles" identify groups of people as participants in the enterprise architecture. If IT processes
delivered value directly to customers, customers would be a part of the IT architecture. However,
it is not true in general that customers interact with company applications and information, so
'customers' is the appropriate answer.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 95
Alignment is addressed primarily during what phase of the operational lifecycle?
Answer: A
Explanation/Reference:
PO1 defines an IT strategic plan, an essential property of which is alignment with the business
strategic plan and goals. All the other phases follow the determination of strategic plans in the
governance lifecycle.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 96
Problem management is addressed primarily during what phase of the operational lifecycle?
Answer: C
Explanation/Reference:
DS10 | Manage Problems. While the Monitor & Evaluate phase may detect problems and
failures to resolve them, problem resolution is a general form of incident management.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 97
What best describes a “control” in COBIT?
Answer: B
Explanation/Reference:
COBIT does not define control. However, the glossary entries for 'control practices', 'control
objectives' and 'internal control' make it clear that for COBIT 'control' is related to the general
accomplishment of business objectives. The first and third references are too narrow.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 98
An IT control objective is associated with:
A. Business goal
B. Information criteria
C. IT process
D. Performance
Answer: B
Explanation/Reference:
The IT control objective is the result achieved by the control procedure in a given activity. This is
determined by the IT process that organizes the activity. Business goals and information criteria
are too general to identify such objectives. Performance is a retrospective attribute whereas
controls are forward looking.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 99
Which is least likely to be provided by an application control?
A. Accuracy
B. Completeness
C. Reliability
D. Integrity
E. Authorization
Answer: C
Explanation/Reference:
Reliability is a general property of the information system taken as a whole, whereas application
controls deal with specific processing of subsets of data to support specific business functions.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 100
COBIT IT processes cover:
A. Application Controls
B. General Controls
C. Both application and general controls
Answer: B
Explanation/Reference:
The business is responsible for defining functional and control requirements for applications, use
of applications, and manual controls. COBIT IT processes include the implementation of those
control requirements that are shared across applications.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 101
Processes receive required inputs from:
Answer: B
Explanation/Reference:
The activities organized by an IT process obtain information from business users, business
transactions, systems, and customers in addition to inter-process communication. Whereas senior
managers may provide input to an IT process, not all processes depend upon them.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 102
Process maturity is a strategic goal:
A. True
B. False
Answer: B
Explanation/Reference:
Strategic goals relate to business objectives. Process maturity, in and of itself, does not create
value for the customer and thus is only indirectly related to business goals.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 103
Roles that are 'consulted' in RACI charts must 'sign off' on process activities:
A. True
B. False
Answer: B
Explanation/Reference:
In RACI charts 'authorization' is limited to the 'accountable' role.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 104
When responding to complaints about reporting errors in customer reports, management should
focus on what information criteria?
A. Efficiency
B. Integrity
C. Compliance
D. Effectiveness
E. Reliability
Answer: D
Explanation/Reference:
'Effectiveness' refers to the timely delivery of correct, consistent and usable information to the
business process. When IT Goals are linked to IT processes (appendix I), it is clear that effectiveness
reflects customer values, whereas reliability is more an internal management perspective. Integrity
is a concept somewhat limited to the storage and transmission of information that does not include
creation. Efficiency and compliance are distractors.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 105
Which action is a success factor that should help resolve the inability to gain support from the local
office’s business management, according to the COBIT 5 Implementation Guide?
A. Set up a regular Compliance forum which includes members of both local and Overseas
Business Management and local IT Management
B. Only implement improvements that add value to the local office.
C. Produce a RAG matrix for Governance related roles for the local office.
D. Ensure all resources are full time and dedicated to the Governance Initiative
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 106
Which document is an input to Phase 1?
A. Outline Business Case for the Governance Initiative.
B. A list of stakeholders at the local office and Overseas Head Office.
C. A report from HR on staff turnover.
D. Documented approval from the CEO to proceed.
Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 107
Which reason is a root cause for the lack of current enterprise policy and direction within an
organization according to the COBIT 5 Implementation Guide?
A. Publish the key challenges and concerns in respect of the current state on the intranet.
B. Identify key governance issues related to this Initiative and issue to all IT staff.
C. Identify the benefits of the Governance Initiative and issue a newsletter to the local
office.
D. Create steering committees for relevant parts of the Initiative.
Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 109
The following objective and action were defined for the GEIT initiative: Objective: “Identification
of any outstanding issues that will bring this Phase to an end.” Action: “To try and bring the
embedding of a compliance culture in the local office to a close, the IT Manager has collated the
outstanding work that has been delayed due to pockets of resistance to change. The report is to be
passed through to the Project review group for action.” Is this action an appropriate Phase 6 CE
task to address Objective 4?
A. No, because collating work unfinished due to resistance to change is a Phase 4 CE task.
B. Yes, because as this will prove the failure of the mentoring performed in a previous
Phase.
C. No, because collating work unfinished due to resistance to change is a Phase 5 CE task.
D. Yes, because changes can be enforced by local Senior Management when necessary.
Answer: D
------------------------------------------------------------------------------------------------------------------------------------------
The following objective and action were defined for the GEIT initiative: Objective: “Ensure the
improvements are embedded in the culture of the Financial Services Organization.” Action: “The
IT Manager has decided to run awareness sessions about the Change Management process and
its associated benefits for the Financial Services Organization.” Is this action an appropriate
Phase 6 CE task to address Objective 1?
A. Yes, because the awareness sessions will ensure all change requirements have been
addressed.
B. No, because the running of awareness sessions is a Phase 4 CE task.
C. Yes, because the awareness sessions will help to embed new working practices in the
Financial Services Organization.
D. No, because if the Change Management process is formally implemented then awareness
sessions are unnecessary.
Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 111
Which reason is a root cause of resistance to change?
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 114
Which reason is a root cause for a lack of Senior Management buy-in to an improvement
initiative according to the COBIT 5 Implementation Guide?
Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 115
The following objective and action were defined for the GEIT initiative: Objective: “Adopt
working behaviors to ensure the implementation is successful.” Action: “The IT GRC Manager
has held a session with HR and asked them to add standard compliance responsibilities to all job
descriptions at the Financial Services Organization.”. Is this action an appropriate Phase 6 CE task
to address Objective 2?
A. No, because once the Governance Initiative is complete then there is NO further
compliance requirement.
B. Yes, because updated job descriptions will ensure the local office will be compliant with
all future requirements from the Overseas Head Office.
C. Yes, because this will help to reward those involved in compliance initiatives in the
Financial Services Organization.
D. No, because only affected job descriptions should be amended to include compliance
responsibilities.
Answer: D
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 116
Which action is a success factor that should help to resolve the de-motivation of the IT staff
working on the Governance Initiative?
A. Ensure all resources are full time and dedicated to the Governance Initiative.
B. Arrange a training course for users of the change process.
C. Obtain compliance input from the Overseas Head Office auditors.
D. Produce a RAG matrix for Governance related roles for the local office.
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 118
Which reason is a root cause of the difficulty in understanding COBIT 5 and associated
frameworks, procedures and practices?
A. Set up a regular Compliance forum which includes members of both local and Overseas
Business Management and local IT Management.
B. Only implement improvements that add value to the local office.
C. Produce a RAG matrix for Governance related roles for the local office.
D. Ensure all resources are full time and dedicated to the Governance Initiative
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 120
Which action is a success factor which should help resolve the current lack of trust between the
local office IT function and Business Management, according to the COBIT 5 Implementation
Guide?
A. Produce a plan of expected changes for the year ahead which take account of the
compliance requirements
B. Ensure all resources are full time and dedicated to the Governance Initiative.
C. Only implement improvements that add value to the local office.
D. Educate the business by running a COBIT 5 training course.
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 121
Which reason is a root cause of why the cost of the IT Governance Initiative appears to exceed
any benefit, according to the COBIT 5 Implementation Guide?
A. assessment
B. measurement
C. innovation
D. performance management
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
A. To be the basis for the process dimension which outlines the structure of the 37 COBIT
processes
B. To be the basis for the process dimension which gives the specific process references on
each level
C. To contain the generic attributes for the levels two, three, four and five
D. To be the basis for the capability dimension which defines the rating method to conform
to ISO15504
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 126
What capability level is an established process?
A. Level 3
B. Level 1
C. Level 6
D. Level 2
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 127
What rating level must a process attain in order to pass an assessment?
A. F-Fully
B. P - Partially and or L - Largely
C. L - Largely and or F- Fully
D. P- Partially
Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 128
How are Generic Practices used in the Process Assessment Model (PAM)?
A. 37 processes
B. 17 IT Goals and related Metrics
C. 211 Control Objectives
D. Four domains
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 130
Which process contains practices related to access control mechanisms (e.g., granting access to
systems)?
A. APO13
B. DSS05
C. DSS06
D. DSS02
Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 131
How would you rate the following achievement of an attribute in a given process: “Some
evidence of an approach can be identified. Even though not all aspects of the achievement are
evident, the majority (75%) is achieved."
A. Fully
B. None
C. Partly
D. Largely
Answer: D
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 132
In a process the attribute "Process Definition" is largely achieved; all other attributes are "Fully
achieved". What is the adequate rating of the process?
A. Level 3
B. Level 4
C. Level 5
D. Level 2
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 133
In which step of the assessment process (as defined in the Self Assessment Guide) will the Goals
Cascade be used?
A. Monetary risk.
B. Regulatory risk.
C. Reputational risk.
D. All of the above.
Answer: D
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 135
According to "Assurance that Matters" by Norman Marks, what percentage of CAEs and audit
committee members see their primary job as providing assurance in a compliance environment?
(This answer will be found in the print or digital edition of the magazine, not the online version.)
A. 53 percent
B. 54 percent
C. 39 percent
D. 36 percent
Answer: D
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 136
In “Unraveling the Regulatory Knot,” audit committee member Fred Telling says internal auditors
need a 20/80 balance in focus on compliance, with 80 percent focused on the history, background,
and culture that spawned the underlying law and its implementing regulations.
A. True
B. False
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 137
According to "Unraveling the Regulatory Knot," the European Union's Solvency II Directive
requires companies operating in the E.U. to ___________ in order to reduce the risk of
insolvency.
A. True
B. False
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 139
According to "Aligning the Business," by Jonathan Ngah, procedures are a guide to achieve
organizational objectives, and should align with overall strategy.
A. True
B. False
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 140
According to "Aligning the Business," by Jonathan Ngah, red flags related to fraud, financial
reporting misstatements, and various compliance errors often appear in organizations lacking
clearly defined policies and procedures.
A. True
B. False
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 141
According to “Unraveling the Regulatory Knot,” by Russell Jackson, The IIA’s International
Standards for the Professional Practice of Internal Auditing (Standards) require internal auditors
to evaluate risk exposures related to “compliance with laws, regulations, policies, procedures, and
contracts.”
A. True
B. False
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 142
According to “Tools for IT Governance Assurance,” by Ian Sanderson, how do ISACA’s
Information Systems Audit and Assurance Standards treat the topic of materiality?
A. As principles-based.
B. As risk-based.
C. As control-based.
D. As process-based.
Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 143
In “The Wisdom of the Crowd,” what does author Craig Guillot cite as one of the biggest risks
associated with crowd sourcing?
A. Confidentiality breaches.
B. Reputational harm.
C. Fraud.
D. Misinformation.
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 144
According to the 2012/2013 Global Fraud Report, as cited in “Starting Off on the Right Foot,”
what percentage of fraud is committed by insiders, when the perpetrator is known?
A. 73 percent.
B. 67 percent.
C. 32 percent.
D. 22 percent.
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 145
In “Tools for IT Governance Assurance,” what is one of the benefits of using COBIT as a
governance framework?
A. It is aligned with best practices in the information systems field, such as the IT Infrastructure
Library and ISO/IEC 27000 standards series.
B. It is the basis for the IT controls mandated by the revised COSO Internal Control-Integrated
Framework.
C. It is required for compliance with The IIA’s standard on IT governance (Standard 2110.A2).
D. It supersedes IT governance and assurance standards, including the IT Infrastructure Library
and ISO/IEC 27000 standards series.
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 146
Which of the following is identified in “The Wisdom of the Crowd” as one of the most popular
types of crowd sourcing activities?
Answer: D
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 148
In “Starting Off on the Right Foot,” what does author Travis Waite advise internal auditors to
determine first when assessing whether an allegation of wrongdoing has merit?