QUESTION NO: 1

Which is likely to suffer the most should the enterprise outsource its IT function?

A. Strategic alignment
B. Value delivery
C. Risk management
D. Performance measurement

Answer: A
Explanation/Reference:
Outsourcing agreements are unlikely to fully anticipate changes in business strategy, as outsourcing
obligations are fixed in contractual language.
------------------------------------------------------------------------------------------------------------------------------------------

QUESTION NO: 2
The most important aspect of accountability for IT is?
A. Compensation plan
B. Performance measurement
C. Control processes
D. IT balanced scorecard

Answer: C
Explanation/Reference:
http://www.micropoll.com/akira/mpresult/671426-206759
------------------------------------------------------------------------------------------------------------------------------------------

QUESTION NO: 3
What would typically be the greatest IT governance concern?

A. Management of software licenses
B. Effective staff recruitment, retention & training program
C. Bandwidth reservation
D. Thorough and cost-effective disaster recovery planning

Answer: B
Explanation/Reference:
Staff retention is a persistent requirement needed to ensure availability of the resources needed to
execute strategy and deliver value. Failure to retain staff will negatively impact performance.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 4
What is the appropriate course of action for IT management to undertake?

A. Implement the additional systems and processes required by the prospect's standards and
architecture.
B. Halt the standardization effort until A's architecture and standards can be made compliant with
the prospect's architecture and standards.
Delaying implementation of strategy should never be a first alternative
C. Advise against accepting the prospect's business as its standards are inconsistent with those of
Company A.
D. Consult with the Board's IT strategy committee regarding a change in business strategy.

Answer: D
Explanation/Reference:
Where there are substantial barriers to implementing strategy, it is never inappropriate to consult
with the Board.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 5
In the above scenario, Company A's Sr. VP of Sales executed a contract with the prospect that
includes significant penalties for nonperformance.

What is the appropriate action for IT management to undertake?

A. Implement the additional systems and processes required by the prospect's standards and
architecture.
B. Halt the standardization effort until A's architecture and standards can be made compliant with
the prospect's architecture and standards.
C. Seek to outsource servicing the incompatible aspects of the prospect's business.
D. Advise for settlement of contract terms as soon as possible.

Answer: C
Explanation/Reference:
This is undoubtedly the most cost-effective way of meeting customer requirements with
minimum negative impact on the IT Strategy of system and process standardization.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 6
In the above scenario, do the Sr. VP's actions represent a failure of IT governance?

A. No, Governance of IT should not constrain the activities of the Sales organization.
B. Yes, the IT strategy was incompletely harmonized with the business strategy
C. Yes, IT should first review all IT requirements before the Sales organization makes
commitments.
D. No, IT must be able to adapt to changing business requirements.

Answer: D
Explanation/Reference:
IT failed in the execution of strategy by defining standards too narrowly and not anticipating
such customer requests.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 7
Who bears primary responsibility should the IT standardization initiative fail to deliver the
expected efficiencies in Company A's business processes?

A. CEO
B. CIO
C. Business Process Owner.
D. Business Executive

Answer: B
Explanation/Reference:
The CIO is the principal manager of IT resources. It is the responsibility of the CIO to ensure
that business requirements are appropriately recognized and addressed.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 8
Should Company A fail to have a framework for IT governance, what is most likely to suffer?

A. Compliance with regulation and business mandates.
B. Success of its 'low cost service provider' strategy
C. Security of customer data.
D. The operational efficiency of the IT organization.

Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 9
Which finding would most likely motivate the Company’s adoption of a distinct IT governance
program?

A. There is significant unrecognized and unaddressed risk in the Company pharmacy unit’s
handling of customer health information.
B. The Company spends more on IT as a percentage of profit than the grocery industry as a
whole.
C. The Company’s management expense as a percentage of profit is higher than that of the grocery industry as a
whole.
D. The company has experienced multiple year to year increases in the percent of revenue loss
due to spoilage or otherwise un-sellable inventory.
E. The Company’s long time (15+ years) CIO will soon retire.

Answer: D
Explanation/Reference:
The company has experienced multiple year to year increases in the percent of revenue loss due
to spoilage or otherwise un-sellable inventory.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 10
What is the most appropriate measure for the Board to use to track the value of the Company's IT
Governance program?

A. Company stock price
B. Store employee productivity
C. Unit sales and inventory cost
D. Profit margin

Answer: C
Explanation/Reference:
A governance program motivated in part by inventory management issues should be tracking those
costs.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 11
Store operations depend on IT-staff maintained software that was developed in house twenty years
ago. What is the most compelling argument regarding modernization?

A. No change is needed, the current system is ‘tried and true’
B. Systems need to be replaced due to difficulty in finding experienced RPG and COBOL
programmers to maintain them.
C. Systems need to be replaced as the use of the older systems delays introducing new products
and services.
D. Security of the older systems is ‘suspect’

Answer: C
Explanation/Reference:
Such system inadequacies would have major financial impact. (Business & alignment response)
------------------------------------------------------------------------------------------------------------------------------------------

QUESTION NO: 12
The Company has acquired the assets of a 100 store chain liquidated through bankruptcy. The acquired
chain’s computer systems are vendor proprietary, leading edge systems. What should the Company
do with these systems?

A. Continue to operate them and contract with the vendor’s professional services to integrate
these systems with the Company’s financial and logistic systems.
B. Replace these new systems with the Company’s standard store system.
C. Implement a strategy whereby the system in the acquired stores is the basis for a new
Company standard store system.
D. Maintain a separate IT organization until the stores are re-branded and P&L reporting is
integrated.

Answer: B
Explanation/Reference:
Company focus on cost control emphasizes standardization.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 13
Despite the CFO’s certification of compliance with the bankcard industry’s security standards (PCI
DSS), the Company experienced a significant security breach that exposed card information of
more than 1M customers. What changes should be made in the Company's risk management
program?

A. Mandate an increased level of security monitoring
B. Provide additional security training for developer and system admin staff
C. Outsource the management of the Company's network security
D. Add ‘zero breach’ goal to the CEO’s management targets
E. Add ‘zero breach’ goal to the CIO’s management targets

Answer: D
Explanation/Reference:
Accountability for information security is suspect due to certification signoff by the CFO. Assign
accountability to the CEO, given the CIO’s suspect participation.
------------------------------------------------------------------------------------------------------------------------------------------

QUESTION NO: 14
The IT department has developed much of the Company’s intellectual property (tools &
proprietary methods). What is the appropriate accountability? [Framework]

A. Management of Professional Services for the utilization of new tools & methods in client
engagements
B. The CIO for training of professional services staff in the use of new tools & methods
C. The CIO for a positive impact on profits from any newly developed tools or methods
D. Management of Professional Services for the selection of new tools & methods to be included
in the Portfolio.

Answer: C
Explanation/Reference:
IT value is determined by the value it delivers to the Business. IT must act to remove barriers to
the delivery of business value. If such barriers cannot be removed then IT should forgo
development of the subject tool.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 15
What should IT Management be doing in response to new Bank regulation regarding information
security? [Framework]

A. Monitor, evaluate and identify new market opportunities that will follow promulgation of the
new regulation
B. Determine the adequacy of the Portfolio to respond to the requirements of the new regulation
C. Do nothing until Management of Professional Services reports a Client requirement for new
security services
D. Ensure staff attendance at an industry conference focused on the new regulation

Answer: B
Explanation/Reference:
IT is best positioned to understand limits to the capabilities of the portfolio. IT has an obligation to
‘inform the business’ should the Portfolio be found wanting.
------------------------------------------------------------------------------------------------------------------------------------------

QUESTION NO: 16
The Company has determined to ‘productize’ and sell some tools currently used by the Company's
professional services staff. What must IT do to support this strategy? [Alignment]

A. Rewrite tools to reduce dependence on Company infrastructure
B. Plan for increase in size of the Help Desk support staff
C. Determine technical procedures required to protect products from piracy and unlicensed use
D. Hire a consultant to determine requirements of the anticipated 3rd party customers

Answer: D
Explanation/Reference:
While the development of product strategy is not an IT function, IT must provide input regarding
its capability to respond to anticipated requirements.
------------------------------------------------------------------------------------------------------------------------------------------

QUESTION NO: 17
The Company is considering converting most of its salaried consultants to ‘independent contractor’
status. What is the major IT challenge associated with such a move? [Resource Management /
Alignment]

A. A lower Staff commitment to report upon deficiencies in current Portfolio
B. Increased user support requirements due to Staff turnover
C. Need for increased tool automation due to lower experience and sophistication level of staff
D. Protection of IP especially monitoring for unauthorized use of tools

Answer: C
Explanation/Reference:
Greater staff turnover means that without a reduction in the learning curve of the use of Company
products, service quality will suffer. One method to shorten learning curve is to lessen the level of
knowledge required to use the tools through an increased level of tool automation.
------------------------------------------------------------------------------------------------------------------------------------------

QUESTION NO: 18
The Board believes that the Company is an acquisition target by a large manufacturer of computer
systems and discreetly seeks an attractive offer. What should IT management recommend to
maximize value to the potential buyers? [Alignment]

A. Reduce Portfolio's dependence on Company infrastructure
B. Delay starting any new initiatives
C. Reduce IT staff headcount
D. Re-prioritize strategic plans to focus on initiatives that can be completed in the near term

Answer: A
Explanation/Reference:
Increases the opportunity for reuse by the acquiring company while minimizing risk to current
operations; may otherwise make for more efficient IT operations.
------------------------------------------------------------------------------------------------------------------------------------------

QUESTION NO: 19
The IT infrastructure is currently unable to support new ways of communicating with clients
such as SMS or ‘twitter’. What is the best way for IT to acquire such communications capability?

A. Show how the new infrastructure supports a strategic business goal
B. Contract with an ISP or other service provider for the capability
C. Implement risk based controls that ensure appropriate use of such protocols
D. Assign appropriate task responsibilities to the CTO

Answer: A
Explanation/Reference:
Activities in support of strategic goals will always be given priority
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 20
Brokers are complaining that the nightly 2-hour maintenance window diminishes their opportunity
to enter and complete transactions for international clients. What is the best way to improve system
availability?

A. Upgrade hardware and reduce maintenance activities
B. Segment resources serving international clients and perform maintenance on a
different schedule
C. Add system administration staff to shorten maintenance window
D. Upgrade transaction processing systems

Answer: D
Explanation/Reference:
Modern transaction processing systems should support 7X24 processing allowing for
maintenance activities such as backup, routine software fixes / feature additions and patch
installation to occur in real time.
------------------------------------------------------------------------------------------------------------------------------------------

QUESTION NO: 21
Retail customers are complaining that the Company does not support online trading. The retail
unit does not have expertise in-house to develop and maintain a secure online trading system.

What is the best way for it to acquire that expertise?

A. Share application components used by institutional customers for online trading
B. Contract for services from an existing online brokerage
C. Hire new staff with the requisite skills
D. Train existing development staff in required protocols and tools

Answer: B
Explanation/Reference:
Where there is no competitive or strategic advantage, it’s generally better to buy vs build. Buying
services rather than owning software is likely to have a lower TCO (at least during the transition
period).
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 22
Due to cost pressures brought about by new regulation, the Company seeks to relocate all data
processing to a Company operated off-shore facility. What is the major concern with this tactic?

A. Additional resource requirements for compliance monitoring may not be recognized
B. Security
C. Disruption and errors introduced during migration
D. Expected cost savings may not be realized

Answer: A
Explanation/Reference:
Since the relocation is intended to avoid costs due to regulation, it is necessary to implement controls
to ensure that the Company remains compliant with those regulations.
------------------------------------------------------------------------------------------------------------------------------------------

QUESTION NO: 23
The Company is experiencing frequent disruptions in system operations.
What is the best way to address this problem?

A. Strengthen perimeter security with next generation firewalls and intrusion detection
B. Accelerate server maintenance and replacement
C. Add more capability to monitor the state of system and network resources
D. Resize servers, routers, disk arrays and other components

Answer: C
Explanation/Reference:
Resize servers, routers, disk arrays and other components
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 24
To support the modernization effort, the CIO anticipates that Company ‘messaging’ capabilities
will have to be upgraded to include some kind of ‘collaboration engine’ such as Sharepoint or
Lotus Domino. What is the best way to proceed?

A. Immediately include the new infrastructure in the IT architecture and fund the component
out of the modernization budget
B. Wait until the need for the new component is apparent in a critical workflow and then include
acquisition and implementation of that component as part of the project to automate that critical
workflow
C. Collect ‘collaboration’ requirements from all current project teams. Implement common
component if it is cost effective solution to the collective collaboration requirement
D. Develop an infrastructure upgrade strategy to support the modernization program, the costs of
which are assigned to IT’s capital budget

Answer: C
Explanation/Reference:
Ensures the value of the collaboration engine will be appropriately assessed and that the investment
decision is made on that basis. Infrastructure components derive their value from that of the applications
that they support.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 25
New regulation mandates that the Company support data exchange procedures for which the
Company anticipates significant cost but little, if any, financial benefit in the next five years. What
is the best approach to managing this investment?

A. Implement the applications that will leverage the new procedures so as to produce business
value
B. Initiate a project to implement the exchange capability but assign it minimum resources
C. Include support for the exchange capability in the portfolio of modernization projects
D. Delay implementation of the capability for as long as possible

Answer: C
Explanation/Reference:
Value management | governance response. Address the support requirements in the context of the
portfolio of Company investments.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 26
Recently, a ‘never event’ resulting in the death of a patient occurred at the hospital. Current
industry standards dictate that such an event should ‘never’ occur at a well-managed hospital.

The hospital could implement a very expensive application control to prevent a re-occurrence, but
the cost would have to be paid out of the modernization budget. What is the most appropriate
action?

A. Immediately implement the new application control as part of the modernization budget.
B. Delay implementation of the control until another cost center for the control is found.
C. Increase the priority of projects that would automate the suspect processes identified by the
root cause analysis of the event.
D. Do nothing and accept the risk of such events given their very low frequency and high
mitigation cost.

Answer: C
Explanation/Reference:
Priority is in the context of portfolio management. RCA will identify process failures that can be
avoided through automation.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 27
The company has not yet obtained expected benefits from the modernization program. What is
best course of action?

A. Advise patience as total return should increase with time
B. Increase the hurdle rate for the higher risk investments
C. Delay closing projects until demonstration of value delivery
D. Increase the modernization budget

Answer: C
Explanation/Reference:
Lack of receipt of value indicates a problem in value planning or execution. This response
ensures project management until all capabilities required to receive business value are in place.
------------------------------------------------------------------------------------------------------------------------------------------

QUESTION NO: 28
The project to implement a highly visible medical support application is 25% complete but has
consumed 50% of its budget. What is the most appropriate course of action?

A. Increase the project budget as the application directly relates to Company mission
B. Increase the assumed level of project risk and re-evaluate the investment decision
C. Shelve the project in favor of those with greater likelihood of implementation success
D. Develop a plan to complete the project with the remaining budget

Answer: B
Explanation/Reference:
Value management response | ensures consideration of risk and value in context of portfolio of
investments.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 29
An Agency goal is to more easily integrate information collected at different times and by different
sources within the Agency. Which of the following measures would best indicate IT’s progress
toward this goal?

A. Number of systems compliant with Agency metadata standards
B. Time required to complete information request
C. Number of analyst tools available for use in consolidating data
D. Time to complete complaint / filing

Answer: D
Explanation/Reference:
This would be a business consequence of goal satisfaction
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 30
The Agency continues to regularly experience incomplete data sharing despite improvement in
performance metrics. Which of the following is most likely to be the reason for this?

A. Staff are inexperienced in the use of new systems
B. Information architecture is incomplete
C. Staff are motivated to keep control over information that they collect
D. Collected performance metrics measure efficiency rather than effectiveness

Answer: D
Explanation/Reference:
Inconsistency between metrics and ‘reality’ implies a deficiency in the metrics. The reported
metric reports time w/o control for ‘quality’.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 31
The Agency is concerned that many of its IT systems are ‘antiquated’. Which balanced scorecard
measure indicates readiness for an IT modernization program?

A. % of service contracts meeting SLA w/o dispute
B. % of agency business processes identified in EA
C. % of IT staff w/ certified skills and system knowledge
D. % of users satisfied with help desk support

Answer: B
Explanation/Reference:
Recognition of Agency business processes and their relationships is essential to modernization of
IT.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 32
The Agency is a frequent cyber-warfare target. What measure best indicates the effectiveness of
IT’s security risk management?

A. % compliance with federal information processing standards (FIPS)
B. # of reported security incidents
C. # of incidents relating to un-anticipated threats
D. % of systems current on all vendor patches

Answer: C
Explanation/Reference:
Reflects the thoroughness of the Agency’s risk assessments (a low number is better).
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 33
To ensure Agency flexibility when making work assignments, all relevant information and IT must
be accessible and transferable to any employee in any office. What measures satisfaction of this
goal?

A. # of incidents where an employee is unable to recover critical data within one work day
B. Average time to provision an ‘Agency standard’ workstation
C. Minimum service level of field office WAN connection
D. Average user rating of satisfaction with IT services

Answer: A
Explanation/Reference:
Business outcome most closely related to the goal
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 34
How is the risk of a breach of electronically maintained client confidential information best
managed?

A. By the service provider’s independently validated compliance with the Firm’s security
standards.
B. Service agreement requiring that the Outsource indemnify the Firm for all losses associated
with a breach of security.
C. Encryption of all data maintained at the data center.
D. Through regular audits of data center operations conducted by the Firm’s risk officer

Answer: D
Explanation/Reference:
The only alternative that provides flexibility sufficient to respond to a changing risk
environment.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 35
Individual Courts and Regulators have distinct requirements with respect to the security of
electronic filings.

What approach should the Firm take to ensure that its Attorneys have the capability to submit
electronic filings where ever such are allowed?

A. Provision a suite of security services to be used as determined by individual Attorneys
B. Implement a global security standard that encompasses the security requirements of all
jurisdictions
C. Allow offices in different jurisdictions to independently implement the appropriate security
procedures as required by the relevant Courts and Agencies
D. Support with a global standard the most common security requirements; defer electronic filings
in jurisdictions not supported by that standard.

Answer: A
Explanation/Reference:
Most cost-effective alternative. Allows the Firm to ensure the technical competence of the
security implementation, while meeting jurisdictional requirements.
------------------------------------------------------------------------------------------------------------------------------------------

QUESTION NO: 36
One of the Firm’s offices has experienced a successful intrusion into its network by hackers, but
due to poor incident response is unable to determine what information may have been accessed or
modified. What action should immediately be taken?

A. Notify Clients of that office that there may have been a breach of Privileged
communication.
B. Isolate the office network from the Corporate WAN.
C. Notify Firm Attorneys that there has been a hack and therefore review any recently
prepared documents or unexpected changes.
D. Have external auditors conduct a forensic analysis to determine the method and scope
of the intrusion.

Answer: B
Explanation/Reference:
Containment of significant but poorly understood risk is appropriate.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 37
Firm Attorneys regularly include client confidential information in unencrypted Internet email.
Canons of attorney ethics do not require Attorneys to encrypt email or notify clients that they
are using insecure email. What is the Firm’s best course of action?

A. Adopt an enterprise email encryption solution that is only partially effective but easy
to implement
B. Inform clients of the practice but agree to any client request not to use such insecure
communication channels
C. Confirm that Firm malpractice policies include losses due to unintended breaches of
privileged communication
D. Inform clients of the practice and agree not to use such insecure communication
channels unless the Client accepts the risk of a confidentiality breach

Answer: A
Explanation/Reference:
Prevention of relatively low risk events is undoubtedly more cost effective than other risk
treatments (avoidance or transfer).
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 38
The Firm is considering deploying a Client portal through which clients can submit required
documents, preview filings requiring signature, review billing records, and securely communicate
with Attorneys and other staff. What information is the most important to collect when evaluating
the risk associated with the portal?

A. Likelihood of intrusion attempts
B. Level of client use
C. Impact on Attorney productivity
D. Cost of appropriate security

Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 39
COBIT presents the Governance Cube. The three main areas of this cube are IT Processes, IT
Resources and?

A. Criteria
B. Auditable
C. People
D. Financial
E. Quality
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 40
COBIT processes are grouped into 4 domains, one of which is Monitoring and?

A. Audit
B. Prudence
C. Correction
D. Support
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 41
In COBIT, IT Resources are: People, Application Systems, Data, Technical Infrastructure and?

A. Budgets
B. Facilities
C. Efficiency
D. Security
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 42
Information Criteria is Effectiveness, Efficiency, Confidentiality, Integrity, Availability,
Compliance and?

A. Reliability
B. Reuse
C. Accuracy
D. Accessibility
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 43
COBIT stands for Control Objectives for Information and Related?

A. Tools
B. Terminology
C. Terms
D. Technology
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 44
COBIT makes use of the Deming Cycle. This is made up of Plan, Do, Check and?

A. Think
B. Review
C. Act
D. Assess
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 45
An IT Control Objective is defined as: ... control procedures in a particular IT?

A. Activity
B. Team
C. Organization
D. Review
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 46
COBIT Security Requirements are defined as: Confidentiality, Integrity and?

A. Appropriateness
B. Availability
C. Robustness
D. Secrecy
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 47
In which of the COBIT management domains does Manage third-party suppliers fall?

A. Delivery
B. Monitoring
C. Planning
D. Acquisition
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 48
ITIL directly maps/integrates with COBIT.

A. True
B. False
C. Sometimes
D. Depends
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 49
When IT is aligned with the enterprise's stated objectives, it provides several benefits. Which one
of the following IS NOT one of them?

A. Compliance with regulatory requirements
B. Enabling of cost-effective administration and management
C. Value addition to business products and services
D. Optimal use of resources
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 50
Select the correct statement.

A. KPIs are lead indicators.
B. KPIs are lag indicators.
C. KPIs and KGIs are synonymous.
D. KGIs are lead indicators.
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 51
Easy Credit Cards Inc. in the US plans to set up a transaction center in the Philippines. Which
one of the following would be the best approach for resource optimization?

A. Employing cheaper resources
B. Reducing cost while delivering better service
C. Providing faster and more reliable service
D. Planning for disaster recovery in the event of a disaster
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 52
Balancing value and cost:

A. All answers apply
B. Achieving regulatory compliance
C. Managing complexity
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 53
Which of the following statements is true?
1. An organization can be certified against both COBIT and ISO/IEC 20000.
2. COBIT and ITIL complement each other.

A. Both 1 and 2
B. 2 only
C. Neither 1 nor 2
D. 1 only
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 54
Which of the following statements is true?
1. IT Processes are controlled by Control Objectives.
2. IT Processes are measured by Control Practices.

A. Neither 1 nor 2
B. Both 1 and 2
C. 2 only
D. 1 only
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 55
SpinIT is a small but fast-growing record company that wants to move toward more internal
control and governance of IT. What is the best thing to do first?

A. Start with an audit, as defined by the Assurance Guide.
B. Start implementing the 10 processes of the domain: Plan & Organize.
C. Start implementing the four processes of the domain: Monitor & Evaluate.
D. Start using COBIT Quickstart.
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 56
Describe how COBIT defines resources in an IT environment.

A. Technology, Applications, Software, Networks
B. Applications, Information, Infrastructure, People
C. Technology, Information, Infrastructure, Networks
D. Applications, Infrastructure, Networks, People
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 57
Which of the following is not a process defined by COBIT?

A. Monitor & Evaluate
B. Acquire & Integrate
C. Delivers & Support
D. Plan & Organize
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 58
COBIT is an acronym that stands for:

A. Control Objectives for Information and related Technology
B. Clear Objectives Before Integrating Technology
C. Cross Organizational Business Information Technology
D. Control and Observe Information Technology
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 59
"Security" is:

A. Not mentioned by COBIT
B. An IT challenge
C. An IT resource
D. An information criterion
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 60
Organizations find it convenient to use COBIT because:

A. COBIT is positioned centrally at the detailed level.
B. It relates to other frameworks (COSO, CMM, and so on).
C. Implementing COBIT makes ITIL obsolete.
D. All options are correct.
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 61
Which one of the following should not be included in the COBIT Cube?

A. IT Processes
B. IT Capabilities
C. IT Resources
D. Information Criteria
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 62
Which one of the following ISACA publications is focused on PO5, "Manage the IT
Investment"?

A. VAL IT
B. COBIT Implementation Guide
C. COBIT Quickstart
D. Risk IT
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 63
How long is the official COBIT e-learning Foundation course?

A. 4 hours
B. 8 hours
C. 1 hour
D. 2 hours
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 64
Which of the following is not an IT resource, as defined by COBIT?

A. People
B. Infrastructure
C. Technology
D. Information
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 65
In which COBIT domain would you expect to find information on "Ensuring regulatory
compliance"?

A. Plan and Organize
B. Acquire and Implement
C. Deliver and Support
D. Monitor and Evaluate
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 66
IOU Company has cross-functional teams that deliver projects late. Developers are unable to
understand the terms used by the business managers and vice versa.

How does COBIT help in this situation?

A. COBIT manages complexity by introducing the PO processes.
B. COBIT defines a model for efficient cross-functional coordination.
C. COBIT helps better communicate using a common language.
D. COBIT introduces internal controls & processes to provide assurance.
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 67
All potential users can benefit from COBIT content as an overall approach to managing and
governing IT, together with more detailed standards, such as:

A. CMM for solution delivery
B. ISO/IEC 27002 for information security
C. ITIL for service delivery
D. All answers are correct
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 68
Predefined measures that determine how well an IT process enables the achievement of goals are
called:

A. Critical Success Factors (CSFs)
B. Key Goal Indicators (KGIs)/Outcome Measures
C. Key Performance Indicators (KPIs)
D. Performance Indicators
E. Mission Objective Measurement (MOM)

Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 69
What is driving the need for IT Governance?

A. All answers apply
B. Balancing value and cost
C. Managing complexity
D. Achieving regulatory compliance

Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 70
Which of these statements is true?
1. An official COBIT Exam exists to test the understanding of COBIT at the Foundation level.
2. Official COBIT Foundation courses are recognized for CPE credits.

A. 1 only
B. Neither 1 nor 2
C. Both 1 and 2
D. 2 only
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 71
Installing controls (such as firewall security) that provide protection against risks is called:

A. Risk Mitigation
B. Defense-in-Depth
C. Security Resource Management
D. Risk Avoidance
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 72
Match the following scenario with the correct benefit of IT Governance: Information is available
to the appropriate decision makers to monitor IT activities by using accurate performance
measures.

A. Confidence of the top management
B. Easier Auditing
C. More reliable services
D. More transparency
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 73
Ensuring that information about appropriate IT functions, services, and value delivered is
available at all levels needing that information is called:

A. Information Sharing
B. Program Information Management
C. Global Communication
D. Transparency
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 74
A Maturity Model is useful because it:

A. Defines the capability targets to be achieved.
B. Trains staff to improve performance.
C. Obtains certification from an external party.
D. Identifies critical operational issues that need to be addressed.
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 75
IOU Company has started to implement COBIT, but they are not sure whether "people" is an IT
resource:

A. No, COBIT does not include "people" as an IT resource.
B. Yes, COBIT includes "people" as an IT resource.
C. It depends on whether the number of IT staff exceeds the company threshold.
D. It depends on whether people are internal, outsourced, or contracted.
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 76
COBIT is published by:

A. International Organization for Standardization (ISO)
B. IT Governance Institute (ITGI)
C. Paul Sarbanes & Michael Oxley (SOX)
D. United Kingdom's Office of Government Commerce (OGC)
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 77
How many IT processes are defined by COBIT?

A. 14
B. 34
C. 56
D. 49
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 78
Which of the following is not a RACI term?

A. Responsible
B. Accountable
C. Instructed
D. Consulted
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 79
Which of the following should not be included?

A. Accountable
B. Informed
C. Notified
D. Responsible
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 80
Read the following statement and select the maturity level that corresponds to it:
"Processes are documented and communicated."

A. Ceased
B. Defined
C. Optimized
D. Directed
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 81
Which of the following is not included in the COBIT CUBE?

A. Drivers
B. Resources
C. Processes
D. Information Criteria
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 82
In which COBIT domain would you expect to find information on "Manage third-party
services"?

A. Plan and Organize
B. Monitor and Evaluate
C. Acquire and Implement
D. Deliver and Support
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 83
A method that helps an organization make a systematic attempt to improve by measuring
proficiency in a focus area is:

A. Maturity Models
B. Benefit Realization Capture (BRC)
C. Mission Objective Measurement (MOM)
D. Key Performance Indicators (KPIs)
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 84
Integrity is an information criterion, as defined by COBIT, and is concerned with:

A. Provision of appropriate information
B. Protection of sensitive information
C. Safeguarding of necessary resources
D. Accuracy and completeness of information
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 85
According to COBIT, who is responsible for IT Governance?

A. The CEO
B. IT Employees
C. The Board of Directors
D. The CIO
Answer:
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 86
Which tool provides the best indicator of strategic alignment?

A. Balanced scorecard
B. CMM benchmark
C. Dashboards

Answer: A
Explanation/Reference:
Balanced scorecards explicitly connect business goals with IT performance measures. CMM rates
the maturity of processes independent of any statement of business goals. IT metrics reflect the
performance of systems without any statement of business goals. Dashboards are merely a means to
display metrics.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 87
The COBIT IT Assurance Guide would be of primary interest to:

A. Management
B. Auditors
C. Security professionals
D. Functional managers

Answer: B
Explanation/Reference:
This question concerns ISACA and its various publications; candidates should be familiar with what ISACA offers to whom.
While managers and security professionals may be interested in this document, its primary target is persons
conducting audits.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 88
The average level of programming effort per function point is a:

A. KPI
B. Process KGI
C. IT KGI

Answer: A
Explanation/Reference:
Function points are a measure of application complexity. This measure reflects performance at an
activity (application programming) level.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 89
Scheduling change is a:

A. IT Goal
B. Process Goal
C. Activity Goal

Answer: B
Explanation/Reference:
Change scheduling is an activity that is part of the manage change process. Authorization of
appropriately evaluated changes is the Process Goal and the related IT Goals include timely
response to changing business
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 90
Which of the following least describes COBIT?

A. Technologically neutral
B. Business oriented
C. Multi-stakeholder
D. Prescriptive
E. All or none

Answer: D
Explanation/Reference:
COBIT can be implemented piecemeal, and all COBIT objectives do not have to be achieved by
a single project. By definition COBIT provides a business orientation. COBIT is not dependent
upon or limited to a specific information technology. COBIT assigns roles and responsibilities at
multiple levels in the organization. COBIT identifies governance tasks that need to be performed
(as opposed to describing tasks that have been performed).
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 91
From what perspective should the enterprise view “regulatory compliance”?

A. Financial
B. Customer
C. Internal
D. Learning & growth
Answer: C
Explanation/Reference:
Regulatory compliance is a property of company operations; operational aspects are dealt with in
balanced scorecards as the 'internal perspective'. Compliance may have financial and customer
aspects, but those are not primary.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 92
Information ‘reliability’ is important for which business goal?

A. Increased market share
B. Service availability
C. Transparency
D. Lowering process costs
Answer: B
Explanation/Reference:
Reliability relates to the provisioning of information to management so that it can exercise
governance and fiduciary responsibility. Transparency is essential to these functions.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 93
The IT enterprise architecture is determined by:

A. Business Goals
B. Infrastructure
C. Regulatory requirements
D. IT Goals
E. Technical capability

Answer: A
Explanation/Reference:
Business goals drive the IT goals, which in turn create requirements for the IT enterprise
architecture. Infrastructure is a component of the IT architecture, and technical capability is an
attribute of the people component of the architecture.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 94
IT enterprise architectures describe the relationship between all of the following except

A. Roles
B. Information
C. Processes
D. Customers
E. Applications
Answer: A
Explanation/Reference:
"Roles" identify groups of people as participants in the enterprise architecture. If IT processes
delivered value directly to customers, customers would be a part of the IT architecture. However,
it is not true in general that customers interact with company applications and information, so
'customers' is the appropriate answer.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 95
Alignment is addressed primarily during what phase of the operational lifecycle?

A. Plan and organize
B. Acquire and implement
C. Deliver and support
D. Monitor and evaluate

Answer: A
Explanation/Reference:
PO1 defines an IT strategic plan, an essential property of which is alignment with the business
strategic plan and goals. All the other phases follow the determination of strategic plans in the
governance lifecycle.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 96
Problem management is addressed primarily during what phase of the operational lifecycle?

A. Plan and organize
B. Acquire and implement
C. Deliver and support
D. Monitor and evaluate

Answer: C
Explanation/Reference:
DS10 | Manage Problems. While the Monitor & Evaluate phase may detect problems and
failures to resolve them, problem resolution is a general form of incident management.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 97
What best describes a “control” in COBIT?

A. A process that ensures specific outcomes
B. Policies and procedures that provide assurance of business objectives
C. An automated process that prevents or detects undesirable events

Answer: B
Explanation/Reference:
COBIT does not define 'control'. However, the glossary entries for 'control practices', 'control
objectives' and 'internal control' make it clear that for COBIT 'control' is related to the general
accomplishment of business objectives. The first and third options are too narrow.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 98
An IT control objective is associated with:

A. Business goal
B. Information criteria
C. IT process
D. Performance
Answer: B
Explanation/Reference:
The IT control objective is the result achieved by the control procedure in a given activity. This is
determined by the IT process that organizes the activity. Business goals and information criteria
are too general to identify such objectives. Performance is a retrospective attribute whereas
controls are forward looking.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 99
Which is least likely to be provided by an application control?

A. Accuracy
B. Completeness
C. Reliability
D. Integrity
E. Authorization

Answer: C
Explanation/Reference:
Reliability is a general property of the information system taken as a whole, whereas application
controls deal with specific processing of subsets of data to support specific business functions.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 100
COBIT IT processes cover:

A. Application Controls
B. General Controls
C. Both application and general controls

Answer: B
Explanation/Reference:
The business is responsible for defining functional and control requirements for applications, use
of applications, and manual controls. COBIT IT processes include the implementation of those
control requirements that are shared across applications.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 101
Processes receive required inputs from:

A. Other processes exclusively
B. As a result of process activity
C. Sr. Management
D. None of the above

Answer: B
Explanation/Reference:
The activities organized by an IT process obtain information from business users, business
transactions, systems, and customers in addition to inter-process communication. Whereas senior
managers may provide input to an IT process, not all processes would depend upon them.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 102
Process maturity is a strategic goal:

A. True
B. False
Answer: B
Explanation/Reference:
Strategic goals relate to business objectives. Process maturity, in and of itself, does not create
value for the customer and thus is only indirectly related to business goals.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 103
Roles that are 'consulted' in RACI charts, must 'sign off' on process activities:

A. True
B. False

Answer: B
Explanation/Reference:
In RACI charts 'authorization' is limited to the 'accountable' role.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 104
When responding to complaints about reporting errors in customer reports, management should
focus on what information criteria?

A. Efficiency
B. Integrity
C. Compliance
D. Effectiveness
E. Reliability

Answer: D
Explanation/Reference:
'Effectiveness' refers to the timely delivery of correct, consistent and usable information to the
business process. When IT Goals are linked to IT processes (appendix I), it is clear that effectiveness
reflects customer values, whereas reliability is more an internal management perspective. Integrity
is a concept somewhat limited to the storage and transmission of information that does not include
creation. Efficiency and compliance are distracters.
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 105
Which action is a success factor that should help resolve the inability to gain support from the local
office’s business management, according to the COBIT 5 Implementation Guide?

A. Set up a regular Compliance forum which includes members of both local and Overseas
Business Management and local IT Management
B. Only implement improvements that add value to the local office.
C. Produce a RAG matrix for Governance related roles for the local office.
D. Ensure all resources are full time and dedicated to the Governance Initiative
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 106
Which document is an input to Phase 1?

A. Outline Business Case for the Governance Initiative.
B. A list of stakeholders at the local office and Overseas Head Office.
C. A report from HR on staff turnover.
D. Documented approval from the CEO to proceed.
Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 107
Which reason is a root cause for the lack of current enterprise policy and direction within an
organization according to the COBIT 5 Implementation Guide?

A. Weak enterprise risk management
B. IT budget committed to infrastructure.
C. Overly optimistic goals.
D. Best practices are copied and are NOT adopted.
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 108
In a GEIT initiative it is unclear how the business is going to be kept informed in respect of the
progress. Which CE task is executed to keep all units informed of progress during Phase 2?

A. Publish the key challenges and concerns in respect of the current state on the intranet.
B. Identify key governance issues related to this Initiative and issue to all IT staff.
C. Identify the benefits of the Governance Initiative and issue a newsletter to the local
office.
D. Create steering committees for relevant parts of the Initiative.
Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 109
The following objective and action were defined for the GEIT initiative: Objective: “Identification
of any outstanding issues that will bring this Phase to an end.” Action: “To try and bring the
embedding of a compliance culture in the local office to a close, the IT Manager has collated the
outstanding work that has been delayed due to pockets of resistance to change. The report is to be
passed through to the Project review group for action.” Is this action an appropriate Phase 6 CE
task to address Objective 4?

A. No, because collating work unfinished due to resistance to change is a Phase 4 CE task.
B. Yes, because as this will prove the failure of the mentoring performed in a previous
Phase.
C. No, because collating work unfinished due to resistance to change is a Phase 5 CE task.
D. Yes, because changes can be enforced by local Senior Management when necessary.

Answer: D
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 110
The following objective and action were defined for the GEIT initiative: Objective: “Ensure the
improvements are embedded in the culture of the Financial Services Organization.” Action: “The
IT Manager has decided to run awareness sessions about the Change Management process and
its associated benefits for the Financial Services Organization.” Is this action an appropriate
Phase 6 CE task to address Objective 1?

A. Yes, because the awareness sessions will ensure all change requirements have been
addressed.
B. No, because the running of awareness sessions is a Phase 4 CE task.
C. Yes, because the awareness sessions will help to embed new working practices in the
Financial Services Organization.
D. No, because if the Change Management process is formally implemented then awareness
sessions are unnecessary.

Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 111
Which reason is a root cause of resistance to change?

A. Resistant to acknowledge weaknesses.
B. Priorities NOT allocated appropriately.
C. IT budget already committed to infrastructure.
D. Continual improvement NOT part of the working culture.

Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 112
The following objective and action were defined for the GEIT initiative: Objective: “The need to
keep the Head Office informed of issues.” Action: “The IT Manager has decided to produce an
escalation process that will ensure all issues are raised directly with the Head Office.” Is this action
an appropriate Phase 6 CE task to address Objective 3?

A. No, because issues should be passed to Internal Audit for resolution.
B. Yes, because all process changes should be enforced by Head Office Senior Management
to bring the current Governance Initiative to a close.
C. Yes, because this approach will ensure quick resolution of issues.
D. No, because issues that can NOT be resolved within the local office should be sent to the
Overseas Head Office.

Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 113
Which is a success factor that should help to resolve the concern raised over the overall value of
the Governance Initiative?

A. Seek to second a compliance resource from the Overseas Head Office.
B. Produce a RAG matrix for Governance related roles for the local office.
C. Arrange a training course for users of the change process
D. Issue a compliance article on the Intranet site in business terms.

Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 114
Which reason is a root cause for a lack of Senior Management buy-in to an improvement
initiative according to the COBIT 5 Implementation Guide?

A. Continual improvement is NOT part of the culture.
B. Best practices are copied and are NOT adopted.
C. Poor perception of the credibility of the IT function.
D. Lack of dedicated resources.

Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 115
The following objective and action were defined for the GEIT initiative: Objective: “Adopt
working behaviors to ensure the implementation is successful.” Action: “The IT GRC Manager
has held a session with HR and asked them to add standard compliance responsibilities to all job
descriptions at the Financial Services Organization.”. Is this action an appropriate Phase 6 CE task
to address Objective 2?

A. No, because once the Governance Initiative is complete then there is NO further
compliance requirement.
B. Yes, because updated job descriptions will ensure the local office will be compliant with
all future requirements from the Overseas Head Office.
C. Yes, because this will help to reward those involved in compliance initiatives in the
Financial Services Organization.
D. No, because only affected job descriptions should be amended to include compliance
responsibilities.

Answer: D
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 116
Which action is a success factor that should help to resolve the de-motivation of the IT staff
working on the Governance Initiative?

A. Organize a road show with the Business Management, revisiting stakeholders.
B. Produce a RAG matrix for Governance related roles for the local office.
C. Arrange a training course for users of the change process.
D. Ensure all resources are full time and dedicated to the Governance Initiative.
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 117
Which action is a success factor that should help to resolve the lack of take up of the change
management process?

A. Ensure all resources are full time and dedicated to the Governance Initiative.
B. Arrange a training course for users of the change process.
C. Obtain compliance input from the Overseas Head Office auditors.
D. Produce a RAG matrix for Governance related roles for the local office.
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 118
Which reason is a root cause of the difficulty in understanding COBIT 5 and associated
frameworks, procedures and practices?

A. Lack of business understanding of IT issues.
B. Lack of knowledge.
C. Insufficient dedicated resources
D. NOT enough consideration of how they do things at the organization.
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 119
Which action is a success factor that should help resolve the inability to gain support from the local
office's business management, according to the COBIT 5 Implementation Guide?

A. Set up a regular Compliance forum which includes members of both local and Overseas
Business Management and local IT Management.
B. Only implement improvements that add value to the local office.
C. Produce a RAG matrix for Governance related roles for the local office.
D. Ensure all resources are full time and dedicated to the Governance Initiative
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 120
Which action is a success factor which should help resolve the current lack of trust between the
local office IT function and Business Management, according to the COBIT 5 Implementation
Guide?

A. Produce a plan of expected changes for the year ahead which take account of the
compliance requirements
B. Ensure all resources are full time and dedicated to the Governance Initiative.
C. Only implement improvements that add value to the local office.
D. Educate the business by running a COBIT 5 training course.
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 121
Which reason is a root cause of why the cost of the IT Governance Initiative appears to exceed
any benefit, according to the COBIT 5 Implementation Guide?

A. There is poor communication about the expected successes of the Initiative.
B. Budget funds have already been spent on another initiative (e.g., a takeover) and this is
seen as a further drain on resources.
C. There is a perception that there is a lack of required compliance skills.
D. A recent takeover has left uncertainty and the threat of further changes.
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 122
Which activity is a Continual Improvement task performed during Phase 1?

A. Raise local Management's awareness of the importance of the Initiative.
B. Raise awareness of compliance issues with the local office.
C. Understand full impact of the Governance Initiative.
D. Identify other project dependencies such as the Security and HR projects
Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 123
Which reason is a root cause for a lack of Senior Management buy-in to an improvement
initiative according to the COBIT 5 Implementation Guide?

A. Continual improvement is NOT part of the culture.
B. Lack of dedicated resources.
C. Poor perception of the credibility of the IT function
D. Best practices are copied and are NOT adopted.
Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 124
Identify the missing word(s) in the following sentence: "Process [ ? ] is a process attribute for a
Predictable process."

A. assessment
B. measurement
C. innovation
D. performance management
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------

QUESTION NO: 125
What is the purpose of the Process Reference Model?

A. To be the basis for the process dimension which outlines the structure of the 37 COBIT
processes
B. To be the basis for the process dimension which gives the specific process references on
each level
C. To contain the generic attributes for the levels two, three, four and five
D. To be the basis for the capability dimension which defines the rating method to conform
to ISO15504
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 126
What capability level is an established process?

A. Level 3
B. Level 1
C. Level 6
D. Level 2
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 127
What rating level must a process attain in order to pass an assessment?

A. F-Fully
B. P - Partially and or L - Largely
C. L - Largely and or F- Fully
D. P- Partially
Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 128
How are Generic Practices used in the Process Assessment Model (PAM)?

A. To assess processes only at level 6
B. To assess processes from levels 2 to 5
C. To assess process at all levels of the Capability Model
D. To assess processes only at level 1
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 129
The Process Reference Model contains:

A. 37 processes
B. 17 IT Goals and related Metrics
C. 211 Control Objectives
D. Four domains
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 130
Which process contains practices related to access control mechanisms (e.g., granting access to
systems)?

A. APO13
B. DSS05
C. DSS06
D. DSS02
Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 131
How would you rate the following achievement of an attribute in a given process: “Some
evidence of an approach can be identified. Even though not all aspects of the achievement are
evident, the majority (75%) is achieved.”

A. Fully
B. None
C. Partly
D. Largely
Answer: D
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 132
In a process the attribute "Process Definition" is largely achieved; all other attributes are "Fully
achieved". What is the adequate rating of the process?

A. Level 3
B. Level 4
C. Level 5
D. Level 2
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 133
In which step of the assessment process (as defined in the Self Assessment Guide) will the Goals
Cascade be used?

A. Step 4 Record and Summarise the Capability Levels
B. Step 1 Decide on process to assess—scoping
C. Step 3 Determine Whether Capability Levels 2 to 5 for the Selected Processes Are
Being Achieved
D. Step 2 Determine Whether the Selected Process Is a Level 1 Capability
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 134
As discussed in “Starting Off on the Right Foot,” which area should risk assessments conducted
for fraud investigations include:

A. Monetary risk.
B. Regulatory risk.
C. Reputational risk.
D. All of the above.
Answer: D
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 135
According to "Assurance that Matters" by Norman Marks, what percentage of CAEs and audit
committee members see their primary job as providing assurance in a compliance environment?
(This answer will be found in the print or digital edition of the magazine, not the online version.)

A. 53 percent
B. 54 percent
C. 39 percent
D. 36 percent
Answer: D
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 136
In “Unraveling the Regulatory Knot,” audit committee member Fred Telling says internal auditors
need a 20/80 balance in focus on compliance, with 80 percent focused on the history, background,
and culture that spawned the underlying law and its implementing regulations.

A. True
B. False
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 137
According to "Unraveling the Regulatory Knot," the European Union's Solvency II Directive
requires companies operating in the E.U. to ___________ in order to reduce the risk of
insolvency.

A. Have sufficient insurance.
B. Have adequate capital holdings.
C. Comply with all relevant regulations.
D. Follow international risk management standards.
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 138
According to “The Wisdom of the Crowd,” crowd sourcing is widespread in internal audit.

A. True
B. False
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 139
According to "Aligning the Business," by Jonathan Ngah, procedures are a guide to achieve
organizational objectives, and should align with overall strategy.

A. True
B. False
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 140
According to "Aligning the Business," by Jonathan Ngah, red flags related to fraud, financial
reporting misstatements, and various compliance errors often appear in organizations lacking
clearly defined policies and procedures.

A. True
B. False
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 141
According to “Unraveling the Regulatory Knot,” by Russell Jackson, The IIA’s International
Standards for the Professional Practice of Internal Auditing (Standards) require internal auditors
to evaluate risk exposures related to “compliance with laws, regulations, policies, procedures, and
contracts.”

A. True
B. False
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 142
According to “Tools for IT Governance Assurance,” by Ian Sanderson, how does ISACA’s
Information Systems Audit and Assurance Standards treat the topic of materiality?

A. As principles-based.
B. As risk-based.
C. As control-based.
D. As process-based.
Answer: C
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 143
In “The Wisdom of the Crowd,” what does author Craig Guillot cite as one of the biggest risks
associated with crowd sourcing?

A. Confidentiality breaches.
B. Reputational harm.
C. Fraud.
D. Misinformation.
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 144
According to the 2012/2013 Global Fraud Report, as cited in “Starting Off on the Right Foot,”
what percentage of fraud is committed by insiders, when the perpetrator is known?

A. 73 percent.
B. 67 percent.
C. 32 percent.
D. 22 percent.
Answer: B
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 145
In “Tools for IT Governance Assurance,” what is one of the benefits of using COBIT as a
governance framework?

A. It is aligned with best practices in the information systems field, such as the IT Infrastructure
Library and ISO/IEC 27000 standards series.
B. It is the basis for the IT controls mandated by the revised COSO Internal Control-Integrated
Framework.
C. It is required for compliance with The IIA’s standard on IT governance (Standard 2110.A2).
D. It supersedes IT governance and assurance standards, including the IT Infrastructure Library
and ISO/IEC 27000 standards series.

Answer: A
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 146
Which of the following is identified in “The Wisdom of the Crowd” as one of the most popular
types of crowd sourcing activities?

A. Assessing enterprise risk.
B. Fraud investigations.
C. Crowd funding.
D. All of the above.
Answer: D
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 147
In “Tools for IT Governance Assurance,” which of the following is not a way that the COBIT 5
for Assurance guidance can be useful for internal auditors:

A. It allows auditors to gain insight into current best practices on assurance.
B. It demonstrates how to use COBIT 5 components and concepts for planning, performing, and
reporting on IT audit engagements.
C. It views the role of audit from a value-added perspective that looks at whether the
organization is delivering the required benefits defined by stakeholders.
D. It provides a checklist of risks that auditors must provide coverage for in their audit plans.

Answer: D
------------------------------------------------------------------------------------------------------------------------------------------
QUESTION NO: 148
In “Starting Off on the Right Foot,” what does author Travis Waite advise internal auditors to
determine first when assessing whether an allegation of wrongdoing has merit?

A. The complainant’s credibility and motives.
B. The channel through which the complaint was made.
C. The organization’s policy with regard to the alleged malfeasance.
D. The complainant’s level of authority in the organization.
Answer: A
------------------------------------------------------------------------------------------------------------------------------------------