
QUESTION NO: 1

Which is likely to suffer the most should the enterprise outsource its IT function?
A. Strategic alignment
B. Value delivery
C. Risk management
D. Performance measurement
Answer: A
Explanation/Reference:
Outsourcing agreements are unlikely to fully anticipate changes in business strategy as outsource
obligations are fixed in contractual language.

QUESTION NO: 2
The most important aspect of accountability for IT is?
A. Compensation plan
B. Performance measurement
C. Control processes
D. IT balanced scorecard
Answer: C
Explanation/Reference:
http://www.micropoll.com/akira/mpresult/671426-206759

QUESTION NO: 3
What would typically be the greatest IT governance concern?
A. Management of software licenses
B. Effective staff recruitment, retention & training program
C. Bandwidth reservation
D. Thorough and cost effective disaster recovery planning
Answer: B
Explanation/Reference:
Staff retention is a persistent requirement needed to ensure availability of the resources needed to
execute strategy and deliver value. Failure to retain staff will negatively impact performance.

QUESTION NO: 4
What is the appropriate course of action for IT management to undertake?
A. Implement the additional systems and processes required by the prospect's standards and
architecture.
B. Halt the standardization effort until A's architecture and standards can be made compliant with
the prospect's architecture and standards.
Delaying implementation of strategy should never be a first alternative
C. Advise against accepting the prospect's business as its standards are inconsistent with those of
Company A.
D. Consult with the Board's IT strategy committee regarding a change in business strategy.
Answer: D
Explanation/Reference:
Where there are substantial barriers to implementing strategy, it is never inappropriate to consult
with the Board.

QUESTION NO: 5
In the above scenario, Company A's Sr. VP of Sales executed a contract with the prospect that
includes significant penalties for nonperformance.
What is the appropriate action for IT management to undertake?
A. Implement the additional systems and processes required by the prospect's standards and
architecture.
B. Halt the standardization effort until A's architecture and standards can be made compliant with
the prospect's architecture and standards.
C. Seek to outsource servicing the incompatible aspects of the prospect's business.
D. Advise for settlement of contract terms as soon as possible.
Answer: C
Explanation/Reference:
This is undoubtedly the most cost effective way of meeting customer requirements with
minimum negative impact on the IT Strategy of system and process standardization.

QUESTION NO: 6
In the above scenario, do the Sr. VP's actions represent a failure of IT governance?
A. No, Governance of IT should not constrain the activities of the Sales organization.

B. Yes, the IT strategy was incompletely harmonized with the business strategy
C. Yes, IT should first review all IT requirements before the Sales organization makes
commitments.
D. No, IT must be able to adapt to changing business requirements.
Answer: D
Explanation/Reference:
IT failed in the execution of strategy by defining standards too narrowly and not anticipating
such customer requests.

QUESTION NO: 7
Who bears primary responsibility should the IT standardization initiative fail to deliver the
expected efficiencies in Company A's business processes?
A. CEO
B. CIO
C. Business Process Owner.
D. Business Executive
Answer: B
Explanation/Reference:
The CIO is the principal manager of IT resources. It is the responsibility of the CIO to ensure
that business requirements are appropriately recognized and addressed.

QUESTION NO: 8
Should Company A fail to have a framework for IT governance, what is most likely to suffer?
A. Compliance with regulation and business mandates.
B. Success of its 'low cost service provider' strategy
C. Security of customer data.
D. The operational efficiency of the IT organization.
Answer: B

QUESTION NO: 9
Which finding would most likely motivate the Company's adoption of a distinct IT governance
program?
A. There is significant unrecognized and unaddressed risk in the Company pharmacy units'
handling of customer health information.
B. The Company spends more on IT as a percentage of profit than the grocery industry as a
whole.
C. The Company's management expense as a percentage of profit than the grocery industry
as a whole.
D. The company has experienced multiple year to year increases in the percent of revenue
loss due to spoilage or otherwise un-sellable inventory.
E. The Company's long time (15+ years) CIO will soon retire.
Answer: D
Explanation/Reference:
The company has experienced multiple year to year increases in the percent of revenue loss due
to spoilage or otherwise un-sellable inventory.

QUESTION NO: 10
What is the most appropriate measure for the Board to use to track the value of the Company's IT
Governance program?
A. Company stock price
B. Store employee productivity
C. Unit sales and inventory cost
D. Profit margin

Answer: C
Explanation/Reference:
A governance program motivated in part by inventory management issues should be tracking those
costs.

QUESTION NO: 11
Store operations depend on IT-staff maintained software that was developed in house twenty
years ago. What is the most compelling argument regarding modernization?
A. No change is needed, the current system is tried and true
B. Systems need to be replaced due to difficulty in finding experienced RPG and COBOL
programmers to maintain them.
C. Systems need to be replaced as the use of the older systems delays introducing new
products and services.
D. Security of the older systems is suspect

Answer: C
Explanation/Reference:
Such system inadequacies would have major financial impact. (Business & alignment response)

QUESTION NO: 12
The Company has acquired the assets of a 100 store chain liquidated through bankruptcy. The
acquired chain's computer systems are vendor proprietary, leading edge systems. What should
the Company do with these systems?
A. Continue to operate them and contract with the vendor's professional services to integrate
these systems with the Company's financial and logistic systems.
B. Replace these new systems with the Company's standard store system.
C. Implement a strategy whereby the system in the acquired stores is the basis for a new
Company standard store system.
D. Maintain a separate IT organization until the stores are re-branded and P&L reporting is
integrated.
Answer: B
Explanation/Reference:
Company focus on cost control emphasizes standardization.

QUESTION NO: 13
Despite the CFO's certification of compliance with the bankcard industry's security standards
(PCI DSS), the Company experienced a significant security breach that exposed card information
of more than 1M customers. What changes should be made in the Company's risk management
program?
A. Mandate an increased level of security monitoring
B. Provide additional security training for developer and system admin staff
C. Outsource the management of the Company's network security
D. Add zero breach goal to the CEO's management targets
E. Add zero breach goal to the CIO's management targets

Answer: D
Explanation/Reference:
Accountability for information security is suspect due to certification signoff by the CFO. Assign
accountability to the CEO, given the CIO's suspect participation.

QUESTION NO: 14
The IT department has developed much of the Company's intellectual property (tools &
proprietary methods). What is the appropriate accountability? [Framework]
A. Management of Professional Services for the utilization of new tools & methods in client
engagements
B. The CIO for training of professional services staff in the use of new tools & methods
C. The CIO for a positive impact on profits from any newly developed tools or methods
D. Management of Professional Services for the selection of new tools & methods to be
included in the Portfolio.
Answer: C
Explanation/Reference:
IT value is determined by the value it delivers to the Business. IT must act to remove barriers to
the delivery of business value. If such barriers cannot be removed then IT should forgo
development of the subject tool.

QUESTION NO: 15
What should IT Management be doing in response to new Bank regulation regarding information
security? [Framework]
A. Monitor, evaluate and identify new market opportunities that will follow promulgation of
the new regulation
B. Determine the adequacy of the Portfolio to respond to the requirements of the new
regulation
C. Do nothing until Management of Professional Services reports a Client requirement for
new security services
D. Ensure staff attendance at an industry conference focused on the new regulation
Answer: B
Explanation/Reference:
IT is best positioned to understand limits to the capabilities of the portfolio. IT has an obligation to
inform the business should the Portfolio be found wanting.

QUESTION NO: 16
The Company has determined to productize and sell some tools currently used by the
Company's professional services staff. What must IT do to support this strategy? [Alignment]

A. Rewrite tools to reduce dependence on Company infrastructure
B. Plan for increase in size of the Help Desk support staff
C. Determine technical procedures required to protect products from piracy and unlicensed
use
D. Hire a consultant to determine requirements of the anticipated 3rd party customers

Answer: D
Explanation/Reference:
While the development of product strategy is not an IT function, IT must provide input regarding
its capability to respond to anticipated requirements.

QUESTION NO: 17
The Company is considering converting most of its salaried consultants to independent
contractor status. What is the major IT challenge associated with such a move? [Resource
Management / Alignment]
A. A lower Staff commitment to report upon deficiencies in current Portfolio
B. Increased user support requirements due to Staff turnover
C. Need for increased tool automation due to lower experience and sophistication level of
staff
D. Protection of IP especially monitoring for unauthorized use of tools

Answer: C
Explanation/Reference:
Greater staff turnover means that without a reduction in the learning curve for the use of
Company products, service quality will suffer. One method to shorten the learning curve is to lessen
the level of knowledge required to use the tools with an increased level of tool automation.

QUESTION NO: 18
The Board believes that the Company is an acquisition target by a large manufacturer of
computer systems and discreetly seeks an attractive offer. What should IT management
recommend to maximize value to the potential buyers? [Alignment]
A. Reduce Portfolio's dependence on Company infrastructure
B. Delay starting any new initiatives
C. Reduce IT staff headcount
D. Re-prioritize strategic plans to focus on initiatives that can be completed in the near term

Answer: A

Explanation/Reference:
Increases opportunity for reuse by the acquiring company while minimizing risk to current
operations, and may otherwise make for more efficient IT operations.

QUESTION NO: 19
The IT infrastructure is currently unable to support new ways of communicating with clients
such as SMS or Twitter. What is the best way for IT to acquire such communications
capability?
A. Show how the new infrastructure supports a strategic business goal
B. Contract with ISP or other service provider for the capability
C. Implement risk based controls that ensure appropriate use of such protocols
D. Assign appropriate task responsibilities to the CTO

Answer: A
Explanation/Reference:
Activities in support of strategic goals will always be given priority

QUESTION NO: 20
Brokers are complaining that the nightly 2 hour maintenance window diminishes their
opportunity to enter and complete transactions for international clients. What is the best way to
improve system availability?
A. Upgrade hardware and reduce maintenance activities
B. Segment resources serving international clients and perform maintenance on a different
schedule
C. Add system administration staff to shorten maintenance window
D. Upgrade transaction processing systems

Answer: D
Explanation/Reference:
Modern transaction processing systems should support 7X24 processing allowing for
maintenance activities such as backup, routine software fixes / feature additions and patch
installation to occur in real time.

QUESTION NO: 21

Retail customers are complaining that the Company does not support online trading. The retail
unit does not have expertise in-house to develop and maintain a secure online trading system.
What is the best way for it to acquire that expertise?
A. Share application components used by institutional customers for online trading
B. Contract for services from an existing online brokerage
C. Hire new staff with the requisite skills
D. Train existing development staff in required protocols and tools

Answer: B
Explanation/Reference:
Where there is no competitive or strategic advantage, it is generally better to buy vs build.
Buying services rather than owning software is likely to have a lower TCO (at least during the
transition period).

QUESTION NO: 22
Due to cost pressures brought about by new regulation, the Company seeks to relocate all data
processing to a Company operated off-shore facility. What is the major concern with this tactic?
A. Additional resource requirements for compliance monitoring may not be recognized
B. Security
C. Disruption and errors introduced during migration
D. Expected cost savings may not be realized

Answer: A
Explanation/Reference:
Since the re-location is intended to avoid cost due to regulation, it is necessary to implement
controls to ensure that the Company is compliant with those regulations.

QUESTION NO: 23
The Company is experiencing frequent disruptions in system operations.
What is the best way to address this problem?
A. Strengthen perimeter security with next generation firewalls and intrusion detection
B. Accelerate server maintenance and replacement
C. Add more capability to monitor the state of system and network resources
D. Resize servers, routers, disk arrays and other components

Answer: C
Explanation/Reference:
Resize servers, routers, disk arrays and other components

QUESTION NO: 24
To support the modernization effort, the CIO anticipates that Company messaging capabilities
will have to be upgraded to include some kind of collaboration engine such as Sharepoint or
Lotus Domino. What is the best way to proceed?
A. Immediately include the new infrastructure in the IT architecture and fund the
component out of the modernization budget
B. Wait until the need for the new component is apparent in a critical workflow and then
include acquisition and implementation of that component as part of the project to automate that
critical workflow
C. Collect collaboration requirements from all current project teams. Implement a common
component if it is a cost effective solution to the collective collaboration requirement
D. Develop an infrastructure upgrade strategy to support the modernization program, the
costs of which are assigned to IT's capital budget
Answer: C
Explanation/Reference:
Ensures the value of the collaboration engine will be appropriately assessed and that the investment
decision is made on that basis. Infrastructure components derive their value from that of the
applications that they support.

QUESTION NO: 25
New regulation mandates that the Company support data exchange procedures for which the
Company anticipates significant cost but little, if any, financial benefit in the next five years.
What is the best approach to managing this investment?
A. Implement the applications that will leverage the new procedures so as to produce
business value
B. Initiate a project to implement the exchange capability but assign it minimum resources
C. Include support for the exchange capability in the portfolio of modernization projects
D. Delay implementation of the capability for as long as possible
Answer: C
Explanation/Reference:
Value management | governance response. Address the support requirements in the context of the
portfolio of Company investments.

QUESTION NO: 26
Recently, a never event resulting in the death of a patient occurred at the hospital. Current
industry standards dictate that such an event should never occur at a well managed hospital.
The hospital could implement a very expensive application control to prevent a re-occurrence,
but the cost would have to be paid out of the modernization budget. What is the most appropriate
action?
A. Immediately implement the new application control as part of the modernization budget.
B. Delay implementation of the control until another cost center for the control is found.
C. Increase the priority of projects that would automate the suspect processes identified by
the root cause analysis of the event.
D. Do nothing and accept the risk of such events given their very low frequency and high
mitigation cost.
Answer: C
Explanation/Reference:
Priority is in the context of portfolio management. RCA will identify process failures that can be
avoided through automation.

QUESTION NO: 27
The company has not yet obtained expected benefits from the modernization program. What is
best course of action?
A. Advise patience as total return should increase with time
B. Increase the hurdle rate for the higher risk investments
C. Delay closing projects until demonstration of value delivery
D. Increase the modernization budget

Answer: C
Explanation/Reference:
Lack of receipt of value indicates a problem in value planning or execution. This response
ensures project management until all capabilities required to receive business value are in place.

QUESTION NO: 28

The project to implement a highly visible medical support application is 25% complete but has
consumed 50% of its budget. What is the most appropriate course of action?
A. Increase the project budget as the application directly relates to Company mission
B. Increase the assumed level of project risk and re-evaluate the investment decision
C. Shelve the project in favor of those with greater likelihood of implementation success
D. Develop a plan to complete the project with the remaining budget

Answer: B
Explanation/Reference:
Value management response | ensures consideration of risk and value in context of portfolio of
investments.

QUESTION NO: 29
An Agency goal is to more easily integrate information collected at different times and by
different sources within the Agency. Which of the following measures would best indicate IT's
progress toward this goal?
A. Number of systems compliant with Agency metadata standards
B. Time required to complete information request
C. Number of analyst tools available for use in consolidating data
D. Time to complete complaint / filing

Answer: D
Explanation/Reference:
This would be a business consequence of goal satisfaction

QUESTION NO: 30
The Agency continues to regularly experience incomplete data sharing despite improvement in
performance metrics. Which of the following is most likely to be the reason for this?
A. Staff are inexperienced in the use of new systems
B. Information architecture is incomplete
C. Staff are motivated to keep control over information that they collect
D. Collected performance metrics measure efficiency rather than effectiveness

Answer: D
Explanation/Reference:
Inconsistency between metrics and reality implies a deficiency in the metrics. The reported
metric reports time w/o control for quality.

QUESTION NO: 31
The Agency is concerned that many of its IT systems are antiquated. Which balanced scorecard
measure indicates readiness for an IT modernization program?
A. % of service contracts meeting SLA w/o dispute
B. % of agency business processes identified in EA
C. % of IT staff w/ certified skills and system knowledge
D. % of users satisfied with help desk support

Answer: B
Explanation/Reference:
Recognition of Agency business processes and their relationship is essential to modernization of
IT

QUESTION NO: 32
The Agency is a frequent cyber-warfare target. What measure best indicates the effectiveness of
IT's security risk management?
A. % compliance with federal information processing standards (FIPS)
B. # of reported security incidents
C. # of incidents relating to un-anticipated threats
D. % of systems current on all vendor patches

Answer: C
Explanation/Reference:
Reflects the thoroughness of the Agency's risk assessments (a low number is better).

QUESTION NO: 33
To ensure Agency flexibility when making work assignments, all relevant information and IT
must be accessible and transferable to any employee in any office. What measures satisfaction of
this goal?
A. # of incidents where employee unable to recover critical data within one work day
B. Average time to provision an Agency standard workstation
C. Minimum service level of field office WAN connection
D. Average user rating of satisfaction with IT services

Answer: A
Explanation/Reference:
Business outcome most closely related to the goal

QUESTION NO: 34
How is the risk of a breach of electronically maintained client confidential information best
managed?
A. By the service provider's independently validated compliance with the Firm's security
standards.
B. Service agreement requiring that the Outsourcer indemnify the Firm for all losses
associated with a breach of security.
C. Encryption of all data maintained at the data center.
D. Through regular audits of data center operations conducted by the Firm's risk officer
Answer: D
Explanation/Reference:
The only alternative that provides flexibility sufficient to respond to a changing risk
environment.

QUESTION NO: 35
Individual Courts and Regulators have distinct requirements with respect to the security of
electronic filings.
What approach should the Firm take to ensure that its Attorneys have the capability to submit
electronic filings wherever such are allowed?
A. Provision a suite of security services to be used as determined by individual Attorneys
B. Implement a global security standard that encompasses the security requirements of all
jurisdictions
C. Allow offices in different jurisdictions to independently implement the appropriate
security procedures as required by the relevant Courts and Agencies
D. Support with a global standard the most common security requirements; defer electronic
filings in jurisdictions not supported by that standard.
Answer: A
Explanation/Reference:
Most cost effective alternative. Allows the Firm to ensure the technical competence of the
security implementation, while meeting jurisdictional requirements.

QUESTION NO: 36
One of the Firm's offices has experienced a successful intrusion into its network by hackers, but
due to poor incident response is unable to determine what information may have been accessed
or modified. What action should immediately be taken?
A. Notify Clients of that office that there may have been a breach of Privileged
communication.
B. Isolate the office network from the Corporate WAN.
C. Notify Firm Attorneys that there has been a hack and therefore review any recently
prepared documents or unexpected changes.
D. Have external auditors conduct a forensic analysis to determine the method and scope of
the intrusion.
Answer: B
Explanation/Reference:
Containment of significant but poorly understood risk is appropriate.

QUESTION NO: 37
Firm Attorneys regularly include client confidential information in unencrypted Internet email.
Canons of attorney ethics do not require Attorneys to encrypt email or notify clients that they
are using insecure email. What is the Firm's best course of action?
A. Adopt an enterprise email encryption solution that is only partially effective but easy to
implement
B. Inform clients of the practice but agree to any client request not to use such insecure
communication channels
C. Confirm that Firm malpractice policies include losses due to unintended breaches of
privileged communication
D. Inform clients of the practice and agree not to use such insecure communication channels
unless the Client accepts the risk of a confidentiality breach
Answer: A
Explanation/Reference:
Prevention of relatively low risk events is undoubtedly more cost effective than other risk
treatments (avoidance or transfer).

QUESTION NO: 38
The Firm is considering deploying a Client portal through which clients can submit required
documents, preview filings requiring signature, review billing records, and securely
communicate with Attorneys and other staff. What information is the most important to collect
when evaluating the risk associated with the portal?
A. Likelihood of intrusion attempts
B. Level of client use
C. Impact on Attorney productivity
D. Cost of appropriate security

Answer: A

QUESTION NO: 39
COBIT presents the Governance Cube. The three main areas of this cube are IT Processes, IT
Resources and?
A. Criteria
B. Auditable
C. People
D. Financial
E. Quality

Answer:

QUESTION NO: 40
COBIT processes are grouped into 4 domains, one of which is Monitoring and?
A. Audit
B. Prudence
C. Correction
D. Support

Answer:

QUESTION NO: 41
In COBIT, IT Resources are: People, Application Systems, Data, Technical Infrastructure and?
A. Budgets
B. Facilities
C. Efficiency
D. Security

Answer:

QUESTION NO: 42
Information Criteria is Effectiveness, Efficiency, Confidentiality, Integrity, Availability,
Compliance and?
A. Reliability
B. Reuse
C. Accuracy
D. Accessibility

Answer:

QUESTION NO: 43
COBIT stands for Control Objectives for Information and Related?
A. Tools
B. Terminology
C. Terms
D. Technology

Answer:

QUESTION NO: 44
COBIT makes use of the Deming Cycle. This is made up of Plan, Do, Check and?
A. Think
B. Review
C. Act
D. Assess

Answer:

QUESTION NO: 45
An IT Control Objective is defined as: "... control procedures in a particular IT?"
A. Activity
B. Team
C. Organization
D. Review

Answer:

QUESTION NO: 46
COBIT Security Requirements are defined as: Confidentiality, Integrity and?
A. Appropriateness
B. Availability
C. Robustness
D. Secrecy

Answer:

QUESTION NO: 47
In which of the COBIT management domains does "Manage third-party suppliers" fall?
A. Delivery
B. Monitoring
C. Planning
D. Acquisition

Answer:

QUESTION NO: 48
ITIL directly maps/integrates with COBIT.
A. True
B. False
C. Sometimes
D. Depends

Answer:

QUESTION NO: 49
When IT is aligned with the enterprise's stated objectives, it provides several benefits. Which one
of the following IS NOT one of them?
A. Compliance with regulatory requirements
B. Enabling of cost-effective administration and management
C. Value addition to business products and services
D. Optimal use of resources

Answer:

QUESTION NO: 50
Select the correct statement.
A. KPIs are lead indicators.
B. KPIs are lag indicators.
C. KPIs and KGIs are synonymous.
D. KGIs are lead indicators.

Answer:

QUESTION NO: 51
Easy Credit Cards Inc. in the US plans to set up a transaction center in the Philippines. Which
one of the following would be the best approach for resource optimization?
A. Employing cheaper resources
B. Reducing cost while delivering better service
C. Providing faster and more reliable service
D. Planning for disaster recovery in the event of a disaster

Answer:

QUESTION NO: 52
Balancing value and cost:
A. All answers apply
B. Achieving regulatory compliance
C. Managing complexity
Answer:

QUESTION NO: 53
Which of the following statements is true?
1. An organization can be certified against both COBIT and ISO/IEC 20000.
2. COBIT and ITIL complement each other.
A. Both 1 and 2
B. 2 only
C. Neither 1 nor 2
D. 1 only

Answer:

QUESTION NO: 54
Which of the following statements is true?
1. IT Processes are controlled by Control Objectives.
2. IT Processes are measured by Control Practices.
A. Neither 1 nor 2
B. Both 1 and 2
C. 2 only
D. 1 only

Answer:

QUESTION NO: 55
SpinIT is a small but fast-growing record company that wants to move toward more internal
control and governance of IT. What is the best thing to do first?
A. Start with an audit, as defined by the Assurance Guide.
B. Start implementing the 10 processes of the domain: Plan & Organize.
C. Start implementing the four processes of the domain: Monitor & Evaluate.
D. Start using COBIT Quickstart.
Answer:

QUESTION NO: 56
Describe how COBIT defines resources in an IT environment.
A. Technology, Applications, Software, Networks
B. Applications, Information, Infrastructure, People
C. Technology, Information, Infrastructure, Networks
D. Applications, Infrastructure, Networks, People

Answer:

QUESTION NO: 57
Which of the following is not a process defined by COBIT?
A. Monitor & Evaluate
B. Acquire & Integrate
C. Delivers & Support
D. Plan & Organize

Answer:

QUESTION NO: 58
COBIT is an acronym that stands for:
A. Control Objectives for Information and related Technology
B. Clear Objectives Before Integrating Technology
C. Cross Organizational Business Information Technology
D. Control and Observe Information Technology

Answer:

QUESTION NO: 59
"Security" is:
A. Not mentioned by COBIT
B. An IT challenge
C. An IT resource
D. An information criterion

Answer:

QUESTION NO: 60
Organizations find it convenient to use COBIT because:
A. COBIT is positioned centrally at the detailed level.
B. It relates to other frameworks (COSO, CMM, and so on).
C. Implementing COBIT makes ITIL obsolete.
D. All options are correct.

Answer:

QUESTION NO: 61
Which one of the following should not be included in the COBIT Cube?
A. IT Processes
B. IT Capabilities
C. IT Resources
D. Information Criteria

Answer:

QUESTION NO: 62
Which one of the following ISACA publications is focused on POS, "Manage the IT
Investment"?
A. VAL IT
B. COBIT Implementation Guide
C. COBIT Quickstart
D. Risk IT

Answer:

QUESTION NO: 63
How long is the official COBIT e-learning Foundation course?
A. 4 hours
B. 8 hours
C. 1 hour
D. 2 hours

Answer:

QUESTION NO: 64
Which of the following is not an IT resource, as defined by COBIT?
A. People
B. Infrastructure
C. Technology
D. Information

Answer:

QUESTION NO: 65
In which COBIT domain would you expect to find information on "Ensuring regulatory
compliance"?
A. Plan and Organize
B. Acquire and Implement
C. Deliver and Support
D. Monitor and Evaluate

Answer:

QUESTION NO: 66
IOU Company has cross-functional teams that deliver projects late. Developers are unable to
understand the terms used by the business managers and vice versa.
How does COBIT help in this situation?
A. COBIT manages complexity by introducing the PO processes.
B. COBIT defines a model for efficient cross-functional coordination.
C. COBIT helps better communicate using a common language.
D. COBIT introduces internal controls & processes to provide assurance.

Answer:

QUESTION NO: 67
All potential users can benefit from COBIT content as an overall approach to managing and
governing IT, together with more detailed standards, such as:
A. CMM for solution delivery
B. ISO/IEC 27002 for information security
C. ITIL for service delivery
D. All answers are correct

Answer:

QUESTION NO: 68
Predefined measures that determine how well an IT process enables the achievement of goals are
called:
A. Critical Success Factors (CSFs)
B. Key Goal Indicators (KGI) / Outcome Measures
C. Key Performance Indicators (KPIs)
D. Performance Indicators
E. Mission Objective Measurement (MOM)
Answer:

QUESTION NO: 69
What is driving the need for IT Governance?
A. All answers apply
B. Balancing value and cost
C. Managing complexity
D. Achieving regulatory compliance

Answer:

QUESTION NO: 70
Which of these statements is true?
1. An official COBIT Exam exists to test the understanding of COBIT at the Foundation level.
2. Official COBIT Foundation courses are recognized for CPE credits.
A. 1 only
B. Neither 1 nor 2
C. Both 1 and 2
D. 2 only

Answer:

QUESTION NO: 71
Installing controls (such as firewall security) that provide protection against risks is called:
A. Risk Mitigation
B. Defense-in-Depth
C. Security Resource Management
D. Risk Avoidance

Answer:

QUESTION NO: 72
Match the following scenario with the correct benefit of IT Governance: Information is available to the appropriate decision makers to monitor IT activities by using accurate performance measures.
A. Confidence of the top management
B. Easier Auditing
C. More reliable services
D. More transparency

Answer:

QUESTION NO: 73
Ensuring that information about appropriate IT functions, services, and value delivered is available at all levels needing that information is called:
A. Information Sharing
B. Program Information Management
C. Global Communication
D. Transparency

Answer:

QUESTION NO: 74
A Maturity Model is useful because it:
A. Defines the capability targets to be achieved.
B. Trains staff to improve performance.
C. Obtains certification from an external party.
D. Identifies critical operational issues that need to be addressed.

Answer:

QUESTION NO: 75
IOU Company has started to implement COBIT, but they are not sure whether "people" is an IT resource:
A. No, COBIT does not include "people" as an IT resource.
B. Yes, COBIT includes "people" as an IT resource.
C. It depends on whether the number of IT staff exceeds the company threshold.
D. It depends on whether people are internal, outsourced, or contracted.

Answer:

QUESTION NO: 76
COBIT is published by:
A. International Organization for Standardization (ISO)
B. IT Governance Institute (ITGI)
C. Paul Sarbanes & Michael Oxley (SOX)
D. United Kingdom's Office of Government Commerce (OGC)

Answer:

QUESTION NO: 77
How many IT processes are defined by COBIT?
A. 14
B. 34
C. 56
D. 49

Answer:

QUESTION NO: 78
Which of the following is not a RACI term?
A. Responsible
B. Accountable
C. Instructed
D. Consulted

Answer:

QUESTION NO: 79
Which of the following should not be included in a RACI chart?
A. Accountable
B. Informed
C. Notified
D. Responsible

Answer:

QUESTION NO: 80
Read the following statement and select the maturity level that corresponds to it: "Processes are documented and communicated."
A. Ceased
B. Defined
C. Optimized
D. Directed

Answer:

QUESTION NO: 81
Which of the following is not included in the COBIT CUBE?
A. Drivers
B. Resources
C. Processes
D. Information Criteria

Answer:

QUESTION NO: 82
In which COBIT domain would you expect to find information on "Manage third-party services"?
A. Plan and Organize
B. Monitor and Evaluate
C. Acquire and Implement
D. Deliver and Support

Answer:

QUESTION NO: 83
A method that helps an organization make a systematic attempt to improve by measuring proficiency in a focus area is:
A. Maturity Models
B. Benefit Realization Capture (BRC)
C. Mission Objective Measurement (MOM)
D. Key Performance Indicators (KPIs)

Answer:

QUESTION NO: 84
Integrity is an information criterion, as defined by COBIT, and is concerned with:
A. Provision of appropriate information
B. Protection of sensitive information
C. Safeguarding of necessary resources
D. Accuracy and completeness of information

Answer:

QUESTION NO: 85
According to COBIT, who is responsible for IT Governance?
A. The CEO
B. IT Employees
C. The Board of Directors
D. The CIO

Answer:

QUESTION NO: 86
Which tool provides the best indicator of strategic alignment?
A. Balanced scorecard
B. CMM benchmark
C. Dashboards
Answer: A
Explanation/Reference:
Balanced scorecards explicitly connect business goals with IT performance measures. CMM rates the maturity of processes independent of any statement of business goals. IT metrics reflect the performance of systems without any statement of business goals. Dashboards are merely a means to display metrics.

QUESTION NO: 87
The COBIT IT Assurance Guide would be of primary interest to:
A. Management
B. Auditors
C. Security professionals
D. Functional managers

Answer: B
Explanation/Reference:
ISACA publishes a range of documents, and candidates should be familiar with what ISACA offers to whom. While managers and security professionals may be interested in this document, its primary target is persons conducting audits.

QUESTION NO: 88
The average level of programming effort per function point is a:
A. KPI
B. Process KGI
C. IT KGI
Answer: A
Explanation/Reference:
Function points are a measure of application complexity. This measure reflects performance at an activity (application programming) level.

QUESTION NO: 89
Scheduling change is a:
A. IT Goal
B. Process Goal
C. Activity Goal
Answer: B
Explanation/Reference:
Change scheduling is an activity that is part of the manage change process. Authorization of
appropriately evaluated changes is the Process Goal and the related IT Goals include timely
response to changing business

QUESTION NO: 90
Which of the following least describes COBIT?
A. Technologically neutral
B. Business oriented
C. Multi-stakeholder
D. Prescriptive
E. All or none

Answer: D
Explanation/Reference:
COBIT can be implemented piecemeal, and all COBIT objectives do not have to be achieved by a single project. By definition COBIT provides a business orientation. COBIT is not dependent upon or limited to a specific information technology. COBIT assigns roles and responsibilities at multiple levels in the organization. COBIT identifies governance tasks that need to be performed (as opposed to prescribing how those tasks must be performed).

QUESTION NO: 91
From what perspective should the enterprise view regulatory compliance?
A. Financial
B. Customer
C. Internal
D. Learning & growth

Answer: C
Explanation/Reference:
Regulatory compliance is a property of company operations, and operational aspects are dealt with in balanced scorecards under the 'internal' perspective. Compliance may have financial and customer aspects, but those are not primary.

QUESTION NO: 92
Information reliability is important for which business goal?
A. Increased market share
B. Service availability
C. Transparency
D. Lowering process costs

Answer: C
Explanation/Reference:
Reliability relates to the provisioning of information to management so that it can exercise governance and fiduciary responsibility. Transparency is essential to these functions.

QUESTION NO: 93
The IT enterprise architecture is determined by:
A. Business Goals
B. Infrastructure
C. Regulatory requirements
D. IT Goals
E. Technical capability

Answer: A
Explanation/Reference:
Business goals drive the IT goals, which in turn create requirements for the IT enterprise architecture. Infrastructure is a component of the IT architecture, and technical capability is an attribute of the people component of the architecture.

QUESTION NO: 94
IT enterprise architectures describe the relationship between all of the following except:
A. Roles
B. Information
C. Processes
D. Customers
E. Applications

Answer: D
Explanation/Reference:
"Roles" identify groups of people as participants in the enterprise architecture. If IT processes delivered value directly to customers, customers would be a part of the IT architecture. However, it is not true in general that customers interact with company applications and information, so 'customers' is the appropriate answer.

QUESTION NO: 95
Alignment is addressed primarily during what phase of the operational lifecycle?
A. Plan and organize
B. Acquire and implement
C. Deliver and support
D. Monitor and evaluate

Answer: A
Explanation/Reference:
PO1 defines an IT strategic plan, an essential property of which is alignment with the business strategic plan and goals. All the other phases follow the determination of strategic plans in the governance lifecycle.

QUESTION NO: 96
Problem management is addressed primarily during what phase of the operational lifecycle?
A. Plan and organize
B. Acquire and implement
C. Deliver and support
D. Monitor and evaluate

Answer: C
Explanation/Reference:
DS10 Manage Problems. While the Monitor and Evaluate phase may detect problems and failures to resolve them, problem resolution itself, like incident management, is a Deliver and Support activity.

QUESTION NO: 97
What best describes a control in COBIT?
A. A process that ensures specific outcomes
B. Policies and procedures that provide assurance of business objectives
C. An automated process that prevents or detects undesirable events
Answer: B
Explanation/Reference:
COBIT does not define 'control' directly. However, the glossary entries for 'control practices', 'control objectives' and 'internal control' make it clear that for COBIT 'control' relates to the general accomplishment of business objectives. The first and third options are too narrow.

QUESTION NO: 98
An IT control objective is associated with:
A. Business goal
B. Information criteria
C. IT process
D. Performance

Answer: C
Explanation/Reference:
The IT control objective is the result achieved by the control procedure in a given activity, which is determined by the IT process that organizes the activity. Business goals and information criteria are too general to identify such objectives. Performance is a retrospective attribute, whereas controls are forward looking.

QUESTION NO: 99
Which is least likely to be provided by an application control?
A. Accuracy
B. Completeness
C. Reliability
D. Integrity
E. Authorization

Answer: C
Explanation/Reference:
Reliability is a general property of the information system taken as a whole, whereas application controls deal with the specific processing of subsets of data to support specific business functions.

QUESTION NO: 100
COBIT IT processes cover:
A. Application Controls
B. General Controls
C. Both application and general controls
Answer: B
Explanation/Reference:
The business is responsible for defining functional and control requirements for applications, use of applications, and manual controls. COBIT IT processes include the implementation of those control requirements that are shared across applications.

QUESTION NO: 101
Processes receive required inputs from:
A. Other processes exclusively
B. As a result of process activity
C. Sr. Management
D. None of the above

Answer: B
Explanation/Reference:
The activities organized by an IT process obtain information from business users, business transactions, systems and customers in addition to inter-process communication. Whereas senior managers may provide input to an IT process, not all processes depend upon them.

QUESTION NO: 102
Process maturity is a strategic goal:
A. True
B. False
Answer: B
Explanation/Reference:
Strategic goals relate to business objectives. Process maturity, in and of itself, does not create value for the customer and thus is only indirectly related to business goals.

QUESTION NO: 103
Roles that are 'consulted' in RACI charts must 'sign off' on process activities:
A. True
B. False
Answer: B
Explanation/Reference:
In RACI charts 'authorization' is limited to the 'accountable' role.

QUESTION NO: 104
When responding to complaints about reporting errors in customer reports, management should focus on what information criteria?
A. Efficiency
B. Integrity
C. Compliance
D. Effectiveness
E. Reliability

Answer: D
Explanation/Reference:
'Effectiveness' refers to the timely delivery of correct, consistent and usable information to the business process. When IT goals are linked to IT processes (Appendix I), it is clear that effectiveness reflects customer values, whereas reliability is more an internal management perspective. Integrity is a concept somewhat limited to the storage and transmission of information and does not include creation. Efficiency and compliance are distractors.

QUESTION NO: 105
Which action is a success factor that should help resolve the inability to gain support from the local office's business management, according to the COBIT 5 Implementation Guide?
A. Set up a regular Compliance forum which includes members of both local and Overseas Business Management and local IT Management.
B. Only implement improvements that add value to the local office.
C. Produce a RAG matrix for Governance related roles for the local office.
D. Ensure all resources are full time and dedicated to the Governance Initiative.
Answer: A

QUESTION NO: 106
Which document is an input to Phase 1?
A. Outline Business Case for the Governance Initiative.
B. A list of stakeholders at the local office and Overseas Head Office.
C. A report from HR on staff turnover.
D. Documented approval from the CEO to proceed.

Answer: C

QUESTION NO: 107
Which reason is a root cause for the lack of current enterprise policy and direction within an organization, according to the COBIT 5 Implementation Guide?
A. Weak enterprise risk management.
B. IT budget committed to infrastructure.
C. Overly optimistic goals.
D. Best practices are copied and are NOT adopted.

Answer: A

QUESTION NO: 108
In a GEIT initiative it is unclear how the business is going to be kept informed of progress. Which CE task is executed to keep all units informed of progress during Phase 2?
A. Publish the key challenges and concerns in respect of the current state on the intranet.
B. Identify key governance issues related to this Initiative and issue to all IT staff.
C. Identify the benefits of the Governance Initiative and issue a newsletter to the local office.
D. Create steering committees for relevant parts of the Initiative.
Answer: C

QUESTION NO: 109
The following objective and action were defined for the GEIT initiative. Objective: Identification of any outstanding issues that will bring this Phase to an end. Action: To try and bring the embedding of a compliance culture in the local office to a close, the IT Manager has collated the outstanding work that has been delayed due to pockets of resistance to change. The report is to be passed through to the Project review group for action. Is this action an appropriate Phase 6 CE task to address Objective 4?
A. No, because collating work unfinished due to resistance to change is a Phase 4 CE task.
B. Yes, because this will prove the failure of the mentoring performed in a previous Phase.
C. No, because collating work unfinished due to resistance to change is a Phase 5 CE task.
D. Yes, because changes can be enforced by local Senior Management when necessary.
Answer: D

QUESTION NO: 110
The following objective and action were defined for the GEIT initiative. Objective: Ensure the improvements are embedded in the culture of the Financial Services Organization. Action: The IT Manager has decided to run awareness sessions about the Change Management process and its associated benefits for the Financial Services Organization. Is this action an appropriate Phase 6 CE task to address Objective 1?
A. Yes, because the awareness sessions will ensure all change requirements have been addressed.
B. No, because the running of awareness sessions is a Phase 4 CE task.
C. Yes, because the awareness sessions will help to embed new working practices in the Financial Services Organization.
D. No, because if the Change Management process is formally implemented then awareness sessions are unnecessary.
Answer: C

QUESTION NO: 111
Which reason is a root cause of resistance to change?
A. Resistant to acknowledging weaknesses.
B. Priorities NOT allocated appropriately.
C. IT budget already committed to infrastructure.
D. Continual improvement NOT part of the working culture.

Answer: A

QUESTION NO: 112
The following objective and action were defined for the GEIT initiative. Objective: The need to keep the Head Office informed of issues. Action: The IT Manager has decided to produce an escalation process that will ensure all issues are raised directly with the Head Office. Is this action an appropriate Phase 6 CE task to address Objective 3?
A. No, because issues should be passed to Internal Audit for resolution.
B. Yes, because all process changes should be enforced by Head Office Senior Management to bring the current Governance Initiative to a close.
C. Yes, because this approach will ensure quick resolution of issues.
D. No, because issues that can NOT be resolved within the local office should be sent to the Overseas Head Office.
Answer: C

QUESTION NO: 113
Which is a success factor that should help to resolve the concern raised over the overall value of the Governance Initiative?
A. Seek to second a compliance resource from the Overseas Head Office.
B. Produce a RAG matrix for Governance related roles for the local office.
C. Arrange a training course for users of the change process.
D. Issue a compliance article on the Intranet site in business terms.

Answer: A

QUESTION NO: 114
Which reason is a root cause for a lack of Senior Management buy-in to an improvement initiative, according to the COBIT 5 Implementation Guide?
A. Continual improvement is NOT part of the culture.
B. Best practices are copied and are NOT adopted.
C. Poor perception of the credibility of the IT function.
D. Lack of dedicated resources.

Answer: C

QUESTION NO: 115
The following objective and action were defined for the GEIT initiative. Objective: Adopt working behaviors to ensure the implementation is successful. Action: The IT GRC Manager has held a session with HR and asked them to add standard compliance responsibilities to all job descriptions at the Financial Services Organization. Is this action an appropriate Phase 6 CE task to address Objective 2?
A. No, because once the Governance Initiative is complete then there is NO further compliance requirement.
B. Yes, because updated job descriptions will ensure the local office will be compliant with all future requirements from the Overseas Head Office.
C. Yes, because this will help to reward those involved in compliance initiatives in the Financial Services Organization.
D. No, because only affected job descriptions should be amended to include compliance responsibilities.
Answer: D

QUESTION NO: 116
Which action is a success factor that should help to resolve the de-motivation of the IT staff working on the Governance Initiative?
A. Organize a road show with the Business Management, revisiting stakeholders.
B. Produce a RAG matrix for Governance related roles for the local office.
C. Arrange a training course for users of the change process.
D. Ensure all resources are full time and dedicated to the Governance Initiative.

Answer: A

QUESTION NO: 117
Which action is a success factor that should help to resolve the lack of take-up of the change management process?
A. Ensure all resources are full time and dedicated to the Governance Initiative.
B. Arrange a training course for users of the change process.
C. Obtain compliance input from the Overseas Head Office auditors.
D. Produce a RAG matrix for Governance related roles for the local office.

Answer: B

QUESTION NO: 118
Which reason is a root cause of the difficulty in understanding COBIT 5 and associated frameworks, procedures and practices?
A. Lack of business understanding of IT issues.
B. Lack of knowledge.
C. Insufficient dedicated resources.
D. NOT enough consideration of how they do things at the organization.

Answer: B

QUESTION NO: 119
Which action is a success factor that should help resolve the inability to gain support from the local office's business management, according to the COBIT 5 Implementation Guide?
A. Set up a regular Compliance forum which includes members of both local and Overseas Business Management and local IT Management.
B. Only implement improvements that add value to the local office.
C. Produce a RAG matrix for Governance related roles for the local office.
D. Ensure all resources are full time and dedicated to the Governance Initiative.
Answer: A

QUESTION NO: 120
Which action is a success factor that should help resolve the current lack of trust between the local office IT function and Business Management, according to the COBIT 5 Implementation Guide?
A. Produce a plan of expected changes for the year ahead which takes account of the compliance requirements.
B. Ensure all resources are full time and dedicated to the Governance Initiative.
C. Only implement improvements that add value to the local office.
D. Educate the business by running a COBIT 5 training course.
Answer: A

QUESTION NO: 121
Which reason is a root cause of the cost of the IT Governance Initiative appearing to exceed any benefit, according to the COBIT 5 Implementation Guide?
A. There is poor communication about the expected successes of the Initiative.
B. Budget funds have already been spent on another initiative (e.g., a takeover) and this is seen as a further drain on resources.
C. There is a perception that there is a lack of required compliance skills.
D. A recent takeover has left uncertainty and the threat of further changes.
Answer: B

QUESTION NO: 122
Which activity is a Continual Improvement task performed during Phase 1?
A. Raise local Management's awareness of the importance of the Initiative.
B. Raise awareness of compliance issues with the local office.
C. Understand the full impact of the Governance Initiative.
D. Identify other project dependencies such as the Security and HR projects.

Answer: C

QUESTION NO: 123
Which reason is a root cause for a lack of Senior Management buy-in to an improvement initiative, according to the COBIT 5 Implementation Guide?
A. Continual improvement is NOT part of the culture.
B. Lack of dedicated resources.
C. Poor perception of the credibility of the IT function.
D. Best practices are copied and are NOT adopted.

Answer: C

QUESTION NO: 124
Identify the missing word(s) in the following sentence: "Process [ ? ] is a process attribute for a Predictable process."
A. assessment
B. measurement
C. innovation
D. performance management

Answer: B

QUESTION NO: 125
What is the purpose of the Process Reference Model?
A. To be the basis for the process dimension which outlines the structure of the 37 COBIT processes
B. To be the basis for the process dimension which gives the specific process references on each level
C. To contain the generic attributes for the levels two, three, four and five
D. To be the basis for the capability dimension which defines the rating method to conform to ISO 15504
Answer: A

QUESTION NO: 126
Which capability level is an established process?
A. Level 3
B. Level 1
C. Level 6
D. Level 2

Answer: A

QUESTION NO: 127
What rating level must a process attain in order to pass an assessment?
A. F - Fully
B. P - Partially and/or L - Largely
C. L - Largely and/or F - Fully
D. P - Partially

Answer: C

QUESTION NO: 128
How are Generic Practices used in the Process Assessment Model (PAM)?
A. To assess processes only at level 6
B. To assess processes from levels 2 to 5
C. To assess processes at all levels of the Capability Model
D. To assess processes only at level 1

Answer: B

QUESTION NO: 129
The Process Reference Model contains:
A. 37 processes
B. 17 IT Goals and related Metrics
C. 211 Control Objectives
D. Four domains

Answer: A

QUESTION NO: 130
Which process contains practices related to access control mechanisms (e.g., granting access to systems)?
A. APO13
B. DSS05
C. DSS06
D. DSS02

Answer: C

QUESTION NO: 131
How would you rate the following achievement of an attribute in a given process: "Some evidence of an approach can be identified. Even though not all aspects of the achievement are evident, the majority (75%) is achieved."
A. Fully
B. None
C. Partly
D. Largely
Answer: D

QUESTION NO: 132
In a process the attribute "Process Definition" is largely achieved; all other attributes are fully achieved. What is the adequate rating of the process?
A. Level 3
B. Level 4
C. Level 5
D. Level 2

Answer: A
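Questions 127, 131 and 132 all exercise the same two rules of the COBIT 5 Process Assessment Model: a percentage of evidence maps to an N/P/L/F rating, and a process reaches capability level k only when every attribute of level k is rated L or F and every attribute of the lower levels is rated F. The Python below is an added example written for this page, not code from ISACA or from the question bank. The attribute identifiers PA1.1 to PA5.2 and the percentage bands (N up to 15%, P up to 50%, L up to 85%, F above 85%) follow the PAM; the sample ratings are constructed to reproduce question 132.

```python
"""Capability-level determination under the COBIT 5 PAM (ISO/IEC 15504 rules).

Added example for this page, not ISACA's code. Attribute identifiers and the
percentage bands below follow the COBIT 5 Process Assessment Model.
"""
from __future__ import annotations

# The nine process attributes of the capability dimension, grouped by level.
ATTRIBUTES_BY_LEVEL: dict[int, tuple[str, ...]] = {
    1: ("PA1.1",),          # Process performance
    2: ("PA2.1", "PA2.2"),  # Performance management, work product management
    3: ("PA3.1", "PA3.2"),  # Process definition, process deployment
    4: ("PA4.1", "PA4.2"),  # Process measurement, process control
    5: ("PA5.1", "PA5.2"),  # Process innovation, process optimisation
}

VALID_RATINGS = ("N", "P", "L", "F")


def rate_attribute(percent_achieved: float) -> str:
    """Map the percentage of evidence achieved to the N/P/L/F rating scale.

    Bands per the PAM: N = 0 to 15 %, P = >15 to 50 %, L = >50 to 85 %, F = >85 to 100 %.
    """
    if not 0 <= percent_achieved <= 100:
        raise ValueError(f"percentage out of range: {percent_achieved}")
    if percent_achieved <= 15:
        return "N"
    if percent_achieved <= 50:
        return "P"
    if percent_achieved <= 85:
        return "L"
    return "F"


def capability_level(ratings: dict[str, str]) -> int:
    """Return the capability level (0 to 5) achieved by a set of attribute ratings.

    Level k is achieved when every attribute of levels 1..k-1 is rated F and
    every attribute of level k is rated L or F. Attributes with no rating
    count as N, so a process with no evidence at all is level 0 (incomplete).
    """
    for attr, rating in ratings.items():
        if rating not in VALID_RATINGS:
            raise ValueError(f"{attr}: invalid rating {rating!r}")

    achieved = 0
    for level in range(1, 6):
        lower_attrs = [a for lvl in range(1, level) for a in ATTRIBUTES_BY_LEVEL[lvl]]
        lower_fully = all(ratings.get(a, "N") == "F" for a in lower_attrs)
        this_level_passes = all(
            ratings.get(a, "N") in ("L", "F") for a in ATTRIBUTES_BY_LEVEL[level]
        )
        if not (lower_fully and this_level_passes):
            break  # a gap here blocks every higher level, whatever their ratings
        achieved = level
    return achieved


def level_from_percentages(percentages: dict[str, float]) -> int:
    """Rate each attribute from its evidence percentage, then grade the process."""
    return capability_level({attr: rate_attribute(pct) for attr, pct in percentages.items()})


# Constructed sample reproducing question 132: PA3.1 largely achieved, all others fully achieved.
QUESTION_132 = {a: "F" for attrs in ATTRIBUTES_BY_LEVEL.values() for a in attrs}
QUESTION_132["PA3.1"] = "L"

if __name__ == "__main__":
    print("Question 131, 75 % evidence ->", rate_attribute(75))       # L
    print("Question 132 -> Level", capability_level(QUESTION_132))    # Level 3
```

The `break` is the part assessors most often get wrong: a Largely rating at level 2 does not just cost that level, it caps the process at level 2 even if every level 3 to 5 attribute is Fully achieved, which is why question 132 stops at level 3 rather than 5.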

QUESTION NO: 133
In which step of the assessment process (as defined in the Self-assessment Guide) will the Goals Cascade be used?
A. Step 4 Record and Summarise the Capability Levels
B. Step 1 Decide on processes to assess (scoping)
C. Step 3 Determine Whether Capability Levels 2 to 5 for the Selected Processes Are Being Achieved
D. Step 2 Determine Whether the Selected Process Is a Level 1 Capability
Answer: B

QUESTION NO: 134
As discussed in Starting Off on the Right Foot, which area should risk assessments conducted for fraud investigations include?
A. Monetary risk.
B. Regulatory risk.
C. Reputational risk.
D. All of the above.
Answer: D

QUESTION NO: 135
According to "Assurance that Matters" by Norman Marks, what percentage of CAEs and audit committee members see their primary job as providing assurance in a compliance environment? (This answer will be found in the print or digital edition of the magazine, not the online version.)
A. 53 percent
B. 54 percent
C. 39 percent
D. 36 percent
Answer: D

QUESTION NO: 136
In Unraveling the Regulatory Knot, audit committee member Fred Telling says internal auditors need a 20/80 balance in focus on compliance, with 80 percent focused on the history, background, and culture that spawned the underlying law and its implementing regulations.
A. True
B. False
Answer: B

QUESTION NO: 137
According to "Unraveling the Regulatory Knot," the European Union's Solvency II Directive requires companies operating in the E.U. to ___________ in order to reduce the risk of insolvency.
A. Have sufficient insurance.
B. Have adequate capital holdings.
C. Comply with all relevant regulations.
D. Follow international risk management standards.
Answer: B

QUESTION NO: 138
According to The Wisdom of the Crowd, crowd sourcing is widespread in internal audit.
A. True
B. False
Answer: B

QUESTION NO: 139
According to "Aligning the Business," by Jonathan Ngah, procedures are a guide to achieve organizational objectives, and should align with overall strategy.
A. True
B. False
Answer: A

QUESTION NO: 140
According to "Aligning the Business," by Jonathan Ngah, red flags related to fraud, financial reporting misstatements, and various compliance errors often appear in organizations lacking clearly defined policies and procedures.
A. True
B. False
Answer: A

QUESTION NO: 141
According to Unraveling the Regulatory Knot, by Russell Jackson, The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) require internal auditors to evaluate risk exposures related to compliance with laws, regulations, policies, procedures, and contracts.
A. True
B. False
Answer: A

QUESTION NO: 142
According to Tools for IT Governance Assurance, by Ian Sanderson, how do ISACA's Information Systems Audit and Assurance Standards treat the topic of materiality?
A. As principles-based.
B. As risk-based.
C. As control-based.
D. As process-based.
Answer: C

QUESTION NO: 143
In The Wisdom of the Crowd, what does author Craig Guillot cite as one of the biggest risks associated with crowd sourcing?
A. Confidentiality breaches.
B. Reputational harm.
C. Fraud.
D. Misinformation.
Answer: A

QUESTION NO: 144
According to the 2012/2013 Global Fraud Report, as cited in Starting Off on the Right Foot, what percentage of fraud is committed by insiders, when the perpetrator is known?
A. 73 percent.
B. 67 percent.
C. 32 percent.
D. 22 percent.
Answer: B

QUESTION NO: 145
In Tools for IT Governance Assurance, what is one of the benefits of using COBIT as a governance framework?
A. It is aligned with best practices in the information systems field, such as the IT Infrastructure Library and ISO/IEC 27000 standards series.
B. It is the basis for the IT controls mandated by the revised COSO Internal Control-Integrated Framework.
C. It is required for compliance with The IIA's standard on IT governance (Standard 2110.A2).
D. It supersedes IT governance and assurance standards, including the IT Infrastructure Library and ISO/IEC 27000 standards series.
Answer: A

QUESTION NO: 146
Which of the following is identified in The Wisdom of the Crowd as one of the most popular types of crowd sourcing activities?
A. Assessing enterprise risk.
B. Fraud investigations.
C. Crowd funding.
D. All of the above.
Answer: D

QUESTION NO: 147
In Tools for IT Governance Assurance, which of the following is not a way that the COBIT 5 for Assurance guidance can be useful for internal auditors?
A. It allows auditors to gain insight into current best practices on assurance.
B. It demonstrates how to use COBIT 5 components and concepts for planning, performing, and reporting on IT audit engagements.
C. It views the role of audit from a value-added perspective that looks at whether the organization is delivering the required benefits defined by stakeholders.
D. It provides a checklist of risks that auditors must provide coverage for in their audit plans.
Answer: D

QUESTION NO: 148
In Starting Off on the Right Foot, what does author Travis Waite advise internal auditors to determine first when assessing whether an allegation of wrongdoing has merit?
A. The complainant's credibility and motives.
B. The channel through which the complaint was made.
C. The organization's policy with regard to the alleged malfeasance.
D. The complainant's level of authority in the organization.

Answer: A

QUESTION NO: 149
Which of the following is the most significant concern in the management of IT?

a) Making technology work correctly
b) Keeping IT running
c) Keeping up to date with the latest solutions
d) Supporting developers with toolkits

Answer: B

QUESTION NO: 150
What is an essential attribute of successful performance management?

a) Frequently achieved targets
b) Setting achievable goals
c) Threatening sanctions if targets are not met
d) Metrics defined and approved by the stakeholders

Answer: D

QUESTION NO: 151
Which of the following is a common reason why IT projects exceed budget expectations or deadlines?

a) Cost of IT specialists
b) Unavailability of the latest technology
c) Underestimation of the effort required
d) Lack of automation of development tools

Answer: C

QUESTION NO: 152
Which one of the following is a common problem encountered while trying to align IT and the business?

a) Use of an external IT consultant for project management
b) Communication gaps between the business and IT
c) Inadequacy of problem management practices
d) Rushing to develop too quickly

Answer:

QUESTION NO: 153
Which of the following is a principle of IT Governance?

a) Accountability
b) Reliability
c) Availability
d) Probability

Answer:

QUESTION NO: 154
Which one of these is a strategic objective?

a) Delivering on time and budget
b) Zero faults
c) Developing systems in house
d) Devising strategies to achieve stated goals

Answer:

QUESTION NO: 155
Which of the following is a potential benefit of strategic alignment?

a) Cost-effective administration and management
b) Use of the latest technology
c) Being first to market
d) Delivery on time and within budget

Answer:

QUESTION NO: 156
Which of the following is an important component of risk management?

a) Taking no risks
b) Canceling any initiative that is risky
c) Understanding the appetite for risk
d) Using old tried and tested systems

Answer:

QUESTION NO: 157
Which of the following represents an organizational perspective of a balanced scorecard?

a) A dashboard
b) A metric
c) A bonus scheme
d) A customer

Answer:

QUESTION NO: 158
Which of the following is a characteristic of a control framework?

a) Strict rules
b) Penalty for noncompliance
c) Process orientation
d) Measurement system

Answer:

QUESTION NO: 159
Which of the following is a key benefit of IT Governance?

a) Lower IT costs
b) Responsiveness of IT
c) Greater use of technology
d) Increased budget for IT projects

Answer:

QUESTION NO: 160
Which of the following is the best way to use COBIT?

a) To improve all IT processes
b) As a mandatory standard
c) As a guide for the business to maximize the benefits of IT
d) To help prioritize which IT processes to focus on

Answer:

QUESTION NO: 161


How does the COBIT Framework help an organization implement IT Governance?

a) It contains ready-made work programs
b) It provides policies and standards that can be mandated
c) It provides good practice and guidance
d) It has controls that can be implemented as they are

Answer:

QUESTION NO: 162


Which of the following is a component of the COBIT Framework?

a) Policies
b) Audit Programs
c) Implementation Guidance
d) IT Resources

Answer:

QUESTION NO: 163


What is a Control Objective?

a) A metric to be achieved by implementing control procedures in a particular activity
b) A level of maturity to be achieved by implementing control procedures in a particular activity
c) A statement of the desired result or purpose to be achieved by implementing control procedures in a particular activity
d) A critical success factor to be achieved by implementing control procedures in a particular activity

Answer:

QUESTION NO: 164


What tool within COBIT helps the business and IT understand the business
requirements for information?

a) Information Criteria
b) Critical Success Factor
c) Control Objective
d) Maturity Model

Answer:

QUESTION NO: 165


Which of the following is a fiduciary requirement within the COBIT Information
Criteria?

a) Security
b) Integrity
c) Availability
d) Operational effectiveness

Answer:

QUESTION NO: 166

Which of the following is a COBIT security requirement?

a) Compliance
b) Availability
c) Reliability
d) Efficiency

Answer:

QUESTION NO: 167


Which of the following is a COBIT Information Criteria?

a) Fiduciary
b) Quality
c) Effectiveness
d) Security

Answer:

QUESTION NO: 168


What do Key Goal Indicators (KGIs) measure?

a) Maturity levels
b) Process performance
c) Degree of control
d) The achievement of an objective

Answer:

QUESTION NO: 169


Which of the following is a COBIT IT Resource?

a) Database
b) Infrastructure
c) Operating System
d) Contractor

Answer:

QUESTION NO: 170


Which COBIT IT Resource can be defined as the automated user systems and
manual procedures that process information?

a) Applications
b) Process
c) Systems
d) Technology

Answer:

QUESTION NO: 171


Which of the following is a key feature of resource optimization?

a) Hiring low cost manpower
b) Retaining hardware to minimize replacement costs
c) Buying only proven products
d) Optimizing costs

Answer:

QUESTION NO: 172


Maturity Models help organizations to:

a) Meet goals and objectives
b) Evaluate controls
c) Determine the capability of the current process
d) Define performance measures

Answer:

QUESTION NO: 173


How can COBIT be used along with other international best practices and
standards, such as ITIL and ISO 17799?

a) To integrate the deployment of the required standards
b) As an implementation method
c) To validate the appropriateness of the other standard
d) As another view of the same area to support an approach

Answer:

QUESTION NO: 174


Which framework is increasingly accepted as the standard response for generally
assessing IT controls?

a) ITIL
b) COBIT
c) ISO 17799
d) CMM

Answer:

QUESTION NO: 175


Which IT process within COBIT should ensure timely definition of operational
requirements and service levels?

a) AI1 - Identify Automated Solutions
b) PO1 - Define a Strategic Plan
c) DS2 - Manage third-party services
d) AI4 - Develop and maintain procedures

Answer:

QUESTION NO: 176


Which part of the COBIT toolset will help the business and IT understand how to
measure results?

a) Management Guidelines
b) Framework
c) Control Objectives
d) IT Governance Implementation Guide

Answer:

QUESTION NO: 177


Key Performance Indicators are factors that:

a) Identify key controls
b) Identify key processes
c) Positively influence the process outcome
d) Focus on control practices

Answer:

QUESTION NO: 178


Which level of maturity in the COBIT processes is usually associated with a process
being "standardized, documented and communicated"?

a) Level 3 - defined
b) Level 2 - repeatable
c) Level 4 - managed
d) Level 1 - initial

Answer:

QUESTION NO: 179


Which of the following is a stage in the COBIT Audit Guidelines structure?

a) Planning and organization
b) Maturity modeling
c) Setting metrics
d) Evaluation

Answer:

QUESTION NO: 180


COBIT's definition of fiduciary requirements differs from that of COSO in that COBIT
expands the scope to include:

a) Security
b) All information
c) Operations
d) Systems development

Answer:

QUESTION NO: 181


COBIT is a framework that focuses on:

a) How to do it rather than what needs to be achieved
b) What needs to be achieved rather than how to do it
c) What needs to be organized rather than what needs to be achieved
d) What needs to be implemented rather than how to measure it

Answer:

QUESTION NO: 182


The COBIT Framework treats information as the result of the combined application
of IT Resources that are managed by:

a) Information Criteria
b) Control Objectives
c) IT Process
d) Metrics

Answer:

QUESTION NO: 183


The COSO Framework is a framework to help organizations establish and
determine:

a) Accounting standards
b) Auditing standards
c) Investment decisions
d) The effectiveness of the internal controls

Answer:

QUESTION NO: 184


Which of the following COBIT IT Processes addresses the need for "program and
project risk assessment"?

a) PO1 - Define a strategic IT Plan
b) PO8 - Manage quality
c) PO9 - Assess and manage IT risks
d) PO10 - Manage projects

Answer:

QUESTION NO: 185


Which COBIT resource provides benchmarking capabilities?

a) COBIT Quickstart
b) COBIT Security Baseline
c) IT Governance Implementation Guide
d) COBIT Online

Answer:

QUESTION NO: 186


The percentage of projects completed on time and on budget is a COBIT KGI?

a) True
b) False

Answer:

QUESTION NO: 187


Which of the following aspects of COBIT can be benchmarked in COBIT Online?

a) Use of IT Resources
b) Use of Information Criteria
c) Use of KGIs and KPIs
d) Use of Domains

Answer:

QUESTION NO: 188


COBIT QuickStart is most useful for:

a) Senior management
b) Small and medium sized enterprises (SMEs)
c) Auditors
d) Control Specialists

Answer:
