$1.$ Organizations are expected to abide by any laws that apply to them. What is

this commonly called?

a$.$ accountability

b$.$ legal binding

c$.$ compliance

d$.$ regulatory compensation

$2.$ What entity is given the authority to create U$.$S$.$ regulations based on

implementing laws enacted by U$.$S$.$ Congress?

a$.$ American National Standards Institute

b$.$ Control Objectives for Information and related Technology $($COBIT$)$

c$.$ National Institute of Standards and Technology $($NIST$)$

d$.$ Regulatory agencies

$3.$ Which element does not constitute an audit finding?

a$.$ criteria

b$.$ circumstance

c$.$ summary

d$.$ impact

$4.$ Consider the following statements:

I. Aligning risk appetite and strategy$-$Helps manage the uncertainty with

consideration of the goals of the organization.

II$.$ Enhancing risk response decisions$-$Improves the ability to make better

decisions about how to manage risk.

III. Reducing operational surprises and losses$-$Enhances the organization$$s ability

to identify potential events or threats and react appropriately.

The above are all key components of:

a$.$ CAG

b$.$ ERM

c$.$ GAPP

d$.$ NCP

$5.$ What is risk arrogance?

a$.$ After performing a risk assessment, doing nothing and managing the

consequences of a risk if one is realize

b$.$ Seeking alternatives or not participating in the risky activity

c$.$ Transferring the risk to other parties

d$.$ Not adequately planning for or assessing risk

$6.$ An unauthorized user has gained access to data and viewed it$.$ What has

been lost?

a$.$ confidentiality

b$.$ availability

c$.$ integrity

d$.$ nonrepudiation

$7.$ Which of the following is the definition of compensating controls?

a$.$ The detailed recording, management, and updating regarding the details of an

information system.

b$.$ An analysis of threats and vulnerabilities against assets

c$.$ Determining the existence of relevant and appropriate security policies and

procedures.

d$.$ Alternative countermeasures to minimize risk.

$8.$ Which of the following is the definition of objectives?

a$.$ A documented conclusion that highlights deficiencies, abuse, fraud or other

questionable acts

b$.$ Actions or changes put in place to reduce a weakness or potential loss.

c$.$ A set of goals. Used as part of an assessment to determine what needs to be

accomplished to validate a control.

d$.$ An independent assessment that takes a well$-$defined approach to examining

an organization$$s internal policies, controls, and activities.

$9.$ Which of the following is the definition of risk assessment?

a$.$ Alternative countermeasures to minimize risk

b$.$ An analysis of threats and vulnerabilities against assets.

c$.$ An act of manipulating people into divulging information.

d$.$ A comparison between the actual and desired outcome.

$10.$ The general business goals provided by COBIT include $17$ goals across four

perspectives.

One of these four perspectives is:

a$.$ confidentiality

b$.$ acquire and implement

c$.$ learning and growth

d$.$ infrastructure