Question 1
2/ 2pts
A company is concerned with whether or not their workforce will successfully adapt to a new mobile application. The concern is related to:
Schedule feasibility
Technical feasibility
Legal feasibility
Economic feasibility
This concern could be classified as related to operational feasibility, but that wasn't an option. Technical feasibility assessments need to be realistic. Technical feasibility focuses on 'can our organization, given its staff and systems, do this with the investment we are making?' rather than on 'could someone technically do this?'. If our people can't adapt, and we aren't going to replace them, the project isn't feasible.
Incorrect
Question 2
0/ 2pts
Which of the following is NOT listed in the slides as a reason to require IS personnel to take vacations or rotate jobs?
Fraud schemes may come to light
Cross training reduces excessive risk related to an individual
System documentation may be improved
New employees may not have all the credentials they claim
Fake credentials are an IS HR concern, but required vacations and job rotation won't help with that problem. All the other answers are potentially impacted by having someone else step in and do a person's job for a while.
Question 3
2/ 2pts
Which SDLC phase costs the most?
Certification
Investigation
Analysis
Maintenance
Implementation
If maintenance represents 80% of the cost of a system, it must be the largest cost in the list.
Question 4
2/ 2pts
Of the three kinds of cutovers described in the materials, which is considered the riskiest?
Parallel
Phased (by geography)
Phased (by application)
Cold Turkey
Running transactions in two systems and verifying the results strongly indicates that a new system is functioning properly before an old system is retired. Phased implementations, whether by geography (where one region converts before the others) or by module (where application parts are changed out over time), can require extra development to bridge between systems, but they substantially reduce risk compared to the cold turkey approach, where all parts of a system go live at the same time the old system is retired. Parallel processing can be costly but safe.
Question 5
2/ 2pts
Which of the following is NOT listed in the materials as a reason to prevent developers from having access to live systems and data?
Logic intended to support nefarious activity might get past testing and allow fraud
The test environment may not have sufficient storage or computing power to adequately test an application
Data in the live system might be subject to privacy restrictions that forbid developer access
A developer might learn things that can help them implement nefarious code
This control (blocking developers from the live system) is often violated in practice, but the ideas here are real. Other controls such as account and data monitoring, validity testing, and managerial review can be employed to mitigate these risks. While an underpowered test environment may create risk, it is not a reason to block developers from accessing production.
Incorrect
Question 6
0/ 2pts
Which kind of testing involves the largest scope?
Unit testing
Module testing
Stress testing
System testing
Unit testing and module testing intentionally reduce the scope of a test. While system testing is not a bad answer, because it implies that the whole system is tested, stress testing is a better answer because it involves the whole system AND a large volume of transactions.
Question 7
2/ 2pts
Which of the following is NOT a phase in a traditional waterfall SDLC process as listed in the slides?
Testing
Maintenance
Analysis
Design
Implementation
Testing is done both during the coding/configuration phase (implementation) and in the maintenance phase. It may even be done in the design phase.
Incorrect
Question 8
0/ 2pts
Which of the following is NOT a key management practice identified in COBIT BAI06 Managed IT Changes?
Hint: this could be a memory/look it up question. But, instead you could figure it out: Consider the difference between change management and what auditors think of as SDLC.
Close and document the changes
Track and report change status
Evaluate, prioritize, and authorize change requests
Manage Emergency Changes
Manage stakeholder engagement
Managing stakeholder engagement is a key management practice in BAI11 - Managed Projects. Remember that auditors often separate change management from SDLC. If something is big enough to be considered a "Project" that calls for working with a variety of stakeholders to manage communication and expectations, it falls into the SDLC domain. Change management is more mundane. All systems have bugs and need to adapt to the environment over time. Changes even come up suddenly, requiring emergency change protocols. Change management is a grind. It is tempting for practitioners to cut corners and skip control steps to get things done. As a result, most change management controls involve details and documentation.
Incorrect
Question 9
0/ 2pts
Which of the following is a widely recognized agile methodology?
CRM
SCRUM
SDLC
FISCAM
COBIT
Think of rugby. Everyone gets together and pushes from time to time, trying to move the pile. That takes agility.
Incorrect
Question 10
0/ 2pts
Which of the following is NOT a key management practice identified in COBIT's 'BAI07 Managed IT Change Acceptance and Transitioning':
Early tech support
Test environment
Requirements management
Implementation planning
Acceptance testing
Notice the objective name. This objective, and the process that aims to meet it, focuses on systems that are close to ready for production. Identifying what a system is to do (requirements) begins early in the SDLC process and continues throughout. When systems go live, usually transitioning from an old system/process to a new one, lots of risks ensue. You didn't have to memorize the list to understand which one did not go with this particular COBIT process. Further, a separate objective (BAI02 Managed Requirements Definition) clearly addresses requirements management, which is more a matter of how systems are developed so that projects will be efficiently executed and the resulting systems will do what they should.
Remember: IT auditors often differentiate SDLC from change management even though the two risk areas have lots in common.
See the slide "Key Control Objectives" in the SDLC deck.
Question 11
2/ 2pts
Which of the following is an Alignment metric (rather than an Enterprise metric) in BAI06 - Managed IT Changes?
Percent of products and services that meet or exceed targets in revenues and/or market share
Number of critical business processes supported by up-to-date infrastructure and applications
Percent of products and services that provide competitive advantage
Percent of products and services that meet or exceed customer satisfaction targets
Time to market for new products and services
If you look over the alternatives, four mention products and services provided by the organization. One talks about how IT supports operations (business processes) through infrastructure and applications. IS auditors need to consider the impact of IT processes on business processes. Business processes (and enterprise goals and metrics) are what the company is about. IT processes should be well managed, but the definition of well managed needs to emphasize impact on business processes.
Question 12
2/ 2pts
Which one of the following is NOT included in COBIT 2019?
Lists of key management practices
Metrics for assessing progress towards enterprise goals
A list of audit procedures
A list of enterprise goals
A list of alignment goals
COBIT can help auditors. It provides authoritative guidance on leading practices for managing IT and specifies details in ways auditors can use to develop audit criteria. But it does not speak directly to audits with planning details such as audit procedures. COBIT 2019 is a powerful resource to help IT managers deliver value through IT.
Question 13
2/ 2pts
Process maturity is an important concept. COBIT includes descriptions of maturity model levels. Maturity levels on the scale are identified as being between 0 and 5. The following are descriptions for those levels, but they are not in any particular order.
A- The process achieves its purpose, is well defined, its performance is measured to improve performance, and continuous improvement is pursued.
B- The process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed.
C- Lack of any basic capability. Incomplete approach to addressing the governance and management purpose. May or may not be meeting the intent of any process practices.
D- The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized as initial or intuitive, not very organized.
E- The process achieves its purpose in a much more organized way using organizational assets. Processes typically are well defined.
F- The process achieves its purpose, is well defined, and its performance is (quantitatively) measured.
Which of the following lists puts the maturity levels in the proper order from low maturity to high maturity?
C, B, D, F, E, A
C, D, B, E, F, A
A, B, C, D, E, F (that is, the items are already in the correct order for levels 0-5)
C, D, E, B, A, F
Key ideas: Mature processes have grown to be systematic, documented, measured, and include features that lead to continuous improvement.
0 - 'Lack of capability' is really bad - lowest maturity.
1 - 'intuitive' and 'incomplete' processes may be somewhat effective, but they cannot be relied upon to reduce risk.
2 - 'achieves purpose', 'complete', 'performed': these phrases describe a process that is not in failure mode but is likely to fail over time as things change and people come and go.
3 - 'organized' and 'defined' are words that describe systems that include documented efforts.
4 - 'measured' is the key word distinguishing level 4 from less mature levels. Remember: management needs to measure; auditors verify that management measures.
5 - 'continuous improvement' characterizes processes at the top of the maturity scale. This usually means including a mechanism for 'closing the loop', where measures are reviewed and consideration is given to what sorts of changes are desirable. Later, the effect of those changes is assessed.
Partial
Question 14
0.4/ 2pts
Match the COBIT objective name with its corresponding COBIT Domain
Managed Performance and Conformance Monitoring
MEA
Ensured Benefits Delivery
DSS
Managed Strategy
BAI
Managed Projects
EDM
Managed Service Requests and Incidents
APO
All the EDM objectives begin with the word 'Ensured'. The rest all begin with 'Managed'.
The MEA objectives are all related to effective monitoring of processes/controls.
Strategy is about planning (APO). Projects put systems in place (BAI). Ongoing service requests are part of service delivery (DSS).
Question 15
2/ 2pts
In COBIT, what does BAI stand for?
Buy, Access, and Install
Buy, Acquire, and Implement
Build, Access, and Install
Build, Acquire, and Implement
Build, Acquire, and Implement: access is not a main part of putting new things into place, acquiring goes beyond just buying, and implementing goes beyond mere installation.