Internal Controls Midterm (Ch. 5, 6, 13)
You're a senior IT manager who wants to develop an IT Balanced Scorecard (IBS) for your firm. The CEO doesn't understand why you're dedicating company resources to this project and asks you to pitch it to him and the CFO. How should you sell this to them? (pg 139 - 145) a.) The IBS will allow them to assess the IT investment plans with regard to the firm's strategic goals. b.) An IBS is mandated for COBIT 5 compliance. c.) An IT Balanced Scorecard will allow management to compare employee performance in the IT department d.) An IBS will allow end-users to rate the quality of the service provided by IT
A
Which of the following is NOT an objective for the Future Orientation perspective of an IT Balanced Scorecard? A) Training and educating IT personnel for future IT challenges B) Researching for emerging technologies and their potential value to the organization C) Automating business processes D) Improving service capabilities
C
The MAIN reason why an IT Steering Committee fosters an effective, high-performance IT department is because it: A) Reviews proposed capital budgets B) Helps to allocate resources to the most important business functions C) Reviews IT performance metrics for efficiency and effectiveness D) Mitigates the obstacles in IT effectiveness
D
The best choice for the focus and use of a Management Information System is: A. Assisting management in accounting B. Providing executives internal and external information C. Helping management in making decision through interactive tools D. To provide reports in predefined formats to facilitate decision-making
D
A corporation has a strict code of ethics that each employee must read and sign. In addition, management often emphasizes the importance of speaking up whenever an employee sees something that violates the company's code of ethics. What component of the COSO ERM framework does this represent? A) Governance and Culture B) Strategy & Objective-Setting C) Performance D) Review and Revision
A
Assume that you are a manager at an airline company. Given the recent cyberattacks that have impacted the government (i.e., SolarWinds), you have concerns about the possibility of several of your flights being hijacked, so you decide to cancel the flights. What kind of risk response is the manager most likely making? A. Avoid B. Accept C. Share D. Reduce
A
Assume you own a chain of high-end retail stores and utilize a set of IT programs such as a customer database and inventory management system. You recently invested in these applications to try to solve an issue with inventory stock outs. The customer database is used to track customers by unique ID and use that information and purchase history to send targeted advertising and special promotions. The inventory management system is used to reorder inventory and track sales by unique inventory IDs. As the owner, you want to measure the operational efficiency and effectiveness. Which metric would NOT be appropriate? A) Measuring percent of your budget for IT applications allocated to updating the capabilities of the customer database system and inventory management system B) Measuring the occurrences of inventory stock outs, pre and post IT implementation C) Measuring timeliness and accuracy of inventory reorder requests from the inventory management system D) Measuring the amount of time and monetary cost for using the IT systems per employee
A
COBIT and ISO/IEC 27002 are strategies and frameworks designed to assist firms with IT business strategy and to provide organizational internal control strategies. Which answer best describes when it is most appropriate to utilize COBIT or ISO/IEC 27002? The answer does not assume that both strategies will be used simultaneously. A) The COBIT and ISO/IEC 27002 frameworks and strategies can be used jointly or separately. When using one or both of these strategies, the following organizational goals are most appropriate to each. COBIT is appropriate when the goal of the organization is not only to understand and align IT and business objectives but also to address the areas of regulatory compliance and risk management. The ISO/IEC 27002 framework should be chosen when IT senior management targets an information security architecture that provides generic security measures to comply with federal laws and regulations. B) COBIT and ISO/IEC 27002 are appropriate when Senior Management targets an information security architecture that provides generic security measures to comply with federal laws and regulations. C) COBIT and ISO/IEC 27002 are appropriate when the goal of the organization is not only to understand and align IT and business objectives but also to address the areas of regulatory compliance and risk management. D) COBIT and ISO/IEC 27002 are appropriate because they are IT governance frameworks that help organizations meet today's business challenges in the areas of regulatory compliance, risk management, and alignment of the IT strategy with organizational goals.
A
During the process of operational planning, which one of the following statements is incorrect? A) During the Demand Phase, since the CIO is the true expert on technology, the priority is to have the CIO onboard to carry out the IT strategy. B) During project initiation, a cost-benefit analysis is performed. C) During technical review, a Technical Steering Committee is established so that the right solution is selected. D) During financial management, the potential investment falls within budget.
A
Given the implementation of ERM, in the event that a manager is told to commit more company hours to community outreach but is paid only on his profits and losses, what is NOT one way the A) Implement an ethical approach to aid the community while hoping for future customers. B) Realign the compensation package to align with social outreach and financial objectives. C) Give the division executive full rights over the company to leverage responsibilities according to their discretion. D) Implement automated IT software that can deliver solutions with existing products being sold.
A
In order to ensure that the IT governance structure you implemented for a client is implemented and followed effectively after the project is completed, you should make sure you do the following: i. hold weekly staff meetings ii. have resources for the organization to ensure coordination and execution are continued efficiently iii. get management support iv. assess the company's performance measures a. ii and iv b. i, iii, and iv c. only ii d. all of the above
A
QUAY Company is trying to implement IT Governance. Which of the following is the main purpose of IT Governance? A) To align the IT strategy with the business strategy B) To have good control in IT department C) To manage risk in the company D) To mitigate risk in the IT department
A
Snack Factory is opening a new business and they would like to have the best IT General Controls. They heard numerous negative experiences of their competitors regarding IT General Controls and they would like to start their business in the right direction by eliminating this issue. What is the best risk-based approach to assessing IT General Controls? A) GAIT B) COSO C) ISACA D) GAO
A
Suppose you are asked by a beer company client for some practices according to the Enterprise Management Team that they can apply in order to better improve the management of the organization's risks. Which of the following is the best suggestion that the client should take? A. Come up with a manual with different ways to react and respond that correspond to each of the business risks and scenarios that were identified B. Ask the Board of Directors to come to meetings once every quarter and to not question management's risk-related decisions C. Do not easily hire new people into the company in order to build a close and trustworthy relationship among the people already in the company D. If the risk management performance is unsuccessful, make sure to note it down for your own reference going forward
A
The Information Technology Infrastructure Library (ITIL) is a framework which provides standardized methods for the selection, planning, and delivery of Information Technology services and programs. Businesses utilize these standard practices to assist their organizations in improving efficiency. The ITIL model provides efficient business services by implementing five core guidelines. Which answer best describes these five core guidelines? A) Strategy, Design, Transition, Operation and Continuous Improvement. B) Strategy, Development, Transition, Operation and Continuous Improvement. C) Design, Strategy, Transition and Operation D) COBIT-5, Design, Strategy, Transition and Operations.
A
The MOST IMPORTANT rule in the design and implementation of a metric is that: A. The area that is to be measured will help develop the metrics to produce more relevant data in that area. B. The measures are applied to processes, not to individuals. C. To provide best practices in IT services management. D. To provide best practice recommendations for the management of information security.
A
The correct statement for ABC company risk appetite would be: A) ABC company says it does not accept risks that could result in a significant loss of its revenue base. B) ABC management has not taken action to reduce the impact or likelihood of an adverse event. C) ABC company defines risk appetite in the Control environment component of the COSO ERM framework. D) ABC management considers risk appetite for setting risk capacity.
A
Which of the following IT performance metrics is NOT a good way to prove that a new IT project will be a worthy investment? A) We are measuring the daily call volume of each individual call agent (i.e. how many calls does each agent take per day?) for the next 3 months. B) We are measuring the average talk time across all agents who are stationed on the Eastern Seaboard of our company C) We are measuring customer satisfaction on a scale of 1-10 after the call and taking an average of those numbers for the next three months D) We are contacting customers from a randomized list and asking them how their latest customer experience was. We will collect that information and use it blindly (not connected to the call agent) to get a metric on our customer agents' effectiveness
A
Which of the following business organizations would be most likely to utilize a robust and up-to-date COBIT framework to guide their IT systems? A) A Hospital B) A small independent convenience store C) Walt Disney World Hotel and Resorts D) All of the Above
A
Which of the following is a false statement regarding IT governance for projects? A) In the stage of demand management, IT resources are spent on various potential projects, which will then go through the approval process. B) In the stage of project initiation, the business should conduct a cost and benefit analysis of the project. C) In the stage of technical review, the technical committee will approve new solutions. D) In the stage of vendor management, there are 4 vendors that will be approved by the IT steering committee.
A
Which of the following is not an advantage of an Enterprise Risk Management (ERM) Framework? A) Helps eliminate all risks in an Organization B) Helps Board and Management to optimize outcomes for the Organization C) Gives better information to the Organization to improve Decision Making D) Helps implement controls in an Organization
A
Which of the following is not essential in the process of designing and implementing a metric? A) Measure individual performance regularly to evaluate the productivity of each employee B) Identify a measure that is able to pass the reliability and validity tests C) Measure the area that could generate useful information to help develop the metric D) Avoid individual measurement and apply the measures to processes instead
A
Which of the following is not a purpose of aligning IT activities with business objectives? a. To make regulatory compliance and adequate implementation of IT control b. To achieve IT governance maturity and a higher return on IT investment c. To incorporate IT into the enterprise risk management program d. To develop the right requirements and work together for successful delivery of the promised benefits
A
Which of the following least likely explains the purpose of COSO ERM? A. To determine how controls should be implemented in order to bring risk to an acceptable level. B. To help the organization achieve their goals and objectives considering their risk appetite. C. When a company uses an effective ERM, this will help the board and management be better equipped to optimize outcomes D. ERM integrates the business strategy, which should be aligned with the organization's mission and vision, and performance to better understand the overall risk to the organization and will result in better decision making.
A
Which of the following operational planning steps is designed to filter out non-essential projects as well as align infrastructure for approved projects? a. Technical Review b. Project Initiation c. Financial Management d. Demand Management
A
Which of the following steps is the MOST critical for a company developing an IT balanced scorecard (IBS)? A) Develop a full understanding of the company's objectives and goals B) Ensure that management and stakeholders are informed about the development C) Brainstorm potential metrics for measurement D) Draft a preliminary IBS because it is essential to obtain management feedback
A
You just joined the IT department at a startup. You want to make a name for yourself and tell your manager that you would like to come up with an IT strategy for the business. He is a bit hesitant. Which of these is NOT a reason that you would use in your argument to convince your manager? A) It will save costs since an IT audit will no longer be needed. B) An IT strategy will end up in reduced costs since we will only spend on technology that increases value in the long run. C) It will help the department to be more aligned with the business strategy of the organization. D) It will help to provide a framework for evaluating technology investments.
A
Which one of the options describes the key trait of COBIT? (Page 136 of textbook) A) The goal is to help organizations improve the quality of IT management services. It serves either the end-user or the customer. B) The goal is to help address areas of regulatory compliance and risk management. C) The goal is to help organizations select the appropriate security measures by utilizing available domains of security controls. This approach would provide generic security measures that comply with federal laws and regulations. D) The IT framework adopts 5 core guidelines that are related to Strategy, Design, Transition, Operation, and Continuous Improvement.
B
In which situation would IT risk insurance not be useful? A: A small business that leverages Amazon Web Services to store all data related to the business. Amazon Web Services is subsequently hacked and all data is lost in the cloud B: A large family business that uses old, outdated computers that eventually crash, and all data is lost C: Due to a large hurricane, the hardware storing sensitive customer information for a regional bank is damaged by water D: A new tech company that backs all data up to an outside vendor. The outside vendor is subsequently hacked and the data is held for ransom
B
Why might a successfully implemented IT product or service be discontinued from an organization? A) IT product or service aligns with overall business objective B) The cost of maintaining the IT product or service is high C) Measuring the operational effectiveness and efficiency of the IT product or service is simple D) Payback period is longer than expected
B
As a member of the IT Steering Committee, you are assigned to help ensure integration of the business objectives and goals with the IT strategy, so you are LEAST likely to perform which of the following tasks? a. Reviewing business and technology strategies and plans b. Monitoring status, schedule, and milestones for all major projects c. Reviewing project budgets and return on assets d. Resolving conflicts between business and technology groups
C
Assume you are the Chief Risk Officer for a high-end retail company that sells luxury goods both online and in stores. You are tasked by the Board of Directors to perform a risk assessment and report the findings to the board. According to company policy these risk assessments are performed every other year, which coincides with when new designers are brought into the business to make seasonal releases. When new products are designed and sold you include risks pertaining to third parties that help in the manufacturing of these luxury goods. For guidance pertaining to risks with online sales and data you refer to COBIT and ISO/IEC. Which of the following would be the most useful improvement when doing your risk assessment? A. Referring to guidance set forth by the U.S. Government Accountability Office B. Changing the company policy to do yearly risk assessments in addition to "on demand" risk assessments when situations arise C. Choosing to only refer to COBIT to save time, especially since these are not required to be followed. D. Prioritizing looking at risks for commonly used applications such as QuickBooks
B
Which of the following is NOT used as a metric to measure service capability improvement? A. Professional Development B. Managerial Development C. Technology Renewal D. Organization Development
B
Corporate governance officers and senior management respond and react to identified and residual risks with the action they deem most fit to protect the firm and the shareholders. Which answer best describes the category or categories these officers and management responses would fall under? A) Avoid and prevent B) Avoid and Transfer C) Avoid, Prevent, Transfer, and Reduce D) Prevent and Reduce
C
Which of the following is correct about the IT Steering Committee? A. The committee only needs to be composed of members from the IT department of the organization. B. The IT Steering Committee makes sure that every constituency in the organization agrees on the business priorities. C. After the IT Steering Committee has established the IT strategy, the strategy is set and does not need to be further communicated to base management or users. D. The IT Steering Committee only needs to focus on the technological issues, and does not need to consider the business strategy of an organization.
B
Which of the following is the correct order of the governance process? A) Demand Management, Technical Review, Project Initiation, Procurement and Vendor Management, Financial Management B) Demand Management, Project Initiation, Technical Review, Procurement and Vendor Management, Financial Management C) Technical Review, Project Initiation, Demand Management, Procurement and Vendor Management, Financial Management D) Demand Management, Project Initiation, Technical Review, Financial Management, Procurement and Vendor Management
B
Which of the following objectives does not provide values contributing to IT-Generated Business Value? a. Business Value of IT Projects b. Internal cost of quality c. Sales to outsiders or third parties d. Management of IT investment
B
Assume you own a chain of high-end retail stores and utilize a set of IT programs such as a customer database and inventory management system. You recently invested in these applications to try to solve an issue with inventory stock outs. The customer database is used to track customers by unique ID and use that information and purchase history to send targeted advertising and special promotions. The inventory management system is used to reorder inventory and track sales by unique inventory IDs. As the owner, you want to measure the business value these programs have on your business. Which metric would be the HIGHEST priority? A) Measuring the ROI, after IT implementation B) Measuring the occurrences of inventory stock outs, pre and post IT implementation C) Measuring the change in sales figures pre and post IT implementation D) Measuring employee satisfaction and attitudes with using new IT applications
B
Corporation ABC has just finished implementing a new set of IT systems. In order to evaluate whether the implementation was successful and whether it fits ABC's overall strategic goal, a CPA who is a member of ABC's accounting department is conducting an IBS. The first thing he/she should do is: A) Define the company's objectives and goals. B) Have management on board and aware of the concept of the IBS. C) Collect data and coordinate it with the corporate goals D) Communicate the IBS development process to shareholders.
B
During a risk assessment process, Company A identified a risk relating to potential damage to its operating system if wrong data is entered. To respond to the risk, Company A decides to outsource the update of the system to Company B and to implement a control that conducts reconciliations of data inputs in the system. What risk responses does Company A have? A. Prevent and avoid B. Reduce and transfer C. Prevent and transfer D. Avoid and reduce
B
Louise wanted to focus on IT and its uses in her business. Her goal was to implement IT services that would allow her to manage daily tasks in her business, specifically focusing on IT management services that focus on the end-users of her products. Which of the following IT governance frameworks should Louise look to for guidance? A) COBIT B) ITIL C) COSO D) ISO/IEC 27002
B
Suppose you are a consultant specializing in ERM implementation. Which of the following potential clients would benefit MOST from the implementation of ERM? A: Small "mom and pop" bakery that has recently begun shipping baked goods internationally. B: Popular restaurant chain primarily serving communities on the east coast. C: Local pediatrician providing service to patients from all over northern New Jersey. D: Boutique clothing store with three locations in Boston, each within ten minutes from the others.
B
Suppose you are hired by a grocery store to help develop their IT strategy - which piece of information will be most critical to your successful development of their IT strategy? A: The grocery store is only willing to hire three additional staff members to be involved in IT. B: The grocery store's business objective is to provide an efficient self-checkout service, setting them apart from their competition. C: The grocery store has consistently met market demands in the produce department. D: The grocery store has a well-established IT steering committee.
B
Suppose you're a staff auditor conducting an IT risk assessment for an online brokerage. This is an entirely new client, and the audit manager wants you to do research on the IT department's staff to get a sense of the team's experience level. Which of the following findings would cause the most concern with regard to the quality of and adherence to the firm's IT control policies? (Inspired by PowerPoint slides 11 & 12; TB pg. 158) A) The IT department head has a Master's in Finance from NYU Stern and majored in computer science at MIT. B) Two of the three IT managers, who report to the head of IT, were previously terminated from their roles at Microsoft and Facebook for "mishandling user data" C) Many of the entry-level IT staff members were part of cybersecurity clubs during their undergraduate studies. D) All members of IT are documented to have undergone training on the firm's IT controls and policies, including having passed a written test with a score of at least 75% before starting actual work tasks.
B
The CEO of Tech Corp. feels that their current IT strategy is not effective and has hired you to revise it. During your revision, you notice the following: i) IT resources are being allocated evenly to all of the organization's projects ii) The company has revised & altered one of its main objectives to put focus more on building stronger customer relationships iii) The company has a structured plan in place to implement the IT strategy iv) The company's executives are part of the IT Steering Committee and have contributed to the development of the strategy Which of the following is the MAIN reason(s) for the failure of Tech's IT strategy? A) ii B) i and ii C) i, ii and iv D) All of the above
B
The Wilt Dasney Company derives 30% of its revenues from IT service management. This is the only part of the company that deals directly with the customers. Dasney management would like to improve the quality of the IT management services it delivers to customers. Which IT governance framework is the best choice? A) COBIT B) ITIL C) ISO/IEC 27002 D) Joint Framework
B
What is the relationship between Risk Appetite and Risk Capacity? A) Both Risk Appetite and Risk Capacity are the same amount of risk an Organization will take on. Risk Appetite = Risk Capacity. B) Risk Appetite is the amount of risk an Organization is willing to tolerate in pursuit of value. Risk Capacity is the amount of risk an Organization is able to tolerate. Risk Appetite < Risk Capacity. C) Risk Appetite is the amount of risk an Organization is able to tolerate. Risk Capacity is the amount of risk an Organization is willing to tolerate in pursuit of value. Risk Appetite > Risk Capacity. D) None of the Above.
B
Which IT framework is best suited for auditors and helps organizations meet regulatory compliance? A) IT Infrastructure Library (ITIL) B) COBIT C) ISO/IEC D) Sarbanes-Oxley (SOX)
B
Which of the following BEST distinguishes cybersecurity risk from other risks? a. Cybersecurity threat is one of the most important threats that affect the company's security. b. Cybersecurity risk can never be decreased to zero percent, as compared with other risks. c. Cybersecurity is a topic that is constantly talked about during meetings. d. Cybersecurity benefits from the ERM framework.
B
Which of the following actions under an IT Balanced scorecard would better position IT for the future? A) Increasing employee turnover B) Conducting development workshops C) Hiring new executives D) Conducting research on IT best practices
B
A company has implemented a new IT project in order to support their goal of more effective customer service. Which of the following would not be a good metric for the company to use to evaluate the performance of this project? A) The average amount of time it takes for customers to receive a response to their inquiries B) The number of positive and negative customer reviews that the company receives C) The number of inquiries that each individual employee responds to per day D) The cost of implementing the project
C
A company has recently completed a risk assessment and has discovered that their current risk level is below the company's risk capacity and regulatory requirements, but above the company's risk appetite. What should the company do? A) The company does not need to make any changes to risk level since it is below the company's risk capacity. B) The company does not need to make any changes to the risk level since it is below the regulatory requirements. C) The company should implement stronger controls to reduce the risk level below the company's risk appetite. D) The company should reduce existing controls so that the risk level is the same as their risk capacity.
C
All of the following are main functions of the COBIT framework EXCEPT: A) Allowing management to benchmark its environment and compare it to other organizations. B) Helping create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. C) Providing guidelines for best practices in the IT services management field D) Supporting the need to research, develop, publicize, and promote up-to-date internationally accepted IT control objectives
C
Given the statements below about COBIT and ISO, which one is false? A) ISO helps organizations with information security while COBIT focuses on helping organizations align IT and address the areas of regulatory compliance and risk management. B) Both ISO and COBIT oversee an organization's IT system. C) COBIT is applicable to all organizations no matter the size or type. ISO is applicable to public or private organizations. D) IT auditors will need to provide evidence to support their internal control assessment and opinions by using COBIT.
C
Imagine you were on the IT Steering Committee of a supermarket. Which one of the following does NOT play a role in accomplishing the organization's goal? A) Host weekly internal staff meetings to ensure effective communication, including that between IT and the rest of the organization. B) Prepare an annual operational plan that identifies the IT projects, such as changes made to the inventory information system. C) Grant every staff person the resources he needs to initiate new projects with value-added potential for the supermarket. D) Evaluate every new technical update and change made to the check-out system before its implementation to ensure compliance with technology standards.
C
Implementing a joint IT framework for controlling financial investments is key in organizational financial practices, what is one way this is implemented? A) Improve the quality, quantity, and accessibility of planning data, such as risk areas and past audits. B) Examine potential audit projects and choose those that have the greatest risk exposure to be performed first. C) Monitoring specific software services and events while forecasting income and expense. D) Provide a framework for allocating audit resources to achieve maximum benefits.
C
Lysol Company is trying to determine if their IT resources are used appropriately. Which of the following are necessary to ensure that IT resources are used appropriately? I. The IT project aligns with business strategy II. The project has business justification III. Senior management supports the project A) I, II B) II, III C) All of the Above D) I, III
C
QWE Coffee is a small local coffee shop that sells freshly brewed coffee every day. For the past few years QWE has only used simple accounting methods such as manually writing down revenues and expenses. However, due to its recent success and the resulting increase in daily transactions, the owner of QWE Coffee is thinking about implementing an IT system that will enable better and more automated accounting processes. QWE Coffee decides to hire you, a CPA, to conduct a risk assessment process to determine potential threats and risks related to its new system. Among the four sources of risk assessment guidance listed below, which one is a less suitable choice? A. COBIT B. GAO C. NIST D. ISO/IEC
C
Suppose the company is going through an annual review of its IT requirements. Which other department within the organization should the IT department work most closely with in order to be up to date with current regulation? A. External auditors B. Legal team C. Compliance officers D. Risk management team
C
Suppose you work for an insurance company and a national magnet manufacturer, MagneCo., who conducts all of their sales online, wants to be covered under your company's IT and Cyber Insurance Package. What controls, if missing, might lead you as the underwriter to deny coverage? (PowerPoint Slides 18-22; TB pg 170-171) A) All purchases of materials must go through a three-way match to be approved. B) Manufacturing and IT tasks are performed on separate floors on the company's property. C) Customer data is stored on-site and backed-up daily to the firm's back-up site. D) Each IT employee desktop is only unlockable using that employee's ID badge, their unique 18-digit alphanumerical PIN in the event that they misplace their badge, or the ID badge of their supervisor
C
The Blue Cup Company is a small family business in Greenwich Village. They heard that last year several similar businesses went out of the market because of cyber crimes that resulted in significant losses. The Blue Cup would like to protect themselves from cyber crimes. The Blue Cup heard about Cyber Insurance. Which events can Cyber Insurance protect against? I) A hacker leaked confidential information about clients. II) An employee stole money from the cash register III) An employee failed to encrypt data properly IV) Potential profits lost due to cyber crimes A) II, III B) I, II, IV C) I, III D) All of the above
C
The ultimate goal of the financial management process is: A. Monitoring specific activities and events B. Forecasting income/expenses, which are used for measuring financial activities C. Ensuring that financial investments are controlled and incorporated into cost/benefit analysis and ultimately into the budget D. Building a project estimate
C
There are four types of risk response following the identification of risks: avoidance, prevention, reduction, and transfer. Which of the following correctly matches the question to the risk response? A) Is the risk too expensive to avoid? - Reduction B) Can the risk be partially reduced? - Reduction C) Are the controls in place cost effective? - Prevention D) Will other risks be reduced as well by the implemented controls? - Avoidance
C
When a manager is considering deploying a new technology, what point should be taken into consideration first? a. The new system should comply with laws and regulations. b. The new system should have efficient controls set up. c. The new system should align with the business strategy and keep each part of the company on the same page. d. The IT department should choose which system to use and report to the management team.
C
Which COSO-ERM component would be most relevant during a 2021 corporate meeting for a large, international bank? A: Risk response planning B: Objective setting C: Monitoring D: Evaluation of internal environment
C
Which of the following statements about IT Governance Frameworks is WRONG? A) ITIL is a library of best-practice processes for IT service management. B) One of the core guidelines of ITIL involves constantly looking for improvement of the overall process and service provision. C) COBIT is a framework that helps organizations meet their internal control standards. D) COBIT allows management to compare its environment with those of other organizations.
C
Which of the following IT governance frameworks would be preferred when a senior IT manager wants to address issues related to information security measures? A) ITIL B) COBIT C) ISO/IEC 27002 D) None of the above
C
Which of the following is NOT true about the COBIT framework? a. It helps organizations meet today's business challenges in the areas of regulatory compliance and alignment with organizational goals b. The COBIT framework is now in its fifth edition c. It is a global standard providing best-practice recommendations regarding the management of information security d. The emphasis of the framework is to ensure that technology provides businesses with relevant, timely, and quality information
C
Which of the following characteristics of quality information indicates that the information contains all the relevant and important aspects of the corresponding activity, enabling effective as well as efficient decision making? a. Verifiable b. Reliable c. Complete d. Relevant
C
Which of the following is incorrect about Enterprise Risk Management? A. The ERM - Integrated Framework is an effective tool for senior management to set goals and strategies. B. The objectives of ERM typically include strategic, operations, reporting, and compliance objectives. C. ERM takes a controls-based approach when evaluating internal controls. D. The ERM risk-based approach results from the addition of four elements to the previous Internal Control - Integrated Framework.
C
Which of the following is incorrect about IT Performance Metrics? A. Metrics that are developed should only be applied to data that are both measurable and meaningful. B. Data should be compiled over a predefined period, and results should be provided to management on a regular basis. C. Survey data from other organizations cannot be presented to encourage adoption of a metrics frame of mind. D. It is vital that the measures are applied to events and processes, and never to individuals.
C
Which of the following is incorrect about IT strategy? A. IT strategy is the guidance that aligns IT with the organization's goals. B. Although it is costly to implement an IT strategic plan, it is worth investing in technology, since an appropriate IT strategy adds business value. C. The ultimate responsibility for setting and implementing the IT strategy should rest with the organization's IT management. D. It is not easy to implement the strategy and do it right.
C
You are the new manager of a transportation company that is entrusted with sensitive customer information. The CEO of your company suggests that you should inquire about implementing the COBIT framework. Based on your IT background, why is COBIT not the framework to pursue? a. COBIT is not compatible with any other framework b. A transportation company does not need an IT framework at all c. There is a better framework available d. COBIT is not an accepted IT practice or control objective
C
You're the head of your division, and you see additional demand for your division's product in the coming quarters. The increase in demand you're forecasting will far exceed your division's capacity. What should be your first move in addressing this? (pg 149) a.) Put together a valuation of the project based on the NPV of the cash flows expected from building new capacity to meet the demand. b.) Reallocate your division's budget toward finding and securing additional facilities and personnel to meet the expected demand. c.) Pitch the need for investment in additional capacity to senior business and IT management. d.) Wait for the demand to materialize before taking action.
C
Z Corporation is a computer manufacturer that is considering acquisitions in order to expand its business. Assume you are responsible for reviewing the company's business and IT plans and for coming up with the overall IT investment strategy. Additionally, two different department heads come to you with opposing preferences on the use of the cloud and the implementation of a new system, and you help them come up with strategies to resolve the conflict. Which of the following most closely resembles this role in the organization? A- Board of Directors B- Chief Information Officer (CIO) C- IT Steering Committee D- Chief Executive Officer (CEO)
C
A consultant has recommended to a company's CEO that the company should have insurance to help reduce its IT risks. The CEO thinks this is a great idea and asks whether the insurance will prevent all losses and risks. How should the consultant respond? A) Insurance will prevent all losses and risks. B) Insurance can prevent losses but cannot prevent all risks. C) Insurance can prevent risks but cannot prevent all losses. D) Insurance cannot prevent all losses or all risks; it will only help reduce risk and allow the company to recover its losses.
D
A grocery store chain has hired a consultant to perform a risk assessment of its operations. Following the risk assessment, it is clear that several risks are more prominent than others. One of the risks outlined in the assessment centers on the implementation of new self-checkout technology. The grocery store is considering implementing this technology because of the efficiency it will create by reducing congestion at conventional cashier lanes. The risk assessment revealed that the new technology exposes the grocery store to mistakes made by customers (e.g., failing to scan every item, failing to input the correct product codes) and by the technology itself (e.g., incorrect product code inputs). Which of the following is the LEAST likely response to the self-checkout technology risks described? A: Instead of implementing the new self-checkout technology, the grocery store will continue to use trained cashiers. B: Product codes are sampled and tested at least once every day by the stock employees and management and compared for accuracy. C: The risk of theft and improper product codes is already built into management's shrinkage assessment; therefore no additional response is necessary. D: Every time a customer uses the self-checkout technology, a manager will input their management PIN for the transaction to be processed, allowing management to observe the accuracy of the customer's transaction.
D
All of the following are ways to ensure that IT helps generate business value EXCEPT: A) Keeping relevant information in front of the Board and senior management B) Deciding the level of service required of IT C) Creating metrics to measure the business value of the IT department's functions D) Focusing specifically on reduced costs by measuring the cost of IT
D
Assume that Netflix, the streaming service, has put companies such as Blockbuster, a DVD rental company, out of business by staying up to date on emerging technologies and trends. Netflix's DVD business segment was discontinued due to demand, and the company took over the market. With its continued focus on providing customers with excellent service, making advancements in its technology, and monitoring its automated business processes, Netflix has been able to support millions of devices streaming its service. With this in mind, which of the following statements is true regarding Netflix's strategy? A- The performance of IT is providing business value to the organization by automating the business processes. B- Netflix is focusing on the future by staying up to date on emerging technologies. C- End-user service satisfaction is crucial in evaluating the overall IT department strategy. D- All of the above statements are part of Netflix's IT strategy.
D
Assume you are an executive manager of a manufacturing company. You are leading a meeting about formulating a new ERM strategy for the company and start by asking what the focus of the ERM should be. One by one, the people around the table offer their opinions. Person A says ERM is all about controls; we can't properly manage risk without many effective controls. Person B says it's about identifying all the risks; we can't properly manage risk without knowing what the risk is. Person C says it's about making sure the board and management are on board, because otherwise it won't be effective. Lastly, Person D says it's about achieving the company's goals while staying within the risk tolerance. Which person has the correct view of ERM? A. Person A B. Person B C. Person C D. Person D
D
Getting a cyber-insurance policy to address the risks associated with hacking, data destruction, theft, extortion, and other types of cybersecurity risk can be classified as which of the following risk response techniques? a. Avoidance b. Prevention c. Reduction d. Transfer
D
Joseph, owner of BOGO Inc., is structuring an operating plan to ensure the successful implementation of a new IT project in his business. He has three vendors to choose from for this project. He takes his list of the vendors and the software needed for the project to his company's IT Steering Committee. Which phase of the governance process is Joseph in? A) Demand Management B) Project Initiation C) Technical Review D) Procurement and vendor management
D
Suppose you are hired by an organization to help determine the feasibility of a potential IT program to be implemented in the coming months. Which group within the organization would you most likely work with on this assessment? A: The IT Steering Committee B: The Board of Directors C: The Internal Audit Function D: The Technical Steering Committee
D
The COSO-ERM was created to assist in the management of risks in an unpredictable business landscape. The eight interrelated components of the COSO-ERM provide organizations with a basis for internal controls that helps them achieve the firm's ERM objectives. Choose which unit or units the eight interrelated components of the COSO-ERM apply to. A) Entity Level B) Subsidiary and Business Unit C) Subsidiary D) Entity, Division, Business Unit and Subsidiary
D
Which of the following is the best way for a company to establish a system/process by which CPAs can protect company assets within the firm's information systems? A. Manage administrative access and segregation of duties; only grant authorization to licensed CPAs. B. Dispose of client data immediately after finishing any engagement. C. Work in the office and never take sensitive data off-site. D. Use automatic screen locking, two-factor authentication, backups of all data, etc.
D
Which of the following is LEAST likely to be a major advantage of an effective IT Governance structure? A) Greater compliance with privacy-related regulations B) Management is held responsible for developing and delivering an aligned IT strategy C) Mitigation of possible threats of business information breaches D) A structured approach for yielding a positive return on IT investment
D
Which of the following are core guidelines of ITIL? I. Design II. Operation III. Continuous Improvement A. I B. I and III C. II and III D. All of the above
D
Which of the following is a false statement about the IT Steering Committee? A. The IT Steering Committee can help ensure integration of the business and IT strategic plans. B. The IT Steering Committee should be composed of members of senior management and the CIO. C. The IT Steering Committee is responsible for determining the overall IT investment strategy. D. The IT Steering Committee must keep its processes and the establishment of new IT strategies confidential.
D
Which of the following is incorrect about IT Governance Frameworks? A. The three widely recognized best-practice IT-related frameworks are the IT Infrastructure Library, COBIT, and British Standard International Organization for Standardization/International Electrotechnical Commission 27002. B. The IT Infrastructure Library was developed as a library of best-practice processes for IT service management. C. COBIT is an IT governance framework that helps organizations meet today's business challenges in the areas of regulatory compliance, risk management, and alignment of the IT strategy with organizational goals. D. The ISO/IEC 27002 framework is a U.S. national standard that provides best-practice recommendations related to the management of information security.
D
Which of the following is incorrect about the reduction and retention of risks? A. The reduction method is frequently used with insurance to lessen the premiums. B. The risk should be spread physically so that there is a reasonably even distribution of exposure to loss over several locations. C. A study should be made to determine the maximum exposure to loss. D. A premium charge should be made against operations that are inadequate to cover losses.
D
Which of the following is not a correct management question intended to identify internal or external events? A. What could go wrong? B. What can be done about it? C. What is the potential harm? D. What makes it necessary?
D
Which of the following is not a resource to assist in the identification and evaluation of IT-related risks? A. NIST.gov. B. GAO.gov. C. Expected loss approach D. Agile Project Management
D
Which of the following is not an operating plan governance process needed to ensure the effective use of resources and delivery of IT projects? A. Demand Management B. Technical Review C. Procurement and Vendor Management D. Communication Strategies
D
Which of the following is not one of the ways that National Institute of Standards and Technology (NIST) guidelines assist federal agencies and organizations in improving their overall IT security? A) Promote a top-down approach to information security B) Allow for making risk-based determinations while ensuring cost-effective implementations C) Provide a standard framework for managing and assessing organizations' IS risks D) Monitor and review risks, risk treatments, risk objectives, obligations, and criteria
D
Which of the following is true about the IT Steering Committee? a. The committee should be composed of six members of senior management b. The COO oversees the IT strategy and the computer systems required to support the objectives and goals of the organization c. Developing communication strategies is not a task of the IT Steering Committee d. One of its major tasks is reviewing project budgets and ROIs
D
Which of the following statements is not true about building an IT balanced scorecard (IBS)? a) Only IT management needs to be on board from the start. b) Business evaluation metrics (e.g., ROI) implemented for corporate performance measurement need to be collected and analyzed. c) The IBS development process and its underlying rationale need to be communicated only to shareholders. A) a and b B) a and c C) b and c D) a, b and c
D
Why does a balanced scorecard need to have four perspectives? A) An organization's financials are not the only perspective that needs to be measured and evaluated. B) Looking at all four perspectives allows a much broader understanding of an organization and all the elements it takes to align its objectives. C) To evaluate the organization's operational efficiency and effectiveness, the business value IT is providing, the performance of IT and its readiness for future challenges, and the delivery of valuable products and services to end users. D) All of the above.
D
XYZ Company has integrated ERM. The limitations of enterprise risk management (ERM) include all of the following except: A) Well-designed ERM can break down B) Cost-benefit constraints C) Elimination of all risks D) Decreased performance variability
D
You are the new CIO of a fitness startup, and you have been tasked with creating IT performance metrics for the organization. The metrics you create should: A) Apply to specific employees so they have metrics to improve their performance. B) Align with the CEO's wishes even though his desired metrics are not exactly measurable. C) Measure every step in the business process so the organization can improve its efficiency. D) Closely align with the objectives of the organization.
D
Among the five governance processes, which one is required to be approved by both management and IT? A) Demand management B) Project initiation C) Technical review D) Procurement and vendor management E) Financial management
E