Chapter6 - Exam Question 1

Uploaded by

space20041019

Chapter-6 Examination

Name: ___________

Chapters  | Marks | Pass/Fail | Pass Marks | Full Marks
Chapter 3 |       |           | 13 marks   | 25 marks


1. As a part of internal control, access management conforming to the segregation of duties
is implemented. During the development of the information system, which of the
following is an appropriate process in which the design of access management is started?
a) Requirements definition
b) Programming
c) Test
d) After operation start

2. During a systems audit, systems auditors who are independent of the audit target inspect
and evaluate the information systems comprehensively from an objective viewpoint. As
a result of the systems audit requested by the management of a company, some problems
are found in the effectiveness of the current information systems. Who are the most
appropriate persons to whom the systems auditor gives advice and makes
recommendations?
a) Stockholders b) Jurisdictional authority
c) Management d) System users

3. Which of the following is an act that is inappropriate in light of the code of professional
ethics of a systems auditor?
a) Checking the findings of a business operations audit by an auditor
b) Audit based on a contingent fee contract
c) Joint audit with another auditor having specialized knowledge
d) Checking the contents of an audit report of another auditor who performed the audit
the previous year

4. Which of the following is an explanation of facility management?
a) It refers to the monitoring of compliance with SLAs and their periodical reviewing,
for the purpose of maintaining and managing IT service levels.
b) It refers to a method for optimizing ownership, operation, maintenance, etc. of
buildings and physical IT infrastructures from a business standpoint.
c) It refers to the continuous improvement of business processes to increase the quality
of products and services.
d) It refers to sharing and managing information across the departments and the
companies that participate in the series of processes from component procurement to
manufacturing, distribution, and sales.

5. Within IT service management, IT service continuity management is an activity for
minimizing negative impacts of disasters, etc. on business. Which of the following
corresponds to the A (Act) of the PDCA cycle in IT service continuity management?
a) Creating recovery plans that define recovery methods for the continuation of IT
services
b) Implementing regular education and training for staff members, assuming that
disasters occur
c) Reviewing and testing the content of recovery plans to verify them
d) Revising recovery plans if necessary, based on the results of reviewing and testing

6. A company implements service level management for the operation of a new system.
Which of the following is an appropriate description concerning the goals of service
level management?
a) A third party independent from the users and the provider monitors the service to
prevent degradation of the service level.
b) The users and the provider agree on the service level, and maintain and improve it.
c) The quality level of the provided service is raised, on the condition that no additional
cost is incurred.
d) The users determine the level to which the provided service contributes to the
business.

7. In IT service management, which of the following is appropriate as a process for
resolving the root causes of incidents and preventing their recurrence?
a) Incident management
b) Change management
c) Problem management
d) Release management

8. Which of the following is the term for the assignment of employees' roles that applies
mutual restraint among employees for the purpose of reducing the risk of misconduct
or errors in work from the standpoint of internal control?
a) Delegation of authority
b) Segregation of duties
c) Monitoring
d) Diversification of risk

9. Which of the following is an appropriate description concerning evaluations in systems
audit?
a) Areas for which there is no audit evidence are evaluated through inference.
b) Evaluation must be based on audit evidence.
c) Evaluation is performed according to the views of the system user department.
d) Evaluation is performed according to the views of the audited department.

10. Which of the following is the most appropriate as a method for verifying that controls
for information system risk are properly implemented and operated?
a) BCP
b) ITIL
c) IT governance
d) Systems audit

11. Which of the following is the person who audits the financial documents that are created by a
company?
a) Accounting auditor
b) System auditor
c) Legal profession
d) Certified tax accountant

12. Among the management functions for service support, which of the following is the process of
identifying all IT assets such as hardware and software, and creating and maintaining an up-to-date
record of those IT assets including related documentation or such other information?
a) Configuration management
b) Incident management
c) Problem management
d) Release management

13. Which of the following is the framework that describes a collection of best practices of IT service
management?
a) ISO 14001
b) ISO 27001
c) ITIL
d) PMBOK

14. For confidential information that is managed in an information system, which of the following is an
appropriate measure that is performed from the facility management perspective against leakage?
a) Installation of antivirus software
b) Entrance and exit control for a building that has a computer room
c) ID and password management for information systems
d) Encryption of electronic documents

15. Which of the following is an appropriate description of internal control?
a) A process that is performed by all persons within a company in order to ensure the effectiveness
and efficiency of business operations, reliability of financial reporting, compliance, and safeguarding
of assets
b) A process where a manager who is entrusted with business management raises funds from a
financial institution and buys shares from the shareholders of a parent company in order to obtain a
controlling interest.
c) An approach to both work and personal life outside of work where an attempt is made to sacrifice
neither work nor personal life and to keep a good balance between both of them in a fulfilling way
d) A measure taken by an organization in order to achieve the target of organizational activities, and a
method that aims for the optimization of business activities and systems

16. Which of the following is an activity that is performed by a service provider and is effective for the
improvement of availability?
a) Measurement of response time
b) Monitoring of failure occurrence
c) Management of the server configuration used by the organization
d) Recording of the modification history of a program

17. Which of the following is the most appropriate explanation of IT governance?
a) It is the organizational abilities of a company to control the creation and execution of its IT
strategy with the purpose of building competitive superiority, and to lead it in the ideal direction.
b) It is the implementation and management of a good quality IT service that meets
business needs.
c) It is an activity in which a third party that is neither an involved party nor its
management verifies that the implementation and operation of risk control concerning
information systems are appropriate.
d) It is the application of the knowledge, skills, tools, and techniques to project activities
in order to meet the requirements of the project.

18. When an audit is classified as a business operations audit, systems audit, or information
security audit, which of the following is an appropriate combination of the classifications
of audit and descriptions A through D concerning the purpose of the audits?
A It evaluates whether financial statements accurately show information such as the
assets and profit and loss of the organization.
B It evaluates whether controls for risks concerning information systems are
implemented and operated appropriately on the basis of a risk assessment, including
from the perspective of information security.
C It evaluates the status of implementation and operation of appropriate controls on the
basis of a risk assessment so that risk management concerning information security is
implemented effectively.
D It evaluates the implementation status of all operations except accounting operations,
such as the organization's manufacturing and sales.

19. Which of the following is an appropriate activity for planning and implementing the
points described below in order to maintain and preserve the project room and equipment
used for system development?
A chamber to ensure confidentiality of test data is set up within a project room, and
entrance and exit is controlled. The server that is set up for testing is connected to an
uninterruptible power supply in order to prevent data loss due to a power outage.
a) Asset management
b) Environment management system
c) Quality management system
d) Facilities management

20. Which of the following activities aims at the maintenance and improvement of the
service level through monitoring and review of the service status in order to implement
the terms of agreement of an SLA?
a) CSR
b) ERP
c) SLM
d) SWOT

21. Which of the following is appropriate as an example of an item for evaluating the service
level of a service desk that receives queries from system users over the telephone?
a) Cost of the service
b) Number of system failures
c) Availability of the system
d) Response time for queries

22. Which of the following is the main task of a service desk?
a) Investigating and analyzing system utilization to evaluate the IT service level
b) Investigating the cause of bugs to improve the quality of application software
c) Conducting interviews to collect computerization needs for future system planning
d) Responding to inquiries, such as system failures, for enhanced user convenience

23. Which of the following is the role of a system auditor?
a) Undertaking the operations, monitoring, and maintenance of the information systems owned by a
company
b) Proposing and implementing a computerization strategy in a company in accordance with the
management principles
c) Undertaking collectively the implementation and installation of information systems
d) Verifying or assessing the information system of an organization from an independent and
professional standpoint.

24. Among the policies of facility management concerning an information system in a BCP (Business
Continuation Plan), which of the following is the policy that is based on the assumption that a data
center stops for a long period of time because of a huge earthquake?
a) A backup center for periodic synchronization of the data is located at a remote site.
b) A UPS is connected to the servers as a backup power-supply in the data center.
c) The servers are installed on an upper floor in preparation for a tsunami.
d) The various types of redundant equipment or devices are installed in the data center

25. Which of the following is an appropriate segregation of duties in view of internal control?
a) A single activity is performed by several persons on the basis of division of labor.
b) The managers give authority to their subordinates because of long absence.
c) The remaining activity of a person on an early shift is transferred to another person.
d) The rules are set forth so as not to be approved by the applicants themselves.
