Module 2

Uploaded by

sukumar basu
Copyright
© All Rights Reserved
MODULE 2

Chapter -1 Concepts of Governance and Management of Information Systems

1. Who is responsible for establishing the right structure of decision-making accountabilities?
A. Senior management
B. Operational management
C. Chief information officer
D. IT steering committee

2. The MOST important benefit of implementing Governance of Enterprise IT is:


A. Monitor and measure enterprise performance
B. Provide guidance to IT to achieve business objectives
C. Run the companies to meet shareholders’ interest
D. Ensure strategic alignment of IT with business

3. The primary objective of Corporate Governance is:


A. Reduce IT cost in line with enterprise objectives and performance.
B. Optimise implementation of IT Controls in line with business needs
C. Implement security policies and procedures using best practices.
D. Increase shareholder value by enhancing economic performance.

4. The ultimate objective of Governance of Enterprise IT is to ensure that IT activities in an enterprise are directed and controlled to achieve business objectives for meeting the needs of:
A. Shareholders
B. Stakeholders
C. Investors
D. Regulators

5. Which of the following is a key component of Corporate Governance?


A. Employee rights
B. Security policy
C. Transparency
D. Risk assessment

6. Effective Governance of Enterprise IT requires processes to ensure that:


A. risk is maintained at a level acceptable for IT management
B. the business strategy is derived from an IT strategy
C. IT governance is separate and distinct from the overall governance
D. the IT strategy extends the organization's strategies and objectives.

7. Business Governance helps the Board by enabling them to understand:


A. enterprise functions
B. risk assessment
C. key performance drivers
D. Key controls

8. The effectiveness of the IT governance structure and processes is directly dependent upon the level of involvement of:
A. Heads of Business units
B. Internal auditor department
C. Technology management
D. Board/senior management

9. Which of the following is one of the key benefits of EGIT?


A. Identification of relevant laws, regulations and policies requiring compliance.
B. Improved transparency and understanding of IT’s contribution to business
C. Better utilization of human resources by using automation
D. Increased revenues and higher Return on investments.

10. Which of the following is the primary objective for implementing ERM?
A. Implement right level of controls.
B. Better availability of information.
C. Tighter security at lower cost.
D. Implement IT best practices.

Q. 6. Enterprise governance and Governance of Enterprise IT require a balance between:
A. Compliance and return on investment expected by shareholders
B. Profit maximization and wealth maximization as decided by board
C. IT risks and cost of implementing IT controls as set by IT
D. Conformance and performance goals as directed by the board.

Chap-2 GRC Frameworks and Risk Management Practices

1. The most important requirement for IT governance function to be effective is:


A. Monitoring
B. Evaluation
C. Directing
D. Managing

2. The MOST important benefit of implementing IT risk management process is that it helps in:
A. optimizing internal control framework.
B. ensuring residual risk is at acceptable level.
C. prioritizing business functions for audit planning.
D. complying with regulatory requirements.

3. Which of the following is a major risk factor?


A. Existence of inflationary trends.
B. Vendor launches new software.
C. Board of directors elects new chairman.
D. Change in government post elections.

4. The level to which an enterprise can accept financial loss from a new initiative is:
A. Risk tolerance
B. Risk management
C. Risk appetite
D. Risk acceptance

5. Designing and implementing a control to reduce the likelihood and/or impact of risk
materializing is a:
A. Risk acceptance
B. Risk transfer
C. Risk treatment
D. Risk transfer

6. Which of the following is a valid risk statement?


A. Network service provider is unable to meet bandwidth.
B. Hacker attempts to launch attack on web site.
C. Application server crash due to power failure.
D. Delay in servicing customers due to network congestion.

7. Which of the following is the primary reason for periodic review of risk? The changes in:
A. risk factors
B. risk appetite
C. budget
D. risk strategy

8. Which of the following is a strategic IT risk?


A. IS audit may not identify critical non-compliance.
B. Non-availability of networks impacting services to customers.
C. New application may not achieve expected benefits.
D. Defer replacement of obsolete hardware.

9. Which of the following is the most essential action after evaluation of inherent risks?
A. Evaluate implemented controls.
B. Update risk register.
C. Prepare heat map.
D. Prioritize evaluated risk.

Chap-3 Key Components of A Governance System


1. Which of the following is the most important resource of the organization?
A. Policies and procedures
B. IT infrastructure and applications
C. Information and data
D. Culture, ethics and behaviour

2. Which of the following is the most important characteristic of policies?
A. Must be limited in number.
B. Requires framework to implement.
C. Reviewed periodically.
D. Non-intrusive and logical.

3. Primary function of a process is to:
A. Act on input and generate output.
B. Define activities to be performed.
C. Focus on achieving business goals.
D. Comply with adopted standards.

4. Effective organizational structure focuses on:


A. Defining designations.
B. Delegating responsibility.
C. Defining escalation path.
D. Deciding span of control.

5. Prioritization of IT initiatives within organization is primarily based on:


A. Results of risk assessments
B. Expected benefit realization
C. Recommendations of CIO
D. Rate of obsolescence of IT

6. Primary objective of IT steering committee is to:


A. Align IT initiatives with business
B. Approve and manage IT projects
C. Supervise IT and business operations
D. Decide IT strategy for organization

7. Which of the following is the best control for building requisite skills and competencies within the organization?
A. Hiring only highly qualified people
B. Outsourcing the critical operations
C. Conducting skill enhancement training
D. Defining skill requirements in job description

Chap 4 Key Components of A Governance System

1. Which of the following is the best approach for monitoring the performance of IT resources?
A. Compare lag indicators against expected thresholds
B. Monitor lead indicators with industry best practices
C. Define thresholds for lag indicators based on long term plan
D. Lead indicators have corresponding lag indicator.

2. Performance monitoring using a balanced scorecard is most useful since it primarily focuses on:
A. Management perspective
B. Product and services
C. Customer perspectives
D. Service delivery processes

3. Which of the following is considered as an example of a lead indicator?


A. Number of gaps with respect to industry standard.
B. Comparative market position of organization.
C. Percentage of growth achieved over three years.
D. Improvement in customer satisfaction survey.

4. The PRIMARY objective of baselining IT resource performance with business process owners is to:
A. define and implement lead and lag indicators.
B. ensure resource planning is aligned with industry.
C. assess cost effectiveness of outsourcing contracts.
D. benchmark expected performance measurement.

5. Which of the following is the BEST measure to optimize performance of skilled IT human resources?
A. Include personal development plan in job description.
B. Document personal expectations during exit interviews.
C. Implement ‘Bring Your Own Device (BYOD)’ policy.
D. Monitor performance measure against baseline.

6. IT resource optimization plan should primarily focus on:


A. Reducing cost of resources
B. Ensuring availability
C. Conducting training programs
D. Information security issues

7. The PRIMARY objective of implementing performance measurement metrics for information assets is to:
A. decide appropriate controls to be implemented to protect IT assets.
B. compare performance of IT assets with industry best practices.
C. determine contribution of assets to achievement of process goals.
D. determine span of control during life cycle of IT assets.

8. Which of the following is the PRIMARY purpose of optimizing the use of IT resources
within an enterprise?
A. To increase likelihood of benefit realization.
B. To ensure readiness for future change.
C. To reduce cost of IT investments.
D. To address dependency on IT capabilities.

9. While monitoring the performance of IT resources, the PRIMARY focus of senior management is to ensure that:
A. IT sourcing strategies focus on using third party services.
B. IT resource replacements are approved as per IT strategic plan.
C. key goals and metrics for all IT resources are identified.
D. resources are allocated in accordance with expected performance.

10. An organization is considering deploying an application using cloud computing services provided by a third-party service provider. The MAIN advantage of this arrangement is that it will:
A. minimize risks associated with IT
B. help in optimizing resource utilization.
C. ensure availability of skilled resources.
D. reduce investment in IT infrastructure.

Chap 5 Business Continuity Management

1. Which of the following is MOST important to have in a disaster recovery plan?


A. Backup of compiled object programs
B. Reciprocal processing agreement
C. Phone contact list
D. Supply of special forms

2. Which of the following BEST describes the difference between a DRP and a BCP? The DRP:
A. works for natural disasters whereas BCP works for unplanned operating incidents such as technical failures.
B. works for business process recovery and information systems whereas BCP works only for information systems.
C. defines all needed actions to restore to normal operation after an unplanned incident whereas BCP only deals with critical operations needed to continue working after an unplanned incident.
D. is the awareness process for employees whereas BCP contains procedures to recover the operation.

3. The MOST significant level of BCP program development effort is generally required
during the:
A. Early stages of planning.
B. Evaluation stage.
C. Maintenance stage.
D. Testing Stage.

4. An advantage of the use of hot sites as a backup alternative is:


A. The costs related with hot sites are low.
B. That hot sites can be used for a long amount of time.
C. That hot sites do not require that equipment and systems software be compatible
with the primary installation being backed up.
D. That hot sites can be made ready for operation within a short span of time.

5. All of the following are security and control concerns associated with disaster recovery
procedures EXCEPT:
A. Loss of audit trail.
B. Insufficient documentation of procedures.
C. Inability to restart under control.
D. Inability to resolve system deadlock.

6. As updates to an online order entry system are processed, the updates are recorded on
a transaction tape and a hard copy transaction log. At the end of the day, the order
entry files are backed up onto tape. During the backup procedure, the disk drive
malfunctions and the order entry files are lost. Which of the following are necessary to
restore these files?
A. The previous day's backup file and the current transaction tape
B. The previous day's transaction file and the current transaction tape
C. The current transaction tape and the current hardcopy transaction log
D. The current hardcopy transaction log and the previous day's transaction file

7. An IS auditor reviewing an organisation's information systems disaster recovery plan should verify that it is:
A. Tested every 1 month.
B. Regularly reviewed and updated.
C. Approved by the chief executive officer
D. Approved by the top management

8. Which of the following offsite information processing facility conditions would cause an
IS auditor the GREATEST concern?
A. Company name is clearly visible on the facility.
B. The facility is located outside city limits from the originating city.
C. The facility does not have any windows.
D. The facility entrance is located in the back of the building rather than the front.

9. Which of the following methods of results analysis, during the testing of the business
continuity plan (BCP), provides the BEST assurance that the plan is workable?
A. Quantitatively measuring the results of the test
B. Measurement of accuracy
C. Elapsed time for completion of prescribed tasks
D. Evaluation of the observed test results
