COBIT Flashcards

1
Q

COBIT: Control Objectives for Information and Related Technology
COBIT 5 goals cascade: how do stakeholder needs flow down to enterprise goals, IT-related goals and enabler goals?

A
Stakeholder Drivers (influence)
Stakeholder Needs (cascade to)
   Governance objective: Value Creation, which balances
     Realization of Benefits
     Optimization of Risk
     Optimal Use of Resources
Enterprise Goals (cascade to)
IT-Related Goals (cascade to)
Enabler Goals
2
Q

COBIT 5 governance objective: what is the most basic stakeholder need, and how is it achieved?

A

COBIT 5 has five principles.
It asserts that value creation is the most basic stakeholder need and the fundamental goal of any enterprise.
Value creation in this model is achieved by balancing three components:
Realization of benefits
Optimization (not minimization) of risk
Optimal use of resources

3
Q

COBIT 5 What are the 5 Key Principles

A
  1. Meeting stakeholder needs
  2. Covering the Enterprise End to End
  3. Applying a Single Integrated Framework (COBIT 5 aligns with and integrates other relevant standards and frameworks, such as ISO/IEC 27000, ITIL and COSO, so the enterprise works from one overarching framework rather than several competing ones)
  4. Enabling a Holistic Approach (enablers)
  5. Separating Governance from Management
4
Q

Enabling a Holistic Approach: What are the seven categories of enablers that support comprehensive IT governance and management?

A

Notice they are like the control environment characteristics in COSO

  1. Principles, Policies and Frameworks
  2. Processes
  3. Organizational Structures
  4. Culture, Ethics and Behavior
  5. Information
  6. Services, infrastructure and applications
  7. People, skills and competencies

The last three are classified as resources, the use of which must be optimized.

5
Q

Of the seven categories of enablers, which are resources whose use must be optimized?

A

Information
Services, Infrastructure and Applications
People, Skills and Competencies

6
Q

Separating Governance from Management: What are management's four responsibility areas?

A

Plan (Align, Plan and Organise)
Build (Build, Acquire and Implement)
Run (Deliver, Service and Support)
Monitor (Monitor, Evaluate and Assess)

Governance, by contrast, covers Evaluate, Direct and Monitor (EDM).

7
Q

Goals for the Information Security Program

A

Confidentiality
Availability
Integrity

8
Q

Steps to Creating an Information Security Plan

A

Identify threats
Identify risks
Design controls to compensate
Incorporate the controls into a coherent, enterprise-wide plan
Set forth policies so that people, both internal and external users, are aware of expectations

9
Q

COBIT 5 - Steps in creating the information security plan. What are the two phases of risk analysis? P. 378

A

Determining the likelihood that the risk materializes
Determining the level of damage that could be done

Example: Sabotage could be very damaging, but its likelihood is low

10
Q

The Depreciation tax shield is?
Cash provided by recording depreciation.
A reduction in income taxes.

A

The answer is a reduction in income taxes.

Though it does contribute to cash flow, I guess the cash isn't "provided"; it's just shielded from being an outflow.

11
Q

What are generic controls?

A

Generic IT controls can be classified the same three ways internal controls traditionally are:
Preventive
Detective
Corrective

12
Q

Preventive Controls: two types

A

Physical and Logical

13
Q

Physical Controls are _________ controls

A

Preventive controls (one of the two types of preventive control; the other is logical)

14
Q

Logical Controls Are _________ controls

A

Preventive controls (one of the two types; the other is physical)

15
Q

Physical Preventive Control Examples

A

Fences
Locked doors
Security guards
Segregation of duties policy

16
Q

What type of IT control is a segregation of duties policy

A

Physical preventive control (really?) It’s from the Gleim book.

17
Q

What are some examples of logical preventive controls?

A

These are the input controls listed below. They make sure data is authorized, complete and accurate. There are online input controls and batch input controls.

Authorization (e.g., the AP supervisor authorizes a batch before it is submitted for recording)
Controls programmed into the system, also known as edit routines:
- Preformatting
- Edit (field) checks
- Limit (reasonableness) checks and range checks
- Validity checks
- Sequence checks
- Closed-loop verification
- Check-digit verification

18
Q

Edit Check: other name, type of check

A

Also called a field check; an input control, preventive

No invalid characters, e.g., no letters in Social Security numbers

19
Q

Limit Checks: other name, type, example

A

Reasonableness check; preventive input control

Hours worked cannot exceed 80 without authorization

20
Q

Validity Checks: type, example

A

Input control, preventive

The vendor must be in the master file

21
Q

Sequence Checks: type, example

A

Input, preventive
Sort files on a key before matching: the accounts payable transaction file and the master file are sorted by vendor number and must be in that order, which is checked before matching.

22
Q

Closed-Loop Verification: type, example

A

Input, preventive

After a code is keyed (e.g., a vendor number), the system looks up the related description (the vendor's name) and displays it back to the operator, who confirms the intended record was entered before the transaction is accepted.

23
Q

Check Digit: example, other name

A

Also called a self-checking digit; an input control, preventive
An extra digit computed by an algorithm from the other digits of a number (e.g., an account or vendor number) and appended to it; the system recomputes it on entry
Used to catch keying errors such as dropped and transposed digits

24
Q

Zero Balance Checks: type, example

A

Input, preventive

Reject any entry where the debits and credits do not net to zero (the sum of all debits and credits, with credits negative, must equal 0)
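Added example, not from the Gleim book or this card set: the edit routines from the input-control cards above (edit/field check, limit and range check, validity check, closed-loop verification, sequence check, check digit and zero-balance check) as working Python over a constructed vendor master file. The vendor numbers, the Luhn/mod-10 algorithm used for the check digit, and the invoice record layout are assumptions made here for illustration; the cards name none of them.

```python
"""Input edit routines ("edit checks") as logical preventive controls.

Added example over constructed sample data (not code from the page or any AP
package): each routine returns None when the input passes or a message when it
fails, and edit_invoice() collects the messages the way an online input screen
or a batch edit run would before a record is accepted for processing.
"""
from __future__ import annotations

import re
from typing import Optional

# Constructed vendor master file, vendor number -> name. Assumption: a vendor
# number is a 6-digit base plus one mod-10 (Luhn) check digit.
VENDOR_MASTER = {
    "1234566": "Acme Supply",
    "2000016": "Baker Freight",
    "3000072": "Cobb Tooling",
}


def luhn_check_digit(base: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits. The card only says a
    check digit 'uses an algorithm'; Luhn is assumed here as one common choice."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting at the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def check_digit_ok(number: str) -> bool:
    """Check-digit verification: catches dropped and transposed digits when a
    number is keyed."""
    if not (number.isdigit() and len(number) >= 2):
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def field_check_ssn(ssn: str) -> Optional[str]:
    """Edit (field) check: an SSN field holds digits only, ddd-dd-dddd or 9 digits."""
    if re.fullmatch(r"\d{3}-\d{2}-\d{4}|\d{9}", ssn):
        return None
    return f"field check: invalid characters or format in SSN {ssn!r}"


def limit_check_hours(hours: float, authorized: bool = False) -> Optional[str]:
    """Limit (reasonableness) check plus a range check: hours must be 0..80
    unless a supervisor has authorized the excess."""
    if hours < 0:
        return f"range check: hours worked cannot be negative ({hours})"
    if hours > 80 and not authorized:
        return f"limit check: {hours} hours exceeds 80 without authorization"
    return None


def validity_check_vendor(vendor_no: str) -> Optional[str]:
    """Validity check: the vendor must exist in the master file."""
    if vendor_no in VENDOR_MASTER:
        return None
    return f"validity check: vendor {vendor_no} is not in the master file"


def closed_loop_description(vendor_no: str) -> Optional[str]:
    """Closed-loop verification: look up the keyed code and return the master
    file's description so the operator can confirm the intended vendor."""
    return VENDOR_MASTER.get(vendor_no)


def sequence_check(keys: list[str]) -> Optional[str]:
    """Sequence check: a transaction file must be in key order before matching."""
    for prev, cur in zip(keys, keys[1:]):
        if cur < prev:
            return f"sequence check: {cur} follows {prev}; file is not in key order"
    return None


def zero_balance_check(lines: list[tuple[str, float]]) -> Optional[str]:
    """Zero-balance check: debits (positive) and credits (negative) must net to 0."""
    net = round(sum(amount for _, amount in lines), 2)
    return None if net == 0 else f"zero-balance check: entry out of balance by {net:+.2f}"


def edit_invoice(record: dict) -> list[str]:
    """Run the edit routines for one AP invoice; an empty list means accept it."""
    vendor_no = record["vendor_no"]
    results = [
        field_check_ssn(record["payee_ssn"]),
        limit_check_hours(record["hours"], record.get("authorized", False)),
        None if check_digit_ok(vendor_no) else f"check digit: {vendor_no} fails mod-10",
        validity_check_vendor(vendor_no),
        zero_balance_check(record["lines"]),
    ]
    return [r for r in results if r is not None]
```

A transposed vendor number ("1234656" for "1234566") fails the check digit before the master-file lookup even runs, which is the point of putting the cheap arithmetic check first; the error listing that edit_invoice returns is the same list an exception report would print.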

25
Q

Mutually Exclusive

There was a question that asked for the present value of two projects; what should you watch out for?

A

There was a lot of math figuring out the present value, then it asked which project to take. Both had present values, but if you failed to notice it said mutually exclusive, and that you could only pick one, you'd have got it wrong.

26
Q
What is an internal rate of return?
time-adjusted ROR
accounting ROR
payback period
net present value
A

Time-adjusted ROR. Notice that IRR is not an NPV; it's a rate, not a net amount.

27
Q

Advantage of the IRR over the accounting ROR
recognition of salvage value
emphasis on cash flows
recognition of time value of money

A

Hey, guess what: the accounting ROR considers salvage too.
The accounting ROR cares about income, not so much cash flows.
Time value of money: the answer is options 2 and 3.

28
Q

Who cares about cash flows, and who cares about net income?

A

IRR - cash flows

Accounting ROR - net income

29
Q

Formula for Accounting ROR

A

Average increase in accounting net income ÷ Required investment, where the numerator is Annual cash flow − Depreciation

30
Q

How is salvage value handled in IRR and Accounting ROR?

A

IRR: discount it back. Interesting, though: do you discount it back if you figure out the depreciation, the depreciation "shield"?

Accounting: if you're figuring the depreciation, you take off the salvage value; as far as how ties are handled, I'm not sure.

31
Q

Salvage Value
IRR?
Accounting ROR?

A

Yes both

32
Q

Depreciation
IRR
Accounting ROR

A

Yes, both
IRR: definitely use the depreciation tax shield
Accounting ROR: use salvage value to get the annual depreciation and subtract it from the annual cash flow to get the increase in net income

33
Q

ARR is not a cash flow calculation; it's a net income calculation.
That being the case, I think you use salvage to get the depreciation but ignore the income tax effects of the depreciation shield.

A

I have to get with this because I can’t get a straight answer out of the examples.

34
Q

Capital Budgeting - Two types of depreciation, one is relevant, other isn’t

A

Tax depreciation is relevant

Book is not

35
Q

Do not spend a lot of time on an accounting ROR question.

Tam is negotiating to purchase equipment that would cost $100,000 and would save $20,000 in after-tax cash costs (what should you notice here?). The equipment's useful life is 10 years with no residual value, and it would be depreciated by the straight-line method. What is the accrual accounting ROR?

A

It says "after-tax" cash costs. Now, I would assume that means what you save in total cash after the depreciation is factored into the savings, but it doesn't: it means we saved this much in cash expenses, but you haven't considered the extra cost you're going to have for depreciation on the new machine. So the calculation is:

Hey, we have $20,000 less in expenses.
But we have $10,000 more in depreciation.
So we're ahead by 10 grand, or 10% of the $100,000.

36
Q

You figured out the accounting rate of return; now what do you compare it to?

A

I don't know; I'm assuming the average cost of capital, or maybe it's just that it's positive.

Looks like you compare it to the company's book rate of return.

37
Q

The accounting rate of return: why is it bad?

A

They can choose different methods of depreciation.
The problem with comparing it to the company's book rate is that the book rate is an average return on capital projects, which are a combination of good and bad ones.

38
Q

When doing capital budgeting problems, you must take into account not only the extra income, but what else?

A

The extra costs for depreciation.

39
Q

Accounting ROR

A

Average increase in accounting net income
divided by
Required investment

The denominator is the required investment, not an average.

40
Q

Detective Controls: Definition

A

Call attention to errors that are already in the system before they cause a negative outcome

And

Call attention to someone trying to get into the system or using the system improperly

41
Q

Detective Controls: Examples

A

Examination of console logs
Examination of system logs (e.g., failed login attempts): not really an error entered into the system now, is it?
Output controls: transaction logs, error listings, record counts, run-to-run totals

42
Q

What are Output Controls? (other name, examples)

A
Detective Controls
Transaction Log
Error Listing
Record Counts
Run-to-Run Controls
43
Q

Run-to-Run Control: What type is it, and what category is it?

A

Detective Output Control

The new financial balance should be the sum of the old balance plus the activity that was just processed.

44
Q

Error Listing: What type/category is it? Example.

A

Detective Output Control

Exception report with all the transactions rejected by the system

45
Q

Record Count: What category/type?

A

Detective Output Control

Does the count match the number of records the user expected to be processed?

46
Q

Transaction Log: type/category/example

A

Detective Output Control

Who logged into the application and did what

47
Q

Detective Output Controls Mnemonic

A
TERR2R
Transaction Logs
Error Listings (rejections)
Record Counts
Run-to-Run
48
Q

Distinguish input from output controls: how?

A

The input controls are narrow and specific: this field was entered wrong, this number was transposed, this batch total is wrong.

The output controls are much more general and come after the trigger is pulled. I really don't see why. It's tough, because I just pulled up a slide that says "error reporting and handling is an input control" and the Gleim book says error listings are output controls.

49
Q

Signatures on batch forms or source documents
Online access controls
Unique passwords

All of these are what type of control?

A

Input authorization control

50
Q
What are these examples of?
Batch control totals
Total monetary items
Total items
Total documents
Hash totals
A

Batch input controls

51
Q

Input, Processing, Output
There are many in the same category; it depends on the timing.
Don't worry about input vs. processing vs. output, or if you have to guess, use the timing idea.

A

If it gives immediate feedback, I'd say it's an input control.
If it's after the data is entered, then it's a processing control.
All are built into the system.

52
Q

If it's a validity control it's ___________; if it's a validation control it's __________

A

Vendor exists (validity check)

Validity = Input
Validation = Processing

Now, how do you remember? I don't know; validation sounds later?

53
Q

List of Processing Controls

A

Processing controls:
Validation (it's a validity check if it's an input control)
Completeness (are all the data there in the record?)
Arithmetic (cross-footing; zero balance, debits and credits equal)
Sequence
Run-to-Run (can also be output; again, if it occurs at the end it's output)*
Key Integrity (don't know what this is)

*So if you do a run-to-run along the way, like checking the batch total after each stage of processing, then it's a processing control; if you take the beginning balance, add the activity and check the ending balance, it's an output control.

54
Q

Batch Controls: Input

A

Management release
Record count: the batch is not released for processing until the record count agrees
Financial total: the batch is not released for processing unless the total of the batch agrees with the user-calculated total
Hash total: sum of a numeric field (e.g., Social Security numbers) that is meaningless in itself but shows all records have been entered. It says hash totals can be followed through processing, but I don't see examples of hash totals as anything but input controls.

55
Q

Input, Processing, Output: how to tell the difference

A

Look at the timing: if the check happens before processing it's an input control; if during processing, a processing control; if at the end of the run, an output control.

56
Q

Two broad groups of IT Controls

A

General and Application