1. CISA Chapter 2
Group 2:
Moch. Aqmal Rasyadan Reza Putra - 05211940000026
Ibadurrahman Ziaulhaq - 05211940000052
Ahmad Faiq - 05211940000070
Faros Nabilah Zaim - 05211940000079
2. 1. The Software Engineering Institute’s Capability
Maturity Model (CMM) is best described by which
of the following options?
A. Measurement of resources necessary to ensure a reduction in coding defects
B. Documentation of accomplishments achieved during program development
C. Relationship of application performance to the user’s stated requirement
D. Baseline of the current progress or regression
5. 2. Which of the following options contains the
steps for business process reengineering (BPR) in
the proper sequence?
A. Diagnose, envision, redesign, reconstruct
B. Evaluate, envision, redesign, reconstruct, review
C. Envision, initiate, diagnose, redesign, reconstruct, evaluate
D. Initiate, evaluate, diagnose, reconstruct, review
7. Explanation
BPR Application Steps:
1. Envision (Visualize a need)
2. Initiate (Focus on planning the collection)
3. Diagnose (Reviewing each process to calculate the value it creates)
4. Redesign (Ensure that the strategic objectives are met)
5. Reconstruct (The implementation phase)
6. Evaluate (Monitoring to ensure that it works and is producing the strategic
value)
Ch.2 p117-118
8. 3. What is the name of the decentralized control
method enabling someone to make a decision
based on their own options?
A. Executive
B. Discretionary
C. Detailed
D. Mandatory
Ch.2 p108
11. 4. What would be the area of greatest interest
during an audit of a business process
reengineering (BPR) project?
A. The steering committee approves sufficient controls for fraud detection.
B. Planning methods include Program Evaluation Review Technique (PERT).
C. Risk management planning alignment of the project to business objectives.
D. Vendor participation, documentation, installation assistance, and training.
13. Explanation
The steering committee provides guidance to IT concerning business objectives. A
risk management plan must be in use for every BPR project. The purpose of risk
management is to determine whether the project can actually fulfill a business
objective. The second part of risk management is to determine whether the
organization will be able to complete the project and generate the desired results.
Frankly, most major disasters are caused by a domino effect of a tiny failure
multiplying into numerous failures that become catastrophic. Overall, situations of
high risk require a method to ensure that the problem receives adequate
consideration and the appropriate level of effort to prevent an unfortunate outcome.
14. 5. What is the correct sequence for benchmark
processes in business process reengineering (BPR)
projects?
A. Plan, research, observe, analyze, adapt, improve
B. Research, test, plan, adapt, analyze, improve
C. Plan, observe, analyze, improve, test
D. Observe, research, analyze, adapt, plan, implement
17. 6. The Capability Maturity Model (CMM) contains
five levels of achievement. Which of the following
options contains three of the levels in proper
sequence?
A. Initial, Managed, Repeatable
B. Initial, Managed, Defined
C. Defined, Managed, Optimized
D. Managed, Defined, Repeatable
19. 7. The organization’s ___ is focused on exploiting
trends forecast in the next three to five years
A. Strategy
B. Long‐term planning
C. Operational plan
D. Managerial plan
21. Explanation
A strategy provides the answer to “what business” the organization wants
to be in. The strategy is based on scenario planning and forecasting
to change the organization's structure, priorities, locations, and staffing. This can
result in decisions to buy, sell, or consolidate.
22. 8. Which of these is not the purpose of the ISO 15489
standard for a records management system?
A. Define the legal definition of the minimum handling requirements for data
records.
B. Provide a legal standard of negligence and culpability.
C. Eliminate the need for a detailed classification list of each data set.
D. Define governance responsibilities during the life cycle of data.
24. Explanation
ISO 15489-1:2016 defines the concepts and principles from which approaches to the
creation, capture, and management of records are developed. This part of ISO 15489
describes the concepts and principles relating to the following:
a) records, metadata for records and records systems;
b) policies, assigned responsibilities, monitoring and training supporting
the effective management of records;
c) recurrent analysis of business context and the identification of records requirements;
d) records controls;
e) processes for creating, capturing and managing records.
25. 9. What is the primary technique for reporting
compliance with key requirements in operations?
A. Technical recommendations from IT
B. Identify business issues and governance objectives
C. COBIT performance framework
D. Individual elements created from contracts and regulations
27. Explanation
Using a compliance matrix, the points the client has
committed to in signed contracts, advertised service
levels, and specific points in regulations will
determine the most important service elements needed
to support business operations.
28. 10. Which of these strategies is used in business
process reengineering with an incremental approach?
A. Bottom‐up
B. End‐state
C. Unconstrained
D. Top‐down
30. Explanation
The incremental approach uses bottom-up modeling
of existing processes. The focus is on making gradual
changes to the current process by identifying opportunities
for improvement.
31. 11. During the selection of a BPR project, which of the
following is the ideal target with the highest return?
A. Marginal process
B. Nonworking process
C. Working process
D. Excluded process
34. 12. Who sets the priorities and objectives of the IT
balanced scorecard (BSC)?
A. Chief information officer (CIO)
B. Chief financial officer (CFO)
C. Chief executive officer (CEO)
D. IT steering committee
36. Explanation
The BSC is intended to provide a unifying approach
to how the CEO expects business processes to
interact across the organization. The IT BSC is part of
the CEO's overall enterprise scorecard. The CEO or COO
will control decisions in order to eliminate
waste and prevent self-directed decisions
by department managers.
37. 13. Which of the following is not an advantage of a
mature project management office (PMO)?
A. Advanced planning assistance
B. Master project register
C. Coordination of projects across departments
D. Independent projects
39. Explanation
A. Within a mature PMO will be a pool of technical specialists. These specialists
will know how to run advanced project‐planning software.
B. Mature PMOs have a master project register of all projects that consume
more than 40 hours of resources in the organization.
C.
D. Independent projects run contrary to a PMO in that they are “independent”.
40. 14. Which of the following business process
reengineering (BPR) risks are likely to occur during the
design phase?
A. Transition risk, skill risk, financial risk
B. Management risk, technical risk, HR risk
C. Technical risk, detection risk, audit risk
D. Scope risk, skill risk, political risk
42. Explanation
A. Transition risk occurs in the implementation phase
B. Management risk occurs in the operation phase
C. Not directly related to the design phase
D. Scope risk (serious problems will arise if the scope is improperly defined),
skill risk, political risk (sabotage is always possible from people fearing a loss of
power or resistant to change)
43. 15. What is the primary purpose of recurring employee
drug screening and recurring criminal background
checks?
A. Determine if a person is eligible to work
B. Prevent individuals from violating the law
C. Enforce minimum governance controls for all employees
D. Monitor for changes in employee behavior
45. Explanation
The primary purpose of drug screening and criminal record checks is to
establish eligibility to work and that employees still qualify to remain
in their jobs, while the other answers are further oversight,
not the primary purpose.
46. 16. Which of the following statements is not true
concerning the use of a records management system?
A. Provides a list of each data file to be protected
B. Is not necessary for evidence of proper record keeping
C. Contains meta‐data describing acceptable and unacceptable handling
procedures
D. Details the foundation of all security control decisions determined by
management
48. Explanation
A. Complete RMS listing of each controlled data set currently under protection.
B. The absence of a records management system (RMS) indicates that a
governance control failure is present or has occurred.
C&D. ISO 15489–based records management system (RMS) using
well‐documented administrative policies and procedures
49. 17. Which type of charge‐back scheme is notorious for
violating separation of duties or for attempting to
exceed authority?
A. Sponsor pays
B. Actual usage billing
C. Charge‐back
D. Budgeted cost
51. Explanation
A. In exchange for funding the project, the sponsor may demand more authority
over decisions. This method is notorious for creating shadow support
organizations.
B. Mainframe charge‐back schemes are particularly effective for usage billing
C. Individual departments receive a direct charge for system use. This is
designed to be a pay‐as‐you‐go style of accounting for IT expenses.
53. 18. Why is change control considered a governance
issue?
A. Proper implementation of change control reduces the need for separate test
and production systems.
B. Change control increases the trust factor.
C. It allows management to save time by granting more authority to
administrators.
D. It forces separation of duties to ensure that at least two people agree with the
decision. The purpose is to reduce questionable decisions.
54. Explanation
A. Separate test and production systems are at the management level, not
governance
B. Has no direct effect on the highest level of
decision makers
C. Change control limits administrator authority
D. It forces separation of duties to ensure that at least two people agree with the
decision.
55. 19. What is the advantage of using precedence diagram
analysis during projects for business process
reengineering (BPR)?
A. It charts a detailed sequence of individual activities.
B. It shows the ripple effect of changes.
C. It is used to perform root cause analysis.
D. It enables the use of decision tree reporting
57. Explanation
Precedence diagram analysis shows the ripple effect of changes and
provides a critical path illustrating the minimum specific tasks
required to complete the project objectives. The CPM technique is a valuable
tool for showing what must be accomplished versus what was
requested. High-dependency tasks can be carried out, while
low-dependency tasks can be canceled from the project.
58. 20. Which statement about the Capability Maturity
Model is not true?
A. Level 3 provides quantitative measurement of the process output.
B. Level 3 processes have published objectives, measurements, and standards
that are in effect across departmental boundaries.
C. Level 5 provides maximum control in outsourcing because the definition of
requirements is very specific.
D. Level 5 maturity converts a product into a commodity and allows a company
to pay less and demand unquestionable adherence to management’s authority.
60. Explanation
Qualitative (opinion-based) measurement occurs at level 3, and quantitative
(count-based) measurement is at level 4. Level 5 effectively
converts the product into a commodity with the intent of exploiting
every percent of improvement. All workers are considered to do only what
they are told and have no authority. At level 5, the company
has the most control and can decide to
outsource to lower-paid workers.
61. 21. Which of the following statements has the best
correlation to the definition of strategy?
A. Defines the techniques to be used in support of the business objective
B. Defines the necessary procedures to accomplish the goal
C. Defines guidelines to follow in a recipe for success
D. Defines what business an organization is in for the next three years
63. Explanation
Strategy defines the company's core business for the next 3 to 5
years. Using this information, the company can develop
or adopt supporting standards and then create lower-level
procedures to achieve the strategic objectives.
64. 22. Which of the following is not considered a control
failure?
A. Using a policy that lacks a detective mechanism to identify violations
B. Modifying an ineffective procedure outside of change control
C. Testing to discover how many policy violations have occurred
D. Implementing a policy or standard without consequences of failure
66. Explanation
All the available options except option C, testing, indicate that there is a
control failure. Minimum effective controls must include preventive,
detective, and corrective measures.
67. 23. Which of the following is not cited in the text as a
reason that balanced scorecard (BSC) implementations
could fail?
A. Politics of losing the department budget
B. Top management providing full support
C. Lack of BSC training and awareness
D. Empire building by the department head
69. Explanation
The primary purpose of using the BSC is to ensure that everyone
under the management of the CEO, COO, and CFO understands the main unified direction.
The BSC is designed to avoid monopolization by division heads, vice presidents,
and department-level directors. The number one deliverable is to cut
waste by eliminating self-directed decisions below
the C level and returning control to the CEO or highest executive.
70. 24. A shadow organization refers to two groups
performing similar functions under different
departments. What does the presence of a shadow
organization indicate?
A. Twice the support coverage
B. A relationship of trust and proper delegation of authority
C. Executive distrust or failure to integrate
D. A sponsor who is cooperating as a team player with separation of duties
72. Explanation
A shadow organization indicates a failure of integration caused by
executive distrust or a similar conflict. This creates additional
conflict with inefficient scale. Problems include conflicting
strategies and sponsors violating separation of duties or exceeding
their normal authority. Shadow organizations are known for duplication of effort,
creating high combined costs for the organization.
73. 25. Which of the following statements is true
concerning the steering committee?
A. Steering committee membership is composed of directors from each
department.
B. The steering committee focuses the agenda on IT issues.
C. Absence of a formal charter indicates a lack of controls.
D. The steering committee conducts formal management oversight reviews.
75. Explanation
The steering committee should be authorized by a formal charter. The lack of a
steering committee indicates that IT is not governed by formal alignment with
business objectives. Technology investments are not being well managed, since the
investment portfolio must be managed. The purpose of the steering committee is to
convey business issues that must be considered and objectives that
IT must fulfill. Individual membership on the steering committee should
be formally appointed.