MD2 Exam Guide

AIS · Prof. Lanz · What to know and how to prepare

Format 40 MC Questions

Time Limit 1 Hour

Primary Focus Ch 19 + Ch 14 / 7

Skip entirely Ch 16 (Cybersecurity)

Do not study Chapter 16

Anything related to Ch 16 (cybersecurity reading material) is only on the final. Don't waste time on it for this exam.

High-Priority Topics

Chapter 19 — How to Audit

Primary Focus

The exam is about how to audit controls, building on Ch 7 & 14 from the first half of the semester — not nitpicking small details.
Think of it as the natural progression: designing controls → auditing controls.
You may be asked about using Excel for analysis — focus on the approach and logic, not specific function names.
Sample question: "How would you audit blockchain?" — answer: the same way you audit any technology resource, using General Controls (GCs) and pervasive controls from Ch 14.
Blockchain audit touchpoints: access/authorization, validation, objective transactions, completeness/accuracy.

COBIT — Know the Domains

Definitely Tested

Know the differences between frameworks (COBIT vs. COSO, etc.) and their synonyms.
Given a specific control, identify which of the five COBIT domains it belongs to (ref: Pg 14-5 in textbook).

Board / CEO Level

EDM — Evaluate, Direct, and Monitor

The board sets direction before doing anything. Aligns technology with the business mission. Does not execute — it directs.

Keyword: Governance

CIO Level — Management

APO — Align, Plan, and Organize

Board has set the vision. CIO turns it into action — planning the IT function to match business goals.

Keyword: Planning

CIO Level — Management

BAI — Build, Acquire, and Implement

Building or acquiring new systems. New technology is being developed or brought in.

Keyword: Building

CIO Level — Management

DSS — Deliver, Service, and Support

System is live — is it working as intended? Ongoing operations, service delivery, day-to-day support.

Keyword: Operating

CIO Level — Management

MEA — Monitor, Evaluate, and Assess

Monitoring everything that's running. Are controls effective? Are we meeting targets?

Keyword: Monitoring

Roger's Adoption Curve

Definitely a Question

Know the five adopter categories and their approximate percentages — at a high level, not deep detail.
Innovators (~2.5%), Early Adopters (~13.5%), Early Majority (34%), Late Majority (34%), Laggards (~16%).
Understand the mindset of each group — who absorbs risk, who waits for proof, who resists change.

Supporting Topics

Access Roles

Read the Question Carefully

Know all roles: User, Read-Only, Administrator, and any others from Ch 14.
Pay close attention to business size — the appropriate role setup differs for a small business vs. a large enterprise.
Strategy: read the question fully and think of your answer before looking at the choices. Then find it.

SOC Reports

High Level

Know what each SOC report type is and the key differences between them (SOC 1, SOC 2, SOC 3).
Know when you would use each type — what situation calls for a SOC 1 vs. SOC 2, etc.
No deep dive required — keep it at a conceptual level.

Blockchain

Don't Overthink It

Don't need deep blockchain expertise — focus on it as a database with encryption.
The risks remain the same as any other technology resource. Audit it the same way.
If the word "blockchain" appears in a question, apply standard IT audit thinking: GCs, access controls, completeness, accuracy.

Test-Taking Strategy (from Lanz)

Read the question fully and form your answer in your head first — then look at the choices.
Pay attention to business size context in any access/role question — it changes the right answer.
The exam is not trying to trick you on small details. Focus on understanding how to audit, not memorizing specifics.
Blockchain questions: don't be intimidated by the terminology — same risks, same audit approach.