Hello, this is me!

Nur Imroatun Sholihat

Your friend in learning IT audit | Digital transformation advocate | A-pat-on-your-shoulder storyteller

About me


I'm Nur Imroatun Sholihat

IT Auditor and Storyteller

So I heard you are curious about IT and/or auditing. I'm your go-to buddy in this exciting journey. My typical professional life consists of performing (and studying!) IT audit and managing the award-winning magazine, Auditoria. Armed with a Master's in Digital Transformation from UNSW Sydney, I'm currently wearing multiple hats—ambassador at IIA Indonesia's Young Leader Community, mentor at ISACA Global, Head of Public Relations at MoF-Cybersecurity Community, and trainer at IIA Indonesia. You'll also find me sharing insights on my YouTube channel, speaking at seminars, and crafting content on LinkedIn. Let's connect and dive into the world of IT and auditing together!


IT Auditor


IT governance, cybersecurity, application--my daily struggle, seriously :D



Writing keeps me sane :)

Content Creator


Creating YouTube videos and LinkedIn posts, hopefully useful

IT Officer


performing IT services--sometimes about people who forgot to plug in their cords, sometimes serious incidents :p




In case you only have 15 seconds to read this *wink, here’s the summary: to remain grounded amidst a sea of flashy buzzwords is a luxury.

I got inspired to write this on my way back from buying my favorite seblak (a Sundanese savory and spicy dish with wet crackers as the main ingredient) while rain was suddenly pouring over me. I saw some people had to work in the rain with nothing over their heads. Under this kind of circumstance, it is a luxury to be able to rush home and worry about nothing. Wait. I said luxury? Why did this word instead of privilege pop up in my mind?

Ever since I don’t exactly remember when, I rarely call something that not everybody has access to/opportunity of a privilege anymore. I used to call everything which wasn't near to a problem for me but still was considered one for some people as a privilege. For example, in this pandemic situation, the option to work from home when some people have to go out to earn money was called a privilege. Now I name it a whole luxury.

My standard on luxury has become lower and lower, and for me that’s self-betterment. I realized that even the “basic requirements” in my life are out of the range of some people. A roof over my head, clean clothes, 3 meals a day, health facilities, internet access—who says everyone has access to them? Tertiary education experience, a stable job—the opportunities I casually didn't deem beds of roses. The realization I got from thinking about them humbled me every time.

(P.S.: I recently came across an article about global education statistics *tried to post the link but I can’t find it again. Globally, the percentage of individuals with college degrees was less than 8%. I was taken aback. Indeed, the saying "privilege is invisible to those who have it" also applied to me and I felt sorry about that.)

From time to time, the list of what I called luxuries simultaneously expanded and shifted. Back when I was a teenager, everything extravagant was a luxury. When I entered college, I remember mentioning having idealism as a luxury. I also remember saying that finding what you genuinely want to do in life as early as possible (and even better if we can live according to the results) is a luxury. Some years ago, because I found that being left with no choices could be a thorny situation, having choices slid up on my “what are luxuries” leaderboard.

Now, as I work in the information technology field, there is something I would like to call a luxury: the ability to remain grounded amidst the sea of flashy buzzwords. We live in an era where we hear (and maybe use) a fair amount of jargon. In a period where someone is regarded as knowledgeable when they mention sophisticated tech terms, it takes effort to stay undistracted.

After some people (especially the influential ones) talked about the tech buzzwords, what usually happened next is those things seemed too splendid to be unimplemented. The truth is, I have seen a lot of cases where technology implementation was rushed while the fundamental stuff was nowhere near steady. I've witnessed that technology adoptions were done hastily just because they were fancy yet no one carefully analyzed/calculated the cost and benefits in advance. I’ve heard here and there that the necessary requirements to make them effective hadn’t been established while the decision to invest in the new technologies was made. I wouldn’t even go deeper with the benefits realization and investment payback because in that kind of situation, what do we expect? :)

(Have you ever seen memes of a boy trying to skip some stair-steps which were widely used to represent how humans sometimes skip the important parts for whatever "shiny" stuff represented by the step which was aimed to? High five if you laughed over them 😊).

I know that staying updated on technology advancements is highly necessary. I agree that it’s essential to understand what’s going on in the tech world so we can react appropriately—anticipate and respond to the risks and/or leverage the tech in case it is beneficial. However, being easily dazzled by the buzzwords and losing sight of what’s truly important is something I consider harmful. Imagine investing a great sum of money in something for the sake of following the trends while the expected benefits are uncertain and the risks haven’t been properly assessed (let alone addressed).

For those reasons, I can say that the ability to remain grounded amidst the sea of fancy buzzwords is a luxury. The ability to prioritize the fundamental things while having the serenity to not feel left out is such a luxury. In the IT world, maybe that’s one of the highest kinds of luxuries that ever existed.

Your "hey I am back writing about IT again even though the IT part is microscopic" friend,



*In the tech world, it's not having the most sophisticated tool that I call a luxurious life, it's knowing what's really needed.

*I remember my high school counselor once advised the students: ojo nggumunan (don't be too easily impressed). Now I understand its hidden meaning even more.

image source: wallpaperaccess.com


Hello, everyone. How are you?

The number of Covid-19 Omicron variant cases is climbing. I hope everyone is in good health, and if anyone is currently unwell, I hope you are granted a speedy recovery. Aamiin. *virtual hug to everyone :)

A few months ago, I took the IT Auditor competency exam organized by Badan Nasional Sertifikasi Profesi (BNSP). Since I have finally received the certificate, I will write about my experience of taking the exam. Who knows, some of you may be about to take this exam and are curious about how the process goes.

First, make sure we meet the basic requirements: at minimum having completed a three-year diploma (D3), or holding a competency-based training certificate in line with the IT auditor certification scheme, or having at least 1 year of continuous work experience in a scope in line with the IT auditor certification scheme. After that, we can directly apply for certification through a TUK (Tempat Uji Kompetensi, a competency test site) that has been verified by LSP TIK Indonesia. Certification applicants will be asked to complete the application form and the self-assessment form and to pay the registration fee.

Applicants are also asked to submit the following (but at that time, perhaps because the exam was held online, I only needed to upload these documents through the form provided):

a. 3x4 passport-style photos (3 copies)

b. photocopy of KTP/KK (identity card/family card) (1 sheet)

c. copy of the latest diploma (1 sheet)

d. copies of certificates relevant to the IT auditor certification scheme

e. CV of experience/statement of employment relevant to the IT auditor certification scheme

f. portfolio relevant to the IT auditor certification scheme (if any)

(Full details can be found in the Panduan Uji Kompetensi Skema Sertifikasi IT Auditor, the competency test guide for the IT Auditor certification scheme)

Eligible candidates will be given an exam schedule. At that time the exam used an online mechanism in which I was interviewed by an assessor over Zoom. The questions asked revolved around my experience performing IT audits, covering the aspects that correspond to the required competency units (as in the image below). I was also asked to present one of the IT audit engagements I had worked on. The total time for the interview and presentation was about 40 minutes. The good news is that if you already have IT audit experience, this interview and presentation session won't feel difficult :)

source: sertifikasi.lsptik.or.id

I received the exam result about one month after the exam date, and I was declared competent. Therefore, I am entitled to the IT Auditor competency certificate.

That is my experience of taking the BNSP IT Auditor certification exam. If you have any questions, please write them in the comments or contact me through any platform I am on. Stay safe, everyone.


source: westfloridaisaca.org

Hello, everyone. I hope you are all always healthy and happy. I humbly share that, starting this month, I hold the CGEIT (Certified in the Governance of Enterprise IT) designation. I am committed to always writing down tips for passing every certification exam I take, as an expression of gratitude and also to help every certification exam candidate out there. So, here are my tips for passing the CGEIT exam:


(P.S.: some of them are similar to the tips for passing the CISA exam posted earlier because I believe both require similar preparation)


1. Recalibrate the Mindset


The one thing I realized most from the CGEIT material is that its point of view and way of thinking are slightly different from mine. While as a practitioner I sometimes have to think practically, the CGEIT exam requires us to think strategically and ideally. So before starting the learning journey, I recalibrated my mindset. I also prepared myself to think based on the role given, for example audit committee, CIO, CEO, etc., and to understand the jargon/terms they use.


2. Study the CGEIT Review Manual and the CGEIT Review Questions, Answers & Explanations Manual (QAE)


As I mentioned in my post about CISA exam tips, the review manual and the QAE are two sacred references for everyone who wants to earn an ISACA certification. Take the time to read both books cover to cover, especially the QAE, because it introduces us to the kinds of questions we will face. Understand the explanations of the answers suggested by the book to get the logic, perspective, and wisdom that ISACA sets out. I also identified my knowledge gaps and turned them into notes. I read them again in my spare time.


Oh, and make sure you study the latest versions of these books. Currently, the latest CGEIT Review Manual is the 8th edition and the QAE Review is the 5th edition.


I made notes of the things I didn't know yet

3. Obtain Knowledge and Experience in the IT Governance Field

Having knowledge and experience in the IT governance field is certainly very important for solving CGEIT exam questions. To get the knowledge needed, my advice is to read lots of references related to IT governance, discuss them with others, or join a community (or anything else. Pick your favorite way of absorbing knowledge). Meanwhile, answering some CGEIT exam questions requires the candidate to be equipped with not only knowledge but also experience, so real-life exposure will surely be beneficial. Experience shapes the logic, perspective, and wisdom that will make it easier for us to find the answers.


Besides, in my opinion, it is important to increase our exposure to IT terms and English (especially when IT is not our major and English is not our first language). Familiarity with IT terms and English is advantageous!


4. Exposure to COBIT Helps


If I have to name the one thing that helped me the most in studying the CGEIT material, it is that I had previously been exposed to the COBIT 5 and COBIT 2019 frameworks. Understanding these frameworks accelerated my learning process because CGEIT and COBIT have similar logic, principles, and ways of thinking. The two are closely linked, so I recommend that everyone who wants to take the CGEIT exam also read the COBIT frameworks (especially the newest one, COBIT 2019).



5. Attend CGEIT Review Training


If you want to have more solid preparation, I suggest attending exam preparation training (especially training held by a training center affiliated with ISACA). However, even if you cannot attend the training, don't worry. With or without attending training, you can still be sufficiently prepared.



6. Practice Through Mock Exams


Taking mock exams is very important so that we get used to sitting and thinking without interruption for hours. Work on the questions until you get at least 80 (the higher, the better). I myself tried to complete each mock exam in 2 hours to train my ability to think quickly and finish the exam under pressure.



7. Mind Our Physical and Mental Condition


Maintaining health and fitness for the exam is very important. Make sure you get enough sleep so that the next morning you are fit to work on 150 questions in 4 hours. Also make sure we have breakfast, arrive at the exam venue early, and, no less important, manage our emotional and mental condition. Stay calm. We have prepared enough and are ready to face this exam.



8. Pray


I will always repeat this tip in every exam tips post because it really is that important. Pray that we are given ease in working on the questions. Pray that the questions favor our knowledge and preparation 😊


9. Other Tips


a. Read the syllabus to understand what needs to be understood and the portion of each part compared with the whole exam material.

b. Scheduling the exam is one of the best ways to start studying. When I had not yet booked an exam date, it felt like there was still a long time to prepare. However, once it was scheduled, I suddenly felt that I had to start studying right away :)

c. The knowledge we gain from experience is something that must be treated wisely: sometimes it helps, sometimes it doesn't. It is possible that the knowledge we have gained is not in line with the standards/frameworks set by ISACA. Therefore, we must identify how well our knowledge aligns with ISACA's body of knowledge.


10. Tips During the Exam


a. If you take the exam at a test center, pay attention to the temperature of the exam room. If it is too cold to stay in for 4 hours, wear a jacket. Also, sit as comfortably as possible. Four hours is not a short time. 😊

b. Work calmly. We have a relatively long time to do it. If we are calm, we will be more careful. In an exam with many tricky questions and answers (where accuracy is the key), staying calm is a must.

c. Be careful with "almost correct" answers. In general, CGEIT questions give us 2 alternative answers that both seem correct. Hehe. Make sure you choose the one that is correct, not the one that looks correct.

d. Focus on the easy questions first. We can skip the difficult/long questions (don't forget to flag them). We can come back to the questions we skipped later.

e. The duration of the exam allows us to review the answers. Review the answers as if we were working on them again from the beginning. Don't get bored just yet even though stamina and concentration have decreased. Here is my personal advice: unless you are very sure of the results, use the full 4 hours.

f. If you take the proctored exam option (as my friend chose), exam takers get two toilet breaks (10 minutes each). These breaks are also given if you take the test at a test center. My friend suggested using the break time to regain balance after working on the questions. (As for me, I took a break in the middle of the exam.)

g. Don't forget to fill out the post-test questionnaire.


Those are the tips I can share with everyone who wants to take the CGEIT exam. Good luck, everyone. If you have any questions, don't hesitate to contact me. I am happy to help you. Keep your spirits up!


English version: My Tips to Pass CGEIT Exam


source: westfloridaisaca.org

Hello, everyone. I hope you all are doing well and staying safe. I’m humbled to share that starting this month, I officially got a CGEIT (Certified in Governance of Enterprise IT) designation. I’ve committed to always write down the tips to pass every certification exam I take as my token of gratitude and also to help every aspirant out there. So here is my version of how to pass the CGEIT exam:

(P.S.: some of them are similar to the tips to pass a CISA exam I posted previously as I believed both share a similar kind of necessary preparation)


1. Recalibrate My Mindset

The one thing I realized the most from CGEIT material is that its point of view and way of thinking slightly differ from what I have. While as a practitioner I sometimes have to think practically, the CGEIT exam requires us to think strategically and ideally. So before embarking on the learning journey, I recalibrated my mindset. Besides, I prepared myself to think based on the roles given e.g. audit committee, CIO, CEO, etc., and understand the buzzwords/terms used by them.

2. Study the CGEIT Review Manual and the CGEIT Review Questions, Answers & Explanations (QAE) Manual 

As I mentioned in my post about CISA exam tips, the review and QAE manuals are two sacred references for everyone pursuing ISACA certifications. Take your time to read the books cover to cover especially the QAE Manual since it introduces us to the kinds of questions we will face. Learn the explanation of the answers suggested by the book to get the logic, perspective, and wisdom that ISACA sets out. I also identified my knowledge gaps and wrote down a note containing them. I reread it again whenever I could.

Anyway, please do make sure you study the latest version of these books. For now, the latest CGEIT Review Manual is the 8th edition and the QAE Manual is the 5th edition.


I took notes on everything I was confused about or didn't know

3. Obtain Knowledge and Experience in the IT Governance Field

Having knowledge and experience in the IT governance field is certainly substantial in solving CGEIT exam questions. Regarding acquiring the needed knowledge, my advice is to read lots of references related to IT governance, discuss them with others, or join a community (or anything. Pick your favorite way of absorbing knowledge). Meanwhile, answering some CGEIT exam questions requires the candidate to be equipped with not only knowledge but also experience so real-life exposure will surely be beneficial. Experience shapes our logic, perspective, and wisdom which will make it easier for us to figure the answers out.


Besides, in my opinion, it's important to increase your exposure to IT terms and English (especially when IT isn't your major and English is not your first language). Familiarity with IT terms and English is advantageous!


4. Exposure to COBIT is Beneficial

If I have to point out one thing that helped me the most when learning the CGEIT material, it is that I had previously exposed myself to the COBIT 5 and COBIT 2019 frameworks. The familiarity with the frameworks accelerated my learning process as CGEIT and COBIT share the same underlying logic, principles, and way of thinking. They are heavily linked so I recommend everyone who wants to take a CGEIT exam to also read COBIT frameworks (especially the newest one i.e. COBIT 2019).


5. Attend CGEIT Review Training

If you want to have a more solid preparation, I suggest you attend the exam preparation training (especially the one held by a training center affiliated with ISACA). However, even if you can't sit in on the training, don’t worry. With or without training, you can still have sufficient preparation.


6. Practice Through the Mock Exams

Having a mock exam is essential so that we get used to sitting and thinking without interruption and distraction for hours. Work on the questions until you score at least 80 out of 100 (the higher, the better). I tried to complete each mock exam in 2 hours to train my quick thinking and ability to finish the exam under pressure.


7. Mind Our Physical and Mental State

Maintaining health and fitness for an exam is vital. Make sure you get enough sleep so that the next morning we are fit to do 150 questions in 4 hours. Also make sure we take our breakfast, arrive at the test center early, and last but not least manage our emotional and mental state. Be calm. You have prepared enough and are ready to face this test. 

8. Pray

I will always repeat this in every exam tips post I write because it is that salient. Pray that we will be at ease in working on those questions. Pray that the questions will favor our knowledge and preparation 😊

9. Miscellaneous Tips

a. First things first, read the syllabus to understand what needs to be understood and the portion of each compared to the whole exam material.

b. Scheduling the exam is one of the best ways to start studying. When I hadn't booked an exam date, it felt like there was still a long time to prepare for it. However, once it was scheduled, I suddenly felt that I had to study immediately :)

c. The knowledge we gained from experience is something to be treated wisely: sometimes it helps, sometimes it doesn't. The knowledge that we have gained may not be in line with the standards/frameworks set by ISACA, so we must identify the alignment of our knowledge with ISACA's body of knowledge.


10. Tips During the Exam:

a. If you take the exam at the test center, pay attention to the temperature of the test room. If it is too cold to stay inside for 4 hours, wear a jacket. Also, sit as comfortably as possible. Four hours is not a short time, sweetie. 😊

b. Do it serenely. We have a relatively long time to do it. If we are calm, we’ll be more careful. On exams where there are many tricky questions and answers (and accuracy becomes the key), managing our tranquillity is a must.

c. Be careful with the “almost correct” answers. In general, CGEIT questions leave us with 2 alternative answers that both seem true. Hehe. Make sure you choose the right one, not one which looks like it.

d. Focus on the easy questions first. We can skip the difficult/long questions (don't forget to flag them). We can always come back to them later.

e. The duration of the exam allows us to review the answers. Review the answers as if we were doing them again from the beginning. Don't get bored just yet even though your stamina and concentration have decreased. Here’s my personal advice: if you aren't so sure about the results, use the 4 hours fully.

f. If you take the option of a proctored exam (like what a friend of mine chose), you have toilet breaks twice (10 minutes each). These breaks are also provided if you take the test in the test center. My friend suggested using the break to regain your balance after working on the questions. (For me, I took a break in the middle of the exam duration.)

g. Don't forget to fill out the post-test questionnaire.

Those are the tips I can share with everyone who wants to take the CGEIT exam. Good luck, everyone. If you have anything to ask, feel free to reach out. It's my pleasure to help you. Cheers!


Indonesian version: Tips Ujian CGEIT


Jakarta, Indonesia