
ISC — Information Systems and Controls: Overview

Exam: CPA — Certified Public Accountant
Section: ISC — Information Systems and Controls (Discipline)
Last Updated: 2026-06-26

---

Key Takeaways

  • ISC is one of three Discipline sections; candidates choose one of BAR, ISC, or TCP.
  • ISC is 4 hours, with 82 MCQs and 6 TBSs — the most MCQ-heavy Discipline.
  • Content is largely new to the CPA exam (not repackaged from BEC); expect to study topics that feel unfamiliar.
  • Core focus: IT governance, information security, data management, and SOC reporting.
  • Best fit for candidates with IT audit, internal controls, or systems advisory backgrounds.
---

What ISC Tests

ISC assesses whether a CPA can evaluate and advise on information systems, IT controls, and privacy/security frameworks — skills increasingly demanded of CPAs in audit, advisory, and compliance roles. Topics span:

  • IT governance frameworks and how they align with business objectives
  • Security controls: physical, logical, network, and application-level
  • Data management: databases, data integrity, analytics infrastructure
  • SOC engagements: SOC 1, SOC 2, SOC 3 — understanding and reporting on controls at service organizations
  • Privacy regulations: GDPR, CCPA, and sector-specific requirements
  • Network architecture and its relevance to audit and control testing
---

Content Area Weight Distribution

| Content Area | Approximate Weight |
|---|---|
| IT governance and IT general controls (ITGCs) | 25–35% |
| Security controls and risk management | 20–30% |
| Network architecture and technology environments | 10–20% |
| Data management, analytics, and cloud | 10–20% |
| SOC engagements and reporting | 15–25% |

Note: Confirm against current AICPA Blueprint at aicpa.org.

---

Key Topics by Area

IT Governance

  • COBIT (Control Objectives for Information and Related Technologies) framework
  • IT governance structures: board oversight, IT steering committees
  • IT general controls (ITGCs): change management, access controls, computer operations, program development
  • How ITGCs support (or undermine) application controls
  • IT risk and how it maps to financial statement assertions

Exam Tip: In audit, if ITGCs are weak, the auditor cannot rely on automated controls — this forces more substantive testing. ISC asks you to understand this linkage.

Information Security

  • Authentication and authorization: multi-factor authentication, role-based access control (RBAC)
  • Encryption: symmetric vs. asymmetric; TLS/SSL; data at rest vs. in transit
  • Intrusion detection and prevention systems (IDS/IPS)
  • Vulnerability management: penetration testing, patch management
  • Social engineering and phishing as audit risks
  • Physical security controls: data center access, environmental controls
  • Business continuity and disaster recovery: RTO, RPO, failover
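The RBAC and least-privilege bullet above is the one ISC candidates most often have to reason about in control scenarios, so here is an added illustration (not from the exam blueprint or any vendor's code) of what "access based on role, not individual" looks like in practice: permissions attach only to roles, users receive roles, every decision is deny-by-default, and the entitlement report is the artifact an access review examines. The role names, users and permission strings are constructed sample data.

```python
"""Minimal role-based access control (RBAC) model with a deny-by-default
authorization check and the entitlement report reviewed in an ITGC
access review. Added illustration; roles, users and permissions are
constructed sample data, not taken from any real system."""

from typing import Dict, FrozenSet, Set

# Role -> permissions the role legitimately needs (constructed sample data).
# Each role carries only what its job function requires (least privilege).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "ap_clerk":   frozenset({"invoice:create", "invoice:read"}),
    "ap_manager": frozenset({"invoice:read", "invoice:approve"}),
    "it_auditor": frozenset({"invoice:read", "auditlog:read"}),
}

# User -> roles assigned (constructed sample data). Permissions are never
# granted to an individual directly; they flow only through roles.
USER_ROLES: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"ap_clerk"}),
    "bob":   frozenset({"ap_manager"}),
    "carol": frozenset({"it_auditor"}),
    "dave":  frozenset(),  # no role assigned: must be able to do nothing
}


def effective_permissions(user: str) -> Set[str]:
    """Union of the permissions of every role the user holds.
    Unknown users and unknown roles contribute nothing (deny by default)."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, frozenset()):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def is_authorized(user: str, permission: str) -> bool:
    """Authorization decision: True only if some assigned role grants it."""
    return permission in effective_permissions(user)


def entitlement_report() -> Dict[str, Dict[str, Set[str]]]:
    """What a reviewer sees in a periodic access review: for each user, the
    roles held and the permissions those roles resolve to. Because access is
    role-based, the reviewer validates a handful of role definitions plus
    user-to-role assignments instead of a per-user permission list."""
    return {
        user: {"roles": set(roles), "permissions": effective_permissions(user)}
        for user, roles in USER_ROLES.items()
    }


def users_with_permission(permission: str) -> Set[str]:
    """Inverse lookup that answers the audit question 'who can do X?'."""
    return {u for u in USER_ROLES if is_authorized(u, permission)}


if __name__ == "__main__":
    for user, entry in entitlement_report().items():
        print(f"{user:6} roles={sorted(entry['roles'])} "
              f"perms={sorted(entry['permissions'])}")
    print("can approve invoices:", sorted(users_with_permission("invoice:approve")))
```

The design point for an auditor is the inverse lookup: with role-based grants, "who can approve invoices?" is answered by checking which roles carry `invoice:approve` and who holds those roles, which is exactly the evidence an ITGC access-control test collects.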

Network Architecture

  • LAN, WAN, VPN, cloud environments (IaaS, PaaS, SaaS)
  • Firewalls, DMZ, and network segmentation
  • Client-server vs. cloud-native architectures
  • How architecture affects audit scope and control reliance

Data Management and Analytics

  • Database concepts: relational databases, SQL, data integrity controls
  • Data warehousing and ETL processes
  • Big data environments and their audit implications
  • Data analytics tools: what they can and cannot verify
  • Blockchain basics: immutability, distributed ledger, audit implications

SOC Reporting

This is a high-weight, high-priority area for ISC candidates.

| Report Type | Purpose | Users |
|---|---|---|
| SOC 1 (Type I/II) | Controls at a service organization relevant to user entity's financial reporting | User entity auditors |
| SOC 2 (Type I/II) | Controls over security, availability, processing integrity, confidentiality, privacy (Trust Services Criteria) | Management, stakeholders |
| SOC 3 | General-use version of SOC 2; no detailed testing description | Public |

  • Type I: Design of controls at a point in time
  • Type II: Design AND operating effectiveness over a period (6–12 months typical)
  • Complementary User Entity Controls (CUECs): controls the user organization must maintain for the service organization's controls to be effective

Exam Tip: Know the difference between SOC 1 and SOC 2 audiences and purposes. Know what a Type II report covers that a Type I does not. CUECs appear frequently in TBSs.

Privacy Regulations

  • GDPR: EU regulation; applies to any organization processing EU residents' data; key rights (erasure, portability)
  • CCPA/CPRA: California law; similar consumer rights framework
  • HIPAA: Health information privacy (healthcare sector)
  • PCI-DSS: Payment card security standards (not law, but contractual)
  • How privacy frameworks create IT control requirements auditors must evaluate
---

Who Should Choose ISC

ISC is a strong fit for candidates who:

  • Work in IT audit, cybersecurity consulting, or internal audit with technology focus
  • Have backgrounds in computer science, MIS, or systems design
  • Are employed at firms with large service organization or SOC practice groups
  • Prefer security and systems topics over financial analysis or advanced tax

ISC has the most MCQs (82) but fewer TBSs (6), so test-taking speed matters. Expect technical definitional questions and control scenario analysis.

---

Exam Tip Summary

| Topic | Watch For |
|---|---|
| ITGCs | Weak ITGCs = less reliance on automated controls |
| SOC 1 vs. SOC 2 | Purpose and audience differ |
| Type I vs. Type II | Design vs. design + operating effectiveness |
| CUECs | What the user entity must do for SOC controls to matter |
| Encryption | Symmetric (one key) vs. asymmetric (public/private pair) |
| RBAC | Access based on role, not individual — principle of least privilege |

---

Tags: #CPA #ISC #InformationSystems #Discipline #chapter16 #ITGovernance #SOC #Cybersecurity #DataManagement #Privacy