
Information Systems and Controls (ISC)

Welcome to the Information Systems and Controls section of the CPA Bear Book. ISC is one of three discipline sections on the CPA exam, and it is designed for candidates who want to demonstrate advanced competency in information technology, data management, cybersecurity, and System and Organization Controls (SOC) engagements. The ISC exam focuses on the knowledge and skills that newly licensed CPAs need to evaluate an entity's information systems, assess security risks, and perform IT audit and advisory services.

Whether you are evaluating the cloud infrastructure that Kingfisher Industries uses to host its ERP system, analyzing a SQL query to verify that Bear Co.'s financial data extraction is complete and accurate, or assessing the suitability of controls in a SOC 2® engagement for Illini Security, the material in this section prepares you to handle it all.

Exam Structure

The ISC exam is 4 hours long and contains 82 multiple-choice questions (MCQs) and 6 task-based simulations (TBSs). MCQs account for 60% of the total score and TBSs account for 40%. It is one of three discipline sections — alongside BAR (Business Analysis and Reporting) and TCP (Tax Compliance and Planning) — from which candidates choose one to complete their CPA licensure.


Content Areas and Exam Weights

The AICPA Blueprint organizes the ISC exam into three content areas:

Content Area | Description | Approximate Weight
I. Information Systems and Data Management | IT infrastructure, cloud computing, enterprise and accounting information systems, system availability, change management, data extraction, SQL, and business process models | 35–45%
II. Security, Confidentiality and Privacy | Regulations, standards and frameworks (HIPAA, GDPR, PCI DSS, NIST, COBIT), threats and attacks, mitigation controls, security testing, confidentiality and privacy, and incident response | 35–45%
III. Considerations for SOC Engagements | Planning and performing SOC 1®, SOC 2®, and SOC 3® engagements, Trust Services Criteria, system descriptions, subservice organizations, and SOC engagement reporting | 15–25%

The exam also emphasizes the following skill levels:

Skill Level | Weight
Remembering and Understanding | 55–65%
Application | 20–30%
Analysis | 10–20%

Content Weights May Shift

The AICPA periodically updates the CPA Exam Blueprint. Always verify the latest version at aicpa.org before finalizing your study plan. The weights above reflect the 2026 Blueprint.


What This Section Covers

Area I: Information Systems and Data Management (35–45%)

This is the largest content area and covers information systems and data management in a modern, cloud-based context. You are expected to understand IT architecture, evaluate enterprise systems and their controls, and work with data at every stage of its life cycle.

  • IT Infrastructure — key components of IT architecture (operating systems, servers, network infrastructure, end-user devices), cloud computing models (IaaS, PaaS, SaaS), cloud deployment models (public, private, hybrid), the role and responsibilities of cloud service providers, and how the COSO frameworks address cloud computing governance.
  • Enterprise and Accounting Information Systems — enterprise resource planning (ERP) systems, accounting information systems, the business processes they enable, controls over processing integrity, the use of blockchain in the context of financial reporting, robotic process automation (RPA), and the ability to reconcile actual business process steps against documented processes such as flowcharts and business process diagrams.
  • Availability — business resiliency, disaster recovery and business continuity plans, mirroring and replication, business impact analysis, system availability measures, data backup types (full, incremental, differential), and the evaluation of controls related to a service organization's availability commitments in a SOC 2® engagement.
  • Change Management — the purpose of change management processes, the tools and documentation used (change tracking, version control, test libraries, build automation, monitoring and logging), the different environments (development, staging, production), testing types (unit, integration, system, acceptance), system conversion approaches (direct, parallel, pilot), patch management, and the testing of change control policies in organizations using continuous integration and continuous deployment (CI/CD).
  • Data Management — data extraction methods and techniques, data storage types (data warehouse, data lake, data mart), database schemas (star, snowflake), the data life cycle, relational database structure (integrity rules, data dictionaries, normalization), SQL queries (commands, clauses, operators, aggregate functions, string functions), data integration from multiple sources, and business process models (flowcharts, data flow diagrams, BPMN diagrams).

Area I Strategy

Area I rewards candidates who understand how information systems work end-to-end. Do not simply memorize definitions — practice tracing a business process from initiation to reporting, and be able to identify where controls exist (or are missing) along the way. The exam will present scenarios where you must evaluate whether a system's design and operation meet the applicable criteria.

Area II: Security, Confidentiality and Privacy (35–45%)

This area tests your knowledge of the regulatory landscape, threat environment, and controls that organizations use to protect their systems and data. It is equally weighted with Area I and spans from foundational knowledge of regulations to hands-on analysis of security controls.

  • Regulations, Standards and Frameworks — foundational knowledge of HIPAA (covered entities, permitted uses and disclosures), GDPR (scope, six principles, key concepts for personal data), PCI DSS (requirements), NIST Cybersecurity Framework (Core, Tiers, Organizational Profiles), NIST Privacy Framework, NIST SP 800-53, CIS Controls (Version 8.1), and COBIT 2019 (governance system principles, governance framework principles, governance system components).
  • Threats and Attacks — types of threat agents (internal, external, nation-state, adversary), types of attacks (physical, DDoS, malware, social engineering, web application attacks, mobile device attacks), techniques used in cyber-attacks (buffer overflow, cross-site scripting, SQL injection, replay attacks), stages of a cyber-attack (reconnaissance through covering tracks), and cybersecurity risks related to cloud environments, IoT, and mobile technologies. You must also be able to determine specific threats to an organization's applications, networks, and connected devices.
  • Mitigation — network protection and remote access security (VPN, segmentation, endpoint security, intrusion prevention and detection), vulnerability management, layered security and defense-in-depth, least-privilege, zero-trust, acceptable use policies, preventive/detective/corrective controls for cyber-attacks, and identification and authentication techniques (multi-factor authentication, single sign-on, digital signatures, biometrics) and authorization models (discretionary, role-based, mandatory access control).
  • Security Testing — procedures to evaluate security awareness training programs, documentation of security assessment findings, walkthroughs of IT security procedures, and the detection of deficiencies in the design and operation of controls related to a service organization's security commitments in a SOC 2® engagement.
  • Confidentiality and Privacy — encryption fundamentals, the distinction between confidentiality and privacy, data protection methods (obfuscation, tokenization), data loss prevention (DLP), financial and operational implications of data breaches, controls for collecting, processing, storing, transmitting, and deleting confidential data, and the evaluation of confidentiality and privacy controls in a SOC 2® engagement.
  • Incident Response — the distinction between security events and incidents, cyber insurance as a mitigation strategy, contents of incident response plans, and testing whether an entity responded to cybersecurity incidents in accordance with its plan.

Area II Depth

Area II spans a wide range of regulations and frameworks. You do not need to memorize every detail of HIPAA, GDPR, and PCI DSS — but you must understand their scope, key requirements, and how they relate to an organization's control environment. The exam tests foundational awareness at the Remembering and Understanding level, then applies that knowledge in higher-order tasks like evaluating whether specific controls adequately mitigate identified threats.

Area III: Considerations for SOC Engagements (15–25%)

This area focuses on the unique aspects of System and Organization Controls engagements. While Areas I and II cover the underlying subject matter, Area III tests how that subject matter is applied in the specific context of SOC 1®, SOC 2®, SOC 3®, and SOC for Cybersecurity engagements.

  • Planning and Performing SOC Engagements — the purpose and organization of the Trust Services Criteria (alignment with the COSO Internal Control – Integrated Framework), types of subject matter, management assertions in SOC 1®/SOC 2®/SOC 3® engagements (Type 1 and Type 2), purpose and intended users of each SOC report type, independence considerations, materiality in SOC engagements, risk assessment for service organizations and service auditors, subservice organizations (inclusive vs. carve-out method, complementary subservice organization controls), service commitments and system requirements, subsequently discovered facts, system description criteria, complementary user entity controls (CUECs), and management representations.
  • Reporting on SOC Engagements — obtaining an understanding of the system and its boundaries, procedures for understanding how a service organization handles failures, incidents, and complaints, comparing management's system description to suitable criteria, and determining the effect of subsequent events.

Note

SOC engagements are a core service offering for many CPA firms and represent a rapidly growing area of the profession. The ISC exam tests both the conceptual framework underlying these engagements and the practical procedures a newly licensed CPA would perform. If you are unfamiliar with SOC reports, budget extra study time to learn the terminology and structure before diving into the procedural details.


Key Frameworks and References

Throughout this section, you will work with these authoritative sources:

Framework | Description
AICPA Trust Services Criteria | Criteria for evaluating security, availability, processing integrity, confidentiality, and privacy in SOC 2® and SOC 3® engagements
AICPA SOC 1® and SOC 2® Guides | Authoritative guidance for planning, performing, and reporting on SOC engagements
COSO Internal Control – Integrated Framework | Framework for designing and evaluating internal controls, which aligns with the Trust Services Criteria
COSO ERM Framework | Enterprise Risk Management guidance, including perspectives on cloud computing and cyber risk
COBIT 2019 | ISACA's governance and management framework for enterprise IT
NIST Cybersecurity Framework (CSF) | Framework for managing cybersecurity risk (Core, Tiers, Organizational Profiles)
NIST Privacy Framework | Framework for managing privacy risk
NIST SP 800-53 | Security and privacy controls for information systems and organizations
CIS Controls v8.1 | Prioritized set of actions to protect organizations from known cyber-attack vectors
HIPAA | Health Insurance Portability and Accountability Act — security and privacy rules for protected health information
GDPR | EU General Data Protection Regulation — personal data protection requirements
PCI DSS | Payment Card Industry Data Security Standard — requirements for protecting payment account data

Study Guide

How to Approach ISC

ISC is a unique exam that blends IT knowledge with audit and advisory skills. A structured study plan is essential.

  1. Start with Information Systems and Data Management (Area I). This area carries the heaviest weight and establishes the technical foundation you need for everything else. Begin with IT infrastructure and cloud computing, then work through enterprise systems, availability, change management, and data management.

  2. Layer in Security, Confidentiality and Privacy (Area II). Start with the regulations, standards, and frameworks — these provide the "why" behind the controls you will evaluate. Then study threats and attacks, mitigation strategies, security testing, confidentiality and privacy, and incident response.

  3. Finish with SOC Engagements (Area III). SOC engagements build on the knowledge from Areas I and II but add engagement-specific considerations. Understand the different SOC report types and their purposes first, then dive into the planning, performing, and reporting procedures.

  4. Learn the terminology. ISC uses specialized IT and cybersecurity vocabulary that may be unfamiliar to candidates with accounting backgrounds. Invest time in understanding terms like IaaS, PaaS, SaaS, VPN, DDoS, SQL injection, zero-trust, and data normalization. Misunderstanding a key term in a question stem can lead to an incorrect answer.

  5. Practice scenario-based questions. The exam will present scenarios where MAS Inc. needs to evaluate its cloud provider's controls, or where Gies Co. is assessing whether its change management process has adequate segregation of duties. Practice identifying the specific control, deficiency, or procedure that applies in each scenario.

  6. Connect the content areas. A single scenario may span multiple areas. A question about evaluating a service organization's security controls could require knowledge of threat types (Area II), the Trust Services Criteria (Area III), and the underlying IT infrastructure (Area I).

Common Pitfall

Many candidates underestimate ISC because they assume IT knowledge alone is sufficient. ISC tests IT concepts through the lens of audit and advisory engagements — you must understand not only what a control is, but how to evaluate its design, test its operation, and detect deficiencies. Candidates who study only IT concepts without understanding the audit context often struggle with the application and analysis questions.


Let's Get Started

Select a topic area from the sidebar to begin, or start with the first topic — IT Infrastructure.