ISC study guide

ISC CPA Exam Study Guide for 2026.

ISC is a controls-first discipline. The best study approach is to connect systems risks to control responses and evidence.

Last reviewed June 5, 2026. World of Accountants is independent and not affiliated with the AICPA, NASBA, Becker, NINJA, UWorld, Gleim, or other CPA review providers.

What ISC tests

ISC focuses on systems, controls, security, and information flow. Good practice should connect control objectives to risks, access, change management, processing integrity, confidentiality, privacy, and service organization reporting.

How to study it

For each question, ask what can go wrong, what control prevents or detects it, and what evidence would show the control worked.

High-value topics

Access controls, change management, cybersecurity risk, IT governance, data management, processing integrity, privacy, confidentiality, SOC reports, and service organization controls.

Practice plan

Start with a focused ISC set, review every missed explanation, bookmark weak items, then retest those topics later in the week.

Sample questions

Try a few ISC examples before opening the full bank.

These are real questions from the current beta bank. The practice app includes more questions, filters, explanations, bookmarks, and progress tracking.

ISC-000001 | ISC-II | Logical access

During an IT controls walkthrough, a terminated employee still has access to the accounting system. Which control objective is most directly affected?

  A. Logical access should be removed timely when access is no longer appropriate.
  B. Physical inventory observation
  C. Depreciation accuracy
  D. Revenue cutoff only
Answer: A. Logical access should be removed timely when access is no longer appropriate.

Logical access should be removed timely when access is no longer appropriate.

Why the other answers are wrong
  • B. The choice "Physical inventory observation" misses the issue because inventory observation does not address system access.
  • C. The choice "Depreciation accuracy" misses the issue because depreciation accuracy is not the direct access-control issue.
  • D. The choice "Revenue cutoff only" misses the issue because access problems can affect many processes, not only cutoff.

ISC-000002 | ISC-I | Change management

During an IT controls walkthrough, developers can approve and deploy their own production code changes. Which control weakness exists?

  A. Backups are automatically ineffective
  B. Segregation of duties is weak in the change-management process.
  C. Only physical security is affected
  D. The system has no business objective
Answer: B. Segregation of duties is weak in the change-management process.

Segregation of duties is weak in the change-management process.

Why the other answers are wrong
  • A. The choice "Backups are automatically ineffective" misses the issue because the fact pattern is about change approval and deployment.
  • C. The choice "Only physical security is affected" misses the issue because the weakness is logical/process control.
  • D. The choice "The system has no business objective" misses the issue because systems can have objectives even with weak change controls.

ISC-000003 | ISC-III | System availability

During an IT controls walkthrough, a company cannot restore critical data during a backup test. Which risk is most direct?

  A. Payroll tax rates are misstated
  B. Inventory costing is automatically wrong
  C. The entity may not be able to recover systems and data when needed.
  D. The risk is eliminated because backups exist
Answer: C. The entity may not be able to recover systems and data when needed.

The entity may not be able to recover systems and data when needed.

Why the other answers are wrong
  • A. The choice "Payroll tax rates are misstated" misses the issue because the fact pattern is about recovery capability.
  • B. The choice "Inventory costing is automatically wrong" misses the issue because backup restoration does not directly determine costing.
  • D. The choice "The risk is eliminated because backups exist" misses the issue because untested or failed backups may not support recovery.

ISC-000004 | ISC-IV | SOC reporting

During an IT controls walkthrough, a SOC report identifies complementary user entity controls. What should the user entity do?

  A. Assume the service organization performs all user controls
  B. Ignore the controls because they are outside the report
  C. Treat CUECs as financial statement disclosures only
  D. Evaluate whether those complementary controls are designed and operating at the user entity.
Answer: D. Evaluate whether those complementary controls are designed and operating at the user entity.

Evaluate whether those complementary controls are designed and operating at the user entity.

Why the other answers are wrong
  • A. The choice "Assume the service organization performs all user controls" misses the issue because CUECs are responsibilities of the user entity.
  • B. The choice "Ignore the controls because they are outside the report" misses the issue because CUECs are relevant to relying on the report.
  • C. The choice "Treat CUECs as financial statement disclosures only" misses the issue because they are control responsibilities, not merely disclosures.

ISC-000005 | ISC-II | Application controls

During an IT controls walkthrough, an automated three-way match blocks payment when purchase order, receipt, and invoice details do not agree. What type of control is this?

  A. It is an automated application control.
  B. A manual detective control only
  C. A board governance policy
  D. A disaster recovery control
Answer: A. It is an automated application control.

It is an automated application control. The tested issue is Application controls, so the best answer must match that rule and respond directly to the facts in the stem.

Why the other answers are wrong
  • B. The choice "A manual detective control only" misses the issue because the system automatically prevents or flags payment.
  • C. The choice "A board governance policy" misses the issue because the control operates inside the transaction process.
  • D. The choice "A disaster recovery control" misses the issue because the control validates transaction data, not system recovery.

ISC-000006 | ISC-III | Security monitoring

During an IT controls walkthrough, security logs are collected but no one reviews exceptions. What is the main issue?

  A. The logs are automatically sufficient because they exist
  B. Monitoring may not detect suspicious activity in a timely manner.
  C. The issue relates only to depreciation
  D. The company has eliminated all cyber risk
Answer: B. Monitoring may not detect suspicious activity in a timely manner.

Monitoring may not detect suspicious activity in a timely manner.

Why the other answers are wrong
  • A. The choice "The logs are automatically sufficient because they exist" misses the issue because logs provide value only if reviewed or monitored appropriately.
  • C. The choice "The issue relates only to depreciation" misses the issue because security logs are about system activity.
  • D. The choice "The company has eliminated all cyber risk" misses the issue because unreviewed logs do not eliminate risk.

ISC-000007 | ISC-II | Confidentiality and privacy

During an IT controls walkthrough, customer personal information is stored without encryption or access restrictions. Which objective is most threatened?

  A. Inventory existence
  B. Bond amortization
  C. Confidentiality and privacy of sensitive data are threatened.
  D. Gross margin classification
Answer: C. Confidentiality and privacy of sensitive data are threatened.

Confidentiality and privacy of sensitive data are threatened.

Why the other answers are wrong
  • A. The choice "Inventory existence" misses the issue because customer PII protection is not inventory existence.
  • B. The choice "Bond amortization" misses the issue because bond accounting is unrelated to data protection.
  • D. The choice "Gross margin classification" misses the issue because gross margin does not address sensitive data security.

ISC-000008 | ISC-IV | Third-party risk

During an IT controls walkthrough, a vendor hosts the entity's payroll system. What should management consider?

  A. The vendor relationship eliminates management responsibility
  B. Payroll no longer affects financial reporting
  C. Only the vendor's marketing materials are needed
  D. Management should consider service provider controls and shared responsibilities.
Answer: D. Management should consider service provider controls and shared responsibilities.

Management should consider service provider controls and shared responsibilities.

Why the other answers are wrong
  • A. The choice "The vendor relationship eliminates management responsibility" misses the issue because outsourcing does not eliminate management's control responsibilities.
  • B. The choice "Payroll no longer affects financial reporting" misses the issue because hosted payroll can still affect reporting.
  • C. The choice "Only the vendor's marketing materials are needed" misses the issue because control evidence requires more than marketing claims.
