
100+ Free CITP Practice Questions

Pass your AICPA Certified Information Technology Professional (CITP) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
Not publicly disclosed Pass Rate
100+ Questions
100% Free

Key Facts: CITP Exam

  • 4 hours: Standard Pathway exam (AICPA CITP Credential Handbook)
  • 60 Qs / 2h: Experienced Pathway (AICPA; 7,000+ hours of experience required)
  • 1,000 hours: Business experience minimum, within preceding 5 years (CITP CSO)
  • $400 / $500: Standard exam fee, member/non-member (AICPA exam registration)
  • CISA waiver: ISACA CISA passes the exam requirement (AICPA CITP Credential Handbook)
  • 20 hours / yr: CPD for recertification (AICPA CITP recertification policy)

The AICPA CITP exam is a 4-hour comprehensive multiple-choice exam delivered online-proctored or at 300+ Pearson VUE centers (year-round). Standard fee is $400 member / $500 non-member; one retake is now included with the purchase. CITP is restricted to CPAs (AICPA membership + unrevoked CPA + 1,000 hours business experience). ISACA CISA holders qualify for the exam waiver. An Experienced Pathway exists (60 Qs, 2 hours, 7,000+ hours of qualifying experience).

Sample CITP Practice Questions

Try these sample questions to test your CITP exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Who is eligible to earn the AICPA Certified Information Technology Professional (CITP) credential?
A. Any IT professional with five years of relevant experience
B. AICPA members in good standing who hold an unrevoked CPA certificate and meet the business experience requirement
C. Any CPA, regardless of AICPA membership status
D. ISACA CISA holders only
Explanation: Per the CITP Credential Handbook, a candidate must (1) be an AICPA member in good standing, (2) hold an unrevoked CPA certificate from a state board of accountancy, (3) accumulate at least 1,000 hours of business experience in the CITP body of knowledge within the five-year period preceding application, and (4) pass the CITP exam (waived for CISA holders). Active CPA license status is not required — only an unrevoked certificate.
2. Which professional certification waives the AICPA CITP exam requirement?
A. ISACA CISM (Certified Information Security Manager)
B. ISACA CISA (Certified Information Systems Auditor)
C. (ISC)2 CISSP
D. ISACA CRISC
Explanation: The AICPA waives the CITP exam requirement for candidates who have passed the ISACA CISA exam, recognizing that CISA covers substantially equivalent IT audit, governance, and controls knowledge. Candidates still must satisfy AICPA membership, CPA licensure, business experience, and ongoing CPE requirements.
3. How many hours of relevant business experience must a CITP candidate document, and within what timeframe?
A. 500 hours within the past 3 years
B. 1,000 hours within the past 5 years
C. 2,000 hours within the past 5 years
D. 1,500 hours within the past 7 years
Explanation: The standard CITP business experience requirement is a minimum of 1,000 hours within the CITP body of knowledge during the five-year period preceding the application. The Experienced Pathway requires at least 7,000 hours and 7+ years for candidates seeking the abbreviated 60-question / 2-hour exam.
4. What format and length is the standard CITP exam?
A. 60 multiple-choice questions in 2 hours
B. 150 multiple-choice questions in 4 hours, with case-study items
C. Computer-based, 4-hour comprehensive multiple-choice exam covering the CITP body of knowledge
D. Oral examination conducted by an AICPA panel
Explanation: Per the CITP Credential Handbook, the standard CITP Exam is a 4-hour, computer-based, comprehensive multiple-choice exam focused on the CITP body of knowledge. It is delivered year-round via online proctoring or at one of 300+ Pearson VUE test centers across the United States and Canada. The Experienced Pathway is the abbreviated 60-question / 2-hour alternative.
5. What is the CITP Experienced Pathway exam designed for?
A. First-time CPAs with no IT background
B. CPAs with at least 7,000 hours and 7 years of business experience in the CITP body of knowledge
C. Non-CPAs with extensive IT consulting experience
D. CISA holders only
Explanation: The CITP Experienced Pathway is a streamlined 60-question, 2-hour exam available to candidates who can document a minimum of 7,000 hours and at least 7 years of business experience in the CITP credential body of knowledge. It contains a mix of stand-alone multiple-choice and case-based items.
6. How is the CITP exam administered?
A. Paper-and-pencil only at AICPA chapter offices
B. Online proctored or at 300+ Pearson VUE test centers in the U.S. and Canada, year-round
C. Twice annually at a single AICPA testing site
D. Only at AICPA national conferences
Explanation: The CITP exam is offered continuously throughout the year. Candidates can choose between online (remote-proctored) delivery or scheduling at one of 300+ Pearson VUE test centers across the United States and Canada. Results are reported promptly after sitting.
7. Which of the following is NOT one of the three modules of the CITP credential body of knowledge?
A. Information Security & Cyber Risks
B. Data Management & Analytics
C. Tax Information Systems
D. IT Governance, Risk, & Controls
Explanation: The CITP body of knowledge is organized into three modules: (1) Information Security & Cyber Risks, (2) Data Management & Analytics (including Business Intelligence), and (3) IT Governance, Risk, & Controls (including SOC reporting). Tax information systems is not a CITP module.
8. How many CPE/CPD hours must a CITP credential holder complete annually to maintain the credential?
A. 0 — the credential does not require CPE
B. 10 hours of any CPE
C. 20 hours of continuing professional development within the CITP body of knowledge
D. 40 hours of CPE in any topic
Explanation: Per the CITP Credential Handbook, recertification requires the holder to (a) maintain AICPA membership, (b) maintain a valid CPA credential, (c) complete 20 hours of continuing professional development annually within the CITP body of knowledge, and (d) pay the annual fee with attestation of compliance.
9. In the NIST Cybersecurity Framework (CSF) 2.0, which function was added to the original five (Identify, Protect, Detect, Respond, Recover)?
A. Govern
B. Audit
C. Assess
D. Comply
Explanation: NIST released CSF 2.0 in February 2024, adding 'Govern' as a sixth function that wraps and supports the original five (Identify, Protect, Detect, Respond, Recover). Govern emphasizes establishing and monitoring the cybersecurity risk management strategy, expectations, and policy at the organizational level — a key area for CITP candidates assessing entity-wide IT governance.
10. Which of the following best describes the CIA triad in information security?
A. Compliance, Integrity, Audit
B. Confidentiality, Integrity, Availability
C. Control, Investigation, Authentication
D. Cybersecurity, Identity, Access
Explanation: The CIA triad — Confidentiality, Integrity, and Availability — is the foundational model for information security. Confidentiality protects against unauthorized disclosure; Integrity protects against unauthorized modification; Availability ensures information and systems are accessible when needed. CITP exam questions on access controls, encryption, and BCP map to one or more of these three properties.

About the CITP Exam

The Certified Information Technology Professional (CITP) credential, issued by the AICPA exclusively to CPAs, validates expertise at the intersection of technology and financial reporting. The exam is built around the AICPA CITP Content Specification Outline (CSO) and covers three modules: (1) Information Security & Cyber Risks — NIST CSF, cybersecurity risk management, SOC for Cybersecurity, BCP/DR, and privacy regulations; (2) Data Management & Analytics — data governance, warehousing, ETL, the four analytics tiers, audit data analytics, RPA, and AI/ML basics; and (3) IT Governance, Risk & Controls — COBIT 2019, COSO 2013/ERM 2017, IT general controls, application controls, and the SOC 1/2/3 reporting suite (Trust Services Criteria, Type 1 vs Type 2, CUECs, subservice carve-out vs inclusive, AU-C 402 user-auditor responsibilities).

Questions

100 scored questions

Time Limit

4 hours (Standard Pathway) / 2 hours (Experienced Pathway, 60 Qs)

Passing Score

Scaled (not publicly disclosed by AICPA)

Exam Fee

$400 member / $500 non-member (Standard) — one retake included since May 2024 (AICPA & CIMA (online proctored or Pearson VUE test centers))

CITP Exam Content Outline

~25%

Module I — Information Security & Cyber Risks

Information security governance (strategy, policies, logical and physical access, authentication including MFA and zero trust, BCP/DR with RTO/RPO/BIA), cybersecurity risk management (NIST CSF 2.0 with the Govern function, threat vectors, ransomware, business email compromise, vulnerability management, encryption — AES, RSA, hashing), and SOC for Cybersecurity (TSP Section 100). Privacy regulations: GDPR Article 33 (72-hour breach notice), CCPA/CPRA, data minimization.

~25%

Module II — Data Management & Analytics

Information lifecycle management, data governance (stewards vs custodians), data architecture (OLTP vs OLAP, star/snowflake schemas, slowly changing dimensions, data lakes vs warehouses vs marts, master data management), ETL/ELT pipelines, data quality dimensions, the four analytics tiers (descriptive, diagnostic, predictive, prescriptive), data visualization, KPIs, audit data analytics with CAATs, Benford's Law, RPA governance, and AI/ML risk considerations (bias, explainability, drift).

~50%

Module III — IT Governance, Risk, & Controls (incl. SOC Reporting)

IT governance and strategy (COBIT 2019 Goals Cascade, EDM/APO/BAI/DSS/MEA domains, six governance principles, IT steering committee, three lines of defense), enterprise risk (COSO 2013, COSO ERM 2017), IT risk identification and assessment, IT general controls (access provisioning/deprovisioning, segregation of duties, change management, computer operations), application controls (input validation, 3-way match), preventive/detective/corrective/compensating control taxonomy, IPE/system-generated report testing, control deficiency severity (AU-C 265 / AS 2201), and the SOC 1/SOC 2/SOC 3 reporting suite (Trust Services Criteria, Type 1 vs Type 2, CUECs, subservice carve-out vs inclusive, AU-C 402 user-auditor responsibilities, qualified vs adverse opinions). Vendor/third-party risk management, cloud shared responsibility (IaaS/PaaS/SaaS), and emerging-tech risk advisory.

How to Pass the CITP Exam

What You Need to Know

  • Passing score: Scaled (not publicly disclosed by AICPA)
  • Exam length: 100 questions
  • Time limit: 4 hours (Standard Pathway) / 2 hours (Experienced Pathway, 60 Qs)
  • Exam fee: $400 member / $500 non-member (Standard) — one retake included since May 2024

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CITP Study Tips from Top Performers

1. Memorize the three CITP modules and their content areas — Module I (Info Security & Cyber Risks), Module II (Data Management & Analytics), Module III (IT Governance, Risk & Controls)
2. Master the SOC 1 vs SOC 2 vs SOC 3 distinction — purpose, audience, scope, restricted vs general use — and Type 1 vs Type 2 (point-in-time vs operating effectiveness over a period)
3. Know SOC 2 Trust Services Criteria cold: Security (always required), Availability, Processing Integrity, Confidentiality, Privacy
4. Understand CUECs and the carve-out vs inclusive method for subservice organizations — frequent CITP and SOX testing topic
5. Drill ITGC categories — Access to Programs and Data, Program Changes, Computer Operations — and how each maps to SOX 404 reliance on automated controls
6. Know COBIT 2019 governance vs management split (EDM vs APO/BAI/DSS/MEA) and the Goals Cascade
7. Master COSO 2013 (5 components, 17 principles) and COSO ERM 2017 (5 components) — both appear regularly
8. Understand NIST CSF 2.0 — including the new Govern function added in February 2024 — and apply it to scenario questions

Frequently Asked Questions

Who is eligible to earn the AICPA CITP credential?

The CITP is restricted to AICPA members in good standing who hold an unrevoked CPA certificate. Candidates must document at least 1,000 hours of business experience in the CITP body of knowledge within the five-year period preceding application, pass the CITP Exam (or qualify for the CISA waiver), and maintain 20 hours of annual continuing professional development in CITP topics for recertification.

Does the ISACA CISA waive the CITP exam requirement?

Yes. The AICPA explicitly waives the CITP examination for candidates who have passed the ISACA Certified Information Systems Auditor (CISA) exam. CISA holders still must satisfy AICPA membership, CPA licensure, the 1,000-hour business experience requirement, and ongoing CPD. No other certification (CISM, CISSP, CRISC) waives the CITP exam.

What is the CITP Experienced Pathway exam?

The Experienced Pathway is a streamlined 60-question, 2-hour exam available to candidates who can document a minimum of 7,000 hours and at least 7 years of business experience in the CITP body of knowledge. Fees are $165 (member) / $220 (non-member). It uses a mix of stand-alone multiple choice and case-based items. Standard Pathway candidates take the 4-hour comprehensive exam.

How is the CITP exam structured and delivered?

The Standard Pathway exam is a 4-hour, computer-based, comprehensive multiple-choice examination focused on the three modules of the CITP body of knowledge. It is offered year-round and can be taken online (remote-proctored) or at one of 300+ Pearson VUE test centers across the U.S. and Canada. As of May 1, 2024, one retake is included with the original exam purchase.

What does the CITP exam cover, and what are the module weightings?

Per the AICPA CITP Content Specification Outline (CSO): Module I — Information Security & Cyber Risks (information security governance, cybersecurity risk management, SOC for Cybersecurity), Module II — Data Management & Analytics (data management, data analysis & reporting, business intelligence management), and Module III — IT Governance, Risk & Controls (IT governance & strategy, IT risks/process/controls, SOC reporting). Module III carries the heaviest weight; we distribute practice questions roughly 25% / 25% / 50% to mirror that emphasis.

How long should I study for the CITP exam?

Plan for 60-100 hours of focused preparation. Core materials: the AICPA CITP Content Specification Outline, the Complete Guide to the CITP Body of Knowledge (AICPA self-study), the CITP Learning Pathway Bundle, NIST CSF 2.0, COBIT 2019, COSO 2013/ERM 2017, SSAE 18 / TSP Section 100 guidance, and the AICPA Audit Data Analytics Guide. Complete 100+ practice questions and target 80%+ before sitting.

Does the CITP credential expire?

The CITP does not have a fixed expiration date, but holders must complete annual recertification: maintain AICPA membership in good standing, maintain a valid CPA credential, complete 20 hours of continuing professional development annually within the CITP body of knowledge, and pay the annual fee with attestation. Failure to meet any requirement can result in loss of the credential.