
100+ Free CPA ISC Practice Questions

Pass your AICPA CPA Exam — Information Systems & Controls (ISC) Discipline exam on the first try — instant access, no signup required.

2026 Statistics

Key Facts: CPA ISC Exam

  • Exam Format: 82 MCQ + 6 TBS (AICPA ISC Blueprint 2026)
  • MCQ / TBS Scoring: 60% / 40% (AICPA; ISC unique split)
  • Passing Scaled Score: 75 (AICPA / NASBA)
  • Exam Time: 4 hours (AICPA)
  • Testing Windows: Quarterly (Jan, Apr, Jul, Oct; NASBA)
  • Q1 2026 Pass Rate: ~67% (AICPA quarterly statistics)

ISC is the IT Discipline section of the CPA Evolution exam. It is 4 hours with 82 multiple-choice questions and 6 task-based simulations, uniquely weighted 60% MCQ / 40% TBS (other CPA sections are 50/50). The passing score is 75 on a 0-99 scaled score, and ISC is offered in four quarterly testing windows: January, April, July, and October. AICPA reported a ~67% Q1 2026 pass rate, the highest of the three Disciplines.

Sample CPA ISC Practice Questions

Try these sample questions to test your CPA ISC exam readiness. Each question includes a detailed explanation.

1. Which of the following is NOT one of the three traditional categories of IT general controls (ITGCs)?
A. Change management
B. Logical access
C. Computer operations
D. Application input edit checks
Explanation: The three traditional ITGC categories are change management, logical access, and computer operations. Application input edit checks (e.g., field validations, range checks) are application controls — controls embedded in a specific business application — not general controls. Auditors test ITGCs to gain reliance on automated application controls.
2. A control that requires programming changes to be approved, tested in a development environment, and migrated to production by an independent party best illustrates which ITGC category?
A. Computer operations
B. Change management
C. Logical access
D. Physical security
Explanation: Change management ITGCs ensure that modifications to applications and infrastructure are authorized, tested, approved, and migrated by someone other than the developer. Independent migration enforces segregation of duties between development and production. Logical access controls cover user authentication and authorization, while computer operations covers job scheduling, backups, and incident handling.
3. Under CPA Evolution, the ISC Discipline section is uniquely scored as:
A. 50% MCQ / 50% TBS like AUD, FAR, and REG
B. 60% MCQ / 40% TBS
C. 40% MCQ / 60% TBS
D. 100% MCQ
Explanation: ISC is the only CPA Exam section weighted 60% multiple-choice questions and 40% task-based simulations. The three Core sections (AUD, FAR, REG) and the other two Discipline sections (BAR and TCP) are weighted 50% MCQ / 50% TBS. The split reflects ISC's emphasis on knowledge of frameworks and standards.
4. Which database normal form is achieved when every non-key attribute is fully functionally dependent on the entire primary key (eliminating partial dependencies)?
A. First Normal Form (1NF)
B. Second Normal Form (2NF)
C. Third Normal Form (3NF)
D. Boyce-Codd Normal Form (BCNF)
Explanation: Second Normal Form (2NF) requires the table to be in 1NF and that every non-key attribute be fully functionally dependent on the entire primary key — i.e., no partial dependencies on a portion of a composite key. 1NF only requires atomic values; 3NF additionally eliminates transitive dependencies; BCNF is a stricter version of 3NF.
5. Which SQL clause is used to filter rows AFTER a GROUP BY aggregation has been performed?
A. WHERE
B. HAVING
C. ORDER BY
D. DISTINCT
Explanation: HAVING filters groups produced by GROUP BY using aggregate predicates (e.g., HAVING COUNT(*) > 10). WHERE filters rows BEFORE aggregation and cannot reference aggregate functions. ORDER BY sorts the final result set; DISTINCT removes duplicate rows.
6. In an ETL pipeline, the 'T' stage typically includes all of the following EXCEPT:
A. Cleansing and de-duplication
B. Data type conversion and standardization
C. Aggregation and derivation of calculated fields
D. Physical storage allocation on disk arrays
Explanation: The T (Transform) stage of Extract-Transform-Load involves cleansing, standardization, type conversion, deduplication, joining, aggregation, and deriving new fields. Physical storage allocation is an infrastructure / DBA concern unrelated to ETL transformations. The L (Load) stage moves transformed data into the target — typically a data warehouse or lake.
7. Which SDLC phase is most likely to involve a written user acceptance test (UAT) signed off by the business owner?
A. Requirements gathering
B. Design
C. Testing / Implementation
D. Maintenance
Explanation: User acceptance testing (UAT) is performed during the testing/implementation phase of the SDLC, typically immediately before go-live. The business owner signs off that the system meets requirements before production migration. Requirements and design phases produce specifications; maintenance covers post-deployment changes.
8. Data lineage documentation is most useful for which of the following objectives?
A. Encrypting sensitive data at rest
B. Tracing a value reported in a financial statement back through every system, table, and transformation that produced it
C. Hashing user passwords for storage
D. Mapping the company's organizational chart
Explanation: Data lineage shows the flow of data from source through every transformation to its final use — critical for auditability, regulatory reporting, and root-cause analysis when errors are detected downstream. Encryption and hashing are confidentiality and integrity controls, not lineage. Lineage supports the ICFR assertions of completeness and accuracy.
9. In a relational database, a foreign key is best described as:
A. A column whose values uniquely identify each row in its own table
B. A column in one table that references the primary key of another table to enforce referential integrity
C. A redundant copy of the primary key used for backup
D. An index that speeds up SELECT queries
Explanation: A foreign key is a column (or set of columns) in a child table that references the primary key in a parent table. The DBMS uses it to enforce referential integrity — e.g., preventing an order from referencing a customer that does not exist. Primary keys uniquely identify rows in their own table.
10. Which of the following is the BEST example of a preventive ITGC?
A. Reviewing a daily exception report of failed login attempts
B. Restoring a database from backup after corruption
C. Requiring multi-factor authentication before granting access to the ERP
D. Reconciling the general ledger to the subledger monthly
Explanation: Preventive controls stop errors or unauthorized activity from occurring. Multi-factor authentication prevents unauthorized access before it happens. Reviewing exception reports is detective; restoring from backup is corrective; reconciliations are detective business-process controls.

About the CPA ISC Exam

Information Systems and Controls (ISC) is one of three Discipline section options under the post-2024 CPA Evolution Uniform CPA Examination. ISC is the IT-focused choice and tests information systems and data management (35-45%), security/confidentiality/privacy (35-45%), and considerations for SOC engagements (15-25%). Candidates need fluency in IT general controls (ITGCs), the AICPA Trust Services Criteria, SSAE 21 attestation standards (AT-C 105, 205, 320), security frameworks (COSO ERM, COBIT, NIST CSF, NIST 800-53, ISO 27001), encryption, identity and access management, business continuity, and SOC 1 / SOC 2 / SOC 3 engagements.

  • Questions: 88 scored questions
  • Time Limit: 4 hours (82 MCQs + 6 TBSs)
  • Passing Score: 75 (0-99 scaled)
  • Exam Fee: $262.64 (AICPA / NASBA; Prometric test centers)

CPA ISC Exam Content Outline

Information Systems and Data Management (35-45%)

IT general controls (change management, logical access, computer operations), system development life cycle, data governance and lineage, ETL and data quality, relational databases, normalization (1NF/2NF/3NF), SQL fundamentals, business process and data flow analysis, system implementation

Security, Confidentiality, and Privacy (35-45%)

Frameworks (COSO ERM, COBIT 2019, NIST CSF, NIST 800-53, ISO 27001), access controls (RBAC, ABAC, MFA, SSO, least privilege, segregation of duties), encryption (symmetric vs asymmetric, hashing, PKI, TLS), incident response, business continuity / disaster recovery (RTO, RPO), privacy frameworks (GDPR, CCPA), data classification, threat modeling

Considerations for System and Organization Controls (SOC) Engagements (15-25%)

SSAE 21, AT-C 105 (general attestation requirements), AT-C 205 (examination engagements), AT-C 320 (SOC 1 ICFR engagements), SOC 1 (Type 1 vs Type 2), SOC 2 Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy), SOC 3, complementary user entity controls (CUECs), subservice organizations (carve-out vs inclusive method)

How to Pass the CPA ISC Exam

What You Need to Know

  • Passing score: 75 (0-99 scaled)
  • Exam length: 88 questions
  • Time limit: 4 hours (82 MCQs + 6 TBSs)
  • Exam fee: $262.64

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CPA ISC Study Tips from Top Performers

1. Memorize the three ITGC categories — change management, logical access, computer operations — and tie each to the application controls it supports
2. Know SOC 1 vs SOC 2 cold: SOC 1 covers ICFR (financial reporting), SOC 2 covers Trust Services Criteria
3. Memorize the five Trust Services Criteria — Security (mandatory), Availability, Processing Integrity, Confidentiality, Privacy
4. Know Type 1 (controls at a point in time) vs Type 2 (operating effectiveness over a period, typically 6-12 months)
5. Drill encryption fundamentals: symmetric (AES) for bulk data, asymmetric (RSA, ECC) for key exchange, hashing (SHA-256) for integrity, TLS as the layered combination
6. Master RTO (recovery time objective) vs RPO (recovery point objective) — RTO is downtime tolerance, RPO is data-loss tolerance
7. Be able to identify carve-out vs inclusive method for subservice organizations and what each implies for the user auditor
8. Practice the 60/40 MCQ-TBS scoring weighting in your mock exams — ISC rewards MCQ accuracy more than other CPA sections

Frequently Asked Questions

What makes ISC different from the other CPA Discipline sections?

ISC is the only IT-focused Discipline. It is also unique in scoring: ISC is weighted 60% multiple-choice questions and 40% task-based simulations, whereas BAR and TCP (and the three Core sections) are 50/50. Candidates with IT audit, SOC, or cybersecurity experience typically find ISC the easiest match.

When is the CPA ISC exam offered?

Like all Discipline sections, ISC is administered in four quarterly testing windows each year: January, April, July, and October. Score releases follow ~6-10 weeks after each window closes. Unlike the Core sections (AUD, FAR, REG), Disciplines are not available continuously.

What is the passing score and format for CPA ISC?

ISC requires a scaled score of 75 on a 0-99 scale to pass. The exam is 4 hours and contains 82 multiple-choice questions and 6 task-based simulations (88 items). The MCQs are delivered in two testlets, and difficulty in the second testlet adapts based on first-testlet performance.

What SOC standards do I need to know for ISC?

You must understand SSAE 21 and the related AT-C sections: AT-C 105 (general attestation requirements), AT-C 205 (examination engagements), and AT-C 320 (SOC 1 ICFR). Memorize SOC 1 vs SOC 2 vs SOC 3, Type 1 vs Type 2, the five Trust Services Criteria, complementary user entity controls (CUECs), and the carve-out vs inclusive method for subservice organizations.

How does ITGC content show up on ISC?

IT general controls are tested heavily in Area I. Memorize the three traditional ITGC categories — change management, logical access, and computer operations — and how each supports automated application controls. Be able to identify control deficiencies, design vs operating effectiveness, and the implications for an integrated audit and SOC 1 engagement.

What review materials work best for ISC?

Becker, Wiley, Roger CPA Review, Surgent, and UWorld all publish ISC sections aligned with the AICPA Blueprint. ISC has less institutional history than legacy CPA sections, so use a current 2026 edition and supplement with the AICPA ISC Blueprint, AICPA Trust Services Criteria, and free NIST CSF and 800-53 reference material.

Does the CPA license still expire under CPA Evolution?

Section credits remain valid for 30 months from the score release date under the CPA Evolution credit policy adopted by NASBA in 2024. After licensure, CPA license renewal and CPE requirements are set by each state board and typically include 40 CPE hours annually or 80-120 over a 2-3 year cycle.