40.2 ISC Control Evidence and SOC Drill
Key Takeaways
- ISC practice should connect each technology risk to a control objective, specific control activity, evidence source, and reporting consequence.
- Access, change management, backup, incident response, vendor, and data controls should be drilled as evidence problems, not vocabulary lists.
- SOC 1 work is tied to user entities' internal control over financial reporting, while SOC 2 work is tied to the trust services categories.
- Complementary user entity controls and complementary subservice organization controls are shared-responsibility items that can change report interpretation.
- A useful ISC review log captures whether the miss came from risk identification, control design, evidence evaluation, or SOC report classification.
ISC workbook drill: control, evidence, and SOC reasoning
Information Systems and Controls (ISC) is the discipline section that rewards candidates who turn technology language into assurance work. ISC is four hours long and has the most multiple-choice questions of any discipline: 82 MCQs across two testlets plus 6 task-based simulations across three testlets. ISC is also the scoring exception, weighting MCQs at 60 percent and simulations at 40 percent, so the MCQ testlets carry more of your 75-point target than they do in BAR or TCP. A question may mention cloud hosting, encryption, privileged users, data warehouses, change tickets, backups, incident response, or privacy notices.
Your job is not to admire the technology; it is to identify the risk, name the control objective, inspect relevant evidence, and decide whether the facts support the conclusion.
The four-column control drill
Build every ISC drill with four columns. This format works for MCQs and simulations because it mirrors practitioner reasoning.
| Risk | Control objective | Evidence to inspect | Possible deficiency |
|---|---|---|---|
| Unauthorized access | Only approved users have appropriate access | User listing, approval tickets, termination report, privileged-access log | Former employee still active or no reviewer approval |
| Unauthorized program change | Changes are authorized, tested, and migrated properly | Change request, test results, approval, migration log | Emergency change lacks review or testing |
| Data loss | Data can be restored within service commitments | Backup schedule, restoration test, exception report | Backups run but restoration was never tested |
| Incomplete processing | Transactions are processed completely and accurately | Interface reconciliation, exception queue, batch totals | Unresolved exceptions or missing reconciliation signoff |
| Unmanaged incident | Security events are contained and resolved | Incident ticket, timeline, root-cause analysis, closure approval | Ticket lacks owner, containment, or final approval |
For each row, write evidence a practitioner could actually inspect. A policy is not the same as operation: a policy says what should happen; operating evidence shows what did happen during the period.
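The rows above describe what to inspect, but the deficiency column only becomes concrete once you actually reconcile the evidence sources against each other. The following Python script is an added illustration (not part of this workbook) that runs three of the table's rows as evidence checks over constructed data: an active-user listing against a termination report and approval tickets, change tickets against their test and approval fields, and a backup log against a restoration-test log for the review period. All user names, ticket ids, dates and field names are assumptions made up for the example.

```python
"""Evidence checks for three rows of the four-column drill.
All records below are constructed sample data for this example."""
from datetime import date

PERIOD_START = date(2024, 1, 1)
PERIOD_END = date(2024, 12, 31)

# Constructed user listing exported from the application (one row per account).
USER_LISTING = [
    {"user": "asmith", "status": "active", "privileged": False, "access_ticket": "ACC-101"},
    {"user": "bjones", "status": "active", "privileged": True, "access_ticket": "ACC-102"},
    {"user": "cdoe", "status": "active", "privileged": False, "access_ticket": None},
    {"user": "dlee", "status": "disabled", "privileged": False, "access_ticket": "ACC-104"},
]

# Constructed HR termination report: user -> termination date.
TERMINATIONS = {"bjones": date(2024, 6, 14), "dlee": date(2024, 3, 2)}

# Constructed access-approval tickets: ticket id -> approver (None = never approved).
ACCESS_APPROVALS = {"ACC-101": "mgr_ops", "ACC-102": "mgr_ops", "ACC-104": None}

# Constructed change tickets with the fields a reviewer would inspect.
CHANGE_TICKETS = [
    {"id": "CHG-7", "emergency": False, "tested": True, "approved_by": "cab"},
    {"id": "CHG-8", "emergency": True, "tested": False, "approved_by": None},
    {"id": "CHG-9", "emergency": True, "tested": True, "approved_by": "cab"},
]

# Constructed backup job log and restoration-test log.
BACKUP_RUNS = [date(2024, m, 15) for m in range(1, 13)]
RESTORE_TESTS = [date(2023, 11, 20)]  # last restoration test predates the period


def access_deficiencies(listing, terminations, approvals):
    """Row 1: active accounts that belong to leavers or lack reviewer approval."""
    findings = []
    for row in listing:
        if row["status"] != "active":
            continue  # a disabled leaver is the control operating, not a finding
        if row["user"] in terminations:
            findings.append(f"{row['user']}: terminated {terminations[row['user']]} but still active")
        ticket = row["access_ticket"]
        if ticket is None or approvals.get(ticket) is None:
            findings.append(f"{row['user']}: no reviewer approval on record")
    return findings


def change_deficiencies(tickets):
    """Row 2: changes (emergency or not) migrated without test results or approval."""
    findings = []
    for t in tickets:
        problems = []
        if not t["tested"]:
            problems.append("no test results")
        if t["approved_by"] is None:
            problems.append("no approval")
        if problems:
            tag = "emergency change" if t["emergency"] else "change"
            findings.append(f"{t['id']}: {tag} with {', '.join(problems)}")
    return findings


def backup_deficiencies(runs, restore_tests, start, end):
    """Row 3: backups must both run and be proven restorable inside the period."""
    in_period = lambda d: start <= d <= end
    findings = []
    if not any(in_period(d) for d in runs):
        findings.append("no backup run in period")
    if not any(in_period(d) for d in restore_tests):
        findings.append("no restoration test in period")
    return findings


def run_drill():
    """Return the possible-deficiency column for each row, built from evidence."""
    return {
        "access": access_deficiencies(USER_LISTING, TERMINATIONS, ACCESS_APPROVALS),
        "change": change_deficiencies(CHANGE_TICKETS),
        "backup": backup_deficiencies(BACKUP_RUNS, RESTORE_TESTS, PERIOD_START, PERIOD_END),
    }


if __name__ == "__main__":
    for area, findings in run_drill().items():
        print(area, findings or ["no deficiency noted"])
```

Note what the script does and does not prove: it shows the control populations reconcile (or fail to) for the period, which is operating evidence; it says nothing about whether a written policy exists. The disabled leaver produces no finding because that is the control working, while the leaver still active and the unapproved account are exactly the deficiencies in the table's last column.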
Evidence quality drill
Rank evidence before answering. System-generated logs are persuasive when the population is complete, log access is controlled, and the log ties to the relevant period. Screenshots are weak because they show one point in time. Inquiry explains a process but rarely proves a recurring control operated. Reperformance, configuration review, independent reports, reconciliations, and approved tickets are usually stronger. Use this checklist:
- Does the evidence cover the full period under review?
- Does it identify who performed the control and when?
- Does it show review, approval, or exception resolution when required?
- Does it come from a reliable system or an independent source?
- Does it tie to the control objective, not merely to a related activity?
SOC report drill
SOC questions separate candidates who memorize names from candidates who understand use. A SOC 1 report addresses controls at a service organization relevant to user entities' internal control over financial reporting (ICFR). A payroll processor, claims processor, loan servicer, or revenue platform is often a SOC 1 setting. A SOC 2 report addresses controls relevant to the trust services categories: security, availability, processing integrity, confidentiality, and privacy. A cloud host, software-as-a-service (SaaS) platform, data center, or managed security provider is often a SOC 2 setting.
Both come as Type 1 (design at a point in time) or Type 2 (design and operating effectiveness over a period); only Type 2 tests operation. A SOC 3 report is general-use, based on SOC 2 subject matter, but short and without detailed test results. Do not use SOC 3 when a user auditor needs detailed controls and tests.
CUEC and CSOC drill
Complementary user entity controls (CUECs) are controls a user entity must perform for the service organization's controls to meet their objectives. Complementary subservice organization controls (CSOCs) are controls expected at a subservice organization. In a drill, highlight every sentence saying the customer, user entity, vendor, data center, or subservice provider must perform a control, then ask whether the report's conclusion depends on that other party. A carve-out method excludes the subservice organization's controls; an inclusive method includes them.
Twelve-minute ISC mixed case
Read one system narrative for four minutes, fill the four-column grid for four minutes, spend two minutes choosing SOC 1, SOC 2, or neither, and use the last two minutes to write the likely deficiency and evidence gap. If you miss the answer, tag it as risk, control, evidence, or report. ISC improvement comes from knowing which link in the chain failed, not from memorizing more cybersecurity terms.
Frameworks and traps to rehearse
ISC questions often anchor on named frameworks, and the exam expects you to map a fact to the right one rather than recite definitions. Keep these distinctions sharp:
- COSO Internal Control framework has five components: control environment, risk assessment, control activities, information and communication, and monitoring activities. A weak tone at the top is a control environment issue, not a control activity issue.
- General IT controls (GITCs) versus application controls. GITCs cover access, change management, and operations across systems; application controls (input validation, edit checks, reconciliations) operate inside a single process. A failed GITC can undermine many application controls at once.
- Confidentiality versus privacy. Confidentiality protects information designated as confidential under an agreement; privacy concerns personal information and the entity's notice and consent commitments. ISC items deliberately blur these.
- Encryption in transit versus at rest. Data moving over a network needs transport encryption; data stored in a database needs encryption at rest. A control that addresses one does not satisfy the other.
- Least privilege and segregation of duties. A single user who can both request and approve a change, or both create a vendor and pay it, is a segregation-of-duties deficiency regardless of how clean the logs look.
Trap rehearsal also means knowing when a finding is a design deficiency versus an operating deficiency. A control that, even if performed perfectly, would not prevent the risk has a design problem; a well-designed control that was skipped during the period has an operating problem. Tag each miss with that distinction, because the remediation and the SOC report language differ sharply between the two. ISC rewards the candidate who can say not just that something is wrong, but exactly which link in the risk-control-evidence chain broke and whether the cure is redesign or consistent performance.
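The segregation-of-duties bullet and the design-versus-operating distinction can be tested together. The Python below is an added example, not material from this workbook: it detects the two scenarios named above (one user requesting and approving a change, one user creating a vendor and paying it) from constructed transaction records, and separately flags users whose entitlements would allow such a conflict whether or not they used it. The first two checks are operating evidence; the entitlement check is a design question. User names, ticket ids, vendor ids and role names are assumptions made up for the example.

```python
"""Segregation-of-duties checks over constructed workflow records.
Every user, ticket, vendor and role name here is sample data for this example."""
from collections import defaultdict

# Constructed change tickets: who requested and who approved each change.
CHANGE_WORKFLOW = [
    {"id": "CHG-21", "requested_by": "dev_a", "approved_by": "lead_b"},
    {"id": "CHG-22", "requested_by": "dev_c", "approved_by": "dev_c"},  # self-approved
    {"id": "CHG-23", "requested_by": "dev_a", "approved_by": None},     # never approved
]

# Constructed vendor master and payment events: who created and who paid each vendor.
VENDOR_EVENTS = [
    {"vendor": "V-100", "action": "create", "user": "ap_clerk1"},
    {"vendor": "V-100", "action": "pay", "user": "ap_clerk2"},
    {"vendor": "V-200", "action": "create", "user": "ap_clerk3"},
    {"vendor": "V-200", "action": "pay", "user": "ap_clerk3"},  # same user on both sides
]

# Constructed role listing: which roles each user currently holds.
ENTITLEMENTS = {
    "dev_c": {"change_request", "change_approve"},
    "ap_clerk3": {"vendor_create", "vendor_pay"},
    "ap_clerk1": {"vendor_create"},
}
# Role pairs that should never sit with one person (assumed for the example).
CONFLICTING_PAIRS = [("change_request", "change_approve"), ("vendor_create", "vendor_pay")]


def self_approved_changes(tickets):
    """Operating evidence: tickets where one user both requested and approved."""
    return [t["id"] for t in tickets
            if t["approved_by"] is not None and t["approved_by"] == t["requested_by"]]


def create_and_pay_conflicts(events):
    """Operating evidence: (vendor, user) pairs where one user created and paid a vendor."""
    actors = defaultdict(lambda: defaultdict(set))
    for e in events:
        actors[e["vendor"]][e["action"]].add(e["user"])
    return sorted((vendor, user)
                  for vendor, by_action in actors.items()
                  for user in by_action["create"] & by_action["pay"])


def entitlement_conflicts(entitlements, pairs):
    """Design evidence: users holding both halves of a conflicting pair, used or not."""
    return sorted((user, a, b)
                  for user, roles in entitlements.items()
                  for a, b in pairs if a in roles and b in roles)


if __name__ == "__main__":
    print("self-approved changes:", self_approved_changes(CHANGE_WORKFLOW))
    print("create-and-pay by one user:", create_and_pay_conflicts(VENDOR_EVENTS))
    print("conflicting entitlements:", entitlement_conflicts(ENTITLEMENTS, CONFLICTING_PAIRS))
```

The split matters for how a finding is written up: a user who holds both roles but never exercised them is a design deficiency to be fixed by changing the role model, while a self-approved ticket is evidence that the control did not operate during the period, even if the logs around it are otherwise clean.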
An ISC case states that backups are scheduled nightly, but the organization has not performed a restoration test during the review period. Which conclusion is best?
A user auditor needs detailed testing of a payroll service organization's controls relevant to user entities' internal control over financial reporting. Which report is usually most relevant?