16.1 Systems Architecture and Data Flow

Why Architecture Matters in ISC

The 2026 AICPA Information Systems and Controls (ISC) blueprint weights Area I, Information Systems and Data Management, at 35-45% of the discipline, the largest of the three areas (Area II Security/Confidentiality/Privacy 35-45%; Area III SOC engagements 15-25%). The ISC exam runs 4 hours with 82 multiple-choice questions (60% of score) and 6 task-based simulations (40%); the passing scaled score is 75. Architecture and data flow recur in both the multiple-choice and simulation testlets, so this material is high-yield.

A candidate is not expected to configure a router or write production code. The candidate is expected to read a system description and answer one question: where could data become incomplete, inaccurate, unauthorized, unavailable, or exposed?

IT architecture is the arrangement of technology components that capture, process, store, transmit, and present information. For a CPA, the brand of server is irrelevant; the control implications of each component are everything.

The exam frames architecture around the five information-processing objectives that map to financial-statement assertions: completeness (all valid transactions are captured), accuracy (amounts and details are correct), authorization/validity (only approved transactions occur), availability (data is accessible when needed), and confidentiality (sensitive data is protected). Architecture decisions either reinforce or undermine these objectives. A monolithic system concentrates risk in one place; a distributed or microservices design spreads processing across many components and APIs, multiplying the interface points where data can be lost.

Knowing the architecture style tells you where to look first.

Core Components and Control Focus

When a fact pattern lists a component, immediately attach its dominant risk. A shared admin password on an operating system is an authorization risk; an unmonitored API is a completeness risk; an unencrypted network link is a confidentiality risk. The exam rarely rewards a vague "weak IT controls" answer.

Cloud Models and Shared Responsibility

Cloud computing appears frequently because modern accounting systems are commonly outsourced or hybrid. Three service models matter:

• Infrastructure as a service (IaaS): provider supplies virtual servers, storage, and networking; customer manages the operating system, applications, and data.
• Platform as a service (PaaS): provider also manages the runtime, middleware, and operating system; customer manages applications and data.
• Software as a service (SaaS): provider delivers the finished application (cloud ERP, payroll, expense tools); customer manages only configuration, user access, and its own data.

As you move IaaS to PaaS to SaaS, the provider assumes more of the technology stack, but the customer never escapes responsibility for user access, data classification, business-process controls, vendor oversight, and review of reports and logs. This is the shared-responsibility model.

Deployment models also matter: a public cloud is multi-tenant, a private cloud is dedicated, and a hybrid cloud blends both. The Committee of Sponsoring Organizations (COSO) framework keeps governance grounded: management still sets objectives, identifies risk from outsourced systems, develops control activities, and monitors operation. Outsourcing changes who performs a control; it does not transfer accountability.

Data Flow and Control Points

A data-flow diagram (DFD) shows where information originates, how it moves, where it is stored, and what outputs are produced. In a sales process, a customer order may enter through an e-commerce storefront, route to credit approval, create a shipment, generate an invoice, update accounts receivable, and post to the general ledger.

Worked example. Suppose orders flow nightly from the storefront to the ERP. The storefront sends 4,210 orders totaling $1,883,400; the ERP posts 4,205 orders totaling $1,880,150. The 5-order, $3,250 gap signals an interface completeness failure that an interface-total reconciliation would catch and an error queue would explain.

Useful control points include:

• Input validation before records are accepted.
• Authorization before master-file or pricing changes take effect.
• Interface totals (record counts and dollar hash totals) when transactions move between applications.
• Exception reports for rejected, duplicate, or out-of-sequence records.
• Reconciliations among subledgers, bank files, and the general ledger.
• Output review before financial or operational reports are relied upon.

Exam Focus

When a simulation gives a system narrative, trace the data path first: source, transformation, storage location, interface, and final report. Then ask which risk is most direct. A missing interface-total review is a completeness risk. Unreviewed privileged access is an authorization and change risk. A report built from the wrong table is a relevance and completeness risk. The best answer normally ties one technology fact to one business consequence.