
CPA ISC Practice Exam

82 free questions · No sign-up required to browse

Comprehensive practice examination for the CPA Information Systems and Controls (ISC) discipline. This exam covers the 2026 AICPA Blueprint areas: Information Systems and Data Management, Security, Confidentiality and Privacy, and SOC Engagements.

82 questions · Hard difficulty · 75% pass mark

Difficulty breakdown

Easy: 15
Medium: 41
Hard: 26

Sample questions

Q01 (Hard, 1 mark)

A CPA is performing a risk assessment for a client that uses a public cloud provider for its core ERP system. The client utilizes an Infrastructure as a Service (IaaS) model. When defining the scope of the IT audit, which of the following components is the client's management primarily responsible for securing, rather than the cloud service provider?

Q02 (Hard, 1 mark)

During a walkthrough of a client's change management process, the auditor notes that developers have write access to the production environment to facilitate quick hotfixes. The client argues that a code review tool logs all changes. Which of the following represents the MOST significant risk associated with this configuration?

Q03 (Hard, 1 mark)

A service organization provides a real-time transaction processing platform. The service level agreement (SLA) guarantees a Recovery Point Objective (RPO) of 15 minutes. The auditor discovers that the organization performs full backups nightly at midnight and ships tapes to offsite storage daily. No other backup mechanisms are in place. What is the auditor's conclusion?

Q04 (Hard, 1 mark)

An auditor is reviewing a SQL query used by the finance team to generate a report of all sales transactions above $10,000 for the first quarter of 2024. The query is:

    SELECT * FROM Sales
    WHERE Amount > 10000
    AND Date BETWEEN '2024-01-01' AND '2024-03-31'

Assuming the 'Amount' column includes cents and the 'Date' column is a standard date type, which potential issue should the auditor investigate regarding the completeness of this population?

Q05 (Hard, 1 mark)

A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud deployment model hosted in their own data center. Which of the following statements accurately describes the auditor's responsibility regarding the infrastructure in this scenario?


All questions (82)

Q01 (Hard) A CPA is performing a risk assessment for a client that uses a public cloud provider for its core ERP system. The cli...
Q02 (Hard) During a walkthrough of a client's change management process, the auditor notes that developers have write access to ...
Q03 (Hard) A service organization provides a real-time transaction processing platform. The service level agreement (SLA) guaran...
Q04 (Hard) An auditor is reviewing a SQL query used by the finance team to generate a report of all sales transactions above $10...
Q05 (Hard) A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud deployment model hosted...
Q06 (Hard) An auditor is evaluating the design of a disaster recovery plan (DRP). The organization uses a 'differential' backup ...
Q07 (Medium) A company is implementing a new ERP system. The project team decides to run the old system and the new system simulta...
Q08 (Hard) Under the COSO Internal Control framework, which of the following is a critical risk associated with the use of block...
Q09 (Medium) An auditor is reviewing the data integration process between a CRM system and the General Ledger. The process uses an...
Q10 (Hard) A company uses a 'Data Lake' architecture to store unstructured customer feedback logs alongside structured transacti...
Q11 (Medium) Which of the following scenarios represents a violation of the 'Segregation of Duties' principle in the context of IT...
Q12 (Easy) A service organization uses a 'hot site' for disaster recovery. Which of the following best describes the readiness o...
Q13 (Medium) An auditor is testing the 'completeness' of a data extraction from a legacy mainframe to a new cloud database. The au...
Q14 (Medium) A company uses a SaaS-based CRM. The auditor wants to verify that the company's data is backed up. The SaaS provider'...
Q15 (Easy) Which of the following is a 'preventive' control in the context of network security?
Q16 (Hard) A covered entity under HIPAA uses a cloud service to store Patient Health Information (PHI). The cloud provider exper...
Q17 (Medium) Under the General Data Protection Regulation (GDPR), a 'Data Controller' is defined as:
Q18 (Hard) A retailer processes credit card transactions. According to PCI DSS Requirement 3 (Protect stored cardholder data), w...
Q19 (Medium) The NIST Cybersecurity Framework (CSF) organizes its Core into five concurrent and continuous functions. Which functi...
Q20 (Hard) An organization is adopting the COBIT 2019 framework. Which of the following is NOT one of the six 'Governance System...
Q21 (Easy) A penetration tester is hired to assess a company's external security. The tester sends a deceptive email to the HR d...
Q22 (Medium) Which of the following authentication methods provides the highest level of security for remote access to a corporate...
Q23 (Medium) An auditor is reviewing the 'Least Privilege' implementation for a database. They find that the 'Reporting_User' role...
Q24 (Easy) Which of the following best describes the concept of 'Defense in Depth'?
Q25 (Medium) A service organization is undergoing a SOC 2® engagement. The auditor observes that the organization uses a 'bastion ...
Q26 (Medium) In the context of encryption, what is the primary difference between symmetric and asymmetric encryption?
Q27 (Medium) A company wants to ensure that sensitive emails sent to external clients cannot be read by interceptors. They impleme...
Q28 (Medium) An auditor is reviewing the incident response plan of a financial institution. The plan states that in the event of a...
Q29 (Hard) Which of the following is a key requirement of the NIST Privacy Framework's 'Control' function?
Q30 (Medium) A CPA is engaged to perform a SOC 1® engagement. Which of the following best describes the subject matter of this eng...
Q31 (Hard) A service organization's system description includes controls performed by a subservice organization (e.g., a data ce...
Q32 (Medium) In a SOC 2® engagement, which of the following Trust Services Criteria is MANDATORY for every report?
Q33 (Hard) A service auditor is issuing a SOC 2® Type II report. Testing identified that a key control for revoking terminated u...
Q34 (Medium) What is the primary difference between a SOC 2® Type I and a SOC 2® Type II report?
Q35 (Medium) Which of the following is an example of a 'Complementary User Entity Control' (CUEC) that might be listed in a payrol...
Q36 (Hard) An auditor is testing a control that requires 'Quarterly access reviews'. The auditor selects a sample of one review ...
Q37 (Easy) Which of the following is a 'corrective' control?
Q38 (Medium) A company uses a 'Platform as a Service' (PaaS) environment to develop and host its web application. The auditor asks...
Q39 (Medium) An auditor is reviewing the logical access controls for a financial application. They notice that the 'Application Ad...
Q40 (Hard) Which of the following SQL statements would an auditor use to identify duplicate invoice numbers in the 'Sales' table?
Q41 (Easy) Under the CIS Controls (Center for Internet Security), Control 1 is 'Inventory and Control of Enterprise Assets'. Why...
Q42 (Medium) A company implements a 'Zero Trust' architecture. Which of the following principles is central to this model?
Q43 (Medium) An auditor is examining the 'User Acceptance Testing' (UAT) phase of a software implementation. Who is the MOST appro...
Q44 (Medium) A service organization provides a cloud-based data warehouse. A user entity auditor wants to know if the data in the ...
Q45 (Easy) Which of the following is a characteristic of a 'hardened' operating system?
Q46 (Medium) A company is subject to GDPR. They wish to use customer data for a new purpose (marketing) that was not disclosed whe...
Q47 (Medium) Which of the following is a 'detective' control for ensuring data integrity in a batch processing system?
Q48 (Medium) An auditor is reviewing the 'Management's Assertion' in a SOC 2® report. Which of the following statements must be in...
Q49 (Medium) Which of the following is a primary benefit of using a 'Hybrid Cloud' deployment model?
Q50 (Hard) An auditor is testing the 'Termination' process. They sample 10 employees who left the company. For one employee, the...
Q51 (Medium) What is the primary purpose of a 'Data Warehouse' compared to an operational database (OLTP)?
Q52 (Hard) A company uses 'Tokenization' to protect credit card numbers. How does this differ from Encryption?
Q53 (Easy) Which of the following is a 'physical' security control?
Q54 (Medium) An auditor is reviewing the 'Change Management' process. They find a change ticket labeled 'Emergency Fix' that was d...
Q55 (Hard) Which of the following is a requirement of the HIPAA Security Rule but NOT the Privacy Rule?
Q56 (Hard) A service organization's management refuses to provide a written assertion for a SOC 2® engagement. What action must ...
Q57 (Medium) Which of the following best describes 'Static Application Security Testing' (SAST)?
Q58 (Hard) An auditor observes that a company uses 'Symmetric' encryption for transmitting large database backups across a publi...
Q59 (Medium) In the context of COBIT 2019, what is the purpose of the 'Goals Cascade'?
Q60 (Medium) A company uses a 'Biometric' authentication system. The 'False Acceptance Rate' (FAR) is set to 0.01%. What does this...
Q61 (Medium) An auditor is reviewing a 'Business Continuity Plan' (BCP). The plan relies on a 'Reciprocal Agreement' with a neighb...
Q62 (Easy) Which of the following is a 'Logical' access control?
Q63 (Medium) An auditor is reviewing the 'System Description' for a SOC 2® report. The description lists 'Google Cloud Platform' a...
Q64 (Easy) Which of the following is a 'Risk Response' strategy where the organization decides to stop the activity that causes ...
Q65 (Hard) An auditor is testing the 'Accuracy' of a report generated by an IT system. They trace a sample of items from the rep...
Q66 (Easy) Under the NIST Cybersecurity Framework, 'Recovery Planning' falls under which function?
Q67 (Medium) A company stores customer passwords in a database. To protect them, they use a hashing algorithm. Which additional te...
Q68 (Medium) An auditor is evaluating the 'Independence' of the personnel performing a SOC 2® engagement. Which of the following w...
Q69 (Easy) Which of the following is a 'Social Engineering' technique where the attacker waits for an authorized user to pass th...
Q70 (Easy) A company uses a 'Waterfall' methodology for software development. Which of the following is a primary characteristic...
Q71 (Medium) An auditor is reviewing a SQL query that joins two tables: 'Customers' and 'Orders'. The query uses an 'INNER JOIN'. ...
Q72 (Medium) A service organization has a control that states: 'Firewall rules are reviewed semi-annually.' The auditor tests this...
Q73 (Hard) Which of the following is a 'Substantive Procedure' in an IT audit context?
Q74 (Easy) A company uses a 'Cold Site' for disaster recovery. What is the primary disadvantage of this approach?
Q75 (Medium) Which of the following is a 'Corrective' control in the Change Management process?
Q76 (Hard) An auditor is reviewing the 'System Description' and notices it mentions 'The system is protected by a firewall'. How...
Q77 (Medium) Which of the following is a 'Privacy' control (as opposed to Security) in a SOC 2® engagement?
Q78 (Medium) A company uses a 'Public Key Infrastructure' (PKI). What is the role of the 'Certificate Authority' (CA)?
Q79 (Easy) An auditor is reviewing the 'Incident Response' log. They see an entry: 'Server detected high CPU usage. Investigatio...
Q80 (Hard) Which of the following is a requirement of PCI DSS Requirement 11 (Regularly test security systems and processes)?
Q81 (Medium) An auditor is reviewing the 'System Description' for a SOC 2® report. The description includes a flowchart of the ord...
Q82 (Hard) Which of the following is the MOST effective method to prevent 'SQL Injection' attacks in a web application?