
CPA ISC Practice Exam 2

82 free questions · No sign-up required to browse

Comprehensive practice exam for the CPA Information Systems and Controls (ISC) discipline, strictly aligned with the 2026 AICPA Blueprint. Covers Information Systems, Data Management, Security, Regulations (HIPAA, GDPR, NIST), and SOC Engagements.

82 questions
Hard difficulty
75% pass mark

Difficulty breakdown

Easy (21)
Medium (46)
Hard (15)

Sample questions

Q01 · Medium · 1 mark

A service organization provides a cloud-based payroll platform where clients access the software via a web browser. The clients do not manage the underlying infrastructure, operating systems, or application capabilities. Which cloud service model is the service organization providing?

Q02 · Hard · 1 mark

An auditor is reviewing the backup strategy for a financial institution that requires a Recovery Point Objective (RPO) of 15 minutes. The current strategy involves a daily full backup at midnight. Which conclusion should the auditor draw?

Q03 · Medium · 1 mark

During a walkthrough of the change management process, an auditor observes that developers have write access to the production environment to deploy hotfixes quickly. Which principle does this violate?

Q04 · Hard · 1 mark

An auditor is reviewing a SQL query used to generate a list of active customers for a marketing campaign. The query is:

SELECT * FROM Customers WHERE Status = 'Active' OR LastOrderDate > '2023-01-01'

What is the potential issue with this query regarding data accuracy?

Q05 · Medium · 1 mark

Which of the following entities is considered a 'Covered Entity' under the HIPAA Privacy Rule?


All questions (82)

Q01 · Medium · A service organization provides a cloud-based payroll platform where clients access the software via a web browser. T...
Q02 · Hard · An auditor is reviewing the backup strategy for a financial institution that requires a Recovery Point Objective (RPO...
Q03 · Medium · During a walkthrough of the change management process, an auditor observes that developers have write access to the p...
Q04 · Hard · An auditor is reviewing a SQL query used to generate a list of active customers for a marketing campaign. The query i...
Q05 · Medium · Which of the following entities is considered a 'Covered Entity' under the HIPAA Privacy Rule?
Q06 · Medium · Under GDPR, which principle requires that personal data be adequate, relevant, and limited to what is necessary in re...
Q07 · Medium · A service auditor is engaged to perform a SOC 2® examination. The client requests that the report focus solely on the...
Q08 · Medium · In a SOC 2® engagement, management asserts that they use a subservice organization for data center hosting. Managemen...
Q09 · Hard · Which component of the COSO Internal Control framework is most directly related to the 'Governance and Culture' compo...
Q10 · Easy · An organization uses a 'defense-in-depth' strategy. Which of the following best represents this approach?
Q11 · Medium · Which NIST Cybersecurity Framework (CSF) function includes the category 'Recovery Planning'?
Q12 · Easy · A company processes credit card transactions. Which standard is MOST applicable to their environment?
Q13 · Hard · An auditor is testing a control that states: 'All new employees must undergo background checks.' The auditor selects ...
Q14 · Medium · Which type of attack involves an attacker inserting malicious code into a website's input field to manipulate the bac...
Q15 · Medium · A company wants to ensure that if a disaster occurs, they can restore data to the state it was in no more than 1 hour...
Q16 · Easy · Which of the following is a detective control?
Q17 · Medium · In the context of CIS Controls, what is the primary purpose of 'Inventory and Control of Enterprise Assets' (Control 1)?
Q18 · Hard · A service organization's management refuses to provide a written assertion for a SOC 2® engagement. What action shoul...
Q19 · Medium · Which of the following is a key difference between SOC 1® and SOC 2® engagements?
Q20 · Medium · An auditor observes that a company uses a 'test' environment that is an exact replica of the 'production' environment...
Q21 · Easy · Which encryption method uses a pair of keys: a public key for encryption and a private key for decryption?
Q22 · Medium · A company uses a 'Data Lake' architecture. Which characteristic best describes a Data Lake?
Q23 · Medium · In a SOC 2® report, which opinion type is issued when the auditor concludes that controls were not suitably designed ...
Q24 · Hard · Which NIST Special Publication provides a catalog of security and privacy controls for federal information systems?
Q25 · Medium · An auditor is reviewing a flowchart of the 'Order-to-Cash' process. The flowchart shows that the 'Sales Department' a...
Q26 · Medium · Which of the following best describes 'Tokenization'?
Q27 · Medium · A healthcare provider stores patient records in a cloud database. Which HIPAA rule specifically governs the technical...
Q28 · Medium · What is the primary purpose of a 'Walkthrough' in an IT audit?
Q29 · Medium · Which SQL command is used to remove a table and all its data permanently from the database?
Q30 · Easy · A company uses a biometric scanner for server room access. This is an example of which authentication factor?
Q31 · Hard · In the context of COBIT 2019, which of the following is a 'Governance Objective' rather than a 'Management Objective'?
Q32 · Medium · A service organization provides a SOC 2® Type II report covering the period January 1 to December 31. A significant c...
Q33 · Easy · Which of the following is a 'Corrective' control?
Q34 · Medium · An auditor is evaluating the 'Processing Integrity' criterion in a SOC 2® engagement. Which of the following is a key...
Q35 · Easy · Which cloud deployment model involves infrastructure provisioned for exclusive use by a single organization comprisin...
Q36 · Medium · A company is subject to GDPR. A data breach occurs involving unencrypted personal data of 5,000 customers. Within wha...
Q37 · Medium · An auditor is reviewing the 'User Access Review' control. The policy states reviews happen quarterly. The auditor fin...
Q38 · Medium · What is the primary function of a 'Hypervisor' in a virtualized environment?
Q39 · Easy · Which of the following SQL clauses is used to filter the results of a query based on a specific condition?
Q40 · Medium · In a SOC 2® engagement, what are 'Complementary User Entity Controls' (CUECs)?
Q41 · Medium · Which phase of the Cyber Kill Chain involves transmitting the weaponized code to the target environment (e.g., via em...
Q42 · Medium · An auditor is testing the 'Logical Access' domain. They find that a terminated employee's account remained active for...
Q43 · Easy · Which of the following is a primary benefit of using a 'VPN' (Virtual Private Network) for remote employees?
Q44 · Hard · A company uses 'Incremental' backups daily and a 'Full' backup on Sundays. If the system crashes on Thursday, what is...
Q45 · Hard · Which NIST Privacy Framework function includes the category 'Data Processing Management'?
Q46 · Medium · What is the primary difference between a 'Type I' and 'Type II' SOC report?
Q47 · Medium · An auditor is reviewing a blockchain implementation used for supply chain tracking. Which risk is unique to the 'Immu...
Q48 · Medium · Which of the following is a 'Preventive' control?
Q49 · Hard · Under the HIPAA Security Rule, 'Encryption' is classified as an 'Addressable' implementation specification. What does...
Q50 · Medium · An auditor is testing the 'Change Management' process. They select a sample of 30 changes. They find that 2 changes w...
Q51 · Easy · Which of the following is a 'Social Engineering' attack?
Q52 · Medium · A company uses 'Mirroring' for its database. What is the primary advantage of this approach?
Q53 · Easy · Which SQL aggregate function is used to count the number of rows in a result set?
Q54 · Easy · In a SOC 2® engagement, the 'System Description' is primarily the responsibility of:
Q55 · Easy · Which of the following is a 'Physical' security control?
Q56 · Medium · A company stores customer passwords in a database. To enhance security, they add a random string of characters to eac...
Q57 · Easy · Which document in a SOC engagement outlines the auditor's opinion, the scope of the engagement, and the responsibilit...
Q58 · Easy · What is the primary purpose of a 'DDoS' (Distributed Denial of Service) attack?
Q59 · Medium · An auditor is reviewing the 'Incident Response Plan'. Which phase should occur immediately after 'Containment'?
Q60 · Easy · Which of the following is a 'Logical' access control?
Q61 · Hard · A company uses 'Asynchronous Replication' to a disaster recovery site. What is the primary risk associated with this ...
Q62 · Medium · Which GDPR right allows an individual to request that their personal data be sent to them or another controller in a ...
Q63 · Medium · An auditor is testing the 'Completeness' of a data extraction from an ERP system. They compare the record count in th...
Q64 · Easy · Which of the following is a 'Unit Test' in software development?
Q65 · Medium · A service organization uses a 'Bridge Letter' (Gap Letter). What is its purpose?
Q66 · Medium · Which of the following is a key principle of 'Zero Trust' architecture?
Q67 · Hard · An auditor is reviewing a database schema. They notice that the 'SocialSecurityNumber' column is indexed. What is the...
Q68 · Easy · Which COBIT 2019 component describes the rules, regulations, and policies that the enterprise must comply with?
Q69 · Medium · A company uses a 'Cold Site' for disaster recovery. What is the main characteristic of a Cold Site?
Q70 · Hard · Which of the following is an example of 'Inherent Risk' in a cloud environment?
Q71 · Easy · What is the purpose of a 'Data Dictionary'?
Q72 · Medium · An auditor is testing 'Logical Access'. They find a user with the role 'SuperAdmin'. This user is also the 'HR Manage...
Q73 · Medium · Which of the following is a requirement of the 'Privacy' Trust Services Criterion?
Q74 · Easy · A company uses 'Ransomware' insurance. This is an example of which risk response strategy?
Q75 · Medium · Which of the following is a 'Data Loss Prevention' (DLP) control?
Q76 · Medium · An auditor is reviewing the 'System Development Life Cycle' (SDLC). Which phase should include the definition of secu...
Q77 · Hard · Which of the following is a 'Symmetric' encryption algorithm?
Q78 · Hard · In a SOC 2® engagement, if the service organization uses the 'Inclusive Method' for a subservice organization, what i...
Q79 · Easy · Which of the following is a 'Batch Processing' characteristic?
Q80 · Medium · An auditor is reviewing the 'Termination' process. They find that while network access is revoked immediately, physic...
Q81 · Medium · Which of the following is a 'PaaS' (Platform as a Service) example?
Q82 · Medium · An auditor finds that a company's 'Incident Response Plan' has not been tested or updated in 3 years. What is the pri...