CPA ISC Practice Exam 4

82 free questions · No sign-up required to browse

Comprehensive practice exam for the CPA Information Systems and Controls (ISC) discipline, covering Information Systems, Data Management, Security, and SOC Engagements based on the 2026 AICPA Blueprint.

82 questions · Difficulty: Hard · Pass mark: 75%

Sample questions

Q01 · Hard · 1 mark

A CPA is advising a client who is migrating their legacy on-premises ERP system to a cloud environment. The client wants to minimize their responsibility for managing the underlying operating system, middleware, and runtime environment, but wants to retain control over the deployed applications and configuration settings. Which cloud service model is most appropriate for this client?
Q02 · Hard · 1 mark

An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provider. The client handles highly sensitive healthcare data. The auditor notes that the cloud provider stores data in a multi-tenant environment. Which specific risk is MOST heightened in this deployment model compared to a private cloud?
Q03 · Hard · 1 mark

A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor discovers that the operating system of the virtual machines has not been patched for critical vulnerabilities. Under the shared responsibility model, who is responsible for this control failure?
Q04 · Hard · 1 mark

An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its migration to the cloud. Which of the following actions best aligns with the 'Governance and Culture' component of COSO ERM in this context?
Q05 · Hard · 1 mark

During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can both authorize credit limits for new customers and approve sales orders exceeding those limits. The documented process flow states these functions should be separated. Which type of deficiency has the auditor identified?


All questions (82)

All 82 questions are rated Hard. Question stems are shown truncated, as on the original listing.

Q01: A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud environment. The client wan...
Q02: An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provider. The client hand...
Q03: A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor discovers that the operat...
Q04: An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its migration to the cl...
Q05: During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can both authorize cred...
Q06: An auditor is reviewing the backup strategy for a financial transaction system with a Recovery Point Objective (RPO) ...
Q07: A developer at a software company has access to write code in the development environment and also has administrative...
Q08: An auditor is examining a SQL query used to generate a report of all sales transactions for the fiscal year 2024. The...
Q09: A healthcare provider stores patient records in a cloud database. To comply with HIPAA, they must ensure that even if...
Q10: Under the General Data Protection Regulation (GDPR), a data subject requests that a company delete all their personal...
Q11: An auditor is evaluating a company's compliance with PCI DSS Requirement 3 (Protect stored cardholder data). The audi...
Q12: Which component of the NIST Cybersecurity Framework (CSF) focuses on developing and implementing the appropriate acti...
Q13: A service organization is preparing for a SOC 2® engagement. They have identified a risk that unauthorized changes to...
Q14: During a SOC 2® Type II engagement, the auditor discovers that for a sample of 25 new hires, 2 did not complete the r...
Q15: A service organization uses the 'Carve-out' method for a subservice organization that provides data center hosting. I...
Q16: Which of the following best describes the primary purpose of a SOC 3® report compared to a SOC 2® report?
Q17: An attacker sends an email to the HR department with an attachment named 'Payroll_Update.exe' that looks like a PDF i...
Q18: A company implements a 'Zero Trust' architecture. Which of the following principles is central to this approach?
Q19: An auditor is reviewing a company's disaster recovery plan (DRP). The company uses a 'Hot Site' for recovery. Which c...
Q20: Which of the following SQL statements would be most useful for an auditor attempting to identify duplicate invoice nu...
Q21: A company uses a blockchain ledger to record supply chain transactions. An auditor is assessing the risk of '51% atta...
Q22: Which of the following is a key principle of the COBIT 2019 governance framework?
Q23: An auditor is testing the 'Processing Integrity' criteria for a payroll system. They find that the system accepts neg...
Q24: A company is subject to HIPAA. An employee loses a company laptop containing unencrypted ePHI (electronic Protected H...
Q25: In the context of a SOC 2® engagement, what is the definition of a 'deviation'?
Q26: Which of the following best describes the 'Integrity' component of the CIA Triad in information security?
Q27: An auditor is reviewing the 'System Description' for a SOC 2® report. Which of the following is a REQUIRED element of...
Q28: A company uses a 'Data Lake' architecture. What is a primary characteristic of a Data Lake compared to a Data Warehouse?
Q29: Which of the following authentication methods is considered 'Something you are'?
Q30: An auditor is reviewing the 'Change Management' process. They observe that emergency changes are allowed to bypass th...
Q31: A service organization provides payroll processing services. They outsource the printing and mailing of checks to a t...
Q32: Which CIS Control focuses on 'Inventory and Control of Enterprise Assets'?
Q33: An auditor is reviewing a SQL query that joins two tables: 'Customers' and 'Orders'. The goal is to list ALL customer...
Q34: A company is designing a new data center. They install a 'mantrap' at the entrance to the server room. Which type of ...
Q35: In the context of NIST SP 800-53, what does the term 'Control Baseline' refer to?
Q36: An auditor is testing a client's firewall configuration. They notice a rule that allows 'Any' source IP to access the...
Q37: A company is using a 'SaaS' CRM application. The auditor wants to verify that the SaaS provider backs up the data. Si...
Q38: Which of the following scenarios describes a 'Phishing' attack?
Q39: An auditor is reviewing the 'Logical Access' controls. They find that user accounts are not disabled immediately upon...
Q40: What is the primary purpose of a 'VPN' (Virtual Private Network) for remote employees?
Q41: A company wants to ensure that their cloud provider cannot access their sensitive data, even if the provider is subpo...
Q42: In a SOC 2® engagement, which of the following is a 'Trust Services Criterion' related to Privacy?
Q43: An auditor is reviewing the 'Incident Response Plan'. Which phase of incident response involves removing the threat f...
Q44: Which of the following is an example of a 'Detective' control?
Q45: A company processes credit card payments. Which standard MUST they comply with?
Q46: An auditor is assessing the 'Availability' criteria in a SOC 2® engagement. The client claims to have high availabili...
Q47: Which of the following is a 'Corrective' control?
Q48: A company uses 'Asymmetric Encryption' for secure email. If User A wants to send a confidential message to User B, wh...
Q49: What is the primary difference between a SOC 2® Type I and a SOC 2® Type II report?
Q50: An auditor observes that a company uses 'Hashing' to store passwords. Why is hashing preferred over encryption for pa...
Q51: Which of the following is a 'Management Assertion' required in a SOC 2® report?
Q52: A company uses a 'Hybrid Cloud' model. Which of the following best describes this architecture?
Q53: An auditor is reviewing the 'Change Management' logs and notices a change labeled 'Standard Change'. How does a Stand...
Q54: Which of the following is a 'Physical' threat to information systems?
Q55: A company implements 'Data Loss Prevention' (DLP) software. Which of the following actions would the DLP system most ...
Q56: An auditor is reviewing the 'System Development Life Cycle' (SDLC). In which phase should security requirements be de...
Q57: Which of the following is a 'Nation-State' threat actor most likely to target?
Q58: An auditor is testing a control that requires 'Three-Way Matching' for accounts payable. What three documents must ma...
Q59: Under GDPR, which role determines the 'purposes and means' of processing personal data?
Q60: A company uses 'Tokenization' for credit card numbers. What is the primary benefit of tokenization over encryption fo...
Q61: An auditor is reviewing the 'System Boundaries' in a SOC 2® engagement. Which of the following should be included in ...
Q62: Which of the following is a 'Risk Response' strategy where the company decides to stop the activity that causes the r...
Q63: A company uses 'Ransomware' protection. Which backup strategy is most effective against ransomware that encrypts conn...
Q64: An auditor is testing 'Logical Access'. They find that the 'Administrator' group contains 15 users, including 5 who l...
Q65: Which of the following describes a 'Cold Site' for disaster recovery?
Q66: In a SOC 2® report, if the service auditor identifies a material weakness in the design of controls, what type of opi...
Q67: Which NIST framework is specifically designed to help organizations manage privacy risks?
Q68: An auditor is reviewing a 'Batch Processing' job that runs overnight. The job log shows 'Error: Input file footer cou...
Q69: What is the primary function of a 'Circuit Breaker' pattern in modern microservices architecture (though not explicit...
Q70: An auditor is reviewing the 'Complementary User Entity Controls' (CUECs) in a SOC 2® report. Who is responsible for i...
Q71: Which SQL command is used to remove a table and all its data permanently from the database?
Q72: A company uses 'Symmetric Encryption'. Which of the following is a major challenge associated with this method?
Q73: An auditor is reviewing the 'Incident Response' logs. They see a 'False Positive'. What does this mean?
Q74: Which of the following is a 'Preventive' control for 'SQL Injection'?
Q75: A service organization's management refuses to provide a written assertion for a SOC 2® engagement. What should the s...
Q76: Which of the following is an example of 'Social Engineering'?
Q77: An auditor is reviewing the 'Data Retention Policy'. The policy states that customer data is deleted after 7 years. H...
Q78: Which of the following is a 'Technical' (Logical) control?
Q79: A company uses 'Containerization' (e.g., Docker) for its applications. What is a key security benefit of containers c...
Q80: An auditor is reviewing the 'Business Continuity Plan' (BCP). What is the primary goal of BCP?
Q81: Which of the following is a 'Subsequent Event' in a SOC 2® engagement?
Q82: An auditor is reviewing the 'Risk Assessment' component of COSO. Which of the following is a prerequisite for risk as...