CPA®

CPA ISC Practice Exam 5

82 free questions · No sign-up required to browse

Comprehensive practice exam for the CPA Information Systems and Controls (ISC) discipline. This exam covers Information Systems and Data Management, Security, Confidentiality and Privacy, and SOC Engagements based on the 2026 AICPA Blueprint.

Questions: 82
Difficulty: Hard
Pass mark: 75%

Difficulty breakdown

Easy (18)
Medium (45)
Hard (19)

Sample questions

Q01 · Medium · 1 mark

A service organization provides a cloud-based payroll processing application to its user entities. The user entities access the software via a web browser, but the service organization manages the underlying infrastructure, operating system, and application updates. Which cloud service model is the service organization providing?
Q02 · Hard · 1 mark

An auditor is reviewing the shared responsibility model for a client using an Infrastructure as a Service (IaaS) provider. Which of the following responsibilities typically remains with the client (user entity) rather than the cloud provider?
Q03 · Medium · 1 mark

A financial institution requires a cloud deployment model that offers the highest level of control and isolation for its sensitive data, even if it requires higher costs and maintenance. Which deployment model is most appropriate?
Q04 · Medium · 1 mark

During an IT audit, you observe that a company uses a 'Hybrid Cloud' architecture. Which scenario best describes this architecture?
Q05 · Easy · 1 mark

Which component of IT architecture is primarily responsible for translating domain names (like www.aicpa.org) into IP addresses that computers use to communicate?

Ready to practice the full exam?

All 82 questions with worked answers, mark schemes, and AI tutoring.

All questions (82)

Free to browse · no sign-up required
Q01 · Medium · A service organization provides a cloud-based payroll processing application to its user entities. The user entities ...
Q02 · Hard · An auditor is reviewing the shared responsibility model for a client using an Infrastructure as a Service (IaaS) prov...
Q03 · Medium · A financial institution requires a cloud deployment model that offers the highest level of control and isolation for ...
Q04 · Medium · During an IT audit, you observe that a company uses a 'Hybrid Cloud' architecture. Which scenario best describes this...
Q05 · Easy · Which component of IT architecture is primarily responsible for translating domain names (like www.aicpa.org) into IP...
Q06 · Medium · In the context of COSO Enterprise Risk Management, which principle is most relevant when an organization evaluates th...
Q07 · Hard · An auditor is reviewing the 'Order-to-Cash' process. The documented flowchart indicates that a credit check is perfor...
Q08 · Hard · A company uses a private blockchain to record supply chain transactions. Which of the following is a unique risk asso...
Q09 · Medium · An auditor is testing processing integrity controls for a payroll system. The auditor inputs a test transaction with ...
Q10 · Medium · Which of the following best describes the 'Three-Way Match' control in a procurement process?
Q11 · Hard · A company is implementing an ERP system. Which of the following represents a 'Segregation of Duties' conflict that sh...
Q12 · Medium · In a batch processing system for utility billing, which control would best detect if a transaction file was processed...
Q13 · Hard · A company has a Recovery Point Objective (RPO) of 4 hours. They currently perform a full backup every Sunday at midni...
Q14 · Easy · Which disaster recovery site option provides the fastest recovery time (lowest RTO) but incurs the highest cost?
Q15 · Medium · A database administrator implements 'disk mirroring' (RAID 1). Which availability risk does this primarily mitigate?
Q16 · Medium · What is the primary difference between a Differential Backup and an Incremental Backup?
Q17 · Easy · During a SOC 2 engagement, you observe that the organization tests its Disaster Recovery Plan (DRP) annually using a ...
Q18 · Medium · Which of the following metrics would be most critical to review when assessing the effectiveness of an organization's...
Q19 · Medium · An auditor observes that a developer has 'write' access to the production environment to fix urgent bugs. The develop...
Q20 · Easy · In a formal change management process, which testing stage is performed by the end-users to verify the system meets b...
Q21 · Hard · A company uses a 'Continuous Integration/Continuous Deployment' (CI/CD) pipeline. An auditor notes that code is autom...
Q22 · Easy · Which document should be updated immediately following an emergency change to the production system?
Q23 · Hard · An auditor is reviewing a population of changes. They select a sample of changes and trace them back to the Change Re...
Q24 · Medium · Which environment is used to combine individual software modules and test their interaction before UAT?
Q25 · Easy · An auditor wants to extract all customers from the 'Sales' table who live in 'NY' and spent more than $1,000. Which S...
Q26 · Hard · Review the following SQL query: SELECT CustomerID, SUM(OrderAmount) FROM Orders GROUP BY CustomerID H...
Q27 · Medium · Which data storage concept refers to a vast pool of raw, undefined data (structured and unstructured) stored for futu...
Q28 · Easy · In the ETL (Extract, Transform, Load) process, at which stage is data cleaned, deduplicated, and converted into a con...
Q29 · Medium · An auditor is validating the completeness of a data migration from a legacy system to a new ERP. Which procedure is m...
Q30 · Medium · Which SQL command is used to combine rows from two or more tables based on a related column between them?
Q31 · Medium · Under the HIPAA Security Rule, which of the following is a 'Covered Entity'?
Q32 · Easy · A European customer requests that a US-based company delete all their personal data. Under GDPR, this is known as:
Q33 · Hard · Which PCI DSS requirement falls under the goal of 'Protect Cardholder Data'?
Q34 · Medium · The NIST Cybersecurity Framework (CSF) is organized into five core functions. Which function involves developing and ...
Q35 · Hard · Which component of COBIT 2019 describes the 'Governance System'?
Q36 · Medium · According to the CIS Controls v8, what is Control 1 (the most foundational control)?
Q37 · Medium · NIST Special Publication 800-53 is primarily designed for:
Q38 · Hard · Which part of the NIST Privacy Framework helps organizations determine their current privacy posture and their target...
Q39 · Easy · An employee receives an email appearing to be from the CEO asking for an urgent wire transfer. The email address is s...
Q40 · Medium · A web application allows users to input text into a comment field. A malicious user enters a script that executes in ...
Q41 · Medium · Which stage of the 'Cyber Kill Chain' involves the attacker installing a backdoor or remote access trojan (RAT) to ma...
Q42 · Easy · What is the primary purpose of a Distributed Denial of Service (DDoS) attack?
Q43 · Medium · Which of the following is a characteristic of an 'Advanced Persistent Threat' (APT)?
Q44 · Medium · An organization implements a 'Zero Trust' architecture. Which principle is central to this approach?
Q45 · Easy · Which authentication factor is represented by a fingerprint scan?
Q46 · Medium · A network administrator separates the Finance department's network traffic from the Engineering department's traffic ...
Q47 · Medium · Which security device is primarily designed to detect and block malicious traffic patterns or signatures in real-time?
Q48 · Easy · In an Identity and Access Management (IAM) system, 'Role-Based Access Control' (RBAC) assigns permissions based on:
Q49 · Medium · Which cryptographic concept ensures that a message has not been altered in transit?
Q50 · Medium · An auditor is reviewing the results of a penetration test. The report identifies a 'Critical' vulnerability involving...
Q51 · Medium · What is the primary difference between Vulnerability Scanning and Penetration Testing?
Q52 · Easy · During a security walkthrough, an auditor notices that employees are writing passwords on sticky notes attached to th...
Q53 · Easy · Which type of security test involves the tester having full knowledge of the system (network diagrams, source code, I...
Q54 · Medium · A company replaces sensitive credit card numbers in their database with a random string of characters that has no mat...
Q55 · Medium · Which encryption type uses a public key to encrypt and a private key to decrypt?
Q56 · Medium · Data Loss Prevention (DLP) tools are primarily designed to:
Q57 · Hard · What is the difference between Confidentiality and Privacy?
Q58 · Easy · Which phase of the data lifecycle involves securely removing data when it is no longer needed?
Q59 · Medium · In Incident Response, what is the primary goal of the 'Containment' phase?
Q60 · Easy · A company purchases cyber insurance. Which risk management strategy is this?
Q61 · Medium · What is the difference between an 'Event' and an 'Incident' in cybersecurity?
Q62 · Medium · After a ransomware attack is resolved, the team holds a 'Lessons Learned' meeting. What is the primary output of this...
Q63 · Medium · A service organization's clients need assurance regarding the controls over financial reporting. Which SOC report is ...
Q64 · Hard · Which of the following is NOT one of the five Trust Services Criteria categories used in SOC 2 engagements?
Q65 · Medium · A service organization wants a report to display on their website for potential customers to prove they are secure. T...
Q66 · Medium · What is the primary difference between a Type I and a Type II SOC report?
Q67 · Medium · In a SOC 2 engagement, which criteria is MANDATORY for every report?
Q68 · Hard · A service organization uses a subservice organization for data center hosting. The service organization's auditor dec...
Q69 · Hard · When using the 'Inclusive' method for a subservice organization, what is the service auditor's responsibility?
Q70 · Medium · What are 'Complementary User Entity Controls' (CUECs)?
Q71 · Hard · In planning a SOC 2 engagement, the auditor must assess 'Materiality'. How is materiality typically viewed in a SOC 2...
Q72 · Medium · Which section of a SOC 2 report contains the Management's Assertion?
Q73 · Hard · During a SOC 2 Type II engagement, an auditor finds that a daily backup failed 3 times out of 365 days. The backups w...
Q74 · Medium · Which testing procedure provides the highest level of assurance for operating effectiveness?
Q75 · Easy · An auditor is testing a control that states 'All new hires must undergo a background check'. The auditor selects a sa...
Q76 · Medium · In a SOC engagement, what is the purpose of the 'System Description'?
Q77 · Hard · If an auditor discovers a 'Subsequent Event' (after the period end but before the report date) that significantly aff...
Q78 · Medium · Which opinion type is issued when the system description is fairly presented and controls are effective, EXCEPT for o...
Q79 · Medium · What constitutes an 'Adverse Opinion' in a SOC report?
Q80 · Easy · In a SOC 2 report, where would a user find the auditor's detailed tests and the results of those tests?
Q81 · Hard · A service organization refuses to provide a written assertion (Section II). What must the auditor do?
Q82 · Medium · Which of the following statements is TRUE regarding the use of a SOC 2 report?