About the Information Systems & Controls (ISC) CPA Exam
2024 CPA Exam Evolution
The Information Systems & Controls (ISC) discipline of the CPA Exam is designed to evaluate candidates’ knowledge of IT and data governance, assurance or advisory services related to business processes, internal control testing, and information system security. It’s one of three disciplines candidates can choose from based on the CPA Exam’s core-plus-discipline model, effective January 2024. Here are some specific examples of the content covered on ISC, according to the AICPA blueprints:
CPA candidates who choose this discipline are likely to consider roles in system and organization controls (SOC), ERP and data management, and internal auditing, among others. If these specialities interest you, read on to learn what to expect from the ISC CPA Exam.
How the ISC Discipline Is Related to the AUD Core
The ISC CPA Exam is an extension of the AUD CPA Exam, which is a core section that all candidates must take. The objective of the CPA Evolution is to ensure that the three core sections examine candidates' foundational knowledge, while the discipline sections examine applicants’ knowledge of advanced concepts within each domain. While the AUD core will test your knowledge of auditing engagements, ISC will take it one step further by assessing your knowledge and skills related to data management, including data collection, storage, and consumption across the data life cycle.
The ISC CPA Exam’s Structure and Format
The ISC discipline features five testlets in total. Testlets 1 and 2 consist of 41 multiple-choice questions (MCQs) each, totaling 82 MCQs on the full ISC Exam. Testlets 3, 4, and 5 consist of task-based simulations (TBSs), totaling 6 on the full ISC Exam. The MCQ section accounts for 60% of your score, while the TBS section accounts for the remaining 40%.
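| Question Type | Number of Questions | Score Weighting |
|---|---|---|
| Multiple-choice questions (MCQs) | 82 | 60% |
| Task-based simulations (TBSs) | 6 | 40% |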
ISC is a computer-based test that lasts for 4 hours. As such, you’ll need to allocate your time efficiently across each testlet. We recommend spending just under 1.5 minutes on each MCQ, which results in approximately 60 minutes per MCQ testlet. For TBSs, we recommend spending about 18 minutes each, which equates to completing all TBS testlets within 108 minutes. This provides you with 12 extra minutes of cushion to work through difficult problems or double-check your answers.
| Testlet | Question Type | Suggested Time |
|---|---|---|
| Testlet 1 | 41 MCQ | 60 Minutes |
| Testlet 2 | 41 MCQ | 60 Minutes |
| Testlet 3 | 1 TBS | 18 Minutes |
| 15-minute break (does not count toward total exam time) | | |
| Testlet 4 | 3 TBS | 54 Minutes |
| Testlet 5 | 2 TBS | 36 Minutes |
| Extra Time | | 12 Minutes |
| Total Time | | 240 Minutes |
ISC Exam Blueprint: Content Areas & Allocation
As laid out in the AICPA blueprints, the ISC Exam includes three content areas that cover advanced concepts pertaining to information systems and controls. You can learn about each subject area and topic weight in the table below:
- Information systems
- Data management
- Regulations, standards, and frameworks
- Confidentiality and privacy
- Incident response
- Considerations specific to planning and performing a SOC engagement
- Considerations specific to reporting on a SOC engagement
*When sitting for the ISC section of the exam, candidates should base their answers on the information provided within the question.
Skills Tested on the ISC Exam
The ISC CPA Exam uses Bloom's Taxonomy of Educational Objectives as a skill-set parameter. The table below depicts necessary skills to pass the ISC Exam:
The ISC section of the CPA Exam evaluates information at the first three skill levels of Bloom's Taxonomy:
- Remembering and Understanding (55-65%): Examined across all Areas, emphasizing understanding of standards, norms, frameworks, and procedures.
- Application (20-30%): Examined across all Areas, emphasizing information systems, data management, and SOC engagements.
- Analysis (10-20%): Concentrated in Areas I and II, asking candidates to recognize shortcomings in the suitability or design of information system controls and variations in their functioning.
Accounting Roles Related to Information Systems & Controls
Aspiring CPAs have many career-path options, but candidates who choose to take the ISC discipline will be uniquely positioned to excel in the following accounting careers:
System and Organization Controls (SOC) is a suite of services related to the system-level controls of a service organization or the entity-level controls of other organizations. Additionally, SOC provides a compliance standard that service businesses can adopt to control how they report financial and security information to customers. SOC skills are the focus of ISC Area III, but they are also lightly tested in Areas I and II.
Advisory services in accounting entail offering advice, solutions, and strategies to assist business owners in achieving their financial and operational objectives. Successful advisors understand the client’s business inside and out, including the systems and controls already in place and those that perhaps need to be implemented. The skills needed for advisory services are tested throughout all three areas of ISC.
Internal auditors assess their organization’s internal controls, corporate regulations, and accounting processes. Internal audits preserve accurate and timely financial reporting and data collection while ensuring adherence to laws and regulations. Internal auditors also sometimes assist with providing documentation or support to the external auditors. A broad understanding of all of the content tested in ISC is valuable.
Governance is an organization’s overarching set of rules and policies establishing how it does business. Risk is any potential threat that could prevent the organization from doing its business. Compliance is making sure the organization follows all regulations and laws applicable to its business. Governance, risk, and compliance (GRC) programs consolidate all of these aspects into one cohesive system in order to improve efficiencies and make better business decisions. The skills needed for a career in GRC are tested throughout all of ISC.
Enterprise resource planning (ERP) systems effectively consolidate all of a company's information into a single uniform database. Data management via ERP increases the efficiency of corporate processes, reduces expenses, and eliminates overhead. CPAs are responsible for maintaining and verifying the accuracy of financial and accounting data within the ERP system. They may also participate in the design, implementation, and maintenance of internal controls and financial reporting processes. ERP and data management are both specifically tested in ISC Area I.