CPA ISC — U.S. - Information Systems and Controls Study Plan
A practical 7-day, 14-day, 30-day, and 60/90-day study plan for the AICPA CPA ISC exam, with daily practice rhythm, mock timing, and review rules.
How to use this Study Plan
This Study Plan is for candidates preparing for the AICPA U.S. CPA ISC - Information Systems and Controls exam, exam code CPA ISC. It is designed for working candidates who need to turn limited study time into a clear schedule.
CPA ISC preparation should be active and scenario-based. Do not spend most of your time rereading outlines. Your study time should be built around:
- Multiple-choice question practice
- Task-based simulation practice
- Control identification and evaluation
- IT general controls and application control judgment
- Information security, data, and system process terminology
- Missed-question review
- Timed exam practice
Use the current AICPA CPA ISC materials and blueprint as your source of truth for exam scope. This page is an independent study-planning guide and is not affiliated with AICPA.
Which plan should you use?
| Time until exam | Best for | Weekly study time | Main objective | Main risk |
|---|---|---|---|---|
| 7 days | You already completed most content and need final review | 12-20 hours | Stabilize weak areas, rehearse timing, review missed questions | Trying to learn too much new material |
| 14 days | You have a partial foundation or are returning after a break | 20-35 hours | Cover core ISC topics quickly, then shift to timed mixed practice | Spending too long on notes |
| 30 days | You want a balanced plan while working full time | 35-60 hours | Complete content, drill topics, practice simulations, take mocks | Delaying mixed review until too late |
| 60 days | You need full preparation with steady pacing | 70-110 hours | Build topic mastery, then integrate with timed practice | Forgetting early topics |
| 90 days | You are starting early or have limited weekly availability | 80-130 hours | Learn gradually, review repeatedly, and avoid cramming | Moving too slowly without enough question practice |
If you are unsure, take a short diagnostic set first. Choose the shortest plan only if you can already explain most missed questions after reading the explanations.
Organize CPA ISC content into study buckets
Use these buckets to plan review sessions. They are not a substitute for the current AICPA CPA ISC blueprint, but they help you schedule practice.
| Study bucket | What to practice | Can you answer these questions? |
|---|---|---|
| Information systems and data | System components, data flow, database concepts, data governance, system development, change implementation | Where does data originate, change, transfer, and create risk? |
| IT general controls | Access controls, change management, computer operations, backups, monitoring, incident handling | What control prevents or detects the risk? What evidence supports it? |
| Application and automated controls | Input, processing, output, interface controls, edit checks, reconciliations, exception reports | Is the control manual, automated, IT-dependent, preventive, or detective? |
| Security, confidentiality, privacy, and availability | Identity and access management, encryption concepts, network controls, vendor risk, logging, incident response | What is the threat, vulnerability, control, and expected evidence? |
| Business process controls | Revenue, purchasing, payroll, inventory, financial reporting process controls | Where can misstatement, unauthorized change, or incomplete data occur? |
| SOC and service organization concepts | Service organization controls, user entity considerations, complementary user entity controls, report-use judgment | What can the report support, and what does management still need to do? |
| Data and evidence evaluation | Completeness, accuracy, exception analysis, populations, source-system reliability | Is the evidence reliable enough to support the conclusion? |
| Simulation execution | Exhibits, control matrices, process narratives, report excerpts, evidence selection | Can you extract the relevant fact without over-reading the exhibit? |
For CPA ISC, prioritize scenario judgment over memorizing isolated definitions. A correct answer often depends on identifying the risk, the relevant control objective, and the evidence that would support the control.
Daily practice rhythm
Standard weekday session: 90 minutes
| Time | Activity | What to do |
|---|---|---|
| 0-10 min | Warm-up recall | Write down 3-5 rules, control examples, or terms from memory before looking at notes. |
| 10-35 min | Focused topic review | Review one narrow topic, such as access provisioning, change approval, encryption use, or interface controls. |
| 35-65 min | Question set | Complete a timed set of CPA ISC multiple-choice questions on that topic or a mixed set. |
| 65-80 min | Explanation review | Review every missed and guessed question. Capture the tested rule and why the wrong answer was attractive. |
| 80-90 min | Error-log update | Add 3-5 high-value misses to your error log and schedule them for review. |
Longer session: 2.5 to 3.5 hours
| Block | Activity | What to do |
|---|---|---|
| Block 1 | Timed MCQs | Complete a focused or mixed question set without pausing for notes. |
| Block 2 | Review | Spend at least as long reviewing as you spent answering. |
| Block 3 | Simulation | Complete one task-based simulation or exhibit-heavy case. |
| Block 4 | Rebuild | Redo the missed parts, map each exhibit to the task, and write the rule in your own words. |
| Block 5 | Recall | End with a closed-book summary of what you learned. |
A useful rule: if you spend 45 minutes answering questions, reserve 45-60 minutes for review. CPA ISC improvement usually comes from explanation review, not from racing through more questions.
Diagnostic practice before you choose a path
Before starting any plan longer than 7 days, complete a diagnostic session:
| Step | Task | Output |
|---|---|---|
| 1 | Complete a mixed CPA ISC question set under timed conditions | Baseline pacing and topic exposure |
| 2 | Complete one simulation or exhibit-based task | Baseline simulation discipline |
| 3 | Tag every missed or guessed question | Topic weakness list |
| 4 | Sort misses by cause | Knowledge, misread, terminology, control judgment, or exhibit error |
| 5 | Pick your plan | 14, 30, 60, or 90 days based on the weakness pattern |
Do not treat the diagnostic as a prediction of your exam result. Treat it as a map of where your preparation time should go.
7-day final review plan
Use this plan if your exam is one week away and you have already completed most of your first pass. If you have not completed the material, do not attempt to read everything. Focus on high-frequency control judgment, missed questions, and simulations.
| Day | Focus | Study actions |
|---|---|---|
| Day 1 | Baseline timed review | Take a timed mixed set and one simulation. Build a final-week weakness list. Review every miss before studying anything new. |
| Day 2 | IT general controls | Drill access controls, change management, operations, backups, logs, and incident response. Write risk-control-evidence summaries. |
| Day 3 | Application and business process controls | Practice input, processing, output, interface, reconciliation, exception, and segregation-of-duties scenarios. Complete one simulation. |
| Day 4 | Security, privacy, confidentiality, and availability | Review terminology, threats, monitoring, identity management, encryption concepts, vendor risk, and data protection scenarios. |
| Day 5 | SOC, data, and mixed practice | Practice service organization report judgment, complementary user entity controls, data reliability, and evidence evaluation. Take a timed mixed set. |
| Day 6 | Mock review and targeted repair | Complete a shorter timed mock or selected exam blocks. Spend most of the day reviewing misses and redoing weak simulations. |
| Day 7 | Light final review | Review your error log, control matrices, definitions, and exam-day pacing plan. Do not add new topics unless they are essential and narrow. |
Final 7-day rules
- Stop adding broad new material by Day 4.
- Review explanations more than notes.
- Redo missed questions from the prior 72 hours.
- Keep simulation practice active, especially exhibit sorting and control selection.
- Do not take a full mock the night before the exam.
- Use the final evening for light recall, logistics, and rest.
14-day focused plan
Use this plan if you have some background in audit, accounting systems, controls, or IT concepts, but need a compressed preparation schedule.
| Day | Focus | Study actions |
|---|---|---|
| 1 | Diagnostic and schedule setup | Take a mixed diagnostic set and one simulation. Create your error log and rank topics red, yellow, green. |
| 2 | Systems, data, and process flow | Review system components, data movement, data quality, system development, and change implementation. Drill focused questions. |
| 3 | Access controls | Study provisioning, deprovisioning, privileged access, authentication, authorization, and review controls. |
| 4 | Change management and operations | Review development, testing, approvals, migration, job processing, backups, logs, incidents, and monitoring. |
| 5 | Application controls | Drill input, processing, output, interface, edit checks, automated approvals, and exception reports. |
| 6 | Business process controls | Apply controls to revenue, purchasing, payroll, inventory, and reporting process scenarios. Complete one simulation. |
| 7 | Security and availability | Review threats, vulnerability concepts, monitoring, encryption concepts, network security, business continuity, and recovery scenarios. |
| 8 | Timed mixed practice | Take a longer timed mixed set or partial mock. Review all misses the same day. |
| 9 | Simulation repair day | Redo weak simulations. Practice reading exhibits, extracting relevant facts, and mapping controls to risks. |
| 10 | SOC and service organization concepts | Review report-use judgment, user entity responsibilities, complementary user entity controls, and evidence implications. |
| 11 | Data and evidence | Drill completeness, accuracy, population reliability, exception analysis, and report/data-source interpretation. |
| 12 | Weak-area rotation | Spend the day on your top 3 weak topics. Use focused sets first, then a mixed set. |
| 13 | Final timed mock | Complete a timed mock or substantial timed exam rehearsal. Review misses, especially repeated errors. |
| 14 | Final review | Review error log, key terms, control examples, and pacing plan. Keep work light and targeted. |
14-day priorities
Spend less time on long note-taking and more time answering questions. Your goal is not to create perfect outlines. Your goal is to recognize CPA ISC scenarios quickly and explain why one control, evidence source, or reporting conclusion is better than another.
30-day balanced plan
Use this plan if you are working full time and want a realistic month-long schedule.
30-day structure
| Period | Main objective | Practice emphasis |
|---|---|---|
| Days 1-3 | Baseline and planning | Diagnostic set, simulation, error log, topic ranking |
| Days 4-10 | Core systems and ITGCs | Access, change, operations, data flow, system lifecycle |
| Days 11-16 | Application controls and business processes | Process risks, automated controls, reconciliations, exception reports |
| Days 17-21 | Security, privacy, confidentiality, availability | Threat-control mapping, monitoring, incident response, vendor risk |
| Days 22-25 | SOC, reporting, and data evidence | Service organization concepts, evidence reliability, data evaluation |
| Days 26-28 | Timed mocks and weak-area repair | Mixed sets, simulations, mock review |
| Days 29-30 | Final review | Error log, formulas or definitions if relevant, pacing, light recall |
30-day weekly schedule
| Week | Weekday work | Weekend work | Checkpoint |
|---|---|---|---|
| Week 1 | Build foundation in systems, data, access, and change controls | One longer session with focused questions and one simulation | Can you explain common ITGC risks and evidence? |
| Week 2 | Application controls and process-level control judgment | Mixed business process set plus simulation review | Can you identify control type and purpose from a scenario? |
| Week 3 | Security, availability, SOC, and data evidence | Timed mixed set and targeted weak-area review | Are misses now concentrated in fewer topics? |
| Week 4 | Mocks, simulations, and final repair | Timed mock, deep review, final error-log pass | Are you stable under time pressure? |
Example 30-day study week
| Day | Session type | Assignment |
|---|---|---|
| Monday | Focused topic | Read/review one topic and complete a focused MCQ set. |
| Tuesday | Focused topic | Continue the same domain and update error log. |
| Wednesday | Mixed recall | Complete mixed questions from current and prior topics. |
| Thursday | Simulation practice | Complete one simulation or exhibit-heavy case. |
| Friday | Weak-area repair | Redo misses and review explanations. |
| Saturday | Long timed practice | Complete a longer timed set and review thoroughly. |
| Sunday | Catch-up or light review | Flashcards, error log, terminology, process diagrams. |
If you miss a day, do not double the next day by reading more. Replace the missed session with questions and explanation review.
60/90-day full preparation path
Use this path if you are starting early, have limited weekly time, or need to build both IT/control vocabulary and CPA-style exam execution.
60-day versus 90-day pacing
| Phase | 60-day timing | 90-day timing | Goal |
|---|---|---|---|
| Phase 1: Baseline and setup | Days 1-4 | Days 1-7 | Diagnostic, schedule, topic map, error log |
| Phase 2: Systems, data, and ITGCs | Days 5-18 | Days 8-28 | Build core control vocabulary and risk-control-evidence thinking |
| Phase 3: Application, business process, and security controls | Days 19-34 | Days 29-55 | Apply controls to business scenarios and system environments |
| Phase 4: SOC, reporting, data, and simulations | Days 35-46 | Days 56-72 | Strengthen exhibit analysis, evidence judgment, and service organization concepts |
| Phase 5: Timed integration and mocks | Days 47-56 | Days 73-84 | Move from topic practice to exam-condition practice |
| Phase 6: Final review | Days 57-60 | Days 85-90 | Error-log review, light mixed sets, final readiness checks |
Phase 1: baseline and setup
| Task | How to do it |
|---|---|
| Take a diagnostic | Complete a mixed set and one simulation without notes. |
| Create your error log | Track topic, reason missed, correct rule, and review date. |
| Build a calendar | Assign study days, rest days, and mock dates now. |
| Choose review resources | Use your main course, current AICPA materials, and practice questions consistently. |
Phase 2: systems, data, and ITGCs
Focus on the controls that affect system reliability and financial information processing.
| Topic | Practice task |
|---|---|
| Access controls | Write examples of preventive and detective controls for user access risk. |
| Change management | Trace a change from request to approval, testing, migration, and monitoring. |
| Operations | Practice scenarios involving backups, job scheduling, logs, incidents, and availability. |
| Data flow | Draw where data is created, validated, transferred, reconciled, and reported. |
| System lifecycle | Identify risks in acquisition, development, testing, and implementation. |
Phase 3: application, business process, and security controls
Shift from definitions to applied control selection.
| Topic | Practice task |
|---|---|
| Input controls | Identify validity, completeness, authorization, and accuracy controls. |
| Processing controls | Match edit checks, automated calculations, exception reports, and reconciliations to risks. |
| Output controls | Evaluate distribution, review, reconciliation, and report access controls. |
| Business processes | Apply controls to revenue, purchasing, payroll, inventory, and reporting workflows. |
| Security controls | Connect threats and vulnerabilities to authentication, monitoring, encryption, and response controls. |
Phase 4: SOC, reporting, data, and simulations
This phase should include more simulations and exhibit-heavy practice.
| Skill | Practice task |
|---|---|
| Report interpretation | Practice identifying what a report supports and what it does not support. |
| User entity responsibilities | Identify controls the user entity still needs to operate. |
| Data reliability | Evaluate completeness, accuracy, and source-system reliability. |
| Exhibit handling | For each simulation, label each exhibit as relevant, background, or distractor. |
| Written reasoning | After each missed simulation, write the rule and the prompt clue that should have led you there. |
Phase 5: timed integration and mocks
Start mixing all topics. The exam will not tell you which bucket a question belongs to.
| Practice type | Frequency |
|---|---|
| Mixed MCQ sets | 3-5 times per week |
| Simulations | 2-4 per week |
| Timed mock or partial mock | Every 7-10 days during this phase |
| Error-log review | Daily or every other day |
| Redo missed questions | Within 24-72 hours, then again before final week |
Phase 6: final review
The last few days should be calm and targeted.
| Final task | What to review |
|---|---|
| Error log | Repeated misses, guessed questions, and terminology gaps |
| Control matrices | Risk, control, control type, evidence, and likely weakness |
| Simulations | Exhibit sorting, data reliability, report interpretation |
| Timed sets | Short, mixed, controlled practice rather than exhausting full-day work |
| Exam logistics | Timing strategy, identification, travel, rest, and food plan |
Missed-question review method
A missed question is useful only if you convert it into a future action.
Use the 5-step review loop
Restate the tested issue. Example: “The question tests whether a change was properly approved before migration.”
Identify the prompt clue. What wording should have pointed you to the right answer?
Explain why your answer was wrong. Was it too broad, too late in the process, not evidence-based, or unrelated to the stated risk?
Write the correct rule in plain language. Keep it short enough to review later.
Schedule a redo. Redo the question or a similar question within 24-72 hours.
Error-log template
| Date | Topic | Question type | Why I missed it | Correct rule | Redo date |
|---|---|---|---|---|---|
| Access controls | MCQ | Confused authorization with authentication | Authentication verifies identity; authorization determines permitted actions. | ||
| Change management | Simulation | Missed the migration approval evidence | Approved changes should be tested and authorized before production migration. | ||
| SOC concepts | MCQ | Overstated what the report proved | User entities may still need complementary controls. |
Common CPA ISC error types
| Error type | What it looks like | Fix |
|---|---|---|
| Terminology error | Confusing similar terms, such as authentication and authorization | Build short contrast cards |
| Control objective error | Choosing a control that does not address the stated risk | Write risk-control-evidence chains |
| Timing error | Selecting a control that occurs too late to prevent the issue | Mark controls as preventive or detective |
| Evidence error | Choosing evidence that does not prove operation or design | Ask, “What would I inspect or test?” |
| Simulation exhibit error | Using the wrong exhibit or ignoring a key table | Label exhibits before answering |
| Over-reading error | Adding facts not stated in the question | Underline only the facts provided |
When to use timed mock exams
Timed mocks are valuable only if you review them deeply. Do not take mocks just to collect scores.
| Plan | First timed mock | Second timed mock | Final timed practice |
|---|---|---|---|
| 7 days | Day 1 or Day 2 | Day 5 or Day 6 as a partial mock | Light mixed set only, no exhausting mock |
| 14 days | Around Day 8 | Around Day 13 | Error-log and targeted questions |
| 30 days | Around Day 15-18 | Around Day 25-27 | Short mixed sets in final 48 hours |
| 60 days | Around Day 35-40 | Around Day 50-54 | Final-week targeted practice |
| 90 days | Around Day 55-65 | Around Day 75-84 | Final-week targeted practice |
How to review a mock
| Review step | Action |
|---|---|
| 1 | Do not look only at the score. Sort by topic and error type. |
| 2 | Review missed and guessed questions first. |
| 3 | Rework simulations without the solution visible. |
| 4 | Identify repeated errors that appeared in earlier practice. |
| 5 | Replace the next planned content session with weak-area repair if needed. |
If you perform poorly on a mock, do not respond by reading an entire textbook section. First determine whether the problem was knowledge, timing, misreading, or simulation execution.
Final-week rules
| Rule | Why it matters |
|---|---|
| Stop broad new content | New material late in the process often crowds out review of testable weaknesses. |
| Keep mixed practice daily | The exam requires switching between topics without labels. |
| Review old misses | Repeated mistakes are more important than brand-new questions. |
| Practice simulations strategically | Focus on exhibit handling, evidence selection, and control judgment. |
| Keep sessions shorter near exam day | Fatigue can reduce retention and increase careless errors. |
| Protect sleep | Final-week recall depends on rest as much as repetition. |
Exam-readiness checks
Use these checks in the final week. They are not guarantees, but they help you decide where to spend your remaining time.
| Readiness area | Green | Yellow | Red |
|---|---|---|---|
| ITGCs | You can explain access, change, and operations controls with evidence examples | You know definitions but struggle with scenarios | You frequently confuse control purpose or timing |
| Application controls | You can identify input, processing, output, interface, and exception controls | You miss some automated versus manual control distinctions | You cannot match controls to risks |
| Security and availability | You can connect threats to controls and evidence | You know terms but miss applied questions | You rely on memorized definitions only |
| SOC and service organization concepts | You understand report-use limits and user entity responsibilities | You mix up who is responsible for what | You overstate what a report proves |
| Data and evidence | You can evaluate completeness, accuracy, source reliability, and exceptions | You can answer direct questions but struggle in simulations | You ignore data source or population issues |
| Timing | You finish practice sets with reviewable time remaining | You finish barely on time | You rush, guess, or leave simulations incomplete |
| Error log | Recent misses are fewer and explainable | The same topics repeat occasionally | The same errors keep appearing after review |
If two or more areas are red within a few days of the exam, stop broad review and spend your remaining time on targeted repair, mixed timed sets, and missed-question redo.
Practical next step
Choose your path based on your exam date, then complete one timed mixed CPA ISC practice set and one simulation. Build your error log from that session before opening new notes.
Your next study session should produce three things:
- A ranked list of weak CPA ISC topics
- A scheduled mock or partial mock date
- A short list of missed questions to redo within 72 hours