CPA ISC: Information Systems and Controls Practice Test

Prepare for the American Institute of Certified Public Accountants (AICPA) Certified Public Accountant Information Systems and Controls (CPA ISC) section with 24 free sample questions, an 82-question multiple-choice question (MCQ) diagnostic, topic drills, timed practice, and detailed explanations aligned to the 2026 blueprint.

Use this page when you are preparing for the Certified Public Accountant Information Systems and Controls section and want a direct practice route. The public preview gives you sample questions and a full-length MCQ diagnostic; the web app adds mixed sets, topic drills, timed mocks, progress tracking, and full practice.

Mastery Exam Prep is independent exam-prep software. These are original practice questions, not official CPA Exam questions from AICPA, NASBA, or any state board.

What this CPA ISC page gives you

  • a direct web route into Certified Public Accountant Information Systems and Controls practice
  • 24 public sample questions with detailed explanations before you subscribe
  • an 82-question multiple-choice question (MCQ) diagnostic across the ISC blueprint areas
  • focused topic pages for each major blueprint area
  • timed mixed practice for pacing, review discipline, and exam-day readiness
  • explanations written to show why the reasoning is right, not just which answer is marked correct

CPA ISC exam snapshot

  • Provider: American Institute of Certified Public Accountants (AICPA)
  • Exam section: Certified Public Accountant Information Systems and Controls (CPA ISC)
  • CPA Exam role: Discipline section
  • Current blueprint focus: 2026 AICPA ISC blueprint
  • Practice reference on this site: 82-question multiple-choice question (MCQ) diagnostic plus topic drills and mixed practice
  • Time reference: 4 hours
  • Passing score reference: 75
  • Important format note: The CPA ISC section also involves task-based simulations and exhibit-heavy work. Use the free page as a multiple-choice diagnostic, then use the full practice route for broader repetition and review.

Abbreviation guide for this page

Each entry gives the abbreviation, its meaning, and why it matters for practice:

  • CPA (Certified Public Accountant): This is the professional credential path. The page supports exam practice, not licensure advice.
  • ISC (Information Systems and Controls): This section focuses on information systems, data management, security, confidentiality, privacy, and system and organization controls engagements.
  • MCQ (Multiple-choice question): The public full-length page is an MCQ diagnostic. Use it for concept and pacing review, not as a promise that every live item type is represented.
  • AICPA (American Institute of Certified Public Accountants): Use the sponsor’s current materials and your state-board requirements as the final authority before exam day.

Topic coverage for CPA ISC practice

ISC blueprint areas with their official weighting ranges:

  • Information Systems and Data Management: 35-45%
  • Security, Confidentiality and Privacy: 35-45%
  • Considerations for System and Organization Controls Engagements: 15-25%

What CPA ISC is really testing

CPA ISC rewards candidates who can connect system facts to risks, controls, data reliability, security objectives, privacy obligations, and SOC reporting implications. Strong answers identify the process boundary and the control objective before choosing a response.

CPA ISC versus other CPA sections

What the stem is mainly about, and where it usually belongs:

  • Information systems, data management, security, confidentiality, privacy, and system and organization controls engagements: CPA ISC is the section built around this judgment area.
  • Audit evidence, engagement risk, independence, or reporting: compare with CPA AUD before drilling more CPA ISC questions.
  • Recognition, measurement, presentation, or disclosure: compare with CPA FAR before drilling more CPA ISC questions.
  • Business analysis, performance management, reporting analysis, or governmental accounting: compare with CPA BAR before drilling more CPA ISC questions.

High-yield CPA ISC traps

  • choosing a technical control without identifying the risk it addresses
  • confusing security, confidentiality, privacy, availability, and processing integrity objectives
  • missing the difference between management controls, user controls, and service-organization controls
  • treating data completeness and data accuracy as the same issue

Simulation-style skills to pair with MCQs

Use multiple-choice practice to build control vocabulary, then pair it with exhibit-style systems review. For CPA ISC, that means tracing process narratives, access matrices, data-flow descriptions, control descriptions, privacy facts, and SOC report excerpts before choosing the risk or control response. When you miss an MCQ, identify whether the weakness was process boundary, control objective, data reliability, user-control responsibility, or report-scope judgment.

How to use CPA ISC practice efficiently

  1. Start with focused topic drills until you can explain the rule, objective, or calculation setup behind each answer.
  2. Use the free 82-question diagnostic once as a baseline rather than as a memorization set.
  3. Review misses by weakness type and return to the matching topic page before another timed set.
  4. Move into timed mixed practice when topic-level accuracy is stable and you need pacing discipline.
  5. If several unseen timed attempts are above roughly 75%, schedule or proceed instead of trying to memorize the full bank.

Miss pattern to next drill

If your misses look like one of the following, drill the matching area next:

  • You miss system-flow questions: drill information systems and data management questions with process-boundary notes.
  • You confuse control objectives: drill security, confidentiality, and privacy questions.
  • You miss SOC language: drill system and organization controls engagement questions separately.

Free review resources

Need concept review before timed practice? Read the CPA ISC guide on CPAExamsMastery.com, then return here for sample questions, topic drills, timed mocks, and the full practice route.

Free samples and full practice

  • Live now: CPA ISC practice is available on web.
  • On-page sample set: this page includes 24 public sample questions for the ISC route.
  • Full practice: open the web route for mixed sets, topic drills, timed mocks, progress tracking, and detailed explanations.

24 CPA ISC sample questions with detailed explanations

These are original Mastery Exam Prep practice questions aligned to the live CPA ISC route and the main blueprint areas shown above. Use them to test readiness here, then continue in Mastery Exam Prep with mixed sets, topic drills, and timed mocks.

Question 1

Topic: Information Systems and Data Management

A CPA is performing a SOC 2 readiness review for a service organization that processes customer refund batches. The processing integrity service commitment states that authorized refund files received by 8:00 p.m. will be processed completely, accurately, and only once by midnight.

During a walkthrough, the CPA learns:

  • The API gateway rejects malformed files.
  • Accepted files are placed in a processing queue and then loaded to the settlement application.
  • Operations reviews a daily job-status dashboard the next morning.
  • Management says duplicate refunds are uncommon.
  • No record counts, hash totals, duplicate checks, or reconciliations compare files accepted by the gateway, records placed in the queue, and refunds posted by the settlement application.

The CPA’s main unresolved concern is whether accepted files are processed completely and only once as they move between systems. To evaluate whether a deficiency exists in the suitability of design of controls, what should the CPA do next?

  • A. Inspect the end-to-end interface design to determine whether controls reconcile accepted, queued, and posted records and detect duplicate processing.
  • B. Inspect daily job-status dashboards for the last month to confirm batches completed before midnight.
  • C. Reperform refund calculations for a sample of posted batches from the last quarter to test whether processed amounts were accurate.
  • D. Review privileged-user access approvals for the settlement application to determine whether security access is restricted.

Best answer: A

Explanation: The unresolved risk is at the handoffs between file acceptance, queuing, and posting. The next step is to inspect whether controls such as reconciliations, record counts, and duplicate checks are designed to ensure transactions are processed completely and only once. Testing calculations or access first would skip the design issue. Suitability of design focuses on whether the controls, if they operate as intended, would meet the processing integrity commitment. Here, malformed-file validation addresses input format, and a next-day job-status dashboard may indicate whether a batch ran, but neither control addresses whether all accepted records moved completely from the gateway to the queue to the settlement application or whether duplicates were prevented. The CPA should next understand the end-to-end data flow and inspect whether record-count reconciliations, hash totals, duplicate detection, and exception handling are built into the interfaces. If those controls are missing, the issue is a design deficiency because the current control set would not reasonably achieve complete, accurate, and one-time processing even if performed consistently.


Question 2

Topic: Security, Confidentiality and Privacy

At 9:10 a.m., a company’s security team confirms that a terminated contractor’s VPN credentials were used overnight to access a shared drive containing customer tax documents. Log review shows a 3.8 GB download to an external IP address, and the unauthorized VPN session is still active. The incident response plan includes classification, containment, eradication, recovery, notification, and post-incident review. What should the company do next?

  • A. Send breach notifications immediately to all customers whose tax documents may have been exposed.
  • B. Begin eradication by reimaging the file server and deleting any suspicious files.
  • C. Contain the incident by disabling the contractor account, terminating the VPN session, and preserving relevant logs.
  • D. Hold a post-incident meeting to revise the incident response plan and assign remediation tasks.

Best answer: C

Explanation: The active unauthorized VPN session makes containment the most relevant incident response component. The company should first stop additional access and preserve evidence before moving to eradication, notification, or lessons learned. When an incident is confirmed and malicious access is still occurring, containment is the next priority. In this scenario, a terminated contractor’s credentials are being used, sensitive customer tax documents were accessed, and the session remains active. Disabling the account and terminating the session reduce ongoing harm, while preserving logs supports investigation, scope assessment, and later decisions about notification. Eradication and recovery come after the threat is contained. Customer notification may eventually be required, but it is premature before the organization confirms the incident’s extent and applicable reporting obligations. Post-incident review happens after response activities are completed.


Question 3

Topic: Considerations for System and Organization Controls Engagements

A service auditor issued a SOC 2 Type 2 report on April 15 for the period October 1 through December 31, 20X4. On May 10, the auditor learns that service organization management knew before April 15 of a December privileged-access failure that was omitted from the system description and would likely have changed the auditor’s conclusion. Management refuses to revise the description or inform intended users.

What is the most appropriate response by the service auditor?

  • A. Seek revision of the system description and report; if management still refuses, take steps to prevent intended users from relying on the report.
  • B. Defer the matter and disclose it only in the next period’s SOC report.
  • C. Reissue the report independently with a modified conclusion.
  • D. Keep the report unchanged because the auditor discovered the matter after issuance.

Best answer: A

Explanation: This is a subsequently discovered fact that existed before the report was issued and is significant enough to affect the system description and likely the conclusion. The service auditor should seek revision, and if management refuses to cooperate, take appropriate steps to prevent intended users from relying on the original report. In a SOC engagement, if the service auditor later becomes aware of facts that existed at the report date and that would likely have affected the system description or the auditor’s conclusion, the issue is not ignored just because the auditor learned of it after issuance. The service auditor should discuss the matter with management, determine whether the description and report need revision, and request that appropriate action be taken. Because the system description is management’s responsibility, the auditor does not simply rewrite it alone. If management refuses to revise the description or notify intended users, the auditor should take steps to prevent further reliance on the report. The deciding facts here are that the condition existed before issuance, management knew of it, and it was significant enough to have likely changed the conclusion.


Question 4

Topic: Information Systems and Data Management

A distributor uses a single vendor-hosted system with modules for sales order entry, inventory, accounts receivable, and the general ledger. All modules read from and write to the same database. When warehouse staff confirm shipment, the system automatically creates the customer invoice, updates accounts receivable, reduces inventory, records cost of goods sold, and posts the related accounting entries. How should this environment be best characterized?

  • A. A data warehouse that stores summarized information mainly for reporting and analysis.
  • B. A stand-alone accounting information system that requires periodic batch uploads from separate operational systems.
  • C. An integrated ERP/accounting information system in which operational transactions feed accounting processes through a shared database.
  • D. A customer relationship management system that supports sales activities but not core accounting processing.

Best answer: C

Explanation: The system is best characterized as an integrated ERP-based accounting information system. A single operational event, shipment confirmation, automatically updates multiple accounting records through one shared database, which is the key feature of ERP integration. An enterprise resource planning system integrates business processes across functions by using a common application environment and shared data. The accounting information system within an ERP does not operate separately; instead, operational events such as shipping, purchasing, or receiving inventory can automatically trigger accounting effects in subledgers and the general ledger. In this scenario, shipment confirmation causes invoicing, accounts receivable updates, inventory reduction, cost of goods sold recognition, and related postings without separate batch transfers or manual reentry. That means the system is processing transactions, not merely storing reports or managing customer contacts. A stand-alone AIS usually relies on interfaces from other systems, while a data warehouse is mainly for analysis, and a CRM is centered on customer and sales activities rather than full accounting processing.


Question 5

Topic: Security, Confidentiality and Privacy

During a SOC 2 walkthrough of a payroll SaaS provider, the CPA notes the following:

  • The privacy notice states former employee personal data will be deleted within 60 days after a client terminates service unless law requires longer retention.
  • When a client terminates service, portal access is disabled immediately.
  • The same personal data remains indefinitely in the analytics warehouse and in support-ticket attachments.
  • Legal confirmed no statutory or contractual retention exception applies to the sampled terminated clients.

Which corrective response best addresses this privacy control deficiency?

  • A. Require multifactor authentication and quarterly access reviews for personnel who can view terminated-client personal data.
  • B. Revise the privacy notice to permit indefinite retention of terminated-client personal data for analytics purposes.
  • C. Encrypt terminated-client personal data in the analytics warehouse and support platform and rotate keys more frequently.
  • D. Implement a monitored retention-and-deletion workflow that removes terminated-client personal data from all repositories within 60 days and logs any approved exceptions.

Best answer: D

Explanation: The issue is excessive retention of personal data beyond the stated 60-day period, including downstream copies. A monitored retention-and-deletion workflow is the best corrective response because it aligns actual processing with the privacy notice and removes data from all repositories unless a valid exception is approved. This is a privacy retention and disposal deficiency, not primarily an access-security problem. The organization promised deletion within 60 days, but personal data remains indefinitely in other repositories after the client relationship ends. The corrective response should therefore establish a retention schedule tied to the termination event, identify every system holding the data, delete or securely dispose of the data from those locations, document approved exceptions, and monitor completion. Encryption, MFA, and access reviews can strengthen confidentiality and security, but they do not satisfy a privacy commitment to delete data when it is no longer needed. Revising the notice to allow indefinite retention would avoid the promise rather than correct the control gap, especially when no legal or contractual exception applies.


Question 6

Topic: Considerations for System and Organization Controls Engagements

A CPA is completing a SOC 2 Type 2 examination of a payroll SaaS provider. Management provided the system description and cooperated with control testing throughout the period, but on the report date management refuses to sign a written representation letter, saying the CPA’s procedures already provide enough evidence. What is the most appropriate action for the CPA?

  • A. Issue the SOC report because testing and oral confirmations provide sufficient evidence.
  • B. Treat the refusal as a scope limitation and disclaim an opinion or withdraw from the engagement.
  • C. Issue the SOC report with an explanatory paragraph describing management’s refusal to sign.
  • D. Release the SOC report now and obtain the written representation letter after issuance.

Best answer: B

Explanation: In a SOC examination, written representations from management are required evidence and are obtained as of the report date. If management refuses to provide them, the CPA cannot rely only on testing or oral statements; the refusal typically leads to a disclaimer of opinion or withdrawal. Management written representations are a required part of evidence in a SOC engagement. In a SOC 2 Type 2 examination, management ordinarily represents its responsibility for the system description, the suitability of control design, and the operating effectiveness of controls throughout the specified period. Those representations are obtained in writing as of the practitioner’s report date. If management refuses to provide them, the problem is not cured by oral statements, extra disclosure, or issuing the report first and collecting the letter later. The refusal creates a scope limitation and may also raise concerns about management integrity. Accordingly, the CPA should disclaim an opinion or withdraw from the engagement, if withdrawal is available.


Question 7

Topic: Information Systems and Data Management

A CPA is evaluating controls over an internally developed billing application. Management states that the purpose of the company’s change management process is to reduce the risk that unauthorized or untested program changes reach production. Which source of evidence would BEST support that conclusion?

  • A. A change ticket for release 5.7 showing the request, QA test results in a nonproduction environment, business-owner approval, and production migration approval by an IT operations manager
  • B. An incident record showing that invoice calculation errors were discovered two days after the last release and then corrected
  • C. A production access listing showing that developers have read-only access to the billing application’s live tables
  • D. A system architecture summary showing separate development, test, and production environments for the billing application

Best answer: A

Explanation: The change ticket with documented request, testing, approval, and separate production migration most directly supports the conclusion. Those elements show why change management exists: to keep unauthorized or untested changes out of production and reduce disruption to processing. Change management for internal applications is intended to ensure changes are formally initiated, evaluated, tested, approved, and moved into production in a controlled manner. Strong evidence of that purpose includes a documented change request, testing in a nonproduction environment, approval by appropriate business or IT personnel, and controlled migration to production. A record containing all of those elements best supports the conclusion because it ties the change to both authorization and controlled implementation. By contrast, production access information, separate environments, or an incident report may each be useful for other conclusions, but none of them as directly demonstrates the full purpose of change management practices.


Question 8

Topic: Security, Confidentiality and Privacy

During a review of privacy source materials, a CPA compares the company’s public privacy notice with observed procedures:

  • Privacy notice: “When a customer closes an account or submits a deletion request, personal information is deleted within 30 days unless a longer period is required by law.”
  • Observed procedure: Closed-account records remain in the CRM for 180 days to support reactivation marketing, and deletion requests are processed at quarter-end.
  • Additional fact: Legal counsel confirmed there is no law, contract, or litigation hold requiring retention beyond 30 days.

Which is the best corrective response?

  • A. Treat this as a security breach and notify all affected former customers immediately.
  • B. Accept the 180-day retention because marketing use is a valid business purpose even though the public notice states 30 days.
  • C. Treat this primarily as a confidentiality issue and encrypt the CRM data retained for 180 days.
  • D. Treat this as a privacy commitment mismatch and align the retention and deletion process to the 30-day notice; if management wants a longer period, it must first revise and disclose that commitment appropriately.

Best answer: D

Explanation: The issue is a mismatch between disclosed privacy commitments and actual data-retention procedures. Because the stem says no legal or contractual reason requires retention beyond 30 days, management should bring operations into line with the notice or formally change the disclosed commitment before using a longer period. When privacy source material states a specific retention or deletion commitment, the key question is whether actual processing follows that commitment. Here, the notice promises deletion within 30 days unless law requires longer retention, but the observed process keeps data 180 days for marketing and delays deletion requests until quarter-end. Since the facts say no law, contract, or litigation hold requires the longer period, this is a privacy control exception and a source-material inconsistency. The best correction is to reconcile operations to the published notice or formally revise and disclose a supportable retention period before continuing the longer practice. Adding encryption may strengthen confidentiality, but it does not fix an inaccurate privacy promise, and breach notification is not required absent unauthorized access or disclosure.


Question 9

Topic: Considerations for System and Organization Controls Engagements

A service organization is issuing a SOC 2 Type 2 report on the security category for the year ended December 31. The service auditor determined that:

  • The system description properly identifies a cloud hosting provider as a carved-out subservice organization.
  • Relevant complementary user entity controls are clearly described.
  • Sufficient evidence was obtained for all controls within the service organization’s boundary.
  • Quarterly user-access reviews were missed for two quarters for one in-scope customer support application, leaving some terminated users with active access.
  • The exception was material to operating effectiveness for that application, but it was not pervasive to the system as a whole.
  • No other deficiencies or system description errors were noted.

Which reporting conclusion is most supported?

  • A. An unmodified SOC 2 Type 2 opinion because the carved-out subservice organization and CUECs were properly disclosed
  • B. A qualified SOC 2 Type 2 opinion because a material operating effectiveness exception existed, but it was limited rather than pervasive
  • C. An adverse SOC 2 Type 2 opinion because any failure of an in-scope control requires concluding controls were not effective overall
  • D. A disclaimer of opinion because the carve-out method prevents the service auditor from obtaining enough evidence about the full system

Best answer: B

Explanation: The best conclusion is a qualified SOC 2 Type 2 opinion. The service auditor had sufficient evidence, the system description and carve-out disclosure were proper, and the identified problem was a material operating effectiveness exception that was limited to one application rather than pervasive. In a SOC 2 Type 2 engagement, the opinion addresses whether the system description is fairly presented, controls are suitably designed, and controls operated effectively throughout the period. A qualified opinion is appropriate when there is a material issue that is not pervasive. Here, the missed quarterly access reviews created an operating effectiveness problem, but the facts state it was limited to one in-scope application and not pervasive to the system as a whole. An adverse opinion would fit a material and pervasive problem. A disclaimer would fit a scope limitation or inability to obtain sufficient evidence. Properly disclosing a carved-out subservice organization and related CUECs does not, by itself, require modification.


Question 10

Topic: Information Systems and Data Management

A service organization is being examined under SOC 2 for the availability category. Management’s documented availability service commitments and system requirements include:

  • Restore customer processing within 2 hours after a regional outage
  • Limit data loss to 15 minutes
  • Use continuous replication to a secondary region, quarterly backup-restore tests, and an annual full failover test

Which finding is the clearest design deficiency, rather than an operating deviation?

  • A. The annual full failover test was completed 10 days later than scheduled during the examination period.
  • B. Replication to the secondary region occurs every 15 minutes, but no control assesses whether that region has enough capacity to resume full processing within 2 hours.
  • C. A daily review of backup exception reports was not documented on one holiday weekend even though the backups completed.
  • D. A quarterly backup-restore test was missed because the responsible manager resigned before the test date.

Best answer: B

Explanation: The correct choice is the absence of any control to assess whether the secondary region can handle production workload within the stated 2-hour recovery objective. That is a design deficiency because the control framework itself lacks a necessary procedure to support the availability commitment, even if existing controls operate as planned. In a SOC 2 context, a design deficiency exists when controls are not suitably designed to achieve the stated service commitments and system requirements. An operating deviation exists when a suitably designed control is not performed, is performed late, or is not documented as required. Here, management promises restoration within 2 hours after a regional outage. Continuous replication supports the recovery point objective, but replication alone does not prove the secondary region can process full production demand within the recovery time objective. If no control evaluates failover capacity against that requirement, the availability control set is incomplete by design. By contrast, a missed test, a delayed test, or one missed review reflects failure in execution of an existing control, which is an operating deviation rather than a design flaw.


Question 11

Topic: Security, Confidentiality and Privacy

Northside Pediatrics has the following arrangements and requests:

  • Northside is a physician practice that submits claims electronically to health plans.
  • ClaimsPro LLC stores patient billing files and submits those claims for Northside under a signed business associate agreement.
  • A patient’s employer HR department asks Northside for the patient’s diagnosis and treatment notes to decide paid sick-leave eligibility.
  • The patient’s health plan asks Northside for documentation supporting a previously submitted claim.
  • No patient authorization, court order, or other legal requirement has been provided.

Which statement is the best interpretation under HIPAA?

  • A. Northside is a covered entity, but both the health plan and the employer need patient authorization before Northside may disclose the requested information.
  • B. ClaimsPro is the covered entity because it handles electronic claims, and Northside may disclose the records to the employer for health care operations.
  • C. Northside is a covered entity; ClaimsPro is a business associate; disclosure to the health plan for claim adjudication is permitted without authorization, but disclosure to the employer generally is not.
  • D. Northside is not a covered entity because it outsourced billing, so both disclosures require patient authorization.

Best answer: C

Explanation: Northside is a HIPAA covered entity because it is a health care provider that transmits standard transactions electronically. The health plan request relates to payment, which is a permitted disclosure without authorization, while the employer HR request generally is not permitted without the patient’s authorization. Under HIPAA, covered entities include health care providers that transmit health information electronically in connection with covered transactions such as claims submission. That means Northside remains a covered entity even though it outsourced billing support. ClaimsPro, acting under a business associate agreement, is a business associate rather than the covered entity replacing Northside. The Privacy Rule generally permits uses and disclosures of PHI without authorization for treatment, payment, and health care operations. A health plan’s request for documentation to adjudicate a submitted claim fits payment, so Northside may disclose the necessary information without separate patient authorization. By contrast, an employer HR department requesting diagnosis and treatment notes for leave administration is generally not a permitted routine disclosure unless the patient authorizes it or another specific exception applies.


Question 12

Topic: Considerations for System and Organization Controls Engagements

A claims-processing service organization is preparing a SOC 2 report. A third-party cloud provider hosts the production environment and performs physical security, hypervisor patching, and backup replication. Those controls are relevant to the security and availability criteria.

The cloud provider will not allow the service auditor access to its personnel or records and will not provide a written assertion for inclusion in the report. Management can describe the services the cloud provider performs and the controls it expects the provider to operate.

How should this subservice organization arrangement be characterized in the SOC 2 report?

  • A. Inclusive method, because the cloud provider performs controls relevant to security and availability.
  • B. Carve-out method, because the cloud provider’s services are relevant but its controls cannot be included and tested without access and a written assertion.
  • C. Complementary subservice organization control only, because identifying expected provider controls replaces the need to choose inclusive versus carve-out presentation.
  • D. Complementary user entity control, because the cloud provider’s controls are treated as controls that user entities must operate.

Best answer: B

Explanation: The cloud provider is a subservice organization because it performs part of the system relevant to the SOC 2 report. Since it will not provide audit access or a written assertion for inclusion, the arrangement would generally be presented using the carve-out method rather than the inclusive method. The choice between inclusive and carve-out presentation turns largely on whether the subservice organization can be brought into the scope of the service auditor’s work. Under the inclusive method, the subservice organization’s relevant controls are included in the system description and are subject to testing, which generally requires the subservice organization’s cooperation, access to personnel and records, and appropriate representations. When that participation is unavailable or impractical, the service organization usually uses the carve-out method. Under carve-out, the report describes the services performed by the subservice organization but excludes that organization’s controls from the service auditor’s opinion. The service organization may also identify complementary subservice organization controls expected at the provider. These provider-operated controls are not complementary user entity controls, because user entities do not perform them.


Question 13

Topic: Information Systems and Data Management

An entity’s internal IT team administers a virtualized environment dedicated exclusively to the entity for its core general ledger system. During quarter-end, the entity shifts certain reporting workloads to a third-party provider’s multi-tenant cloud platform through a secure connection, while both environments remain in use. Which cloud deployment model best describes the entity’s overall arrangement?

  • A. Public cloud deployment model
  • B. Traditional on-premises deployment model
  • C. Private cloud deployment model
  • D. Hybrid cloud deployment model

Best answer: D

Explanation: Hybrid cloud is correct because the entity uses both a private environment dedicated to its own use and a public multi-tenant cloud service. The key fact is that the two distinct environments are connected and both support operations. A private cloud is used exclusively by one organization, even if a third party hosts or manages parts of it. A public cloud is a shared, multi-tenant environment provided to multiple customers. A hybrid cloud exists when an organization uses at least two distinct environments, such as private and public cloud, and they remain separate but are connected to support data sharing or workload movement. Here, the core general ledger runs in an environment dedicated exclusively to the entity, which indicates private cloud characteristics, while quarter-end processing uses a third-party multi-tenant platform, which indicates public cloud characteristics. Because both environments are used together through a secure connection, the overall arrangement is hybrid cloud.


Question 14

Topic: Security, Confidentiality and Privacy

During implementation of a new billing application, a company refreshed its QA database from production for user acceptance testing. Company policy states that confidential payment card numbers must not be readable in nonproduction environments. Management concludes that confidential data was protected during testing.

Which source most strongly supports that conclusion?

  • A. A vendor SOC 2 excerpt stating the cloud provider encrypts storage volumes at rest.
  • B. An access listing showing only QA analysts and developers have read access to the QA database.
  • C. A data dictionary showing the card number field is classified as confidential.
  • D. A change record showing the QA refresh ran a masking routine on the card number field and a validation query found no full card numbers in QA.

Best answer: D

Explanation: The change record with masking and validation is the best support because it directly ties the production-to-QA refresh to a control that made the confidential field unreadable in nonproduction. The other sources are relevant background, but they do not prove the test data itself was protected during testing. For confidential data in design, development, testing, and implementation, the strongest evidence is direct evidence that the sensitive data was protected where the risk exists. Here, the risk is that production payment card data was copied into QA for testing. A change record showing that a masking routine was applied during the refresh, plus validation that no full card numbers remained, directly supports management’s conclusion. A data dictionary only identifies the field as sensitive; it does not show any protection was applied. An access listing supports least-privilege access, but authorized users could still view full values if masking was not performed. A vendor SOC 2 excerpt about encryption at rest helps with infrastructure security, but it does not show the application test data was de-identified or otherwise unreadable in QA.
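As an added example (not code from the page), the following Python sketches the two pieces of evidence the keyed answer relies on: a masking routine applied during the production-to-QA copy, and a validation pass that confirms no full card number remains readable. The rows, field names and test card numbers are constructed for the illustration. It also shows the caveat a reviewer should press on: masking only the column the data dictionary flags as confidential misses a card number pasted into a free-text field, so the validation scans every string field for Luhn-valid digit runs rather than checking the one column.

```python
import re

# Constructed sample extract (not data from the page or any real system).
# The card numbers are published test PANs: they pass Luhn but are not issued cards.
PRODUCTION_ROWS = [
    {"invoice_id": 1001, "card_number": "4111111111111111", "notes": "paid in full"},
    {"invoice_id": 1002, "card_number": "5500000000000004",
     "notes": "customer read card 5500000000000004 over phone; ticket 4482"},
    {"invoice_id": 1003, "card_number": "378282246310005", "notes": ""},
]

# A 13-19 digit run not adjacent to other digits. The Luhn check below is what
# separates real PANs from ticket numbers and other long integers.
PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check: double every second digit from the right, fold to one digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; length is preserved for format-sensitive code."""
    return "X" * (len(pan) - 4) + pan[-4:]


def scrub_text(value: str) -> str:
    """Mask any Luhn-valid PAN embedded in free text; other digit runs are left alone."""
    return PAN_RUN.sub(
        lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), value
    )


def naive_refresh(rows):
    """Masks only the column the data dictionary flags as confidential."""
    return [{**r, "card_number": mask_pan(r["card_number"])} for r in rows]


def refresh_to_qa(rows):
    """Mask card_number and scrub every other string field during the copy."""
    out = []
    for r in rows:
        masked = {}
        for key, value in r.items():
            if key == "card_number":
                masked[key] = mask_pan(value)
            elif isinstance(value, str):
                masked[key] = scrub_text(value)
            else:
                masked[key] = value
        out.append(masked)
    return out


def find_full_pans(rows):
    """Validation step: (invoice_id, field) for every Luhn-valid PAN still readable in QA."""
    hits = []
    for r in rows:
        for field, value in r.items():
            if isinstance(value, str):
                for m in PAN_RUN.finditer(value):
                    if luhn_ok(m.group()):
                        hits.append((r["invoice_id"], field))
    return hits


if __name__ == "__main__":
    print("column-only masking left:", find_full_pans(naive_refresh(PRODUCTION_ROWS)))
    print("masking plus scrub left: ", find_full_pans(refresh_to_qa(PRODUCTION_ROWS)))
```

Run it and the column-only refresh reports the value leaked into the notes field while the full refresh reports nothing. A validation query that only checked the card_number column would have passed both refreshes, which is why the change record's validation step should be read for what it actually searched, not just for the fact that it ran.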


Question 15

Topic: Considerations for System and Organization Controls Engagements

A service auditor is planning a SOC 2 Type 2 examination for a payroll SaaS provider for the year ended December 31, 20X5. Relevant planning facts:

  • On July 1, the provider outsourced production hosting and backups to a third-party data center.
  • Management will describe the data center using the carve-out method.
  • The provider retains controls over vendor selection, contract monitoring, and review of monthly uptime and incident reports.

Which statement best reflects the planning impact of these facts?

  • A. The data center’s controls are included in the service auditor’s opinion scope because they support security and availability commitments.
  • B. The outsourcing change affects only materiality, so no change in risk assessment or planned procedures is needed.
  • C. The data center’s controls are complementary user entity controls because they are performed outside the provider’s system.
  • D. The data center’s controls are outside the opinion scope, so planning should emphasize the provider’s monitoring controls and the adequacy of the carve-out disclosure.

Best answer: D

Explanation: Under the carve-out method, controls at the subservice organization are excluded from the service auditor’s opinion. Planning therefore focuses on whether the carve-out is properly described and whether the service organization has effective controls to monitor the outsourced provider. In a SOC engagement, a subservice organization may be presented using either the inclusive method or the carve-out method. If management uses the carve-out method, the subservice organization’s controls are not included in the service auditor’s opinion on the service organization’s system. That planning fact affects scope and procedures: the auditor evaluates whether the carve-out is appropriately disclosed and tests the service organization’s own controls over selecting, overseeing, and responding to issues at the outsourced provider. The outsourced provider’s controls are not complementary user entity controls, because CUECs are controls expected at the user entity, not at another service organization. The outsourcing also affects risk assessment because hosting and backup services can significantly affect security and availability commitments.


Question 16

Topic: Information Systems and Data Management

An auditor is reviewing an emergency configuration change to a payment application. Based on the exhibit, which control deficiency is best supported?

  Change ID: EC-417
  Reason: API timeout errors were blocking customer orders
  Change type: Emergency configuration change
  Preimplementation approvals: CIO 9:10 p.m.; Operations manager 9:12 p.m.
  Testing: Staging smoke test passed; results attached
  Rollback plan: Restore prior timeout value from config backup; estimated 5 minutes
  Production access used: Shared account prod-admin; individual user activity not separately identifiable
  Implementation time: 9:20 p.m.
  Postimplementation review: Scheduled for next business day

  • A. Production access controls were deficient because the change was made through a shared administrative account.
  • B. Rollback procedures were bypassed for the production change.
  • C. Emergency approval controls were bypassed before implementation.
  • D. Testing controls were bypassed because the change was moved without any predeployment validation.

Best answer: A

Explanation: The strongest deficiency is the use of a shared production account. Emergency changes may be expedited, but production activity still should be attributable to a specific authorized person, and the exhibit shows that approvals, testing, and rollback planning were present. Emergency changes can shorten normal timelines, but they should not bypass key control objectives. The exhibit documents preimplementation approvals, evidence of staging testing, and a defined rollback plan, so those areas are not the clearest problem. The control gap is production access: the change was implemented through a shared administrative account, and individual actions were not separately identifiable. That weakens accountability, monitoring, and investigation because management cannot reliably determine who performed which production actions. A stronger control would use individually assigned, time-limited elevated access with logging and follow-up review.


Question 17

Topic: Security, Confidentiality and Privacy

A company uses the following access-control process for its ERP system:

  • Users sign in with a unique ID, password, and MFA.
  • New access requests require manager approval and are assigned by role.
  • Managers perform a quarterly review of user access listings.
  • HR sends a weekly spreadsheet of terminated employees to IT.

During testing, the CPA notes that two terminated employees kept active ERP access for up to 6 days after termination. Which action is the best correction to this control weakness?

  • A. Require a stronger MFA method for all ERP logins.
  • B. Require system owners to approve all role assignments before access is provisioned.
  • C. Expand quarterly access reviews to require managers to reapprove every user role.
  • D. Integrate HR termination notices with IT so accounts are disabled immediately when employment ends.

Best answer: D

Explanation: The weakness is not how users authenticate or how access is initially approved. It is that terminated users keep access too long, so the best fix is an access revocation control that disables accounts promptly when HR records the termination. Authentication confirms who the user is, such as with passwords and MFA. Authorization and access provisioning determine what access a user receives, often through approved roles. Access review is a periodic check that existing access remains appropriate. Access revocation removes access when it is no longer needed, especially after termination. In this scenario, authentication is already in place, role-based provisioning exists, and quarterly reviews occur. The failure is that IT waits for a weekly HR spreadsheet, leaving terminated users active for several days. The most effective correction is to link HR termination events to immediate account disablement or deprovisioning so access ends as soon as employment ends.
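The following Python is an added example, not from the page, of how a CPA might test the revocation control and what the corrected control does. The HR feed, ERP listing and dates are constructed; the 0-day service level is an assumption standing in for "disabled immediately". revocation_lag reproduces the finding (accounts enabled up to 6 days past termination), and on_termination_event is the integration the keyed answer describes: the HR event disables the account on the termination date rather than waiting for the weekly spreadsheet.

```python
import copy
from datetime import date

# Constructed sample data (not from the page or any real system).
# HR feed: the employee's last day of employment.
HR_TERMINATIONS = [
    {"employee_id": "E100", "terminated_on": date(2025, 3, 3)},
    {"employee_id": "E101", "terminated_on": date(2025, 3, 5)},
    {"employee_id": "E102", "terminated_on": date(2025, 3, 6)},
]

# ERP user listing as pulled on the test date; disabled_on is None while enabled.
ERP_ACCOUNTS = [
    {"user_id": "jdoe", "employee_id": "E100", "disabled_on": date(2025, 3, 9)},
    {"user_id": "asmith", "employee_id": "E101", "disabled_on": None},
    {"user_id": "bkhan", "employee_id": "E102", "disabled_on": date(2025, 3, 6)},
    {"user_id": "clee", "employee_id": "E200", "disabled_on": None},  # still employed
]

AS_OF = date(2025, 3, 11)  # date the CPA pulled the listing


def revocation_lag(hr_terminations, erp_accounts, as_of, sla_days=0):
    """Test of the revocation control: for every terminated employee, count the
    days the ERP account stayed enabled past termination (measured to as_of if
    it is still enabled). Returns the exceptions over sla_days, sorted by user_id."""
    terminated = {t["employee_id"]: t["terminated_on"] for t in hr_terminations}
    exceptions = []
    for acct in erp_accounts:
        term_date = terminated.get(acct["employee_id"])
        if term_date is None:
            continue  # HR shows the person as current; outside this test's population
        ended = acct["disabled_on"] or as_of
        lag = (ended - term_date).days
        if lag > sla_days:
            exceptions.append({
                "user_id": acct["user_id"],
                "lag_days": lag,
                "still_active": acct["disabled_on"] is None,
            })
    return sorted(exceptions, key=lambda e: e["user_id"])


def on_termination_event(event, erp_accounts):
    """Integration handler: an HR termination event disables every enabled ERP
    account tied to that employee on the termination date itself. Mutates
    erp_accounts in place and returns the user_ids it disabled."""
    disabled = []
    for acct in erp_accounts:
        if acct["employee_id"] == event["employee_id"] and acct["disabled_on"] is None:
            acct["disabled_on"] = event["terminated_on"]
            disabled.append(acct["user_id"])
    return disabled


def simulate_integration(hr_terminations, erp_accounts):
    """Replay the HR feed as events against a copy of the listing; return the copy."""
    accounts = copy.deepcopy(erp_accounts)
    for event in hr_terminations:
        on_termination_event(event, accounts)
    return accounts


if __name__ == "__main__":
    print("before integration:", revocation_lag(HR_TERMINATIONS, ERP_ACCOUNTS, AS_OF))
    replayed = simulate_integration(HR_TERMINATIONS, ERP_ACCOUNTS)
    print("after integration: ", revocation_lag(HR_TERMINATIONS, replayed, AS_OF))
```

The replay only changes accounts that are still enabled, so jdoe's historical 6-day lag remains in the replayed result; what disappears is the still-active asmith account. In practice the termination event would come from the HR system's API or an identity-governance connector, and the same lag measurement is the evidence to retain for the next access review.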


Question 18

Topic: Considerations for System and Organization Controls Engagements

A CPA is reviewing the following draft SOC 2 system description excerpt for CloudLedger, a payroll SaaS provider.

  • Report scope: Security and Availability
  • Method for subservice organizations: Carve-out
  • In-scope components of CloudLedger’s system:
    • Payroll web application and admin portal
    • Production databases in CloudLedger’s virtual network
    • CloudLedger employees who monitor production and respond to incidents
    • Change management and incident response procedures
  • Relevant third-party services presented as carved out:
    • AWS physical data center facilities
    • Twilio SMS delivery service
  • User entity responsibilities:
    • Customer administrators approve user access
    • Customers secure their own laptops and browsers

Based on the exhibit, which conclusion about the system boundary is supported?

  • A. CloudLedger employees who monitor production and the incident response procedures are within the system boundary.
  • B. AWS physical data center controls are within the system boundary.
  • C. Customer laptop and browser security are within the system boundary.
  • D. Twilio SMS delivery controls are within the system boundary.

Best answer: A

Explanation: The system boundary includes the service organization’s own components used to provide the service, such as its people and procedures. Here, CloudLedger’s monitoring staff and incident response procedures are explicitly listed in scope, while AWS and Twilio are carved out and customer devices remain user responsibilities. In a SOC 2 engagement, the system boundary is defined by the components of the service organization’s system that are included in the description and subject to the engagement. Those components commonly include the service organization’s infrastructure, software, people, procedures, and data used to deliver the service. When a subservice organization is presented using the carve-out method, the subservice organization’s controls are not included within the described system boundary, even if its services are relevant. Likewise, customer-managed laptops, browsers, and access approval activities are user entity responsibilities, not part of the service organization’s system. In this exhibit, CloudLedger’s production monitoring personnel and incident response procedures are clearly listed as in scope, so they are within the system boundary.


Question 19

Topic: Information Systems and Data Management

An accounting system team provided the following database exhibit. The “Key / rule” column lists every defined key constraint for each column.

Table        Column         Key / rule
Customer     CustomerID     Primary key; not null
Customer     CustomerName   Not null
SalesRep     SalesRepID     Primary key; not null
SalesRep     SalesRepPhone  Not null
OrderHeader  OrderID        Primary key; not null
OrderHeader  CustomerID     Not null
OrderHeader  SalesRepID     Not null
OrderHeader  SalesRepPhone  Not null

Current master rows:

  • Customer.CustomerID values: 100, 101
  • SalesRep row: SalesRepID 7, SalesRepPhone 555-0100

Current OrderHeader rows:

OrderID  CustomerID  SalesRepID  SalesRepPhone
8101     100         7           555-0100
8102     999         7           555-0100
8103     101         7           555-0100

Which conclusion is best supported by the exhibit?

  • A. SalesRepPhone is properly normalized in OrderHeader because each order has only one sales representative assigned.
  • B. The not-null rule on OrderHeader.CustomerID is enough to prevent invalid customer references.
  • C. OrderHeader.CustomerID is not enforced as a foreign key, and storing SalesRepPhone in OrderHeader indicates a normalization issue.
  • D. Customer.CustomerID functions as a foreign key because OrderHeader references it from another table.

Best answer: C

Explanation: The data dictionary shows that OrderHeader.CustomerID is defined only as not null, not as a foreign key, so referential integrity with Customer is not enforced; the order row with CustomerID 999 is the resulting orphan. Repeating SalesRepPhone in every OrderHeader row is a normalization problem because that attribute depends on SalesRepID, not on OrderID. A primary key uniquely identifies a row within its own table. A foreign key is a column in a child table that holds the primary key value of a row in a parent table; it is the constraint that enforces referential integrity by requiring a matching parent row to exist. The data dictionary is the proper source for confirming whether those constraints are actually defined. Here, Customer.CustomerID and SalesRep.SalesRepID are primary keys, but OrderHeader.CustomerID carries only a not-null rule, which is why OrderHeader can hold CustomerID 999 with no matching customer. Likewise, SalesRepPhone is a non-key attribute of SalesRep; copying it into each order row creates redundancy and update anomalies (a phone change must be made in every order row, or the copies disagree with the master), which is the normalization issue.
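As an added example (not from the page), this Python script uses the standard-library sqlite3 module to build the exhibit's tables two ways and show what changes. Column types, customer names and the SalesRepID foreign key are assumptions the exhibit does not state. With PRAGMA foreign_keys ON and REFERENCES declared, the CustomerID 999 order is rejected; with the pragma OFF the database behaves like the exhibit's not-null-only definition and the orphan query finds the row. Dropping SalesRepPhone from OrderHeader and reading it through a join means one UPDATE to SalesRep changes the phone shown for every order.

```python
import sqlite3

# Constructed schema built from the exhibit, with both defects corrected:
# OrderHeader.CustomerID and OrderHeader.SalesRepID are declared as foreign keys,
# and SalesRepPhone is removed from OrderHeader because it depends on SalesRepID.
# Column types and customer names are assumptions; the exhibit does not give them.
SCHEMA = """
CREATE TABLE Customer (
    CustomerID   INTEGER PRIMARY KEY,
    CustomerName TEXT NOT NULL
);
CREATE TABLE SalesRep (
    SalesRepID    INTEGER PRIMARY KEY,
    SalesRepPhone TEXT NOT NULL
);
CREATE TABLE OrderHeader (
    OrderID    INTEGER PRIMARY KEY,
    CustomerID INTEGER NOT NULL REFERENCES Customer(CustomerID),
    SalesRepID INTEGER NOT NULL REFERENCES SalesRep(SalesRepID)
);
INSERT INTO Customer VALUES (100, 'Customer 100'), (101, 'Customer 101');
INSERT INTO SalesRep VALUES (7, '555-0100');
"""

# (OrderID, CustomerID, SalesRepID) for the three exhibit rows.
EXHIBIT_ORDERS = [(8101, 100, 7), (8102, 999, 7), (8103, 101, 7)]


def open_db(enforce_fk):
    """In-memory database. SQLite only enforces REFERENCES when the pragma is ON,
    so enforce_fk=False reproduces the exhibit's not-null-only behaviour."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON" if enforce_fk else "PRAGMA foreign_keys = OFF")
    conn.executescript(SCHEMA)
    return conn


def insert_order(conn, order_id, customer_id, sales_rep_id):
    """Return True if the row is accepted, False if a constraint rejects it."""
    try:
        with conn:
            conn.execute("INSERT INTO OrderHeader VALUES (?, ?, ?)",
                         (order_id, customer_id, sales_rep_id))
        return True
    except sqlite3.IntegrityError:
        return False


def orphan_orders(conn):
    """Audit query: orders whose CustomerID has no parent row. This is the test to
    run when the dictionary shows NOT NULL but no foreign key on the column."""
    return conn.execute("""
        SELECT o.OrderID, o.CustomerID
        FROM OrderHeader AS o
        LEFT JOIN Customer AS c ON c.CustomerID = o.CustomerID
        WHERE c.CustomerID IS NULL
        ORDER BY o.OrderID
    """).fetchall()


def order_rep_phone(conn, order_id):
    """The phone is read from SalesRep through the join; no copy lives in OrderHeader,
    so a single UPDATE to SalesRep is reflected on every order."""
    return conn.execute("""
        SELECT s.SalesRepPhone
        FROM OrderHeader AS o JOIN SalesRep AS s ON s.SalesRepID = o.SalesRepID
        WHERE o.OrderID = ?
    """, (order_id,)).fetchone()[0]


def run_exhibit(enforce_fk):
    """Load the three exhibit orders and report what the constraints did."""
    conn = open_db(enforce_fk)
    accepted = [(oid, insert_order(conn, oid, cid, rid)) for oid, cid, rid in EXHIBIT_ORDERS]
    orphans = orphan_orders(conn)
    conn.execute("UPDATE SalesRep SET SalesRepPhone = '555-0199' WHERE SalesRepID = 7")
    phone = order_rep_phone(conn, 8101)
    conn.close()
    return {"accepted": accepted, "orphans": orphans, "phone_after_update": phone}


if __name__ == "__main__":
    print("foreign keys enforced:", run_exhibit(True))
    print("not null only:        ", run_exhibit(False))
```

SQLite needs the pragma on every connection; most other engines enforce a declared foreign key by default, so in those systems the reviewer's question is whether the constraint was declared at all, which is exactly what the data dictionary answers.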


Question 20

Topic: Security, Confidentiality and Privacy

A company documents its current cybersecurity practices and its desired future cybersecurity outcomes, then compares the two against the NIST Cybersecurity Framework to identify gaps and prioritize improvements. Under the NIST Cybersecurity Framework, this is best characterized as a(n):

  • A. Organizational Profile
  • B. Implementation Tier
  • C. Core
  • D. Confidentiality category

Best answer: A

Explanation: The correct classification is Organizational Profile. In the NIST Cybersecurity Framework, profiles are used to describe current and target cybersecurity outcomes and compare them to identify gaps and improvement priorities. The NIST Cybersecurity Framework has three main parts: the Core, Implementation Tiers, and Organizational Profiles. The Core organizes cybersecurity outcomes and activities, while Implementation Tiers describe how formally and consistently an organization manages cybersecurity risk. Organizational Profiles are used when an entity maps its current state and desired target state to the Framework and then compares them to identify gaps. Because the scenario focuses on documenting current and desired outcomes and using that comparison to prioritize improvements, it fits the definition of an Organizational Profile rather than the Core or an Implementation Tier.


Question 21

Topic: Considerations for System and Organization Controls Engagements

In a SOC 2 Type 2 examination over the security category, the service auditor determined that management’s system description is fairly presented, quarterly privileged-access reviews were not performed for the production environment during 11 of the 12 months under examination, the production environment supports substantially all in-scope services so the failure is pervasive to the security criteria, and there is no scope limitation. What report conclusion is most appropriate?

  • A. Qualified opinion on operating effectiveness
  • B. Disclaimer of opinion because sufficient evidence was not available
  • C. Adverse opinion on operating effectiveness
  • D. Unmodified opinion on the SOC 2 Type 2 report

Best answer: C

Explanation: The keyed response is correct because the service auditor identified a pervasive failure in operating effectiveness, not a narrow exception. Since the system description is fairly presented and there is no scope limitation, the appropriate modification is an adverse opinion on operating effectiveness rather than a qualified opinion or disclaimer. In a SOC 2 Type 2 examination, the service auditor opines on whether the system description is fairly presented, controls are suitably designed, and controls operated effectively over the period. When evidence shows a control deficiency, the opinion depends on how significant and pervasive the problem is. A material but limited problem may lead to a qualified opinion. A pervasive problem that affects substantially all in-scope services or criteria supports an adverse opinion on the affected aspect of the report. A disclaimer is different: it is used when the auditor cannot obtain sufficient appropriate evidence or another scope limitation prevents a conclusion. Here, the auditor has evidence, the description is fairly presented, and the operating failure is pervasive, so adverse on operating effectiveness is the best conclusion.


Question 22

Topic: Information Systems and Data Management

A CPA is evaluating a retail company’s order-import control during a SOC 2 engagement.

Order import process: Web store -> ERP sales order table

Expected control:
- Reject any order if customer_id is not in the active customer master file.
- Log rejected orders for follow-up.

Test results for 500 imported web orders:
- 18 orders had customer_id values not found in the active customer master file.
- All 18 orders were still assigned ERP sales order numbers and released to fulfillment.
- Imported field values matched the source web orders exactly.
- All 500 orders were imported within the required 15-minute window.

Which processing integrity objective is most directly affected by the issue shown in the exhibit?

  • A. Accuracy of processing
  • B. Validity of processing
  • C. Completeness of processing
  • D. Timeliness of processing

Best answer: B

Explanation: The exhibit shows that orders failing a master-file validation rule were processed instead of rejected. That is a validity problem because the system accepted inputs that did not meet required business rules, while the facts indicate the orders were processed completely, accurately transferred, and on time. Validity focuses on whether transactions accepted by the system meet defined business rules and represent acceptable inputs. Here, the control was supposed to reject any order whose customer_id was not found in the active customer master file. Because 18 such orders were still assigned ERP sales order numbers and sent to fulfillment, the system processed invalid transactions. This is not primarily a completeness issue because all 500 orders were imported, not an accuracy issue because the imported values matched the source web orders, and not a timeliness issue because processing occurred within the required 15-minute window. The most direct processing integrity failure is validity.
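The following Python is an added example, not from the page, that separates the four objectives in code. The batch, customer master and timestamps are constructed and, unlike the exhibit's 500 orders, deliberately contain one exception of each type so the classification is visible. import_orders is the control as designed (reject and log on the master-file check); evaluate_import is the CPA's test, which files each exception under the objective it breaches.

```python
from datetime import datetime, timedelta

# Constructed sample batch (not from the page or any real system). The exhibit's
# 500 orders failed only the validity rule; this batch deliberately includes one
# failure of each kind so the four objectives can be told apart.
ACTIVE_CUSTOMERS = {"C100", "C101", "C102"}

WEB_ORDERS = [
    {"order_ref": "W1", "customer_id": "C100", "sku": "A-1", "qty": 2,
     "received": datetime(2025, 1, 6, 9, 0)},
    {"order_ref": "W2", "customer_id": "C999", "sku": "B-7", "qty": 1,
     "received": datetime(2025, 1, 6, 9, 1)},   # not in the active master
    {"order_ref": "W3", "customer_id": "C101", "sku": "A-1", "qty": 5,
     "received": datetime(2025, 1, 6, 9, 2)},
    {"order_ref": "W4", "customer_id": "C102", "sku": "C-3", "qty": 1,
     "received": datetime(2025, 1, 6, 9, 3)},
]

# ERP sales order rows as found after the import ran.
ERP_ROWS = [
    {"order_ref": "W1", "customer_id": "C100", "sku": "A-1", "qty": 2,
     "imported": datetime(2025, 1, 6, 9, 5)},
    {"order_ref": "W2", "customer_id": "C999", "sku": "B-7", "qty": 1,
     "imported": datetime(2025, 1, 6, 9, 5)},   # invalid, yet released
    {"order_ref": "W3", "customer_id": "C101", "sku": "A-1", "qty": 50,
     "imported": datetime(2025, 1, 6, 9, 40)},  # qty changed; outside window
    # W4 never arrived in the ERP
]

IMPORT_WINDOW = timedelta(minutes=15)
COMPARED_FIELDS = ("customer_id", "sku", "qty")


def import_orders(web_orders, active_customers):
    """The control as designed: reject orders whose customer_id is not in the
    active master and log them for follow-up; everything else is accepted."""
    accepted, rejected = [], []
    for order in web_orders:
        if order["customer_id"] in active_customers:
            accepted.append(order["order_ref"])
        else:
            rejected.append({"order_ref": order["order_ref"],
                             "reason": f"customer_id {order['customer_id']} not in active master"})
    return accepted, rejected


def evaluate_import(web_orders, erp_rows, active_customers, window=IMPORT_WINDOW):
    """The CPA's test: compare source to result and file each exception under
    the processing integrity objective it actually breaches."""
    erp_by_ref = {row["order_ref"]: row for row in erp_rows}
    findings = {"validity": [], "completeness": [], "accuracy": [], "timeliness": []}
    for order in web_orders:
        ref = order["order_ref"]
        result = erp_by_ref.get(ref)
        if result is None:
            findings["completeness"].append(ref)   # source order never processed
            continue
        if order["customer_id"] not in active_customers:
            findings["validity"].append(ref)       # processed despite failing a business rule
        if any(result[f] != order[f] for f in COMPARED_FIELDS):
            findings["accuracy"].append(ref)       # processed, but values changed in transit
        if result["imported"] - order["received"] > window:
            findings["timeliness"].append(ref)     # processed, but outside the agreed window
    return findings


if __name__ == "__main__":
    print("control output:", import_orders(WEB_ORDERS, ACTIVE_CUSTOMERS))
    print("test findings: ", evaluate_import(WEB_ORDERS, ERP_ROWS, ACTIVE_CUSTOMERS))
```

Applied to the exhibit's facts, only the validity list would be non-empty: every order reached the ERP (completeness), field values matched (accuracy) and all arrived inside 15 minutes (timeliness). The one order W3 shows that a single transaction can breach more than one objective, so the test records each finding separately rather than picking one label per order.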


Question 23

Topic: Security, Confidentiality and Privacy

During a quarterly access review of the payroll system, management noted these facts:

  • Three infrastructure employees use a shared PAYROLL-ADMIN account for emergency fixes.
  • The shared account has valid business justification and is used only for privileged tasks.
  • System logs record actions under PAYROLL-ADMIN but do not identify which individual used the account.
  • All three employees are current personnel and still require elevated access.

Which issue is most directly identified by this access review?

  • A. Excessive access
  • B. Stale accounts
  • C. Weak privileged-access monitoring
  • D. Inappropriate segregation of duties

Best answer: C

Explanation: The review points to weak privileged-access monitoring because a shared administrator account is used and the logs do not show which person performed each privileged action. The facts do not indicate unnecessary access, incompatible duties, or inactive accounts left enabled. Weak privileged-access monitoring exists when elevated activity cannot be effectively tracked, attributed, or reviewed at the individual-user level. Here, the employees still need elevated access, so the issue is not stale accounts or excessive access based on job need. The scenario also does not describe one person having incompatible responsibilities, so segregation of duties is not the main problem. The decisive fact is that privileged changes are logged only under a shared admin ID, which prevents clear accountability and weakens monitoring over high-risk access.
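As an added example (not from the page) serving both Question 16 and this question, the Python below shows what "individually assigned, time-limited elevated access with logging" produces as evidence and how a reviewer would test it. The audit log lines, the shared account names and the checkout records from a hypothetical privileged-access vault are all constructed. Each action logged under a shared account is matched to the individual who had the credential checked out at that moment; any action with no covering checkout is exactly the unattributable privileged activity both exhibits describe.

```python
from datetime import datetime

SHARED_ACCOUNTS = {"prod-admin", "PAYROLL-ADMIN"}

# Constructed audit log (not from the page or any real system). The first two lines
# stand for the EC-417 emergency change; the PAYROLL-ADMIN lines are privileged fixes.
AUDIT_LOG = """\
2025-03-14T21:20:05Z host=app01 user=prod-admin action=config.set key=api.timeout_ms old=3000 new=15000 change=EC-417
2025-03-14T21:21:40Z host=app01 user=prod-admin action=service.restart name=order-api change=EC-417
2025-03-15T02:10:11Z host=pay01 user=PAYROLL-ADMIN action=table.update table=pay_rates rows=3
2025-03-15T02:12:30Z host=pay01 user=mwong action=report.run name=payroll_exceptions
2025-03-15T03:00:00Z host=pay01 user=PAYROLL-ADMIN action=table.update table=employee_bank rows=1
"""

# Constructed checkout records from a hypothetical privileged-access vault: who
# held the shared credential, under which ticket, and for what time window.
PAM_CHECKOUTS = [
    {"account": "prod-admin", "user": "rgarcia", "ticket": "EC-417",
     "start": "2025-03-14T21:15:00Z", "end": "2025-03-14T21:30:00Z"},
    {"account": "PAYROLL-ADMIN", "user": "tnguyen", "ticket": "INC-8812",
     "start": "2025-03-15T02:00:00Z", "end": "2025-03-15T02:30:00Z"},
]


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_line(line):
    """key=value audit line -> dict; keeps the raw timestamp for reporting."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts_raw"] = ts
    fields["ts"] = parse_ts(ts)
    return fields


def review_privileged_activity(log_text, checkouts, shared_accounts):
    """Attribute every action on a shared account to the individual who had the
    credential checked out at that moment. Actions on individual accounts are
    already attributable; shared-account actions with no covering checkout are
    the monitoring gap the review has to report."""
    windows = [{**c, "start": parse_ts(c["start"]), "end": parse_ts(c["end"])}
               for c in checkouts]
    attributed, unattributed = [], []
    for ev in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        if ev["user"] not in shared_accounts:
            attributed.append((ev["ts_raw"], ev["user"], ev["action"], ev["user"]))
            continue
        holder = next((w for w in windows
                       if w["account"] == ev["user"] and w["start"] <= ev["ts"] <= w["end"]),
                      None)
        if holder is None:
            unattributed.append((ev["ts_raw"], ev["user"], ev["action"]))
        else:
            attributed.append((ev["ts_raw"], ev["user"], ev["action"], holder["user"]))
    return {"attributed": attributed, "unattributed": unattributed}


if __name__ == "__main__":
    result = review_privileged_activity(AUDIT_LOG, PAM_CHECKOUTS, SHARED_ACCOUNTS)
    for row in result["attributed"]:
        print("attributed  ", row)
    for row in result["unattributed"]:
        print("UNATTRIBUTED", row)
```

In both exhibits there is no checkout record at all, so every shared-account action would land in the unattributed list; passing an empty checkout list reproduces that outcome. The checkout window is what makes the access time-limited, and the ticket on the checkout is what ties the production activity back to the approved change or incident.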


Question 24

Topic: Considerations for System and Organization Controls Engagements

A CPA is reviewing a SOC 2 Type 2 report for a cloud payroll processor. Which excerpt most clearly belongs in the service auditor’s tests of controls and results section, rather than in management’s assertion, the system description, CUECs, CSOCs, or service commitments?

  • A. Management asserts that the system description is fairly presented and that controls were suitably designed and operated effectively throughout the period.
  • B. For a sample of 40 terminated-user tickets, the auditor inspected evidence of access removal within 24 hours and noted one removal completed after three days.
  • C. The payroll platform receives employer files through an encrypted portal, validates file format, and stores accepted data in a cloud database.
  • D. User entities must promptly notify the provider of terminated employees and review daily payroll exception reports.

Best answer: B

Explanation: The excerpt about sampling terminated-user tickets and noting one late removal is the only choice that reports the service auditor’s procedure and the result of that procedure. Management assertions, system descriptions, CUECs, CSOCs, and service commitments describe claims, system facts, responsibilities, or promises, not audit test results. In a SOC 2 Type 2 report, the tests of controls and results section explains what the service auditor actually tested and what was found. Common clues are the control tested, the procedure performed, the sample or items examined, and any exceptions or deviations noted. Management’s assertion is management’s claim about fair presentation, suitable design, and operating effectiveness. The system description explains the service organization’s system and processing environment. CUECs and CSOCs identify complementary controls expected at user entities or carved-out subservice organizations. Service commitments are promises such as availability, security, or processing expectations. Those items help users understand the system and responsibilities, but they are not the service auditor’s testing results.

In this section

  • CPA ISC: Information Systems and Data Management
    Try 10 focused Certified Public Accountant Information Systems and Controls (CPA ISC) questions on system flow, data governance, data reliability, processing, and IT control context.
  • CPA ISC: Security, Confidentiality and Privacy
    Try 10 focused Certified Public Accountant Information Systems and Controls (CPA ISC) questions on access, safeguards, privacy, confidentiality, incident response, and control objectives.
  • CPA ISC: SOC Engagements and Report Scope
    Try 10 focused Certified Public Accountant Information Systems and Controls (CPA ISC) questions on SOC engagement scope, criteria, complementary controls, report types, and user-entity reliance.
  • Free CPA ISC Full-Length Practice Exam: 82 Questions
    Try 82 free Certified Public Accountant Information Systems and Controls (CPA ISC) questions across the ISC blueprint areas, with answers and explanations, then continue in Mastery Exam Prep.
Revised on Tuesday, May 12, 2026