📘 CPA ISC (Information Systems & Controls) Practice Questions – Part 1 (1–50)
The CPA Information Systems & Controls (ISC) exam tests your knowledge of IT controls, cybersecurity, governance, and risk management. To help you succeed, we’ve created a set of 50 carefully selected practice MCQs with detailed explanations. These questions are designed to reflect real exam scenarios and strengthen your understanding of critical concepts such as SOC reports, access controls, cloud security, IT risk management, and information governance. Whether you’re a CPA candidate in the United States or preparing internationally, these ISC MCQs will give you the confidence and clarity you need.
1. Which of the following is the primary purpose of IT governance?
A) Ensure maximum profit from IT investments
B) Align IT strategy with business objectives ✅
C) Minimize IT staffing costs
D) Eliminate cybersecurity risks
Explanation: IT governance ensures IT supports and aligns with business objectives, not just cost savings or risk elimination.
2. A company adopts the COBIT framework. What is the main benefit?
A) Establish legal compliance
B) Provide guidelines for IT management and governance ✅
C) Reduce hardware costs
D) Eliminate all data breaches
Explanation: COBIT is widely used for IT governance, risk, and compliance.
3. Segregation of duties (SoD) in IT is designed to:
A) Reduce payroll expenses
B) Prevent fraud and errors ✅
C) Increase system speed
D) Centralize all IT functions
Explanation: SoD prevents one individual from having too much control, reducing fraud risks.
4. Which framework focuses on information security controls?
A) COSO
B) NIST ✅
C) ITIL
D) ISO 9001
Explanation: NIST provides standards for information security and cybersecurity.
5. Change management ensures:
A) New IT systems are implemented without approval
B) Unauthorized system updates are allowed
C) All changes are documented, tested, and approved ✅
D) IT projects run faster
Explanation: Change management maintains control and avoids unauthorized changes.
6. Which of the following is a preventive IT control?
A) Firewall rules ✅
B) Audit logs
C) Incident reports
D) Bank reconciliation
Explanation: Firewalls prevent unauthorized access, making them preventive controls.
7. An audit trail in IT is classified as:
A) Preventive control
B) Detective control ✅
C) Corrective control
D) Compensating control
Explanation: Audit trails help detect and trace activity after it occurs.
8. Which of the following is a general IT control?
A) Bank reconciliation
B) Password policies ✅
C) Accounts receivable aging
D) Depreciation calculation
Explanation: General IT controls (GITCs) apply to systems as a whole, such as passwords and access.
9. Disaster recovery planning (DRP) is primarily aimed at:
A) Preventing cyberattacks
B) Restoring IT systems after disruption ✅
C) Increasing revenue
D) Eliminating hardware failures
Explanation: DRP focuses on restoring systems after disasters, not on prevention.
10. Which is an example of a corrective IT control?
A) Intrusion detection system alerts
B) Restoring data from backups ✅
C) Password encryption
D) Firewalls
Explanation: Backups allow correction after an incident.
11. Which control ensures that only authorized users can access systems?
A) Fire suppression
B) Access controls ✅
C) Encryption
D) Backup systems
Explanation: Access control enforces user authentication and authorization.
12. The ITIL framework is mainly concerned with:
A) IT service management ✅
B) Financial reporting
C) Tax compliance
D) Business mergers
Explanation: ITIL provides best practices for IT service delivery.
13. What does the principle of least privilege mean?
A) Users get access to all company systems
B) Users receive the minimum access required for their job ✅
C) All employees share the same credentials
D) Access is unrestricted for efficiency
Explanation: Least privilege reduces security risks by limiting unnecessary access.
14. Encryption is an example of:
A) Detective control
B) Preventive control ✅
C) Corrective control
D) Compensating control
Explanation: Encryption prevents unauthorized access to sensitive data.
15. Which law primarily governs data privacy in the European Union?
A) HIPAA
B) GDPR ✅
C) SOX
D) PCI DSS
Explanation: GDPR governs EU data privacy and protection.
16. Which of the following BEST describes continuous monitoring?
A) Manual monthly reviews
B) Real-time, automated detection of anomalies ✅
C) Annual audits
D) One-time penetration tests
Explanation: Continuous monitoring identifies risks in real time.
17. A company uses two-factor authentication. This is an example of:
A) Detective control
B) Preventive control ✅
C) Corrective control
D) Manual control
Explanation: Multi-factor authentication prevents unauthorized access.
18. Which body regulates IT controls for financial reporting under SOX?
A) SEC ✅
B) PCAOB
C) FASB
D) IASB
Explanation: The SEC enforces compliance; the PCAOB audits the implementation.
19. Which type of control is anti-virus software?
A) Preventive ✅
B) Detective
C) Corrective
D) Compensating
Explanation: Antivirus prevents malware infection.
20. The COSO framework primarily focuses on:
A) IT governance
B) Internal controls for financial reporting ✅
C) Cybersecurity standards
D) IT service management
Explanation: COSO provides a framework for internal control, used widely in auditing.
21. Which of the following is an example of a detective IT control?
A) Password policy
B) Firewall
C) Intrusion detection system (IDS) ✅
D) Encryption
Explanation: IDS detects suspicious activity after it occurs, making it detective.
22. Which type of control is used when outsourcing IT services to a vendor?
A) Detective
B) Compensating ✅
C) Corrective
D) Preventive
Explanation: Compensating controls are alternative controls, often used when outsourcing.
23. The purpose of an IT risk assessment is to:
A) Eliminate all risks
B) Identify and evaluate risks ✅
C) Reduce audit costs
D) Monitor employees
Explanation: Risk assessments identify, analyze, and prioritize risks for treatment.
24. Business continuity planning (BCP) differs from disaster recovery planning (DRP) in that BCP:
A) Focuses only on IT
B) Focuses on keeping overall business operations running ✅
C) Deals only with cyber threats
D) Is not concerned with IT systems
Explanation: BCP covers broader business continuity, while DRP focuses on IT restoration.
25. Which of the following is an example of a physical IT control?
A) Fire suppression systems ✅
B) Intrusion detection system
C) Data encryption
D) Password policies
Explanation: Physical controls include fire suppression, locked rooms, and surveillance.
26. The purpose of a SOC 1 report is to:
A) Provide assurance over service provider controls relevant to financial reporting ✅
B) Assess IT infrastructure speed
C) Report on IT service performance only
D) Evaluate hardware costs
Explanation: SOC 1 reports are focused on financial reporting controls.
27. Which of the following is a SOC 2 Trust Service Principle?
A) Integrity of reporting
B) Security ✅
C) GAAP compliance
D) Audit independence
Explanation: SOC 2 covers security, availability, confidentiality, processing integrity, and privacy.
28. Multi-factor authentication (MFA) combines:
A) Two passwords
B) Two different forms of verification ✅
C) Two biometric scans
D) One password and one hint
Explanation: MFA uses two or more types of authentication (something you know, have, or are).
29. A control designed to ensure data is accurate, complete, and valid at the input stage is called:
A) General IT control
B) Application control ✅
C) Compensating control
D) Corrective control
Explanation: Application controls focus on accuracy and completeness of transactions.
30. Which of the following is an example of a general IT control (GITC)?
A) Reconciliation of bank accounts
B) User access provisioning ✅
C) Approval of journal entries
D) Sales cutoff testing
Explanation: GITCs include access provisioning, change management, and system security.
31. Data classification is primarily used to:
A) Reduce storage costs
B) Assign security levels to data ✅
C) Increase data redundancy
D) Speed up IT audits
Explanation: Data classification helps apply appropriate controls based on data sensitivity.
32. What does PCI DSS regulate?
A) Healthcare information
B) Payment card data security ✅
C) Government tax records
D) Stock exchange reporting
Explanation: PCI DSS protects cardholder data globally.
33. Which of the following ensures that critical systems will continue running after a power outage?
A) Encryption
B) UPS (Uninterruptible Power Supply) ✅
C) Antivirus
D) Password policies
Explanation: UPS provides backup power to prevent downtime.
34. An example of corrective IT control is:
A) Reconfiguring firewalls after a breach ✅
B) Password expiration
C) Intrusion detection system
D) Access provisioning
Explanation: Corrective controls are applied after an incident to restore security.
35. A company encrypts sensitive data at rest and in transit. This is an example of:
A) Preventive control ✅
B) Detective control
C) Corrective control
D) Compensating control
Explanation: Encryption prevents unauthorized data access.
36. In IT governance, “tone at the top” refers to:
A) Senior management support for IT governance ✅
B) IT staff motivation
C) Vendor management
D) Technical manuals
Explanation: Tone at the top reflects leadership’s commitment to IT governance.
37. A penetration test is primarily what type of control?
A) Preventive
B) Detective ✅
C) Corrective
D) Physical
Explanation: Penetration tests detect vulnerabilities before attackers exploit them.
38. The COSO cube’s three dimensions include:
A) Control environment, monitoring, IT management
B) Objectives, components, organizational structure ✅
C) Assets, liabilities, equity
D) Prevention, detection, correction
Explanation: The COSO cube connects objectives, components, and entity levels.
39. System development life cycle (SDLC) controls focus on:
A) IT audits
B) Secure design and implementation of systems ✅
C) Accounting reconciliations
D) Financial reporting compliance only
Explanation: SDLC ensures security and proper controls during system development.
40. A detective control used in network security is:
A) Firewall
B) IDS logs ✅
C) Encryption
D) Role-based access
Explanation: IDS logs are reviewed to detect suspicious network activities.
41. Which of the following is the BEST method for ensuring secure remote access?
A) Strong passwords only
B) VPN with multi-factor authentication ✅
C) Public Wi-Fi
D) Remote desktop without encryption
Explanation: VPN + MFA ensures secure encrypted connections.
42. What is the main purpose of IT risk management?
A) Eliminate all risks
B) Identify, assess, and mitigate risks ✅
C) Increase revenue
D) Approve financial reports
Explanation: Risk management balances risk and control to protect assets.
43. Which of the following is an example of a detective application control?
A) Edit checks on data entry ✅
B) Firewalls
C) Antivirus
D) Backups
Explanation: Edit checks validate accuracy of input data.
44. A data center requires fingerprint access. This is an example of:
A) Logical control
B) Physical control ✅
C) Corrective control
D) Detective control
Explanation: Biometric access is a physical control to secure data centers.
45. What is the role of a “control owner”?
A) Approve IT budgets
B) Maintain and monitor specific IT controls ✅
C) Audit IT controls
D) Eliminate IT risks
Explanation: Control owners ensure specific controls are operating effectively.
46. In cloud computing, shared responsibility means:
A) Vendor controls everything
B) Both customer and provider share security responsibilities ✅
C) Customer controls everything
D) Only auditors manage risks
Explanation: Cloud security is shared between provider and client.
47. Which standard is used for information security management systems (ISMS)?
A) ISO 27001 ✅
B) ISO 9001
C) COSO
D) COBIT
Explanation: ISO 27001 is the global standard for ISMS.
48. Which of the following is NOT a Trust Service Principle under SOC 2?
A) Security
B) Privacy
C) Availability
D) Financial Reporting ✅
Explanation: SOC 2 covers IT security aspects, not financial reporting.
49. The purpose of logical access controls is to:
A) Prevent unauthorized physical entry
B) Restrict digital access to systems and data ✅
C) Secure data centers with locks
D) Control employee salaries
Explanation: Logical access deals with passwords, MFA, and system permissions.
50. The primary objective of internal controls over IT is to:
A) Eliminate all IT risks
B) Provide reasonable assurance of confidentiality, integrity, and availability ✅
C) Reduce IT budget
D) Fully automate all IT functions
Explanation: IT internal controls safeguard data and ensure reliable operations.
You’ve now completed Part 1 of our CPA ISC practice questions (1–50). Mastering these topics will give you a solid foundation in IT governance, risk, and cybersecurity. For full preparation, continue with Part 2 (51–100) and beyond, where we dive deeper into IT operations, monitoring, and advanced security concepts. Bookmark this page and keep practicing daily—consistent practice is the key to CPA exam success.