CPA ISC Practice Questions (Part 2: 51–100) – IT Controls, Risk & Audit MCQs

The CPA ISC (Information Systems and Controls) exam tests a candidate’s ability to evaluate IT controls, cybersecurity frameworks, risk management, and audit processes. Success in this section is crucial for demonstrating expertise in both accounting and information systems. This post presents CPA ISC Practice Questions Part 2 (51–100), focusing on IT governance, risk management, and audit-related controls. Each question is carefully explained to help candidates understand core concepts and prepare effectively for the exam.

CPA ISC Practice Questions (Part 2: 51–100)

Q51. Which of the following best describes the purpose of SOC 1 reports?

A) Evaluate cybersecurity controls
B) Assess internal controls over financial reporting (ICFR)
C) Measure overall IT governance maturity
D) Identify fraud schemes in an organization

Correct Answer: B) Assess internal controls over financial reporting (ICFR)
Explanation: SOC 1 reports focus specifically on controls that are relevant to financial reporting. They are widely used by auditors to assess the reliability of financial statements. SOC 2 and SOC 3, in contrast, emphasize security, availability, processing integrity, confidentiality, and privacy.


Q52. Which type of SOC report is intended for general public use?

A) SOC 1
B) SOC 2 Type I
C) SOC 2 Type II
D) SOC 3

Correct Answer: D) SOC 3
Explanation: SOC 3 reports are designed for broad distribution and can be shared publicly. Unlike SOC 2, which is restricted, SOC 3 summarizes the same trust service criteria but in a less technical format suitable for stakeholders without deep IT knowledge.


Q53. In CPA ISC, which control type is an example of a preventive control?

A) Audit log review
B) Intrusion detection system (IDS)
C) Multi-factor authentication (MFA)
D) Security incident reporting

Correct Answer: C) Multi-factor authentication (MFA)
Explanation: Preventive controls are designed to stop unauthorized access before it occurs. MFA requires additional verification, making it much harder for attackers to compromise accounts. Audit logs and IDS are detective controls, while incident reporting is a corrective control.


Q54. What is the primary purpose of an Intrusion Detection System (IDS)?

A) Block unauthorized access in real-time
B) Monitor and detect suspicious activities
C) Encrypt confidential information
D) Automatically restore lost data

Correct Answer: B) Monitor and detect suspicious activities
Explanation: An IDS monitors network traffic for malicious activities or policy violations and generates alerts. Unlike firewalls or Intrusion Prevention Systems (IPS), an IDS does not block traffic—it only detects and reports.


Q55. In CPA ISC, which framework is most widely used for IT governance?

A) COSO
B) COBIT
C) NIST Cybersecurity Framework
D) ISO 9001

Correct Answer: B) COBIT
Explanation: COBIT (Control Objectives for Information and Related Technologies) is the most recognized framework for IT governance and management. It provides comprehensive principles, objectives, and practices for aligning IT with business goals. COSO relates to financial reporting, while NIST focuses on cybersecurity.


Q56. Which of the following is considered a detective control in IT systems?

A) Firewalls
B) Audit trail analysis
C) Biometric authentication
D) Data encryption

Correct Answer: B) Audit trail analysis
Explanation: Detective controls help discover and identify issues after they have occurred. Audit trail reviews allow organizations to monitor system activities, detect anomalies, and investigate incidents. Preventive controls include firewalls and biometrics, while encryption is a protective safeguard.


Q57. What is the key difference between SOC 2 Type I and SOC 2 Type II reports?

A) Type I evaluates design; Type II evaluates operating effectiveness
B) Type I focuses on privacy; Type II focuses on confidentiality
C) Type I is public; Type II is confidential
D) Type I covers financial reporting; Type II covers cybersecurity

Correct Answer: A) Type I evaluates design; Type II evaluates operating effectiveness
Explanation: SOC 2 Type I reports assess the design of controls at a point in time, while SOC 2 Type II reports test whether those controls operate effectively over a defined period (usually 6–12 months).


Q58. Which of the following best describes logical access controls?

A) Restricting entry to data centers
B) Fire extinguishers in server rooms
C) Password policies and user permissions
D) Power supply redundancy

Correct Answer: C) Password policies and user permissions
Explanation: Logical access controls include mechanisms like passwords, MFA, role-based access, and user authorization. They protect data and systems from unauthorized digital access. Physical access controls, like door locks or fire systems, secure physical infrastructure.


Q59. Which of the following is a corrective control in IT systems?

A) Implementing encryption for sensitive files
B) Backing up and restoring lost data
C) Intrusion prevention systems
D) Role-based access restrictions

Correct Answer: B) Backing up and restoring lost data
Explanation: Corrective controls are designed to mitigate the impact of an incident and restore operations. Backups and recovery procedures ensure business continuity after data loss or breaches. Preventive and detective controls aim to stop or detect incidents.


Q60. Which of the following best describes the purpose of an IT risk assessment?

A) To eliminate all possible risks
B) To identify, analyze, and prioritize risks
C) To provide regulatory compliance reports
D) To generate SOC audit reports

Correct Answer: B) To identify, analyze, and prioritize risks
Explanation: An IT risk assessment helps organizations recognize potential threats, assess their impact, and prioritize risk mitigation strategies. It’s a core component of CPA ISC and aligns with frameworks like COBIT and NIST.


Q61. Which of the following is an example of a physical control?

A) Strong password policy
B) Multi-factor authentication
C) Security cameras in the data center
D) Intrusion detection system

Correct Answer: C) Security cameras in the data center
Explanation: Physical controls protect the actual hardware and facilities from unauthorized access or damage. Logical controls (like passwords) protect digital access, and detective controls (like IDS) detect issues after they occur.


Q62. Which IT governance principle ensures that IT investments are aligned with business objectives?

A) Accountability
B) Strategic alignment
C) Performance measurement
D) Risk optimization

Correct Answer: B) Strategic alignment
Explanation: Strategic alignment ensures that IT activities directly support business goals, maximizing value creation. This is a central theme in COBIT and CPA ISC coverage.


Q63. What is the main objective of change management controls?

A) To speed up system changes
B) To ensure only authorized and tested changes are implemented
C) To prevent all system changes
D) To track employee attendance

Correct Answer: B) To ensure only authorized and tested changes are implemented
Explanation: Change management controls reduce risks associated with system updates by requiring approvals, testing, and documentation before changes go live.


Q64. Which control would best mitigate the risk of unauthorized system access?

A) Firewall configuration
B) Role-based access control (RBAC)
C) Incident reporting system
D) Audit trail review

Correct Answer: B) Role-based access control (RBAC)
Explanation: RBAC restricts user access based on roles, ensuring that employees only access systems necessary for their responsibilities. Firewalls protect networks, while audit trails and incident reporting are detective controls.


Q65. Which of the following is NOT part of the Trust Services Criteria (TSC) in SOC reports?

A) Security
B) Availability
C) Processing integrity
D) Financial materiality

Correct Answer: D) Financial materiality
Explanation: Trust Services Criteria include security, availability, processing integrity, confidentiality, and privacy. Financial materiality is part of financial auditing, not SOC reports.


Q66. What does the term least privilege mean in CPA ISC?

A) Granting full system access to auditors
B) Users are given only the access necessary to perform their job
C) All employees must have admin rights for efficiency
D) Revoking all user permissions after login

Correct Answer: B) Users are given only the access necessary to perform their job
Explanation: The principle of least privilege ensures users cannot access unnecessary systems or data, reducing risks of internal fraud and security breaches.


Q67. Which of the following is a compensating control?

A) Firewall blocking external IP addresses
B) Supervisor review when segregation of duties is not possible
C) Two-factor authentication
D) Antivirus software

Correct Answer: B) Supervisor review when segregation of duties is not possible
Explanation: Compensating controls serve as substitutes when ideal controls (like segregation of duties) cannot be implemented due to cost or practicality.


Q68. Which framework is most closely associated with cybersecurity risk management?

A) COBIT
B) ISO 27001
C) COSO
D) NIST Cybersecurity Framework

Correct Answer: D) NIST Cybersecurity Framework
Explanation: The NIST CSF provides a structured approach for identifying, protecting, detecting, responding, and recovering from cybersecurity incidents. COBIT is broader IT governance, while COSO focuses on financial reporting.


Q69. Which of the following is a key performance indicator (KPI) for IT controls?

A) Number of failed login attempts
B) Employee salary levels
C) Frequency of staff meetings
D) Number of physical office locations

Correct Answer: A) Number of failed login attempts
Explanation: KPIs measure how effectively controls operate. Failed login attempts are a common KPI for evaluating system access controls.


Q70. What is the primary role of a business continuity plan (BCP)?

A) To eliminate all cybersecurity threats
B) To ensure critical operations can continue during a disruption
C) To report incidents to regulators
D) To enforce tax compliance

Correct Answer: B) To ensure critical operations can continue during a disruption
Explanation: A BCP provides strategies for sustaining operations during disasters, including alternative work arrangements, backup systems, and emergency communication.


Q71. Which of the following best describes general IT controls (GITCs)?

A) Controls that apply across all systems and processes
B) Controls specific to one business unit
C) Controls applied only to payroll systems
D) Controls enforced only by regulators

Correct Answer: A) Controls that apply across all systems and processes
Explanation: GITCs (like access controls, change management, backup, and recovery) apply broadly across IT environments, supporting the effectiveness of application controls.


Q72. Which of the following is a corrective security measure?

A) Data backup and restore
B) Password expiration policy
C) Encryption of sensitive data
D) Firewall rules

Correct Answer: A) Data backup and restore
Explanation: Backups and restoration help recover from incidents and are corrective in nature. Encryption, password expiration policies, and firewall rules are all preventive controls.


Q73. Which document specifies roles and responsibilities during an IT disaster?

A) SOC 2 report
B) Incident response plan
C) Business continuity plan
D) Disaster recovery plan

Correct Answer: D) Disaster recovery plan
Explanation: Disaster recovery plans (DRP) focus on restoring IT systems after a disruption, clearly assigning responsibilities to ensure quick recovery.


Q74. What does segregation of duties (SoD) aim to prevent?

A) Loss of company assets due to accidents
B) A single individual having control over incompatible functions
C) Unauthorized third-party audits
D) Business continuity testing

Correct Answer: B) A single individual having control over incompatible functions
Explanation: SoD reduces fraud and errors by dividing responsibilities, such as separating authorization, custody, and record-keeping roles.


Q75. Which type of control ensures evidence of system activity is retained for analysis?

A) Preventive
B) Corrective
C) Detective
D) Compensating

Correct Answer: C) Detective
Explanation: Detective controls, such as logging and monitoring, retain system activity records for later review and incident detection.


Q76. Which of the following is an example of an application control?

A) Automated validation of data entry fields
B) Security guard at the server room
C) Firewall between internal and external networks
D) Air conditioning in the server room

Correct Answer: A) Automated validation of data entry fields
Explanation: Application controls operate at the program level, ensuring completeness, accuracy, and validity of data processing. Physical and logical controls apply at a broader level.


Q77. What is the primary objective of IT governance?

A) Ensure IT supports business goals and adds value
B) Reduce staff turnover
C) Eliminate all cybersecurity risks
D) Meet tax compliance deadlines

Correct Answer: A) Ensure IT supports business goals and adds value
Explanation: IT governance ensures that IT is aligned with strategic objectives, delivering value while managing risks effectively.


Q78. Which of the following is the best control for mitigating phishing attacks?

A) Intrusion prevention system
B) Security awareness training
C) Biometric authentication
D) Audit log reviews

Correct Answer: B) Security awareness training
Explanation: Phishing relies heavily on human manipulation. Employee awareness and training are the most effective defenses against phishing scams.


Q79. Which framework is widely recognized for internal control over financial reporting (ICFR)?

A) NIST
B) COSO
C) COBIT
D) ISO 27001

Correct Answer: B) COSO
Explanation: COSO (Committee of Sponsoring Organizations) provides the leading framework for ICFR, often used in CPA ISC exams alongside IT governance concepts.


Q80. Which of the following best describes availability in IT controls?

A) Ensuring systems are secure against hackers
B) Ensuring information is accessible when needed
C) Protecting data confidentiality from unauthorized users
D) Guaranteeing financial statements are accurate

Correct Answer: B) Ensuring information is accessible when needed
Explanation: Availability is one of the Trust Service Criteria in SOC reports, focusing on systems being operational and accessible within required timeframes.


Q81. Which of the following is a key objective of IT risk management?

A) Eliminating all risks
B) Identifying, assessing, and mitigating IT risks
C) Outsourcing all IT services
D) Preventing employees from using social media

Correct Answer: B) Identifying, assessing, and mitigating IT risks
Explanation: Risk management acknowledges that risks cannot be fully eliminated. Instead, they are identified, assessed, and controlled through mitigation strategies such as controls, insurance, or transfer.


Q82. Which of the following is an example of detective control in IT systems?

A) Intrusion detection system (IDS)
B) Biometric authentication
C) Firewalls
D) Data encryption

Correct Answer: A) Intrusion detection system (IDS)
Explanation: An IDS monitors network traffic and reports suspicious activity. Firewalls, biometric authentication, and data encryption are all preventive controls.


Q83. Which of the following best represents processing integrity in SOC reports?

A) Systems are available when needed
B) Data is complete, accurate, valid, and authorized
C) Confidential information is protected
D) Personal information is kept private

Correct Answer: B) Data is complete, accurate, valid, and authorized
Explanation: Processing integrity ensures system processing is correct, timely, and authorized — a critical CPA ISC concept.


Q84. Which of the following is a limitation of internal controls?

A) They cannot be automated
B) They are subject to management override or collusion
C) They cannot prevent errors
D) They are not required in audits

Correct Answer: B) They are subject to management override or collusion
Explanation: Even strong internal controls can fail due to collusion or management override, which auditors must always consider.


Q85. Which of the following is a preventive measure against unauthorized access?

A) Regular monitoring of logs
B) User training
C) Encryption of passwords and data
D) Incident reporting system

Correct Answer: C) Encryption of passwords and data
Explanation: Encryption prevents data from being read by unauthorized parties. Monitoring and reporting are detective, while training is preventive but people-focused.


Q86. Which of the following frameworks focuses on governance and management of enterprise IT?

A) COBIT
B) COSO
C) NIST CSF
D) ISO 9001

Correct Answer: A) COBIT
Explanation: COBIT provides best practices for IT governance and management. COSO focuses on ICFR, NIST CSF on cybersecurity, and ISO 9001 on quality management.


Q87. Which type of control is a password expiration policy?

A) Preventive
B) Detective
C) Corrective
D) Compensating

Correct Answer: A) Preventive
Explanation: Requiring regular password changes reduces the chance of compromised credentials being exploited.


Q88. Which of the following is the primary purpose of audit logs?

A) Prevent cyberattacks
B) Monitor system activity and support investigations
C) Replace segregation of duties
D) Train employees

Correct Answer: B) Monitor system activity and support investigations
Explanation: Audit logs provide a record of user activity, supporting both real-time monitoring and post-incident investigations.


Q89. In CPA ISC, confidentiality refers to:

A) Ensuring data is available when needed
B) Protecting personal information from unauthorized disclosure
C) Ensuring data is accurate and valid
D) Preventing all cyberattacks

Correct Answer: B) Protecting personal information from unauthorized disclosure
Explanation: Confidentiality ensures sensitive data (like customer information) is only accessible to authorized parties.


Q90. Which of the following would be the best control against unauthorized physical access to a data center?

A) Biometric scanners
B) Passwords
C) Firewalls
D) Antivirus software

Correct Answer: A) Biometric scanners
Explanation: Biometric scanners (e.g., fingerprint, iris recognition) are effective physical access controls. Firewalls and antivirus protect digital assets.


Q91. Which of the following is a key feature of role-based access control (RBAC)?

A) Access based on employee age
B) Access based on organizational role
C) Access based on manager’s discretion only
D) Access granted for unlimited time

Correct Answer: B) Access based on organizational role
Explanation: RBAC ensures employees only have access according to their job functions, reducing risks of excessive privileges.


Q92. Which of the following best represents a business impact analysis (BIA)?

A) A financial audit
B) Identifying critical processes and the impact of disruptions
C) Testing a backup system
D) A staff training program

Correct Answer: B) Identifying critical processes and the impact of disruptions
Explanation: A BIA determines which processes are critical, potential impacts of downtime, and required recovery times.


Q93. Which of the following is an example of compensating control?

A) Independent reconciliation of bank statements
B) Passwords
C) Data encryption
D) Biometric scanners

Correct Answer: A) Independent reconciliation of bank statements
Explanation: If segregation of duties is not feasible, independent review of transactions serves as a compensating control.


Q94. Which of the following is the best detective control for fraudulent transactions?

A) System access restrictions
B) Continuous transaction monitoring
C) Data encryption
D) Backup and restore

Correct Answer: B) Continuous transaction monitoring
Explanation: Continuous monitoring detects unusual or fraudulent transactions, alerting management in real time.


Q95. Which of the following is the main objective of IT general controls (GITCs)?

A) Ensure reliability of IT systems and support application controls
B) Eliminate all risks in IT systems
C) Replace manual processes entirely
D) Provide assurance over business law compliance

Correct Answer: A) Ensure reliability of IT systems and support application controls
Explanation: GITCs like access, backup, and change controls establish a reliable IT environment supporting application-level accuracy.


Q96. Which of the following is an example of a corrective control?

A) Antivirus software quarantining a virus
B) Password policy enforcement
C) Encryption
D) Multi-factor authentication

Correct Answer: A) Antivirus software quarantining a virus
Explanation: Corrective controls act after an incident to limit damage. Preventive controls (like MFA and encryption) reduce risk beforehand.


Q97. Which of the following is a trust service principle relevant to CPA ISC audits?

A) Security
B) Transparency
C) Materiality
D) Efficiency

Correct Answer: A) Security
Explanation: Trust Services Principles are: Security, Availability, Processing Integrity, Confidentiality, and Privacy (not transparency or efficiency).


Q98. Which of the following best represents an incident response plan (IRP)?

A) A strategy for reducing staff turnover
B) A set of procedures for responding to cybersecurity events
C) A financial reporting framework
D) An HR training policy

Correct Answer: B) A set of procedures for responding to cybersecurity events
Explanation: An IRP outlines steps for detecting, containing, eradicating, and recovering from cybersecurity incidents.


Q99. Which of the following would be considered a logical access control?

A) Firewall rules
B) Biometric locks
C) Security guards
D) Server room cameras

Correct Answer: A) Firewall rules
Explanation: Logical access controls protect data and systems digitally (firewalls, authentication). Physical access controls include biometrics and guards.


Q100. Which of the following is the primary benefit of segregation of duties (SoD)?

A) Preventing system downtime
B) Reducing fraud and error risk
C) Ensuring physical security
D) Increasing employee productivity

Correct Answer: B) Reducing fraud and error risk
Explanation: SoD prevents any one individual from controlling incompatible functions, reducing risk of fraud or undetected error.

Completing these 50 questions provides you with a strong foundation in IT risk, controls, and audit procedures tested in the CPA ISC exam. Continue with Part 3 (101–150) to further strengthen your preparation with advanced topics such as data governance, cybersecurity, and assurance services.
