📘 CPA ISC Practice Questions (151–200) with Answers & Explanations
Welcome to CPA ISC Practice Questions Part 4 (151–200). In this section, we bring you high-quality, exam-focused MCQs designed to strengthen your preparation for the Information Systems & Controls (ISC) portion of the CPA exam. Each question is followed by the correct answer and a detailed explanation, helping you understand key concepts instead of just memorizing.
151. Which control helps ensure that only authorized individuals can access sensitive systems?
A) Data masking
B) Identity and Access Management (IAM) ✅
C) Change control
D) Encryption
Answer: B) Identity and Access Management (IAM)
Explanation: IAM ensures only authorized users have access to systems/resources, enforcing least privilege and preventing unauthorized entry.
152. Which of the following best describes a compensating control?
A) An alternative security measure when the primary control is not feasible ✅
B) A preventive control
C) A detective control
D) A redundant control
Answer: A) An alternative security measure
Explanation: Compensating controls provide alternate protection when primary controls cannot be implemented due to cost, feasibility, or other constraints.
153. In ISC audits, which type of evidence is the most reliable?
A) Inquiry of employees
B) Documentation from management
C) Independent third-party confirmations ✅
D) Internal reports
Answer: C) Independent third-party confirmations
Explanation: External confirmations are considered the strongest audit evidence because they are unbiased and independent.
154. Which incident response phase includes identifying lessons learned and improving controls?
A) Containment
B) Eradication
C) Recovery
D) Post-incident analysis ✅
Answer: D) Post-incident analysis
Explanation: After handling incidents, post-incident analysis ensures lessons are applied to strengthen controls and prevent recurrence.
155. Which of the following is a detective control?
A) Firewalls
B) Antivirus software
C) Security Information and Event Management (SIEM) ✅
D) Data encryption
Answer: C) SIEM
Explanation: SIEM tools detect and alert on abnormal behavior or policy violations in real time, making them detective controls.
156. Which risk management method involves buying insurance?
A) Risk acceptance
B) Risk mitigation
C) Risk transference ✅
D) Risk avoidance
Answer: C) Risk transference
Explanation: Insurance shifts financial responsibility for certain risks to a third party.
157. Which of the following is considered a logical access control?
A) Biometric scanner
B) Role-based access control ✅
C) Guard at the door
D) Security badge
Answer: B) Role-based access control
Explanation: Logical controls include software mechanisms like RBAC, which restrict access based on roles.
158. Which framework provides guidance on IT governance and control objectives?
A) COSO
B) COBIT ✅
C) ITIL
D) ISO 27001
Answer: B) COBIT
Explanation: COBIT provides detailed IT governance and control practices aligned with business goals.
159. Which vulnerability is most effectively mitigated by patch management?
A) Insider threats
B) Zero-day attacks
C) Known software flaws ✅
D) Phishing
Answer: C) Known software flaws
Explanation: Patch management addresses security gaps in outdated software to prevent exploitation.
160. What is the PRIMARY purpose of audit logs?
A) Enhance performance
B) Prevent attacks
C) Record and monitor system activities ✅
D) Encrypt sensitive data
Answer: C) Record and monitor system activities
Explanation: Audit logs track activities, providing evidence for monitoring, investigations, and compliance audits.
161. Which of the following best represents segregation of duties?
A) One person authorizes, records, and approves a transaction
B) One person records and another reconciles ✅
C) One person approves and executes payment
D) One person manages all IT functions
Answer: B) One person records and another reconciles
Explanation: Segregation of duties prevents fraud/errors by separating responsibilities between different employees.
162. What does encryption primarily protect?
A) Confidentiality ✅
B) Integrity
C) Availability
D) Accountability
Answer: A) Confidentiality
Explanation: Encryption secures data by making it unreadable to unauthorized parties, ensuring confidentiality.
163. A control designed to automatically shut down unauthorized access attempts is a:
A) Detective control
B) Preventive control ✅
C) Compensating control
D) Corrective control
Answer: B) Preventive control
Explanation: Preventive controls stop errors or unauthorized activity before it occurs.
164. Which law requires auditors to evaluate internal controls over financial reporting?
A) HIPAA
B) SOX (Sarbanes-Oxley Act) ✅
C) GDPR
D) FCPA
Answer: B) SOX
Explanation: The Sarbanes-Oxley Act mandates management and auditors to assess internal control over financial reporting.
165. Which of the following is an example of a physical control?
A) Antivirus software
B) Locked server room ✅
C) Role-based access
D) Intrusion detection system
Answer: B) Locked server room
Explanation: Physical controls restrict physical access to critical assets.
166. Which audit opinion indicates financial statements are fairly presented?
A) Disclaimer
B) Adverse
C) Qualified
D) Unqualified ✅
Answer: D) Unqualified
Explanation: An unqualified opinion means auditors found the statements free of material misstatements.
167. Which framework focuses on privacy management?
A) HIPAA
B) NIST Privacy Framework ✅
C) COBIT
D) ITIL
Answer: B) NIST Privacy Framework
Explanation: NIST’s Privacy Framework helps organizations manage privacy risks systematically.
168. What is the role of hashing in security?
A) Encrypt data
B) Ensure confidentiality
C) Verify integrity ✅
D) Provide availability
Answer: C) Verify integrity
Explanation: Hashing produces a unique fingerprint of data, confirming that it hasn’t been altered.
169. What is the main benefit of penetration testing?
A) Guarantees system security
B) Identifies exploitable vulnerabilities ✅
C) Eliminates insider threats
D) Provides real-time monitoring
Answer: B) Identifies exploitable vulnerabilities
Explanation: Pen testing simulates real-world attacks to discover weaknesses before attackers do.
170. A dual-factor authentication example is:
A) Username + password
B) Password + OTP sent to mobile ✅
C) Password + security questions
D) PIN + password
Answer: B) Password + OTP sent to mobile
Explanation: MFA uses two distinct categories (something you know + something you have) to increase security.
171. Which control type includes antivirus and firewalls?
A) Detective
B) Preventive ✅
C) Corrective
D) Compensating
Answer: B) Preventive
Explanation: These tools prevent malicious activity from succeeding.
172. The COSO cube integrates:
A) Security, integrity, compliance
B) Objectives, components, organizational structure ✅
C) Confidentiality, integrity, availability
D) People, process, technology
Answer: B) Objectives, components, organizational structure
Explanation: COSO’s cube links objectives, internal control components, and entities across an organization.
173. Which of the following best represents a detective control?
A) Background checks
B) Fire suppression systems
C) Log monitoring ✅
D) Password policy
Answer: C) Log monitoring
Explanation: Detective controls identify events that have already occurred.
174. Which security standard is used for credit card data protection?
A) SOX
B) PCI-DSS ✅
C) HIPAA
D) GDPR
Answer: B) PCI-DSS
Explanation: PCI-DSS sets security standards for organizations handling cardholder data.
175. What does the principle of least privilege mean?
A) Users should only have access necessary for their role ✅
B) Users can access everything after authentication
C) Privileged accounts bypass controls
D) Supervisors grant unlimited permissions
Answer: A) Users should only have access necessary for their role
Explanation: Least privilege reduces risks by limiting access strictly to job requirements.
176. In ISC, which control is corrective?
A) Antivirus software
B) Backup restoration ✅
C) Firewall rules
D) Biometric authentication
Answer: B) Backup restoration
Explanation: Corrective controls restore systems after issues occur.
177. Which type of risk arises from inadequate internal processes?
A) Strategic risk
B) Operational risk ✅
C) Compliance risk
D) Financial risk
Answer: B) Operational risk
Explanation: Operational risks stem from failed systems, processes, or human errors.
178. Which of the following describes “whitelisting”?
A) Blocking malicious IP addresses
B) Allowing only approved applications ✅
C) Detecting suspicious activity
D) Encrypting sensitive files
Answer: B) Allowing only approved applications
Explanation: Whitelisting permits only pre-approved software to run, reducing malware risks.
179. A SOC 2 audit primarily evaluates:
A) Security, availability, processing integrity, confidentiality, privacy ✅
B) GAAP compliance
C) Financial transactions accuracy
D) Tax filings
Answer: A) Security, availability, processing integrity, confidentiality, privacy
Explanation: SOC 2 reports assess service providers on five Trust Services Criteria.
180. Which framework provides information security management guidance?
A) ISO 27001 ✅
B) COSO
C) GAAS
D) COBIT
Answer: A) ISO 27001
Explanation: ISO 27001 defines best practices for establishing, maintaining, and improving an ISMS.
181. Which security concept is violated when sensitive information is altered by unauthorized parties?
A) Availability
B) Confidentiality
C) Integrity ✅
D) Authenticity
Answer: C) Integrity
Explanation: Integrity ensures information remains accurate and unaltered.
182. The PRIMARY purpose of business continuity planning is to:
A) Reduce insurance costs
B) Ensure critical operations continue during disruptions ✅
C) Comply with regulations
D) Prevent cyberattacks
Answer: B) Ensure critical operations continue
Explanation: BCP ensures operations remain functional during crises.
183. Which of the following best describes tokenization?
A) Encrypting passwords
B) Replacing sensitive data with unique identifiers ✅
C) Hiding IP addresses
D) Segmenting networks
Answer: B) Replacing sensitive data with unique identifiers
Explanation: Tokenization substitutes sensitive info (e.g., credit card numbers) with tokens that have no exploitable value.
184. Which IT control helps prevent accidental data loss by employees?
A) DLP (Data Loss Prevention) ✅
B) Intrusion detection
C) Encryption
D) VPN
Answer: A) DLP
Explanation: DLP monitors and prevents unauthorized sharing of sensitive data.
185. Which of the following is an example of risk avoidance?
A) Buying insurance
B) Discontinuing a risky product line ✅
C) Installing firewalls
D) Accepting potential losses
Answer: B) Discontinuing a risky product line
Explanation: Risk avoidance means eliminating activities that expose an organization to risk.
186. The PRIMARY purpose of continuous monitoring is:
A) To improve availability
B) To provide real-time risk detection ✅
C) To enhance integrity
D) To increase compliance costs
Answer: B) Real-time risk detection
Explanation: Continuous monitoring helps organizations detect and respond to threats immediately.
187. A control that ensures critical files cannot be deleted by unauthorized users is:
A) Logical access control ✅
B) Detective control
C) Physical safeguard
D) Corrective control
Answer: A) Logical access control
Explanation: Logical access controls prevent unauthorized actions on digital assets.
188. Which standard is commonly applied in auditing internal controls over IT systems?
A) ISO 27001
B) SSAE 18 ✅
C) ITIL
D) COSO
Answer: B) SSAE 18
Explanation: SSAE 18 outlines standards for examining controls relevant to security, availability, and integrity.
189. Which of the following is NOT a key COSO component?
A) Control environment
B) Risk assessment
C) Performance review ✅
D) Monitoring activities
Answer: C) Performance review
Explanation: COSO includes five components: control environment, risk assessment, control activities, information & communication, monitoring.
190. Which risk response involves lowering the probability or impact of risks?
A) Risk acceptance
B) Risk avoidance
C) Risk mitigation ✅
D) Risk transference
Answer: C) Risk mitigation
Explanation: Risk mitigation reduces the impact/probability of risks through safeguards and controls.
191. Which of the following is a detective physical control?
A) Security cameras ✅
B) Locked doors
C) Guard dogs
D) Biometric scanners
Answer: A) Security cameras
Explanation: Cameras record evidence of events after they happen, making them detective controls.
192. What is the PRIMARY role of an IT auditor?
A) Implement controls
B) Operate IT systems
C) Assess effectiveness of controls ✅
D) Write policies
Answer: C) Assess effectiveness of controls
Explanation: IT auditors evaluate whether existing controls function properly.
193. Which method reduces the attack surface by limiting services and applications?
A) Hardening ✅
B) Patch management
C) Logging
D) Encryption
Answer: A) Hardening
Explanation: Hardening reduces risks by removing unnecessary functions and securing configurations.
194. Which document outlines how an organization will recover IT systems after disasters?
A) Incident response plan
B) Business continuity plan
C) Disaster recovery plan ✅
D) Audit report
Answer: C) Disaster recovery plan
Explanation: DRPs detail steps to restore IT systems after disasters.
195. Which of the following is a key benefit of using cloud-based audit tools?
A) Reduced need for internet
B) Increased manual control
C) Scalability and real-time access ✅
D) Decreased security
Answer: C) Scalability and real-time access
Explanation: Cloud tools allow auditors to work efficiently with scalable resources and instant access.
196. Which authentication method is considered strongest?
A) Single-factor
B) Multi-factor ✅
C) Biometric only
D) Passwords
Answer: B) Multi-factor
Explanation: MFA provides layered security by requiring different categories of credentials.
197. Which of the following represents a corrective control?
A) Antivirus quarantining malware ✅
B) Password complexity policy
C) Role-based access
D) Firewall
Answer: A) Antivirus quarantining malware
Explanation: Corrective controls fix issues after they occur, like quarantining infected files.
198. Which is the PRIMARY goal of ISC in CPA exams?
A) IT system performance
B) Compliance with financial reporting and controls ✅
C) Cost reduction
D) Customer engagement
Answer: B) Compliance with financial reporting and controls
Explanation: ISC ensures IT controls support accurate, reliable, and compliant financial reporting.
199. What is the PRIMARY purpose of an audit trail?
A) Improve system performance
B) Provide accountability ✅
C) Reduce system errors
D) Hide sensitive data
Answer: B) Provide accountability
Explanation: Audit trails record system activities, holding users accountable for their actions.
200. Which of the following represents a preventive administrative control?
A) Security policy ✅
B) CCTV cameras
C) Incident reports
D) Backup systems
Answer: A) Security policy
Explanation: Administrative controls like policies and training establish preventive security measures.
This concludes CPA ISC Practice Questions Part 4 (151–200). By practicing with these carefully explained MCQs, you are building a strong foundation in information security, auditing, and compliance, all crucial for the ISC exam. For complete preparation, don’t forget to attempt Part 1 (1–50), Part 2 (51–100), and Part 3 (101–150). Stay tuned for the next part to cover the remaining topics. Consistent practice is the key to success, so keep learning and stay exam-ready!
👉 Next Steps:
- Previous Part: Part 1 (1-50)
- Previous Part: Part 2 (51-100)
- Previous Part: Part 3 (101-150)
- Explore our CPA FAR, REG, AUD, BAR, ISC & TCP Master Sets