
TBS 1 — IT Risk Assessment & Prioritization (20 marks)
Scenario:
ACME Manufacturing is moving from a heavily manual invoicing process to a new ERP module. Management asks you to perform a quick IT risk assessment to identify the top 5 risks and propose mitigation and prioritization for implementation in the next 6 months.
Tasks:
A. Identify five IT risks relating to ERP invoicing rollout. (5 × 1 mark)
B. For the top three risks, propose a specific control or mitigation and explain why it is effective. (3 × 3 marks = 9)
C. Recommend a prioritization approach (how to sequence mitigations) for the 6-month rollout. (6 marks)
Model answer (high level):
A. Five risks:
- Unauthorized access to invoicing module → risk of mis-billing/fraud.
- Data migration errors → inaccurate customer balances.
- Inadequate change testing → production downtime/transaction loss.
- Segregation of duties (SoD) conflicts → single user can create and approve invoices.
- Incomplete audit trail / logging → inability to investigate disputes.
B. Top three risks + controls:
- Unauthorized access → Implement role-based access control (RBAC) with least privilege and enforce MFA for users with financial privileges. Why effective: restricts capability to authorized persons and adds strong authentication to reduce the risk posed by compromised credentials.
- Data migration errors → Use reconciliation scripts and a parallel run: migrate a subset, reconcile totals (customer balances, open invoices), and keep a rollback plan. Why effective: ensures data fidelity and allows correction before cutover.
- SoD conflicts → Configure application roles to separate invoice creation, billing approval, and payment posting; enforce compensating controls (e.g., dual approvals) where the application cannot enforce the separation. Why effective: prevents single-user fraud and aligns with COSO principles of control activities.
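The SoD control above is testable: an access review can check every user's effective permissions against a list of toxic combinations. The block below is an added example (not ACME's or any ERP vendor's code); the role names, permission names, conflict rules and user assignments are constructed for illustration, and it also catches a single role that bundles conflicting permissions, not just conflicts across roles.

```python
"""Segregation-of-duties (SoD) conflict check for ERP invoicing roles.

Added example; role/permission names and assignments are constructed.
"""

# Constructed role-to-permission map for the invoicing module.
ROLE_PERMISSIONS = {
    "AR_CLERK": {"invoice.create", "invoice.edit"},
    "AR_SUPERVISOR": {"invoice.approve"},
    "TREASURY": {"payment.post"},
    "AR_ADMIN": {"invoice.create", "invoice.approve", "payment.post"},  # bundles conflicts
}

# Permission pairs that must never be held by one person (create / approve / post).
CONFLICT_RULES = [
    ({"invoice.create", "invoice.approve"}, "create and approve own invoices"),
    ({"invoice.approve", "payment.post"}, "approve invoices and post their payments"),
    ({"invoice.create", "payment.post"}, "create invoices and post their payments"),
]

def effective_permissions(user_roles, role_permissions=ROLE_PERMISSIONS):
    """Union of permissions granted by all of a user's roles."""
    perms = set()
    for role in user_roles:
        perms |= role_permissions.get(role, set())
    return perms

def sod_conflicts(user_roles, rules=CONFLICT_RULES, role_permissions=ROLE_PERMISSIONS):
    """Return [(sorted permission pair, description)] for every rule the user violates."""
    perms = effective_permissions(user_roles, role_permissions)
    return [(tuple(sorted(pair)), desc) for pair, desc in rules if pair <= perms]

def review_assignments(assignments):
    """Map user -> violated rules; users with no conflicts are omitted."""
    report = {}
    for user, roles in assignments.items():
        hits = sod_conflicts(roles)
        if hits:
            report[user] = hits
    return report

# Constructed user-to-role assignments for the access review.
ASSIGNMENTS = {
    "alice": ["AR_CLERK"],
    "bob": ["AR_SUPERVISOR"],
    "carol": ["AR_CLERK", "AR_SUPERVISOR"],  # conflict arises across two roles
    "dave": ["AR_ADMIN"],                    # conflict built into one role
}

if __name__ == "__main__":
    for user, hits in review_assignments(ASSIGNMENTS).items():
        for pair, desc in hits:
            print(f"{user}: {desc} ({' + '.join(pair)}) -> split roles or require dual approval")
```

Users flagged by the review either lose one of the roles or are covered by a documented compensating control such as dual approval.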
C. Prioritization approach (6 marks):
1. Controls that prevent major financial loss first (RBAC + MFA, SoD remediations).
2. Controls ensuring integrity of financial data (data migration reconciliation, master data validation).
3. Controls for availability and testing (comprehensive UAT, fallback procedures).
- Use a risk/value matrix: score impact × likelihood; remediate high impact/high likelihood first. Include quick wins (low effort/high impact) to reduce immediate exposure. Build a cutover checklist and a 30/60/90 day monitoring plan.
Examiner guidance: Aim for concise bullet lists. Reference risk scoring and COSO control objectives. (Max 20 minutes.)
TBS 2 — Access Control Incident (20 marks)
Scenario:
Finance reports suspicious edits to historical invoices. Logs show an admin account was used outside business hours. The admin claims credentials were compromised. Management asks you to investigate and recommend immediate and longer-term controls.
Tasks:
A. Outline the investigation steps to determine whether the account was compromised or misused. (6 marks)
B. Recommend immediate containment actions. (4 marks)
C. Propose long-term controls (policy + technical) to prevent recurrence. (10 marks)
Model answer:
A. Investigation steps:
- Preserve logs and snapshot system images (for chain of custody).
- Review audit logs: source IP, time stamps, actions performed.
- Correlate with network logs/VPN logs to see origin.
- Check admin workstation for malware/credential theft (forensic scan).
- Interview admin about activity and credential handling.
- Check for privilege escalation traces and other suspicious accounts.
B. Immediate containment:
- Disable the admin account (or force password reset + revoke sessions).
- Block identified IP addresses and require reauthentication for privileged sessions.
- Implement an elevated-privilege review for recent changes; reverse unauthorized edits if needed.
C. Long-term controls:
- Technical: Enforce MFA for all privileged accounts; implement privileged access management (PAM) with session recording; reduce the number of shared admin accounts; implement time-based access windows; centralize logging in a SIEM with alerting for out-of-policy admin access.
- Policy/process: Formalize privileged account policy, periodic access recertification, least privilege principle, mandatory incident response playbook, staff training on phishing and credential hygiene.
- Monitoring: Real-time alerts for after-hours admin activity and threshold-based anomaly detection.
Examiner tips: Emphasize defensible forensic steps (preserve evidence) and prioritize stop-gap containment first, then root-cause controls.
TBS 3 — Change Management & Segregation (20 marks)
Scenario:
During a recent patch deployment to the billing server, production invoices were delayed. The deployment was executed outside the change window without CAB approval. Management wants: the root cause, remedial steps, and a recommended change governance model.
Tasks:
A. Identify root causes based on the scenario (4 marks).
B. Suggest three remedial steps to restore trust and service. (6 marks)
C. Design a lightweight change governance model suitable for a medium-sized firm. (10 marks)
Model answer:
A. Root causes:
- Deviation from authorized change window/CAB approval.
- Lack of automated rollback or insufficient testing in pre-prod.
- Missing emergency change procedures and poor communication.
B. Remedial steps:
- Roll back the patch, or apply a hotfix if rollback is not possible.
- Reconcile delayed invoices and run catch-up processing with monitoring.
- Post-change review and incident report; notify stakeholders and put temporary compensating controls in place.
C. Lightweight change governance model:
- Change categories: Standard (pre-approved, low risk), Normal (CAB approval), Emergency (expedited but documented).
- CAB composition: cross-functional (IT ops, application owner, security, finance rep for billing changes). Virtual CAB allowed for rapid response.
- Pre-deployment requirements: test plan, rollback plan, impact assessment, backout window, automated test suite pass.
- Post-deployment: mandatory post-implementation review within 48–72 hrs; telemetry/health checks; change log and lessons learned.
- Automation: Use CI/CD pipelines with approval gates; maintain version control and one-click rollback.
- KPIs: change success rate, emergency change count, mean time to recovery (MTTR).
Why this works: Balances governance with agility; ensures controls and accountability while permitting emergency fixes.
TBS 4 — Encryption & Data Classification (20 marks)
Scenario:
A payroll file containing SSNs was emailed to an external consultant without encryption. HR claims urgency. Management wants policy, immediate mitigation, and a recommended encryption key management approach.
Tasks:
A. List immediate mitigation steps to reduce exposure. (5 marks)
B. Propose a data classification scheme and how it maps to encryption requirements. (7 marks)
C. Recommend a key management approach (on-prem / cloud / HSM) and justify. (8 marks)
Model answer:
A. Immediate mitigations:
- Request that the recipient delete the file and confirm deletion (put it in writing).
- Revoke access (if a shared link was used), disable credentials used, and rotate any exposed keys/passwords.
- Retrieve logs to confirm file access/downloads; preserve evidence.
- Notify the privacy officer and follow the breach disclosure policy (SSNs are PII).
- Reissue the file securely (SFTP, encrypted email, or password-protected file with out-of-band password delivery).
B. Data classification (example):
- Public: no encryption required.
- Internal: optional encryption in transit.
- Confidential/Restricted: Personally Identifiable Information (PII), payroll, SSNs → encryption at rest + in transit, strict access controls, MFA.
Mapping: Confidential → AES-256 at rest, TLS 1.2+ in transit, restricted access logging, DLP rules to block outgoing PII via uncontrolled channels.
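The DLP rule in the mapping above can be expressed as a content check that reclassifies a file as Confidential when it contains SSNs and blocks it on any channel that is not approved for that level. The block is an added example, not ACME's or any DLP product's code; the SSN pattern, the approved-channel list and the sample payloads are constructed assumptions.

```python
"""Classify outbound content and enforce the channel policy for Confidential data.

Added example; pattern, channel list and sample payloads are constructed.
"""
import re

# SSN shape (3-2-4 digits, optional separators); area 000/666/9xx, group 00 and
# serial 0000 are never issued, so they are excluded to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")

# Channels that give encryption in transit plus access logging (assumed policy).
CONTROLLED_CHANNELS = {"sftp", "encrypted_email"}

def ssn_count(text):
    """Number of SSN-shaped values found in the text."""
    return len(SSN_RE.findall(text))

def classify(text, declared="Internal"):
    """Content-based classification: any SSN forces Confidential, else the declared level."""
    return "Confidential" if ssn_count(text) else declared

def outbound_decision(text, channel, declared="Internal"):
    """Allow or block a transfer based on classification and channel."""
    level = classify(text, declared)
    if level == "Confidential" and channel not in CONTROLLED_CHANNELS:
        return {"level": level, "action": "block",
                "reason": f"{ssn_count(text)} SSN(s) found; '{channel}' is not approved for Confidential data"}
    if level == "Confidential":
        return {"level": level, "action": "allow", "reason": f"'{channel}' is approved for Confidential data"}
    return {"level": level, "action": "allow", "reason": "no restricted data detected"}

# Constructed sample payloads: a payroll extract and a harmless notice.
PAYROLL_CSV = "emp_id,name,ssn,net_pay\n1001,J Doe,123-45-6789,2500.00\n1002,A Roe,456 78 9012,2700.00\n"
NEWSLETTER = "Q3 all-hands is on Friday. Order total 12345.67 was approved yesterday.\n"

if __name__ == "__main__":
    for name, text in (("payroll.csv", PAYROLL_CSV), ("notice.txt", NEWSLETTER)):
        for channel in ("email", "sftp"):
            d = outbound_decision(text, channel)
            print(f"{name} via {channel}: {d['action']} ({d['level']}: {d['reason']})")
```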
C. Key management recommendation:
- Use a managed Key Management Service (KMS) + HSM for high-value keys. For example: cloud KMS with customer-managed keys stored in HSM (FIPS 140-2 validated).
- Why: centralizes the key lifecycle (rotation, revocation), integrates with encryption services, and offers audit trails and physical protection. For the highest assurance for SSNs, use an on-prem/private HSM or a cloud HSM with dedicated tenancy, depending on regulatory needs. Ensure separation of duties: ops cannot retrieve keys without dual authorization.
Examiner note: Mention regulatory sensitivity (PII laws) and recommend DLP and staff training to prevent recurrence.
TBS 5 — Business Continuity & Backup Validation (20 marks)
Scenario:
After a localized flood, the company’s primary data center was offline for 48 hours. Backups exist but management is unsure of their recoverability. You’re asked to draft an immediate backup validation checklist and propose BCP improvements.
Tasks:
A. Provide a backup validation checklist (8 items). (8 marks)
B. Recommend three BCP improvements with rationale (6 marks).
C. Outline RTO and RPO framework for transactional systems vs. archival systems. (6 marks)
Model answer:
A. Backup validation checklist (8):
- Verify backup job success logs and integrity checks (checksums).
- Restore a sample backup to an isolated environment (test restore).
- Validate database consistency and application-level verification (test transactions).
- Confirm backups include configuration, system state, and application binaries.
- Check offsite copy accessibility and network connectivity.
- Test recovery time to restore to production-like environment.
- Verify backup retention policy matches retention/compliance requirements.
- Maintain restoration documentation and recovery runbook.
B. BCP improvements:
- Geographic redundancy: replicate critical systems to secondary data center (or cloud region). Why: reduces single-site risk.
- Automated failover testing: scheduled DR drills with stakeholders. Why: ensures people/processes work, avoids surprises.
- Immutable backups + air-gapped copies: to protect against corruption/ransomware. Why: ensures restore point is clean.
C. RTO/RPO framework:
- Transactional (invoicing, payment): RTO < 4 hours, RPO ≤ 15 minutes (near-real-time replication).
- Archival (historical reports): RTO = 24–72 hours, RPO = 24 hours.
Set SLAs based on business impact analysis and cost/benefit tradeoffs.
TBS 6 — Third-Party Vendor Risk (20 marks)
Scenario:
A cloud analytics provider processes customer data. You must evaluate vendor risk and design contract clauses and monitoring to ensure security and compliance.
Tasks:
A. List five vendor risk factors to evaluate. (5 marks)
B. Draft four essential contract clauses (data protection, audit rights, breach notification, liability/indemnity). (8 marks)
C. Propose an ongoing monitoring plan. (7 marks)
Model answer:
A. Five vendor risk factors:
- Data classification & segregation practices.
- Encryption and key management.
- Access controls and personnel background checks.
- Incident response capability and breach history.
- Sub-processor/subcontractor usage and geographic location.
B. Four essential contract clauses (short drafts):
- Data protection: Vendor must process personal data only per instruction, maintain encryption at rest/in transit, and comply with applicable privacy laws (e.g., GDPR/CCPA where relevant).
- Audit & assessment rights: Client may conduct audits or request third-party SOC2/ISO27001 reports annually. Vendor must remediate findings within agreed timeframes.
- Breach notification: Vendor must notify client within 24 hours of detecting a breach, provide impact analysis, remediation plan, and offer cooperation for notifications.
- Liability/indemnity: Vendor accepts liability for negligence, with capped amounts for direct damages and carve-outs for gross negligence or willful misconduct; include data breach indemnity.
C. Monitoring plan:
- Require SOC2 Type II / ISO27001 evidence and review annually.
- Quarterly SLAs & performance reports; automated alerts on security events.
- Annual vulnerability scanning & penetration testing evidence; periodic on-site/remote assessments.
- Maintain vendor register with risk scoring; re-assessment triggers for changes in service or incident history.
Exam tip: Link contract clauses to mitigation of identified risk factors.
TBS 7 — ITGC Assessment for SOX (20 marks)
Scenario:
You are assessing IT General Controls (ITGCs) for a company in support of SOX testing. The following controls exist: logical access review, change management, backup & restore, segregation of duties, and IT operations runbooks. You find occasional exceptions in timely access recertification.
Tasks:
A. Explain how ITGC deficiencies can affect financial statement controls. (6 marks)
B. For the access recertification deficiency, propose remediation and compensating controls until remediation is complete. (8 marks)
C. Recommend testing procedures an auditor should perform for ITGC effectiveness. (6 marks)
Model answer:
A. Impact of ITGC deficiencies:
Weak ITGCs (e.g., access controls) can lead to unauthorized transactions, incorrect data processing, or improper segregation of duties — which undermines application controls and thus the reliability of financial reporting. Auditors cannot rely on automated application controls without effective ITGCs.
B. Remediation & compensating controls:
- Remediation: Implement automated workflows for access recertification with reminders and escalation; enforce quarterly certification reviews; integrate with IAM.
- Compensating controls: Temporary manual user access review with independent reviewer (e.g., internal audit or control owner), increase monitoring of privileged activity, require dual sign-offs on high-risk financial transactions.
C. Testing procedures:
- Inspect access recertification logs and evidence of reviewer approvals.
- Re-perform access recertification for sample users.
- Review change management tickets and reconcile to production changes.
- Test backup/restore via sample restore.
- Observe physical/logical access controls and inspect runbooks; test incident logging and response.
Exam guidance: Connect deficiencies to control objectives (completeness, accuracy, authorization). Provide concrete sampling/testing steps.
TBS 8 — Logging, Monitoring & SIEM Use Case (20 marks)
Scenario:
Company plans to deploy a SIEM to detect threats across cloud workloads and on-prem servers. You are asked to draft three use cases, minimum log sources to collect, and KPIs to monitor SIEM effectiveness.
Tasks:
A. Provide three SIEM use cases with detection logic. (9 marks)
B. List minimum log sources required for those use cases. (6 marks)
C. Suggest four KPIs to measure SIEM performance. (5 marks)
Model answer:
A. SIEM use cases (3 × 3):
- Compromised credentials: Detection logic: multiple failed logins followed by a successful login from an uncommon geo/IP, then a privileged action within a short window.
- Data exfiltration via cloud storage: Detection logic: large volume of outbound data during non-business hours or to new external IPs; unusual use of storage APIs.
- Unauthorized configuration changes: Detection logic: creation/modification of IAM roles, opening of inbound firewall rules, or changes to S3 bucket ACLs outside the change window.
B. Minimum log sources:
- Authentication logs (AD/IdP).
- Cloud audit logs (AWS CloudTrail / Azure Monitor).
- Network perimeter logs (firewall, proxy).
- Endpoint detection logs (EDR).
- Application logs for critical apps (ERP invoicing).
- SIEM ingest of change management tool events (optional).
C. KPIs:
- Mean Time to Detect (MTTD).
- Mean Time to Respond (MTTR).
- False positive rate (alerts triaged / total alerts).
- Coverage % (percentage of critical assets with logging enabled).
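The "compromised credentials" use case above, and the after-hours admin alert recommended in TBS 2, can both be written as rules over normalised authentication and application events. The block below is an added example (not ACME's code and not any SIEM vendor's rule syntax) that runs both rules over constructed events; the field names, thresholds, business hours and known-IP baseline are assumptions.

```python
"""Two SIEM detection rules over constructed log events (added example).

Field names, thresholds, baselines and the events themselves are assumptions.
"""
from datetime import datetime, timedelta

# Constructed, already-normalised events; a real SIEM parses these from AD/IdP, VPN and app logs.
EVENTS = [
    {"ts": "2024-03-04T02:10:00", "user": "admin1", "event": "login_failed", "ip": "203.0.113.9"},
    {"ts": "2024-03-04T02:10:20", "user": "admin1", "event": "login_failed", "ip": "203.0.113.9"},
    {"ts": "2024-03-04T02:10:40", "user": "admin1", "event": "login_failed", "ip": "203.0.113.9"},
    {"ts": "2024-03-04T02:11:05", "user": "admin1", "event": "login_success", "ip": "203.0.113.9"},
    {"ts": "2024-03-04T02:14:00", "user": "admin1", "event": "privileged_action", "ip": "203.0.113.9", "detail": "invoice.edit INV-0042"},
    {"ts": "2024-03-04T09:30:00", "user": "admin2", "event": "login_success", "ip": "10.0.0.5"},
    {"ts": "2024-03-04T09:31:00", "user": "admin2", "event": "privileged_action", "ip": "10.0.0.5", "detail": "role.update"},
]
KNOWN_IPS = {"admin1": {"10.0.0.4"}, "admin2": {"10.0.0.5"}}  # assumed per-user source-IP baseline

def _t(e):
    return datetime.fromisoformat(e["ts"])

def compromised_credentials(events, known_ips, min_failures=3,
                            fail_window=timedelta(minutes=10), action_window=timedelta(minutes=15)):
    """Failed logins, then a success from an unknown IP, then a privileged action soon after."""
    alerts, by_user = [], {}
    for e in sorted(events, key=_t):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["event"] != "login_success" or e["ip"] in known_ips.get(user, set()):
                continue  # only successes from outside the user's baseline matter
            failures = [f for f in evs[:i] if f["event"] == "login_failed" and _t(e) - _t(f) <= fail_window]
            if len(failures) < min_failures:
                continue
            priv = [p for p in evs[i + 1:] if p["event"] == "privileged_action" and _t(p) - _t(e) <= action_window]
            if priv:
                alerts.append({"rule": "compromised_credentials", "user": user, "ip": e["ip"],
                               "failures": len(failures), "action": priv[0].get("detail")})
    return alerts

def after_hours_admin(events, admins, start_hour=8, end_hour=18):
    """Privileged action by an admin outside assumed business hours or on a weekend."""
    alerts = []
    for e in events:
        if e["user"] in admins and e["event"] == "privileged_action":
            t = _t(e)
            if not (start_hour <= t.hour < end_hour) or t.weekday() >= 5:
                alerts.append({"rule": "after_hours_admin", "user": e["user"], "ts": e["ts"], "action": e.get("detail")})
    return alerts

def run_rules(events=EVENTS):
    """Run both rules; admins are taken to be the users with a baseline entry."""
    return compromised_credentials(events, KNOWN_IPS) + after_hours_admin(events, set(KNOWN_IPS))
```

Each alert carries the user, source IP and action, which is what the investigation steps in TBS 2 need first.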
These CPA ISC TBS replicate real exam demands: you must identify control issues quickly, recommend prioritized, testable remediation, and reference standards (COSO/COBIT/NIST where applicable). Practice structuring answers: Issue → Impact → Recommendation → Rationale. Save this page and time yourself: aim for 20–30 minutes per TBS. If you want, I’ll convert these into printable TBS worksheets, timed exam simulators, or add model marking rubrics for instructors.