
Ultimate Guide to the ISC Section: CPA Exam Blueprint and Study Resources

Area I - Information Systems and Data Management (35–45%)

Content group/topic | Skill (Remembering & Understanding / Application / Analysis / Evaluation) | Representative Task
A. Information systems
1. IT infrastructure
Explain the purpose and recognize examples of key components of IT architecture (e.g., operating systems, servers, network infrastructure, end-user devices).
Explain cloud computing, including cloud computing models (infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS)) and deployment models (e.g., public, private, hybrid).
Summarize the role and responsibilities of cloud service providers.
Explain how the COSO frameworks address cloud computing governance.
2. Enterprise and accounting information systems
Summarize enterprise resource planning (ERP) and accounting information systems, what they encompass and how they interact.
Explain how the COSO internal control framework can be used to evaluate risks related to the use of blockchain in the context of financial reporting and to design and implement controls to address such risks.
Determine potential changes to business processes to improve the performance of an accounting information system (e.g., robotic process automation, outsourcing, system changes).
Reconcile the actual sequence of steps and the information, documents, tools and technology used in a key business process of an accounting information system (e.g., sales, cash collections, purchasing, disbursements, human resources, payroll, production, treasury, fixed assets, general ledger, reporting) to the documented process (e.g., flowchart, business process diagram, narrative).
Detect deficiencies in the suitability or design and deviations in the operation of controls related to an information system’s processing integrity in a SOC 2® engagement using the Trust Services Criteria.
3. Availability
Recall the scope, purpose and key considerations for business resiliency, disaster recovery and business continuity plans.
Explain the objectives of mirroring and replication.
Summarize steps in a business impact analysis.
Recall measures of system availability (e.g., agreed service time, downtime).
Determine the appropriateness of the organization’s data backup types (e.g., full, incremental, differential) including recovery considerations.
Detect deficiencies in the suitability or design and deviations in the operation of controls related to a service organization’s availability service commitments and system requirements in a SOC 2® engagement using the Trust Services Criteria.
4. Change management
Explain the purpose of change management related to internal hardware and software applications, including the risks and the different types of documentation used (e.g., system component inventory, baseline configuration).
Explain the different environments used (e.g., development, staging, production) and the types of tests performed (e.g., unit, integration, system, acceptance).
Explain the approaches that can be used when converting to a new information system (e.g., direct, parallel, pilot).
Explain patch management.
Test the design and implementation of change control policies (e.g., acceptance criteria, test results, logging, monitoring) for IT resources (e.g., applications, infrastructure components, configurations) in organizations, including those that have adopted continuous integration and continuous deployment processes.
B. Data management
Identify data collection methods and techniques.
Define the various types of data storage (e.g., data warehouse, data lake, data mart) and database schemas (e.g., star, snowflake).
Summarize the data life cycle (i.e., the span of the use of information, from creation, through active use, storage and final disposition).
Examine a relational database’s structure to determine whether it applies data integrity rules, uses a data dictionary, and normalizes the data.
Examine a standard SQL query (common commands, clauses, operators, aggregate functions and string functions) to determine whether the retrieved data set is relevant and complete.
Integrate the data available from different data sources to provide information necessary for financial and operational analysis and decisions.
Investigate a business process model (e.g., flowchart, data flow diagram, business process model and notation (BPMN) diagram) to identify potential improvements.

Area II – Security, Confidentiality and Privacy (35–45%)

A. Regulations, standards and frameworks
Recall the covered entities and permitted uses and disclosures of the HIPAA Security and Privacy Rules.
Recall the scope of the GDPR and the six principles and key concepts for personal data.
Recall the requirements of the PCI DSS.
Recall the three parts of the NIST CSF (Framework Core, Framework Implementation Tiers, Framework Profiles).
Recall the three parts of the NIST Privacy Framework (Framework Core, Framework Profiles, Framework Implementation Tiers).
Recall the purpose, applicability, target audience and organizational responsibilities of NIST SP 800-53.
Recall the overview of each CIS Control.
Recall the governance system principles, governance framework principles and the components of a governance system according to COBIT 2019.
B. Security
1. Threats and attacks
Classify the different types of threat agents (e.g., internal or external, nation or non-nation state-sponsored, adversary, threat actors, attacker or hacker).
Identify types of attacks (e.g., physical, distributed denial of service, malware, social engineering, web application attacks, mobile device attacks).
Identify techniques used in a cyber-attack (e.g., buffer overflow, mobile code, cross-site scripting, SQL injections, race conditions, covert channel, replay and return-oriented attack).
Explain the stages in a cyber-attack (e.g., reconnaissance, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
Identify the cybersecurity risks related to using cloud environments, platforms and services.
Identify the cybersecurity risks related to the Internet of Things (IoT).
Identify the cybersecurity risks related to mobile technologies.
Explain threat modeling and threat landscape.
Determine the specific cybersecurity threats in an organization’s connections with customers, vendors and partner organizations.
Determine the specific cybersecurity threats to an organization’s on-premise and cloud-based applications, networks and connected devices (e.g., mobile and Internet of Things (IoT) devices).
2. Mitigation
Identify ways to protect networks and devices used to access the network remotely (e.g., isolation and segmentation, virtual private network (VPN), wireless network security, endpoint security, system hardening, intrusion prevention and detection systems).
Recall the definition and purpose of vulnerability management.
Explain the concepts of layered security and defense-in-depth.
Define the concepts of least-privilege, zero-trust, whitelisting and the need-to-know principle.
Recall the purpose and content of a technology acceptable use policy including considerations specific to mobile technologies and bring-your-own-device (BYOD).
Explain how the COSO frameworks can be used to assess cyber risks and controls.
Determine the common preventive, detective or corrective controls (e.g., intrusion prevention systems, device and software hardening, log analysis, intrusion detection systems, virus quarantining, patches) to mitigate risk of cyber-attacks for an organization.
Determine the appropriate identification and authentication techniques and technologies (e.g., password management, single sign-on, multi-factor authentication, personal identification number (PIN) management, digital signatures, smart cards, biometrics) in a specific scenario.
Determine the appropriate authorization model (e.g., discretionary, role-based, mandatory) and the controls (e.g., access control list, account restrictions, physical barriers) used to implement the model in a specific scenario.
3. Testing
Perform procedures to obtain an understanding of how the entity communicates information to improve security knowledge and awareness and models appropriate security behaviors for personnel through a security awareness training program.
Provide input into a security assessment report by documenting the issues, findings and recommendations identified while performing tests of controls.
Perform a walkthrough of an organization’s procedures relevant to IT security (e.g., IT risk management, human resources, training and education) and compare the observed procedure with the documented policy requirement.
Detect deficiencies in the suitability or design and deviations in the operation of controls related to a service organization’s security service commitments and system requirements in a SOC 2® engagement using the Trust Services Criteria.
C. Confidentiality and privacy
Explain encryption fundamentals, techniques and applications.
Recall the differences between confidentiality and privacy.
Identify methods for the protection of confidential data during the design, development, testing and implementation of applications that use confidential data (e.g., data obfuscation, tokenization).
Explain Data Loss Prevention (DLP).
Identify financial and operational implications of a data breach.
Determine controls and data management practices to securely collect, process, store, transmit and delete confidential data or data subject to privacy regulations.
Detect deficiencies in the suitability or design and deviations in the operation of controls related to a service organization’s confidentiality and privacy service commitments and system requirements in a SOC 2® engagement using the Trust Services Criteria.
D. Incident response
Recall the differences between security/cybersecurity events and incidents.
Explain the use of insurance as a mitigation strategy for a security incident or data breach.
Summarize contents commonly included in incident response plans (e.g., roles, responsibilities, methods, steps, timelines).
Perform procedures to test whether the entity responded to cybersecurity incidents in accordance with the incident response plan.

Area III – Considerations for System and Organization Controls (SOC) Engagements (15–25%)

A. Considerations specific to planning and performing a SOC engagement
Explain the purpose of the Trust Services Criteria and its organization (e.g., alignment with the COSO Internal Control – Integrated Framework, supplemental criteria, common criteria and additional specific criteria).
Recall the types of subject matters a practitioner may be engaged to report on using the Trust Services Criteria.
Identify management assertions specific to the different categories and types (Type 1 and Type 2) of SOC engagements (SOC 1®, SOC 2®, SOC 3®).
Recall the intended users of SOC 1®, SOC 2® and SOC 3® reports.
Summarize the independence considerations between the service auditor, service organization and subservice organizations.
Explain how materiality is determined and used in performing a SOC engagement (SOC 1®, SOC 2®).
Identify the risk assessment requirements for a service organization and the service auditor.
Summarize the criteria for a vendor to be considered a subservice organization.
Explain the considerations for deciding between, and use of, the inclusive and carve-out method for subservice organizations and complementary subservice organization controls (CSOCs).
Define service commitments and system requirements in a SOC 2® engagement and how they correspond to an entity’s objectives referred to in the Trust Services Criteria.
Recall the impact of subsequently discovered facts on the SOC engagement (SOC 1®, SOC 2®).
Explain the purpose and common sections of a system description subject to SOC 1® or SOC 2® engagements.
Recall the Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program.
Explain the purpose of complementary user entity controls (CUECs) identified by service organization management in their system description.
Recall requirements about obtaining management’s written representations in a SOC engagement (SOC 1®, SOC 2®).
Obtain an understanding of the system addressed by a SOC 2® engagement, including the clear identification of the boundaries of the system as defined by the service organization.
Perform procedures to obtain an understanding of how a service organization provides its personnel and external users information on how to report failures, incidents, concerns and other complaints related to a system subject to a SOC 2® engagement.
Prepare a comparison of management’s system description to suitable criteria in a SOC 1® engagement or to the description criteria in a SOC 2® engagement.
Determine the effect of subsequent events in a SOC 1® or SOC 2® engagement.
B. Considerations specific to reporting on a SOC engagement
Explain the effect of CUECs on the SOC report (SOC 1®, SOC 2®).
Summarize the carve-out vs. the inclusive method of reporting on CSOCs.
Explain the types of opinions and report modifications when deficiencies have been identified.
Prepare results of testing of controls to be included in the SOC 2® report of the test of a control, including when there was an exception identified by the test.
Determine the appropriate form and content of a report on the examination of controls at a service organization (SOC 1®, SOC 2®).