Ultimate Guide to the ISC Section: CPA Exam Blueprint and Study Resources
Area I - Information Systems and Data Management (35–45%)

Skill levels assessed in the blueprint: Remembering & Understanding, Application, Analysis, Evaluation. Each entry below is a representative task from the blueprint, followed by the matching study article.

A. Information systems

1. IT infrastructure

- Explain the purpose and recognize examples of key components of IT architecture (e.g., operating systems, servers, network infrastructure, end-user devices).
  Article: ISC CPA Exam: Understanding the Purpose and Recognizing Examples of Key Components of IT Architecture
- Explain cloud computing, including cloud computing models (infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS)) and deployment models (e.g., public, private, hybrid).
  Article: ISC CPA Exam: Understanding Cloud Computing Models Such as IaaS, PaaS, and SaaS
- Summarize the role and responsibilities of cloud service providers.
  Article: ISC CPA Exam: Understanding the Role and Responsibilities of Cloud Service Providers
- Explain how the COSO frameworks address cloud computing governance.
  Article: ISC CPA Exam: Understanding How the COSO Framework Addresses Cloud Computing Governance

2. Enterprise and accounting information systems

- Summarize enterprise resource planning (ERP) and accounting information systems, what they encompass and how they interact.
  Article: ISC CPA Exam: Understanding What ERP and Accounting Information Systems Encompass, and How They Interact
- Explain how the COSO internal control framework can be used to evaluate risks related to the use of blockchain in the context of financial reporting and to design and implement controls to address such risks.
  Article: ISC CPA Exam: Understand How the COSO Internal Control Framework is Used in Relation to the Use of Blockchain in Financial Reporting
- Determine potential changes to business processes to improve the performance of an accounting information system (e.g., robotic process automation, outsourcing, system changes).
  Article: ISC CPA Exam: Understanding How Potential Changes to Business Processes Can Improve the Performance of an Accounting Information System
- Reconcile the actual sequence of steps and the information, documents, tools and technology used in a key business process of an accounting information system (e.g., sales, cash collections, purchasing, disbursements, human resources, payroll, production, treasury, fixed assets, general ledger, reporting) to the documented process (e.g., flowchart, business process diagram, narrative).
  Article: ISC CPA Exam: How to Reconcile the Actual Sequence of Steps and Information Used in a Key Business Process of an AIS to the Documented Process
- Detect deficiencies in the suitability or design and deviations in the operation of controls related to an information system’s processing integrity in a SOC 2® engagement using the Trust Services Criteria.
  Article: ISC CPA Exam: How to Detect Deficiencies in the Operation of Controls Related to an Information System's Processing Integrity in a SOC 2 Engagement

3. Availability

- Recall the scope, purpose and key considerations for business resiliency, disaster recovery and business continuity plans.
  Article: ISC CPA Exam: Understanding the Scope, Purpose, and Key Considerations for Business Resiliency, Disaster Recovery, and Business Continuity Plans
- Explain the objectives of mirroring and replication.
  Article: ISC CPA Exam: Understanding the Objectives of Mirroring, Replication, and Backup
- Summarize steps in a business impact analysis.
  Article: ISC CPA Exam: Understanding the Steps in a Business Impact Analysis
- Recall measures of system availability (e.g., agreed service time, downtime).
  Article: ISC CPA Exam: Understanding the Measures of System Availability Such as Agreed Service Time and Downtime
- Determine the appropriateness of the organization’s data backup types (e.g., full, incremental, differential) including recovery considerations.
  Article: ISC CPA Exam: Understanding the Appropriateness of the Organization's Data Backup Types Including Recovery Considerations
- Detect deficiencies in the suitability or design and deviations in the operation of controls related to a service organization’s availability service commitments and system requirements in a SOC 2® engagement using the Trust Services Criteria.
  Article: ISC CPA Exam: How to Detect Deficiencies in the Operation of Controls Related to an Organization's Service Commitments and System Requirements in a SOC 2 Engagement

4. Change management

- Explain the purpose of change management related to internal hardware and software applications, including the risks and the different types of documentation used (e.g., system component inventory, baseline configuration).
  Article: ISC CPA Exam: Understanding Change Management Including Authorization, the Use of Different Environments, Segregation of Duties, Testing, Conversion, and Documentation
- Explain the different environments used (e.g., development, staging, production) and the types of tests performed (e.g., unit, integration, system, acceptance).
  Article: ISC CPA Exam: Understanding the Key Concepts of Release Management and Patch Management Procedures
- Explain the approaches that can be used when converting to a new information system (e.g., direct, parallel, pilot).
- Explain patch management.
- Test the design and implementation of change control policies (e.g., acceptance criteria, test results, logging, monitoring) for IT resources (e.g., applications, infrastructure components, configurations) in organizations, including those that have adopted continuous integration and continuous deployment processes.
  Article: ISC CPA Exam: How to Test the Design and Implementation of Change Control Policies for IT Resources

B. Data management

- Identify data collection methods and techniques.
  Article: ISC CPA Exam: Understanding Data Collection Methods and Techniques
- Define the various types of data storage (e.g., data warehouse, data lake, data mart) and database schemas (e.g., star, snowflake).
  Article: ISC CPA Exam: Understanding the Various Types of Data Storage and Database Schemas
- Summarize the data life cycle (i.e., the span of the use of information, from creation, through active use, storage and final disposition).
  Article: ISC CPA Exam: Understanding the Data Life Cycle from Data Creation to Storage and Final Disposition
- Examine a relational database’s structure to determine whether it applies data integrity rules, uses a data dictionary, and normalizes the data.
  Article: ISC CPA Exam: How to Examine a Relational Database's Structure to Determine Whether It Applies Data Integrity Rules, Uses a Data Dictionary, and Normalizes the Data
- Examine a standard SQL query (common commands, clauses, operators, aggregate functions and string functions) to determine whether the retrieved data set is relevant and complete.
  Article: ISC CPA Exam: How to Examine a SQL Query to Determine Whether the Data Set is Relevant and Complete
- Integrate the data available from different data sources to provide information necessary for financial and operational analysis and decisions.
  Article: ISC CPA Exam: How to Integrate Data from Different Sources to Provide Information for Financial and Operational Analysis and Decisions
- Investigate a business process model (e.g., flowchart, data flow diagram, business process model and notation (BPMN) diagram) to identify potential improvements.
  Article: ISC CPA Exam: How to Investigate a Business Process Model to Identify Potential Improvements
Area II – Security, Confidentiality and Privacy (35–45%)

A. Regulations, standards and frameworks

- Recall the covered entities and permitted uses and disclosures of the HIPAA Security and Privacy Rules.
  Article: ISC CPA Exam: Understanding the Covered Entities and Permitted Uses and Disclosures of the HIPAA Security and Privacy Rules
- Recall the scope of the GDPR and the six principles and key concepts for personal data.
  Article: ISC CPA Exam: Understanding the Scope of the GDPR and Six Principles and Key Concepts for Personal Data
- Recall the requirements of the PCI DSS.
  Article: ISC CPA Exam: Understanding the Requirements of the PCI DSS
- Recall the three parts of the NIST CSF (Framework Core, Framework Implementation Tiers, Framework Profiles).
  Article: ISC CPA Exam: Understanding the Three Parts of the NIST CSF
- Recall the three parts of the NIST Privacy Framework (Framework Core, Framework Profiles, Framework Implementation Tiers).
  Article: ISC CPA Exam: Understanding the Three Parts of the NIST Privacy Framework
- Recall the purpose, applicability, target audience and organizational responsibilities of NIST SP 800-53.
  Article: ISC CPA Exam: Understanding the Purpose, Applicability, Target Audience, and Organizational Responsibilities of NIST SP 800-53
- Recall the overview of each CIS Control.
  Article: ISC CPA Exam: Understanding the Overview of Each CIS Control
- Recall the governance system principles, governance framework principles and the components of a governance system according to COBIT 2019.
  Article: ISC CPA Exam: Understanding Governance System Principles, Governance Framework Principles, and the Components of a Governance System According to COBIT 2019

B. Security

1. Threats and attacks

- Classify the different types of threat agents (e.g., internal or external, nation or non-nation state-sponsored, adversary, threat actors, attacker or hacker).
  Article: ISC CPA Exam: How to Classify the Different Types of Threat Agents Such as Internal vs External, or Attacker vs Hacker
- Identify types of attacks (e.g., physical, distributed denial of service, malware, social engineering, web application attacks, mobile device attacks).
  Article: ISC CPA Exam: Understanding the Types of Attacks Such as Malware, Social Engineering, Distributed Denial of Service, etc
- Identify techniques used in a cyber-attack (e.g., buffer overflow, mobile code, cross-site scripting, SQL injections, race conditions, covert channel, replay and return-oriented attack).
  Article: ISC CPA Exam: Understanding Techniques Used in a Cyber-Attack
- Explain the stages in a cyber-attack (e.g., reconnaissance, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
  Article: ISC CPA Exam: Explain the Stages in a Cyber-Attack
- Identify the cybersecurity risks related to using cloud environments, platforms and services.
  Article: ISC CPA Exam: Understanding the Cybersecurity Risks Related to Using Cloud Environments, Platforms, and Services
- Identify the cybersecurity risks related to the Internet of Things (IoT).
  Article: ISC CPA Exam: Understanding the Cybersecurity Risks Related to the Internet of Things
- Identify the cybersecurity risks related to mobile technologies.
  Article: ISC CPA Exam: How to Identify Cybersecurity Risks Related to Mobile Technologies
- Explain threat modeling and threat landscape.
  Article: ISC CPA Exam: Understanding Threat Modeling and Threat Landscape in Cybersecurity
- Determine the specific cybersecurity threats in an organization’s connections with customers, vendors and partner organizations.
  Article: ISC CPA Exam: How to Determine the Specific Cybersecurity Threats in an Organization's Connections with Customers, Vendors, and Partner Organizations
- Determine the specific cybersecurity threats to an organization’s on-premise and cloud-based applications, networks and connected devices (e.g., mobile and Internet of Things (IoT) devices).

2. Mitigation

- Identify ways to protect networks and devices used to access the network remotely (e.g., isolation and segmentation, virtual private network (VPN), wireless network security, endpoint security, system hardening, intrusion prevention and detection systems).
  Article: ISC CPA Exam: Ways to Protect Networks and Devices Used to Access a Network Remotely
- Recall the definition and purpose of vulnerability management.
  Article: ISC CPA Exam: Understanding the Definition and Purpose of Vulnerability Management
- Explain the concepts of layered security and defense-in-depth.
  Article: ISC CPA Exam: Understanding the Concepts of Layered Security and Defense-in-Depth
- Define the concepts of least-privilege, zero-trust, whitelisting and the need-to-know principle.
  Article: ISC CPA Exam: Understanding the Concepts of Least-Privilege, Zero-Trust, Whitelisting, and the Need-to-Know Principle
- Recall the purpose and content of a technology acceptable use policy including considerations specific to mobile technologies and bring-your-own-device (BYOD).
  Article: ISC CPA Exam: Understanding the Purpose and Content of a Technology Acceptable Use Policy Including Considerations Specific to Mobile and BYOD Technology
- Explain how the COSO frameworks can be used to assess cyber risks and controls.
  Article: ISC CPA Exam: Understanding How the COSO Frameworks Can Be Used to Assess Cyber Risks and Controls
- Determine the common preventive, detective or corrective controls (e.g., intrusion prevention systems, device and software hardening, log analysis, intrusion detection systems, virus quarantining, patches) to mitigate risk of cyber-attacks for an organization.
  Article: ISC CPA Exam: Understanding the Preventive, Detective, or Corrective Controls to Mitigate Risk of Cyber-Attacks for an Organization
- Determine the appropriate identification and authentication techniques and technologies (e.g., password management, single sign-on, multi-factor authentication, personal identification number (PIN) management, digital signatures, smart cards, biometrics) in a specific scenario.
  Article: ISC CPA Exams: Understanding the Appropriate Identification and Authentication Techniques and Technologies in a Specific Scenario
- Determine the appropriate authorization model (e.g., discretionary, role-based, mandatory) and the controls (e.g., access control list, account restrictions, physical barriers) used to implement the model in a specific scenario.
  Article: ISC CPA Exam: How to Determine the Appropriate Authorization Model and the Controls Used to Implement the Model in a Specific Scenario

3. Testing

- Perform procedures to obtain an understanding of how the entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program.
  Article: ISC CPA Exam: How to Perform Procedures to Understand How the Entity Communicates and Models Security Behaviors Through a Training Program
- Provide input into a security assessment report by documenting the issues, findings and recommendations identified while performing tests of controls.
  Article: ISC CPA Exam: How to Provide Input into a Security Assessment Report by Documenting the Issues, Findings, and Recommendations Identified After Performing Test of Controls
- Perform a walkthrough of an organization’s procedures relevant to IT security (e.g., IT risk management, human resources, training and education) and compare the observed procedure with the documented policy requirement.
  Article: ISC CPA Exam: How to Perform a Walkthrough of an Organization's Procedures Relevant to IT Security and Compare with the Documented Policies
- Detect deficiencies in the suitability or design and deviations in the operation of controls related to a service organization’s security service commitments and system requirements in a SOC 2® engagement using the Trust Services Criteria.
  Article: ISC CPA Exam: How to Detect Deficiencies in the Operation of Controls in an Organization's Commitments and Requirements in a SOC 2 Engagement

C. Confidentiality and privacy

- Explain encryption fundamentals, techniques and applications.
  Article: ISC CPA Exam: Understanding Encryption Fundamentals, Techniques, and Applications
- Recall the differences between confidentiality and privacy.
  Article: ISC CPA Exam: Understanding the Differences Between Confidentiality and Privacy in Cybersecurity
- Identify methods for the protection of confidential data during the design, development, testing and implementation of applications that use confidential data (e.g., data obfuscation, tokenization).
  Article: ISC CPA Exam: Methods for the Protection of Data During the Design, Development, Testing, and Implementation of Applications Using Confidential Data
- Explain Data Loss Prevention (DLP).
  Article: ISC CPA Exam: Understanding Data Loss Prevention (DLP) in Cybersecurity
- Identify financial and operational implications of a data breach.
  Article: ISC CPA Exam: Understanding Financial and Operational Implications of a Data Breach
- Determine controls and data management practices to securely collect, process, store, transmit and delete confidential data or data subject to privacy regulations.
  Article: ISC CPA Exam: Determining Controls and Data Management Practices to Securely Collect, Process, Store, Transmit, and Delete Confidential Data
- Detect deficiencies in the suitability or design and deviations in the operation of controls related to a service organization’s confidentiality and privacy service commitments and system requirements in a SOC 2® engagement using the Trust Services Criteria.
  Article: ISC CPA Exam: Detecting Deficiencies in the Operation of Controls in a Service Organization's Service Commitments and Systems in a SOC 2 Engagement
- Perform a walkthrough of an organization’s procedures relevant to confidentiality and privacy (e.g., IT risk management, human resources, training and education) and compare the observed procedure with the documented policy requirement.
  Article: ISC CPA Exams: How to Perform a Walkthrough of an Organization's Procedures Related to Confidentiality and Privacy and Compare with Documented Policies

D. Incident response

- Recall the differences between security/cybersecurity events and incidents.
  Article: ISC CPA Exam: Understanding the Differences Between Security and Cybersecurity Events and Incidents
- Explain the use of insurance as a mitigation strategy for a security incident or data breach.
  Article: ISC CPA Exam: Understanding the Use of Insurance as a Mitigation Strategy for a Security Incident or Data Breach
- Summarize contents commonly included in incident response plans (e.g., roles, responsibilities, methods, steps, timelines).
  Article: ISC CPA Exam: Understanding Contents Commonly Included in Incident Response Plans
- Perform procedures to test whether the entity responded to cybersecurity incidents in accordance with the incident response plan.
  Article: ISC CPA Exams: How to Perform Procedures to Test Whether the Entity Responded to Cybersecurity Incidents in Accordance with the Incident Response Plan
Area III – Considerations for System and Organization Controls (SOC) Engagements (15–25%)

A. Considerations specific to planning and performing a SOC engagement

- Explain the purpose of the Trust Services Criteria and its organization (e.g., alignment with the COSO Internal Control – Integrated Framework, supplemental criteria, common criteria and additional specific criteria).
  Article: ISC CPA Exam: Understanding the Trust Services Criteria and Its Organization in a SOC Engagement
- Recall the types of subject matters a practitioner may be engaged to report on using the Trust Services Criteria.
  Article: ISC CPA Exam: Understanding the Types of Subject Matters a Practitioner May be Engaged to Report on Using the Trust Services Criteria
- Identify management assertions specific to the different categories and types (Type 1 and Type 2) of SOC engagements (SOC 1®, SOC 2®, SOC 3®).
  Article: ISC CPA Exam: How to Identify Management Assertions Specific to the Different Categories and Types of SOC Engagements
- Recall the intended users of SOC 1®, SOC 2® and SOC 3® reports.
  Article: ISC CPA Exam: Understanding the Intended Users of SOC 1, SOC 2, and SOC 3 Reports
- Summarize the independence considerations between the service auditor, service organization and subservice organizations.
  Article: ISC CPA Exam: Understanding the Independence Considerations Between the Service Auditor, Service Organization, and Subservice Organizations
- Explain how materiality is determined and used in performing a SOC engagement (SOC 1®, SOC 2®).
  Article: ISC CPA Exam: Understanding How Materiality is Determined and Used in Performing a SOC 1 or SOC 2 Engagement
- Identify the risk assessment requirements for a service organization and the service auditor.
  Article: ISC CPA Exam: Understanding the Risk Assessment Requirements for a Service Organization and the Service Auditor
- Summarize the criteria for a vendor to be considered a subservice organization.
  Article: ISC CPA Exam: Understanding the Criteria for a Vendor to be Considered a Subservice Organization
- Explain the considerations for deciding between, and use of, the inclusive and carve-out method for subservice organizations and complementary subservice organization controls (CSOCs).
  Article: ISC CPA Exam: Understanding the Considerations for Deciding Between and Use of, the Inclusive and Carve-Out Method for Subservice Organizations and CSOCs
- Define service commitments and system requirements in a SOC 2® engagement and how they correspond to an entity’s objectives referred to in the Trust Services Criteria.
  Article: ISC CPA Exam: Understanding Service Commitments and System Requirements in a SOC 2 Engagement and How They Correspond to the Trust Services Criteria
- Recall the impact of subsequently discovered facts on the SOC engagement (SOC 1®, SOC 2®).
  Article: Understanding the Impact of Subsequently Discovered Facts on a SOC 1 or SOC 2 Engagement
- Explain the purpose and common sections of a system description subject to SOC 1® or SOC 2® engagements.
  Article: ISC CPA Exam: Understanding the Purpose and Common Sections of a System Description Subject to SOC 1 or SOC 2 Engagements
- Recall the Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program.
  Article: ISC CPA Exam: Understanding the Description Criteria for Management's Description of an Entity's Cybersecurity Risk Management Program
- Explain the purpose of complementary user entity controls (CUECs) identified by service organization management in their system description.
  Article: ISC CPA Exam: Understanding the Purpose of Complementary User Entity Controls (CUECs) Identified by Service Organization Management in their System Description
- Recall requirements about obtaining management’s written representations in a SOC engagement (SOC 1®, SOC 2®).
  Article: ISC CPA Exam: Understanding Requirements About Obtaining Management's Written Representations in a SOC 1 or SOC 2 Engagement
- Obtain an understanding of the system addressed by a SOC 2® engagement, including the clear identification of the boundaries of the system as defined by the service organization.
  Article: How to Obtain an Understanding of the System Addressed by a SOC 2 Engagement, Including the Boundaries of the System
- Perform procedures to obtain an understanding of how a service organization provides its personnel and external users information on how to report failures, incidents, concerns and other complaints related to a system subject to a SOC 2® engagement.
  Article: ISC CPA Exam: How to Obtain an Understanding of How a Service Organization Provides Its Users Information on How to Report on a System Subject to a SOC 2 Engagement
- Prepare a comparison of management’s system description to suitable criteria in a SOC 1® engagement or to the description criteria in a SOC 2® engagement.
  Article: ISC CPA Exam: How to Prepare a Comparison of Management's System Description to Suitable Criteria in a SOC 1 or SOC 2 Engagement
- Determine the effect of subsequent events in a SOC 1® or SOC 2® engagement.
  Article: ISC CPA Exam: How to Perform Procedures to Identify Subsequent Events That Could Require Disclosure Related to a SOC 1 or SOC 2 Engagement

B. Considerations specific to reporting on a SOC engagement

- Explain the effect of CUECs on the SOC report (SOC 1®, SOC 2®).
  Article: ISC CPA Exam: Understanding the Effect of CUECs on a SOC 1 or SOC 2 Report
- Summarize the carve-out vs. the inclusive method of reporting on CSOCs.
  Article: ISC CPA Exam: Understanding the Carve-Out vs the Inclusive Method of Reporting on CSOCs in a SOC Engagement
- Explain the types of opinions and report modifications when deficiencies have been identified.
  Article: ISC CPA Exam: Understanding the Types of Opinions and Report Modifications When Deficiencies Have Been Identified in a SOC Engagement
- Prepare results of testing of controls to be included in the SOC 2® report of the test of a control, including when there was an exception identified by the test.
  Article: ISC CPA Exam: How to Prepare Results of Testing of Controls to be Included in the SOC 2 Report of the Test of a Control
- Determine the appropriate form and content of a report on the examination of controls at a service organization (SOC 1®, SOC 2®).
  Article: ISC CPA Exam: How to Determine the Appropriate Form and Content of a Report on the Examination of Controls at a Service Organization Related to a SOC Engagement