What ISC Actually Tests

ISC, short for Information Systems and Controls, is one of the three Discipline sections introduced under the 2024 CPA Evolution model. After you pass the three Core sections (AUD, FAR and REG), you choose exactly one Discipline: ISC, BAR (Business Analysis and Reporting), or TCP (Tax Compliance and Planning). ISC is the technology and controls track.

I think of ISC as the section that sits between an IT auditor and a CPA. It assumes you understand basic financial-reporting risk, then asks you to reason about the systems, data flows and controls behind that reporting. You are tested on IT general controls, application controls, information security, data management and governance, and on the mechanics of System and Organization Controls (SOC) engagements. If you have worked in IT audit, cybersecurity, or SOC reporting, a lot of this will feel familiar. If you have not, the vocabulary is the first hurdle.

The exam is 4 hours. Like the other sections, it blends multiple-choice questions (MCQs) with task-based simulations (TBSs), and the two contribute roughly equal weight to your score. There is no written communication task.

Blueprint and Topic Weights

The blueprint organizes ISC into three areas. I keep the weights front of mind because they tell you where to spend time:

  • Area I: Information Systems and Data Management (roughly 35-45%). System availability, change management, the system development life cycle, data governance, data lifecycle, and the flow of transactions through business processes. Expect questions on IT general controls and application controls.
  • Area II: Security, Confidentiality and Privacy (roughly 35-45%). Threats and attacks, logical and physical access controls, encryption, network security, incident response, and privacy versus confidentiality distinctions.
  • Area III: Considerations for System and Organization Controls (SOC) Engagements (roughly 15-25%). SOC 1 versus SOC 2 versus SOC 3, Type 1 versus Type 2 reports, the Trust Services Criteria, complementary user entity controls, and how these reports are used by user organizations and their auditors.

Treat these ranges as a guide, not a promise. The two larger areas together make up the bulk of the exam, so I would not let SOC crowd out security and data management in your schedule even though SOC feels like the signature ISC topic.

Study Hours and Timeline

My planning number for ISC is 80 to 120 hours. Here is how I would allocate it over a 6 to 9 week window:

  • Weeks 1-2: Area I. Read the material once, then start MCQs immediately. Do not wait until you feel ready.
  • Weeks 3-4: Area II. Security has a lot of discrete definitions, so this is where flashcards earn their keep.
  • Week 5: Area III (SOC). It is smaller but conceptually slippery. Build a one-page comparison table of SOC 1/2/3 and Type 1/2 and keep refining it.
  • Weeks 6-7: Task-based simulations across all three areas, plus targeted review of weak MCQ topics.
  • Final week: Two timed mixed sets under exam conditions, then light review. Do not cram new material in the last 48 hours.

If you are working full time, 12 to 15 hours a week gets you there. Consistency beats marathon weekends. The concepts stack, so a gap of two weeks costs you more than the calendar suggests.

A Practice Strategy That Works

ISC rewards recognition and reasoning more than calculation, which changes how you should practice.

First, do MCQs early and often. The fastest way to learn the ISC vocabulary is to see it used in questions and answer explanations. I would aim to work several hundred MCQs across the study period, tracking which sub-topics you miss.

Second, build comparison tables from memory. SOC 1 versus SOC 2, Type 1 versus Type 2, preventive versus detective versus corrective controls, confidentiality versus privacy. The exam loves distinctions, and TBSs often hinge on picking the right report or control category for a scenario.

Third, simulate the task-based simulations. TBSs in ISC frequently give you an exhibit (a policy, a report excerpt, a system description) and ask you to match, classify, or evaluate. Practicing these under time pressure trains you to read exhibits efficiently instead of rereading them three times.

You can drill all three areas for free at FreeFellow's CPA ISC question bank. I built it so you can filter by topic and hammer the areas where your MCQ accuracy is lowest.

Common Mistakes

A few patterns cost candidates points that they should not lose:

  • Underweighting Areas I and II. SOC feels like the identity of ISC, so people over-study it. The two larger areas carry more weight. Spend your hours proportionally.
  • Memorizing SOC labels without understanding use. Knowing that SOC 2 covers the Trust Services Criteria is not enough. You need to know who requests each report, what a user auditor does with it, and what complementary user entity controls mean in a scenario.
  • Confusing confidentiality and privacy. These are separate Trust Services categories with different meanings. Nail the distinction before exam day.
  • Skipping TBS practice. MCQ-heavy studying leaves you slow on simulations. Since TBSs carry about half the score, that is a costly blind spot.
  • Ignoring the process context. Controls do not exist in a vacuum. Questions often embed a control inside a transaction flow, and you have to identify where in the process it operates.

Frequently Asked Questions

What is the pass rate for CPA ISC?

Published quarterly pass rates for ISC have generally fallen in the mid-50s to low-60s percent range, placing it among the higher-scoring Discipline sections. Rates move by quarter, so treat any single number as a snapshot rather than a guarantee.

How many hours should I study for ISC?

Most candidates budget about 80 to 120 hours. If you have a hands-on IT audit or security background you can land near the low end; if the material is new to you, plan for the high end and spread it over 6 to 9 weeks.

What topics does ISC cover?

Three areas: Information Systems and Data Management; Security, Confidentiality and Privacy; and Considerations for System and Organization Controls (SOC) Engagements. The first two areas carry the most weight, and SOC engagements is the smallest area but very concept-dense.

What is the exam format for ISC?

ISC is a 4-hour section built from multiple-choice questions and task-based simulations, split roughly half and half by score weight. There is no written communication component.

Is ISC harder than TCP or BAR?

Difficulty is personal. ISC tends to favor candidates comfortable with IT general controls, security concepts and SOC reporting rather than heavy calculation. Its pass rates have often been the highest of the three Disciplines, but that reflects who self-selects into it as much as the content. If your background is technology or audit, ISC is usually the most natural Discipline choice.