CPA ISC (Information Systems & Controls) Glossary

30 essential terms and definitions for CPA ISC (Information Systems & Controls). Each definition is written for exam preparation, covering the concepts as they are tested on the 2026 syllabus.

30 Terms
14 Sections
2026 Syllabus

A

Access Controls
Access controls are technical and procedural mechanisms that restrict who can view, modify, or operate a system or its data. They include authentication, authorization, and accountability and are central to almost every IT control framework.
Annualized Loss Expectancy (ALE)
A quantitative risk metric estimating the expected yearly financial loss from a specific threat, calculated by multiplying the loss per event by how often the event is expected to occur each year. It helps management prioritize controls by comparing expected loss against the cost of mitigation.ALE=SLE×AROALE = SLE \times ARO
Application Controls
Application controls are automated controls built into a specific application that help ensure transaction completeness, accuracy, validity, and authorization. They include input validation, processing edits, and output reconciliation.

B

Business Continuity Plan (BCP)
A business continuity plan documents procedures for maintaining or rapidly restoring critical business functions during and after a disruption. Key parameters include the recovery time objective (RTO) and the recovery point objective (RPO).

C

Change Management
Change management is the set of controls over modifications to systems and applications. It covers authorization, testing, documentation, segregation between development and production, and post-implementation review.
COBIT Framework
COBIT is ISACA's governance and management framework for enterprise IT. It addresses strategic alignment, value delivery, risk management, resource management, and performance measurement, and is widely referenced by IT auditors.
Complementary User Entity Controls (CUECs)
Controls that a service organization assumes its customers (user entities) will implement for the service organization's controls to operate effectively. They are identified in a SOC report so user entities know which controls they remain responsible for.
COSO Internal Control Framework
COSO defines internal control across five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring. It is the dominant framework cited in management's internal-control assertions.

D

Data Encryption
Data encryption converts plaintext into ciphertext using cryptographic keys. Encryption at rest protects stored data; encryption in transit protects data moving across networks. Key management is the critical operational control.
Data Loss Prevention (DLP)
A set of technologies and processes designed to detect and prevent unauthorized transmission, use, or exfiltration of sensitive data across endpoints, networks, and storage. DLP tools classify data and enforce policies that block or alert on prohibited transfers.
Disaster Recovery Plan (DRP)
A disaster recovery plan is the IT-focused subset of business continuity, documenting procedures for restoring technology infrastructure after a disruption. It includes recovery sequences, dependencies, and tests of failover procedures.

G

General IT Controls (ITGCs)
General IT controls are pervasive controls over the IT environment that support application controls. They include access controls, change management, computer operations, and program development.

I

Identity and Access Management (IAM)
Identity and access management is the discipline of managing user identities, authentication, and authorization across applications and systems. Centralizing IAM is a leading practice for reducing both audit findings and breach risk.
Incident Response
Incident response is the structured approach to handling security events: preparation, identification, containment, eradication, recovery, and lessons learned. The plan should be tested via tabletop exercises and refined after real incidents.
Internal Audit Function
The internal audit function provides independent assurance on the design and operating effectiveness of internal controls and risk management. It typically reports administratively to senior management and functionally to the audit committee of the board.

L

Logical Access Controls
Logical access controls are software-based controls that restrict user access to programs, data, and system resources based on assigned permissions. They include user IDs, passwords, role-based access, and audit logging.

M

Multi-Factor Authentication (MFA)
Multi-factor authentication requires two or more independent factors to verify identity: something you know (password), something you have (token, phone), or something you are (biometric). MFA materially reduces credential-theft risk.

N

Network Segmentation
Network segmentation divides a network into smaller zones to contain breaches and limit lateral movement. Common patterns include the DMZ for internet-facing services and microsegmentation in zero-trust architectures.

P

Penetration Testing
A penetration test is an authorized simulated attack on a system to identify exploitable vulnerabilities. Unlike vulnerability scanning, penetration testing attempts real exploitation and chains weaknesses to demonstrate impact.
Phishing
Phishing is a social-engineering attack that tricks users into revealing credentials or installing malware via fraudulent communications. It remains a leading initial-access vector and is the primary target of user-awareness training.

R

Recovery Point Objective (RPO)
The maximum acceptable amount of data loss measured in time, indicating how far back in time recovered data may need to reach after a disruption. A shorter RPO requires more frequent backups or replication.
Recovery Time Objective (RTO)
The maximum acceptable length of time a system or process can be down after a disruption before the impact on the business becomes unacceptable. It drives decisions about recovery strategies and resource investment in business continuity planning.
Risk Assessment
Risk assessment is the systematic process of identifying, analyzing, and evaluating risks to an entity's objectives. It informs the design of control activities and the allocation of audit and IT investment.

S

Segregation of Duties (SoD)
Segregation of duties splits incompatible functions (authorization, recording, custody) across different people to reduce both fraud risk and error. Designing SoD into automated workflows is a central focus of IT general controls.
Single Loss Expectancy (SLE)
The estimated monetary loss expected from a single occurrence of a risk event, found by multiplying the value of the affected asset by the percentage of that value lost in the event (the exposure factor).SLE=$AV×EFSLE = \$AV \times EF
SOC 1 Report
A SOC 1 report addresses a service organization's controls relevant to user entities' internal control over financial reporting (ICFR). Type 1 covers design at a point in time; type 2 covers operating effectiveness over a period.
SOC 2 Report
A SOC 2 report addresses a service organization's controls over the trust services criteria: security, availability, processing integrity, confidentiality, and privacy. It is widely requested by user entities evaluating vendor risk.
System and Organization Controls (SOC) Engagements
SOC engagements are assurance engagements over service organizations performed by CPAs under AICPA standards (SSAE 18). They cover financial-reporting controls (SOC 1), trust criteria (SOC 2), and a public-report variant (SOC 3).

T

Trust Services Criteria (TSC)
The control criteria established by the AICPA used to evaluate systems in SOC 2 engagements, covering five categories: security, availability, processing integrity, confidentiality, and privacy. Security (the common criteria) is required, while the other four are included based on the engagement scope.

U

User Provisioning and Deprovisioning
User provisioning is the process of granting access rights to new or transferred users; deprovisioning removes rights when access is no longer required. Timely deprovisioning at termination is a common audit finding and a frequent root cause of insider incidents.
Practice CPA ISC Questions →

About FreeFellow

FreeFellow is a free exam prep library for actuarial (SOA & CAS), CFA, CFP, CPA, CAIA, GARP FRM, IRS Enrolled Agent, IMA CMA, and FINRA / NASAA securities licensing candidates. The entire question bank, written solutions, and lessons are free for every candidate, with no trial period and no credit card. Lessons include narrated audio, and every constructed-response item has a copy-to-AI prompt builder so candidates can paste their answer into their own ChatGPT or Claude for self-graded feedback; Fellow members get instant AI grading on essays against the official rubric (currently CFA Level III, expanding to other essay-bearing sections).

The 70% you need to pass (question bank, written solutions, lessons, formula sheet, mixed practice, readiness tracking) is free forever, with no trial period and no credit card. Become a Fellow ($59/quarter or $149/year per track) to unlock mock exams, flashcards with spaced repetition, performance analytics, AI essay grading, and a personalized study plan.