CPA ISC (Information Systems & Controls) Glossary
23 essential terms and definitions for CPA ISC (Information Systems & Controls). Each definition is written for exam preparation, covering the concepts as they are tested on the 2026 syllabus.
A
- Access Controls
- Access controls are technical and procedural mechanisms that restrict who can view, modify, or operate a system or its data. They include authentication, authorization, and accountability and are central to almost every IT control framework.
- Application Controls
- Application controls are automated controls built into a specific application that help ensure transaction completeness, accuracy, validity, and authorization. They include input validation, processing edits, and output reconciliation.
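Worked example, added here for illustration and not part of the glossary or any CPA material: the four application-control objectives above (completeness, accuracy, validity, authorization) as edits run over a constructed accounts-payable invoice batch. The vendor master, the approval matrix, the batch records and the one-year date window are all assumed data, not a real system's.

```python
"""Application controls over an accounts-payable invoice batch:
completeness (batch control totals), accuracy (field edits), validity
(vendor master lookup) and authorization (approval limits).
Added illustration; the vendor master, approval matrix and batch are
constructed, not taken from any real system."""
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed vendor master file: the validity edit requires an active vendor.
VENDOR_MASTER = {"V100": "active", "V200": "active", "V300": "inactive"}
# Constructed approval matrix: the largest amount each approver may authorize.
APPROVAL_LIMITS = {"alice": Decimal("5000"), "bob": Decimal("50000")}
# Constructed "today" for the reasonableness edit on invoice dates.
SAMPLE_TODAY = date(2025, 6, 30)


def parse_amount(raw):
    """Accuracy edit: a positive decimal with at most two decimal places, else None."""
    try:
        amt = Decimal(str(raw))
    except InvalidOperation:
        return None
    if not amt.is_finite() or amt <= 0 or amt != amt.quantize(Decimal("0.01")):
        return None
    return amt


def validate_record(rec, today):
    """Record-level edits; returns a list of exception messages (empty = clean)."""
    rid = rec.get("id", "?")
    errs = []
    amt = parse_amount(rec.get("amount", ""))
    if amt is None:
        errs.append(f"{rid}: amount {rec.get('amount')!r} fails the format edit")
    # Validity: the vendor must exist in the master file and be active.
    if VENDOR_MASTER.get(rec.get("vendor")) != "active":
        errs.append(f"{rid}: vendor {rec.get('vendor')!r} is not an active vendor")
    # Reasonableness: the invoice date is not in the future and not over a year old.
    try:
        inv_date = date.fromisoformat(str(rec.get("date", "")))
        if inv_date > today or (today - inv_date).days > 365:
            errs.append(f"{rid}: invoice date {inv_date} is outside the accepted window")
    except ValueError:
        errs.append(f"{rid}: invoice date {rec.get('date')!r} is not a valid date")
    # Authorization: the approver must be in the matrix and within their limit.
    limit = APPROVAL_LIMITS.get(rec.get("approved_by"))
    if limit is None:
        errs.append(f"{rid}: approver {rec.get('approved_by')!r} is not authorized")
    elif amt is not None and amt > limit:
        errs.append(f"{rid}: amount {amt} exceeds {rec.get('approved_by')}'s limit of {limit}")
    return errs


def process_batch(batch, today):
    """Completeness via batch control totals, then record-level edits.
    Returns (accepted_records, exception_messages)."""
    records = batch["records"]
    exceptions = []
    # Completeness: the record count and control total in the batch header must
    # agree with what actually arrived, or the whole batch is held.
    if len(records) != batch["header_count"]:
        exceptions.append(f"batch: {len(records)} records received, header says {batch['header_count']}")
    parsed = [parse_amount(r.get("amount", "")) for r in records]
    control_total = sum((a for a in parsed if a is not None), Decimal("0"))
    if control_total != Decimal(batch["header_total"]):
        exceptions.append(f"batch: control total {control_total} != header total {batch['header_total']}")
    accepted = []
    for rec in records:
        errs = validate_record(rec, today)
        exceptions.extend(errs)
        if not errs:
            accepted.append(rec)
    return accepted, exceptions


# Constructed batch: one clean record and three that each fail a different edit.
SAMPLE_BATCH = {
    "header_count": 4,
    "header_total": "8800.00",
    "records": [
        {"id": "INV-1", "vendor": "V100", "amount": "1200.00", "date": "2025-03-01", "approved_by": "alice"},
        {"id": "INV-2", "vendor": "V300", "amount": "600.00", "date": "2025-03-02", "approved_by": "alice"},
        {"id": "INV-3", "vendor": "V200", "amount": "7000.00", "date": "2025-03-03", "approved_by": "alice"},
        {"id": "INV-4", "vendor": "V200", "amount": "12.345", "date": "2025-03-04", "approved_by": "bob"},
    ],
}

if __name__ == "__main__":
    accepted, exceptions = process_batch(SAMPLE_BATCH, SAMPLE_TODAY)
    print("accepted:", [r["id"] for r in accepted])
    for e in exceptions:
        print("exception:", e)
```

Note that the batch-level completeness check runs before the record edits: a header count or control total that disagrees with the received records is reported even when every individual record passes, because a missing or duplicated record is precisely what field edits cannot see.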
B
- Business Continuity Plan (BCP)
- A business continuity plan documents procedures for maintaining or rapidly restoring critical business functions during and after a disruption. Its key parameters are the recovery time objective (RTO), the maximum tolerable time to restore a function, and the recovery point objective (RPO), the maximum tolerable data loss expressed as the age of the last usable backup or replica. Both should be derived from a business impact analysis rather than from what the IT function can conveniently deliver.
C
- Change Management
- Change management is the set of controls over modifications to systems and applications. It covers authorization, testing, documentation, segregation between development and production, and post-implementation review.
- COBIT Framework
- COBIT is ISACA's governance and management framework for enterprise IT. Earlier versions organized IT governance around five focus areas: strategic alignment, value delivery, risk management, resource management, and performance measurement. COBIT 2019 expresses the same concerns as governance objectives (Evaluate, Direct and Monitor) and management objectives grouped into Align/Plan/Organize, Build/Acquire/Implement, Deliver/Service/Support, and Monitor/Evaluate/Assess. It is widely referenced by IT auditors as a benchmark for IT process design and maturity.
- COSO Internal Control Framework
- COSO defines internal control across five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring. It is the dominant framework cited in management's internal-control assertions.
D
- Data Encryption
- Data encryption converts plaintext into ciphertext using cryptographic keys. Encryption at rest protects stored data; encryption in transit protects data moving across networks. Encryption only relocates the secret: if keys are stored alongside the data or are broadly accessible, the ciphertext offers little protection. Key management (generation, storage in an HSM or key management service, rotation, and restricted access to key material) is therefore the critical operational control, and the one an auditor should test first.
- Disaster Recovery Plan (DRP)
- A disaster recovery plan is the IT-focused subset of business continuity, documenting procedures for restoring technology infrastructure after a disruption. It includes recovery sequences, dependencies, and tests of failover procedures.
G
- General IT Controls (ITGCs)
- General IT controls are pervasive controls over the IT environment that support application controls. They include access controls, change management, computer operations, and program development.
I
- Identity and Access Management (IAM)
- Identity and access management is the discipline of managing user identities, authentication, and authorization across applications and systems. Centralizing IAM is a leading practice for reducing both audit findings and breach risk.
- Incident Response
- Incident response is the structured approach to handling security events: preparation, identification, containment, eradication, recovery, and lessons learned. The plan should be tested via tabletop exercises and refined after real incidents.
- Internal Audit Function
- The internal audit function provides independent assurance on the design and operating effectiveness of internal controls and risk management. It typically reports administratively to senior management and functionally to the audit committee of the board.
L
- Logical Access Controls
- Logical access controls are software-based controls that restrict user access to programs, data, and system resources based on assigned permissions. They include user IDs, passwords, role-based access, and audit logging.
M
- Multi-Factor Authentication (MFA)
- Multi-factor authentication requires two or more factors from different categories to verify identity: something you know (password, PIN), something you have (hardware token, authenticator app, phone), or something you are (biometric). Two factors from the same category, such as a password plus security questions, do not qualify. MFA materially reduces the impact of credential theft, but codes delivered over SMS and simple push approvals can still be intercepted or approved under prompt fatigue, so phishing-resistant methods such as FIDO2 security keys are preferred for privileged access.
N
- Network Segmentation
- Network segmentation divides a network into smaller zones to contain breaches and limit lateral movement. Common patterns include the DMZ for internet-facing services and microsegmentation in zero-trust architectures.
P
- Penetration Testing
- A penetration test is an authorized simulated attack on a system to identify exploitable vulnerabilities. Unlike vulnerability scanning, penetration testing attempts real exploitation and chains weaknesses to demonstrate impact.
- Phishing
- Phishing is a social-engineering attack that tricks users into revealing credentials or installing malware via fraudulent communications. It remains a leading initial-access vector and is the primary target of user-awareness training.
R
- Risk Assessment
- Risk assessment is the systematic process of identifying, analyzing, and evaluating risks to an entity's objectives. It informs the design of control activities and the allocation of audit and IT investment.
S
- SOC 1 Report
- A SOC 1 report addresses a service organization's controls relevant to user entities' internal control over financial reporting (ICFR). A Type 1 report covers the design and implementation of controls at a point in time; a Type 2 report also tests operating effectiveness over a period, typically six to twelve months, and is the one a user auditor normally needs to rely on.
- SOC 2 Report
- A SOC 2 report addresses a service organization's controls over the trust services criteria: security, availability, processing integrity, confidentiality, and privacy. Security (the common criteria) is included in every SOC 2; the other four categories are added at the service organization's option, so a reader should check which were in scope. It is widely requested by user entities evaluating vendor risk.
- Segregation of Duties (SoD)
- Segregation of duties splits incompatible functions (authorizing a transaction, recording it, and having custody of the related assets) across different people so that no single person can both commit and conceal a fraud or error. In transaction systems SoD is enforced through role design and workflow controls, for example preventing the person who enters an invoice from approving it; within IT it is a general control, most visibly the separation of development from production so that developers cannot promote their own code.
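Worked example, added here for illustration and not part of the glossary or any CPA material: the two ways SoD shows up in a system, a detective review of role assignments against a conflict matrix, and a preventive check at the approval step of a workflow. The roles, the conflict matrix and the user assignments are constructed data.

```python
"""Segregation-of-duties checks for an automated approval workflow.
Added illustration: the role definitions, conflict matrix and user
assignments are constructed, not drawn from any real system."""

# Constructed map of role -> business functions the role grants.
ROLE_FUNCTIONS = {
    "ap_clerk": {"enter_invoice", "maintain_vendor_master"},
    "ap_supervisor": {"approve_invoice"},
    "treasury": {"release_payment"},
    "developer": {"write_code"},
    "release_manager": {"deploy_to_production"},
}

# Constructed conflict matrix: pairs of functions one person must not hold together
# (authorization vs recording vs custody, plus development vs production).
CONFLICTS = {
    frozenset({"enter_invoice", "approve_invoice"}),
    frozenset({"maintain_vendor_master", "release_payment"}),
    frozenset({"approve_invoice", "release_payment"}),
    frozenset({"write_code", "deploy_to_production"}),
}


def functions_for(roles):
    """Union of every function granted by a user's roles (unknown roles grant nothing)."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))


def sod_violations(assignments):
    """Detective control: report each user whose combined roles grant a conflicting
    pair. Returns {user: sorted list of (function, function)} for violators only."""
    report = {}
    for user, roles in assignments.items():
        granted = functions_for(roles)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= granted)
        if hits:
            report[user] = hits
    return report


def approve_invoice(invoice, approver, assignments):
    """Preventive control at the workflow step: the approver must hold the
    approve function and must not be the person who entered the invoice.
    Returns (allowed, reason)."""
    if "approve_invoice" not in functions_for(assignments.get(approver, [])):
        return False, f"{approver} does not hold approve_invoice"
    if approver == invoice["entered_by"]:
        return False, f"{approver} cannot approve an invoice they entered"
    return True, "approved"


# Constructed assignments: two users hold toxic combinations.
ASSIGNMENTS = {
    "carol": ["ap_clerk"],
    "dave": ["ap_supervisor"],
    "erin": ["ap_clerk", "ap_supervisor"],
    "frank": ["developer", "release_manager"],
    "grace": ["treasury"],
}

if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    invoice = {"id": "INV-7", "entered_by": "erin"}
    print(approve_invoice(invoice, "erin", ASSIGNMENTS))   # blocked: self-approval
    print(approve_invoice(invoice, "dave", ASSIGNMENTS))   # allowed
```

The two checks are deliberately separate: the role review catches conflicts that exist on paper before any transaction flows, while the workflow check still blocks self-approval even when a user has legitimately accumulated both roles (for example through a transfer that provisioning has not yet cleaned up).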
- System and Organization Controls (SOC) Engagements
- SOC engagements are assurance engagements over service organizations performed by CPAs under AICPA attestation standards (SSAE 18). They cover financial-reporting controls (SOC 1), the trust services criteria (SOC 2), and a general-use report on the same criteria (SOC 3) that omits the detailed description and test results and can therefore be distributed freely.
U
- User Provisioning and Deprovisioning
- User provisioning is the process of granting access rights to new or transferred users; deprovisioning removes rights when access is no longer required. Timely deprovisioning at termination is a common audit finding and a frequent root cause of insider incidents.
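Worked example of the audit test behind that finding, added here for illustration and not part of the glossary or any CPA material: reconciling an HR termination feed against a directory export to flag accounts still enabled past the removal SLA, accounts used after their owner's termination date, and accounts with no HR owner at all. Both feeds, the 24-hour SLA and the reporting date are constructed assumptions.

```python
"""Deprovisioning reconciliation: compare an HR termination feed with the
directory's accounts and flag access that outlived its owner.
Added illustration; the feeds, the 24-hour SLA and the reporting date are
constructed assumptions, not data from any real system."""
from datetime import datetime, timedelta

REMOVAL_SLA = timedelta(hours=24)  # assumed policy: disable within one day of termination
AS_OF = datetime(2025, 5, 20, 18, 0)  # constructed reporting timestamp

# Constructed HR feed: employee id -> (status, termination timestamp or None)
HR_FEED = {
    "E1": ("active", None),
    "E2": ("terminated", datetime(2025, 5, 2, 17, 0)),
    "E3": ("terminated", datetime(2025, 5, 20, 9, 0)),
    "E4": ("terminated", datetime(2025, 4, 1, 12, 0)),
}
# Constructed directory export: account -> (employee id or None, enabled?, last logon)
DIRECTORY = {
    "e1.user": ("E1", True, datetime(2025, 5, 21, 8, 0)),
    "e2.user": ("E2", True, datetime(2025, 5, 9, 10, 30)),   # still enabled, used after leaving
    "e3.user": ("E3", True, datetime(2025, 5, 19, 8, 0)),    # terminated today, inside the SLA
    "e4.user": ("E4", False, datetime(2025, 3, 30, 8, 0)),   # correctly disabled
    "svc_backup": (None, True, datetime(2025, 5, 21, 2, 0)), # no HR owner at all
}


def reconcile(hr, directory, as_of):
    """Return a list of (account, finding_type, detail) tuples. Finding types:
    'orphan' (no HR record), 'late_removal' (enabled past the SLA after
    termination) and 'post_termination_use' (logon after the termination date)."""
    findings = []
    for account, (emp, enabled, last_logon) in directory.items():
        if emp not in hr:
            findings.append((account, "orphan", "no HR record for the account owner"))
            continue
        status, term_at = hr[emp]
        if status != "terminated" or not enabled:
            continue  # active employee, or already disabled: nothing to report
        overdue = as_of - term_at
        if overdue > REMOVAL_SLA:
            findings.append((account, "late_removal",
                             f"still enabled {overdue} after termination on {term_at}"))
        if last_logon is not None and last_logon > term_at:
            findings.append((account, "post_termination_use",
                             f"last logon {last_logon} is after termination on {term_at}"))
    return findings


def summarize(findings):
    """Count findings by type, the figure that usually lands in the audit report."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(HR_FEED, DIRECTORY, AS_OF)
    for account, kind, detail in results:
        print(f"{kind:22s} {account:12s} {detail}")
    print(summarize(results))
```

The post-termination logon check is the one that distinguishes a control deficiency from an incident: an account that was merely left enabled is a late-removal finding, but one that authenticated after its owner left needs to go to incident response, not just to the access-review queue.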