Free CPA ISC (Information Systems & Controls) Information Systems and Data Management Practice Questions
Practice information systems and data management for the CPA ISC exam. Questions cover IT governance, database concepts, data analytics, cloud computing, and enterprise resource planning systems.
Sample Questions
Question 1
Easy
Which of the following BEST describes metadata in the context of data governance?
Solution
C is correct. Metadata is data about data. It includes information such as data definitions (what each field means), data types and formats, source system origins, transformation rules applied during ETL, data lineage (how data flows and changes through systems), and ownership information. Metadata is foundational to data governance because it enables users to find, understand, trust, and properly use the organization's data assets.
A is incorrect because transactional data is the actual business data, not metadata about that data.
B is incorrect because encrypted backup copies are data protection mechanisms, not metadata.
D is incorrect because aggregate summaries are derived data used for reporting, not metadata describing the characteristics of underlying data.
Question 2
Medium
An internal audit team discovers that a programmer who developed several critical financial reporting modules also has the ability to promote code changes directly to the production environment. Which IT general control deficiency does this represent?
Solution
A is correct. This is a segregation of duties violation within change management controls. A fundamental principle of IT general controls is that the person who develops or modifies code should not be the same person who promotes that code to production. This separation prevents a developer from introducing unauthorized or malicious changes without independent review and approval. When one person can both write and deploy code, the risk of unauthorized changes to financial reporting systems increases significantly.
B is incorrect because computer operations controls address day-to-day operations such as job scheduling and monitoring, not the code promotion process.
C is incorrect because developers need write access in the development environment to do their work; the issue is not that the programmer has write access, but that the same person has access to promote code to production.
D is incorrect because physical security controls address physical access to facilities and hardware, which is a separate concern from the logical ability to migrate code between environments.
Question 3
Hard
A company is migrating its on-premises data warehouse to a cloud-based solution. The data warehouse contains 10 years of financial transaction data subject to SOX compliance requirements. The ETL (Extract, Transform, Load) processes must be redesigned for the cloud environment. Which combination of controls is MOST critical to ensure data integrity and regulatory compliance during and after this migration?
Solution
A is correct. A data warehouse migration involving SOX-regulated financial data requires multiple layers of controls: (1) reconciliation controls (record counts, hash values, control totals) at each migration stage verify that no data is lost, added, or altered during transfer; (2) parallel-run testing confirms that redesigned ETL processes produce the same results as legacy processes, ensuring that transformation logic is faithfully replicated; (3) a complete audit trail documents the migration process, supporting SOX compliance documentation; (4) access control validation ensures the cloud environment maintains the segregation of duties and access restrictions required under SOX.
Choice B is incorrect because encryption addresses confidentiality during transfer but does not verify data completeness or accuracy, and ETL processes typically require redesign for different platform architectures rather than simple reuse.
Choice C is incorrect because deferring migration is impractical — the historical data remains subject to SOX requirements regardless of when it was created, and the company still needs a functioning data warehouse.
Choice D is incorrect because SOX compliance responsibility cannot be fully transferred to a cloud provider; the company retains accountability for its internal controls over financial reporting, even when using outsourced infrastructure, and a SOC 2 report does not cover SOX compliance obligations directly.
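The reconciliation controls named in the solution (record counts, hash values, control totals) can be illustrated with a short Python sketch. This is an added example, not part of the original question set; the field names, the sample rows and the reconcile helper are constructed for illustration. It shows that an offsetting alteration passes the count and control-total checks and is caught only by the per-row hash.

```python
import hashlib
from decimal import Decimal

def row_hash(row):
    """SHA-256 over a canonical field encoding. Both sides must format
    values identically, or equal rows will hash differently."""
    canonical = "|".join(f"{k}={row[k]}" for k in sorted(row))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def reconcile(source, target, key="txn_id", amount="amount"):
    """Compare a source extract with the migrated target (hypothetical helper)."""
    src = {r[key]: row_hash(r) for r in source}
    tgt = {r[key]: row_hash(r) for r in target}
    result = {
        # Record count: detects dropped or duplicated rows.
        "count_match": len(source) == len(target),
        # Control total: Decimal avoids float rounding on money amounts.
        "total_match": sum(Decimal(r[amount]) for r in source)
        == sum(Decimal(r[amount]) for r in target),
        # Hash comparison by key: detects changes the two checks above miss.
        "missing": sorted(src.keys() - tgt.keys()),
        "added": sorted(tgt.keys() - src.keys()),
        "altered": sorted(k for k in src.keys() & tgt.keys() if src[k] != tgt[k]),
    }
    result["passed"] = (
        result["count_match"] and result["total_match"]
        and not (result["missing"] or result["added"] or result["altered"])
    )
    return result

# Constructed sample data: four rows from the legacy warehouse.
SOURCE = [
    {"txn_id": "T1001", "posted": "2015-03-31", "account": "4000", "amount": "1250.00"},
    {"txn_id": "T1002", "posted": "2015-03-31", "account": "4000", "amount": "310.40"},
    {"txn_id": "T1003", "posted": "2015-04-01", "account": "5100", "amount": "-75.25"},
    {"txn_id": "T1004", "posted": "2015-04-01", "account": "5100", "amount": "42.10"},
]
# Constructed target: T1002 is +10.00 and T1003 is -10.00, so the total is unchanged.
TARGET_OFFSET = [dict(r) for r in SOURCE]
TARGET_OFFSET[1]["amount"] = "320.40"
TARGET_OFFSET[2]["amount"] = "-85.25"

if __name__ == "__main__":
    for name, target in [("offsetting edit", TARGET_OFFSET), ("dropped row", SOURCE[:3])]:
        print(name, reconcile(SOURCE, target))
```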