US CPA ISC (Information Systems and Controls) — Complete Guide 2026

What is CPA ISC?

Information Systems and Controls (ISC) is one of the three discipline sections under CPA Evolution — candidates choose one of ISC, BAR, or TCP as their discipline section (in addition to the three core sections FAR, AUD, REG). ISC focuses on IT audit, information systems, and IT controls — making it most suitable for candidates planning careers in IT audit, advisory, or risk management.

ISC Exam Format

ISC Syllabus — Content Areas

Key Topics in CPA ISC

Information Systems

• IT governance frameworks (COBIT, ITIL)
• ERP systems (SAP, Oracle) and their audit implications
• Database management and SQL fundamentals
• Cloud computing models (IaaS, PaaS, SaaS) and audit considerations
• Business continuity and disaster recovery planning

IT Security

• Cybersecurity frameworks (NIST)
• Access controls (authentication, authorisation, logical and physical)
• Encryption, firewalls, intrusion detection
• Data privacy regulations (GDPR concepts, CCPA)
• Cybercrime and cyber risk for financial institutions

SOC Reports

• SOC 1 — ICFR (Internal Control over Financial Reporting) at service organisations
• SOC 2 — Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy)
• SOC 3 — General use report based on SOC 2 criteria
• Type 1 vs Type 2 reports — design vs design and operating effectiveness

Should You Choose ISC?

ISC is best for candidates who:

• Plan to work in IT audit, internal audit with IT focus, or advisory services
• Are interested in cybersecurity, ERP audit, or cloud assurance roles
• Have a technology background alongside accounting
• Are targeting Big 4 Advisory or risk consulting roles

For candidates planning traditional audit, financial reporting, or tax careers, BAR or TCP are more directly relevant. Study ACCA with Learnsignal — ACCA's AAA and Risk papers provide a foundation for ISC concepts.