Updated for the 2024 CPA Evolution exam format

Module: CPAUS-ISC

ISC: Information Systems and Controls

Prepare for ISC: Information Systems and Controls with practice questions covering 21 topics. Build your knowledge, track your progress, and study effectively with GoCPAus.

Questions: 660
Units: 3
Topics: 21

What’s in it.

3 units

Sample questions

3 of many

A few questions from this module, with the answer and a full explanation. The complete bank is available when you start practising.

  1. A SOC 2 report's tests section shows that access provisioning controls were tested 40 times with 4 exceptions (a 10% deviation rate). What factors should the service auditor consider before determining whether this deviation rate is material?

    • The qualifications of the specific auditor who performed the access provisioning tests
    • The nature and root cause of the exceptions, whether they are isolated or systemic, the sensitivity of the data affected, and the potential impact on user entities' control environments
      Correct answer
    • Only the percentage deviation rate; 10% always constitutes materiality in SOC engagements
    • The number of user entities served by the service organisation and whether any were affected
    Explanation

    Whether a deviation rate leads to a qualified opinion (the sense in which "materiality" is used here) is not a mechanical calculation based on the rate alone. The service auditor must consider: the nature of each exception (what actually happened); whether the four exceptions share a common root cause, which would indicate a systemic failure rather than isolated errors; how significant access provisioning is to the trust services criteria being reported on (in a SOC 1 engagement, to user entities' ICFR); whether the exceptions follow a pattern suggesting the control is fundamentally unreliable; and the potential impact on user entities' control environments. A 10% rate in a critical access control is concerning, but it is not automatically material without that analysis.

  2. A company's SSL inspection proxy decrypts, inspects, and re-encrypts all HTTPS traffic from employee workstations. The security team discovers that personal banking traffic and medical portal traffic are being decrypted and logged alongside business traffic. What privacy and legal risk does this create, and how should the inspection policy be remediated?

    • The risk is only operational — inspecting personal traffic creates unnecessary data retention obligations and should be excluded for performance reasons, not legal compliance
    • Decrypting personal financial and medical traffic may violate employee privacy expectations and potentially applicable laws (HIPAA, financial privacy regulations). Remediation: configure SSL inspection bypass categories for personal banking, healthcare, and other sensitive personal domains so those sessions are not decrypted.
      Correct answer
    • The only remediation required is to delete logs of personal traffic after 24 hours; no bypass categories are needed because retention length determines legality
    • There is no legal risk because the company owns the network and employees have no expectation of privacy when using company internet connections
    Explanation

    A TLS inspection proxy holds the plaintext of every session it terminates, so a decrypt-everything policy means the organisation is collecting, and in this case retaining in logs, employees' online banking sessions and medical portal content alongside business traffic. That collection can breach employees' reasonable privacy expectations and potentially applicable privacy or data-protection law (the answer cites HIPAA and financial privacy regulations as examples). Owning the network does not by itself remove those obligations, and shortening log retention only limits how long the exposure lasts; it does not make the interception appropriate in the first place. The remediation belongs in the inspection policy: configure bypass (no-decrypt) categories for personal banking, healthcare and similar sensitive personal sites, so the proxy forwards those sessions without terminating TLS and records connection metadata at most. Bypass lists should be kept narrow and reviewed, because anything that matches them is, by design, not inspected.
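    The decrypt-or-bypass decision described in the correct answer, as an added example that is not code from the GoCPAus page or from any proxy vendor. A proxy sees the server name the client sends in its TLS ClientHello (SNI) before deciding whether to terminate the session; this code applies a category-based bypass policy to that name. The category feed, category names and hostnames (`examplebank.test`, `clinicportal.test`, `corp-saas.test`) are constructed for the example; a real proxy pulls categories from a URL-classification feed.

```python
"""Category-based TLS inspection bypass policy (illustrative, not a vendor API)."""
from enum import Enum
from typing import Optional


class Action(Enum):
    DECRYPT = "decrypt"  # terminate TLS, inspect content, re-encrypt, log content
    BYPASS = "bypass"    # forward the ciphertext untouched; log connection metadata only


# Constructed sample feed, keyed by registrable domain. Hypothetical names.
CATEGORY_FEED = {
    "examplebank.test": "financial",
    "clinicportal.test": "healthcare",
    "corp-saas.test": "business",
}

# The remediation from the answer: categories whose sessions are never decrypted.
BYPASS_CATEGORIES = frozenset({"financial", "healthcare"})


def domain_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match on DNS labels.

    Deliberately not a substring test: a naive `domain in host` would also
    match 'examplebank.test.attacker.example', letting whoever controls that
    name opt their traffic out of inspection.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def categorise(sni: Optional[str]) -> str:
    """Return the feed category for the SNI hostname, or 'uncategorised'."""
    if not sni:
        return "uncategorised"  # no SNI: nothing to categorise on
    for domain, category in CATEGORY_FEED.items():
        if domain_matches(sni, domain):
            return category
    return "uncategorised"


def decide(sni: Optional[str]) -> tuple[Action, str]:
    """Bypass decryption only for categories in BYPASS_CATEGORIES.

    Everything else, including uncategorised and SNI-less traffic, is
    decrypted, so a host unknown to the feed cannot avoid inspection.
    """
    category = categorise(sni)
    action = Action.BYPASS if category in BYPASS_CATEGORIES else Action.DECRYPT
    return action, category


def log_record(sni: Optional[str], action: Action, category: str, payload_summary: str) -> dict:
    """Build the log entry the proxy may write.

    For bypassed sessions the payload field is never populated, so personal
    banking or medical content cannot end up in the logs even by accident.
    """
    record = {"sni": sni, "action": action.value, "category": category}
    if action is Action.DECRYPT:
        record["payload_summary"] = payload_summary
    return record


if __name__ == "__main__":
    # Constructed SNI values seen at the proxy.
    for name in ["www.examplebank.test", "portal.clinicportal.test",
                 "app.corp-saas.test", "examplebank.test.attacker.example", None]:
        action, category = decide(name)
        print(f"{name!s:40} {category:14} -> {action.value}")
```

    The policy defaults to decrypt for anything not positively categorised as sensitive personal traffic; flipping that default to bypass would make the exclusion list a general inspection-evasion channel, which is the trade-off a reviewer of such a policy should look for.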

  3. CC6 covers Logical and Physical Access Controls. Which COSO component does CC6 most closely align with?

    • Monitoring Activities (COSO Component 5)
    • Information and Communication (COSO Component 4)
    • Risk Assessment (COSO Component 2)
    • CC6 goes beyond the five COSO components — it is a technology-specific criterion that does not directly map to a single COSO component
      Correct answer
    Explanation

    CC1 through CC5 map directly to the five COSO 2013 components (Control Environment, Communication and Information, Risk Assessment, Monitoring Activities, Control Activities). CC6 through CC9 are the supplemental criteria: technology-specific criteria that extend beyond the five COSO components. CC6 (Logical and Physical Access Controls) addresses how the service organisation restricts access to systems, data, and physical facilities, which are security controls specific to technology environments. Although access controls support COSO Control Activities (CC5), CC6 is not a direct COSO mapping; it is a technology extension.