CPA Exam · Cheat Sheet

ISC — Information Systems & Controls (Discipline)

---

IT ARCHITECTURE & INFRASTRUCTURE

| Component | Definition |
|---|---|
| IaaS | Provider manages hardware/network; customer manages OS, runtime, apps (AWS EC2) |
| PaaS | Provider manages hardware/OS/runtime; customer manages apps, data (Salesforce) |
| SaaS | Provider manages everything; customer manages user data only (Microsoft 365) |

---

DATABASE & DATA GOVERNANCE

Key DB Concepts:

  • Primary key = uniquely identifies each row
  • Foreign key = enforces referential integrity between tables
  • Normalization = reduces redundancy (1NF, 2NF, 3NF)

Governance Roles:

  • Data steward = business owner; responsible for quality
  • Data custodian = IT role; technical storage/maintenance

Data Quality Dimensions: Accuracy, Completeness, Consistency, Timeliness, Validity, Uniqueness

---

SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC)

| Phase | Key Activity |
|---|---|
| Planning | Scope, feasibility, resources |
| Requirements | Gather functional & non-functional needs |
| Design | Architecture, database, security design |
| Development | Code per specifications |
| Testing | Unit → Integration → System → UAT |
| Implementation | Go-live, data conversion, training |
| Maintenance | Fixes, enhancements, monitoring |

Development Methodologies:

  • Waterfall = Sequential; stable requirements
  • Agile/Scrum = Iterative sprints; dynamic requirements
  • DevOps = CI/CD; high-frequency releases
  • Prototyping = Build early for feedback; unclear requirements

Change Management Controls: Formal request → Impact assessment → Test (non-prod) → Approval → Document

---

IT GENERAL CONTROLS (ITGC)

Four Pillars:

  • Change management — formal process, testing, segregation of duties
  • Logical access — provisioning, password policy, access reviews, termination
  • Computer operations — backup, job scheduling, incident management
  • Program development — SDLC, code review, version control

Segregation of Duties in IT:

  • Developers ≠ production system access
  • Operations ≠ source code access
  • Users ≠ system admin access

---

APPLICATION CONTROLS

| Control Type | Examples |
|---|---|
| Input | Edit checks, validity checks, range checks, check digits, completeness, duplicates |
| Processing | Run-to-run totals, balancing, reasonableness checks |
| Output | Report distribution, reconciliation to inputs |
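Worked example of the input controls in the table above (completeness, check digit, validity, range, reasonableness, duplicate check) run over a constructed batch of accounts-payable invoices, with the batch record count and control total carried forward for the processing stage's run-to-run check. This is an added illustration, not material from the cheat sheet or the AICPA blueprint; the record layout, the cost-centre reference table, the amount ceiling, the batch cut-off date and the choice of the Luhn mod-10 algorithm as the check-digit scheme are all assumptions made for the example.

```python
# Added example (not from the cheat sheet): input edit checks over a constructed
# invoice batch. Layout, reference table, limits and the Luhn check-digit scheme
# are assumptions for illustration.
from collections import Counter
from datetime import date

ALLOWED_COST_CENTRES = {"CC100", "CC200", "CC300"}   # assumed validity (reference) table
MAX_INVOICE_AMOUNT = 50_000.00                         # assumed range/limit ceiling
BATCH_CUTOFF = date(2024, 6, 30)                       # assumed period-end for the batch
REQUIRED_FIELDS = ("invoice_no", "vendor_id", "cost_centre", "amount", "invoice_date")


def luhn_valid(number: str) -> bool:
    """Check digit test (Luhn / mod-10): catches any single mistyped digit and
    most adjacent transpositions in a keyed identifier such as a vendor number."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def edit_checks(rec: dict) -> list[str]:
    """Run the record-level input controls; an empty list means the record passes."""
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    if missing:                                  # completeness check first:
        return [f"completeness: missing {missing}"]   # the other checks need the fields
    errors = []
    if not luhn_valid(rec["vendor_id"]):                         # check digit
        errors.append("check digit: vendor_id fails mod-10")
    if rec["cost_centre"] not in ALLOWED_COST_CENTRES:           # validity check
        errors.append(f"validity: unknown cost centre {rec['cost_centre']}")
    if not 0 < rec["amount"] <= MAX_INVOICE_AMOUNT:              # range / limit check
        errors.append(f"range: amount {rec['amount']} outside (0, {MAX_INVOICE_AMOUNT}]")
    if rec["invoice_date"] > BATCH_CUTOFF:                       # reasonableness check
        errors.append("reasonableness: invoice date after batch cut-off")
    return errors


def duplicate_invoices(batch: list[dict]) -> set[tuple]:
    """Duplicate check: the same vendor + invoice number keyed more than once."""
    keys = Counter((r.get("vendor_id"), r.get("invoice_no")) for r in batch)
    return {k for k, n in keys.items() if n > 1}


def validate_batch(batch: list[dict]) -> dict:
    """Record-level checks plus the batch-wide duplicate check. Returns the
    accepted records, an exception report, and the batch control totals that
    the processing stage re-computes (run-to-run total)."""
    dups = duplicate_invoices(batch)
    accepted, exceptions = [], []
    for rec in batch:
        errs = edit_checks(rec)
        if (rec.get("vendor_id"), rec.get("invoice_no")) in dups:
            errs.append("duplicate: vendor/invoice pair already in batch")
        if errs:
            exceptions.append({"invoice_no": rec.get("invoice_no"), "errors": errs})
        else:
            accepted.append(rec)
    return {
        "accepted": accepted,
        "exceptions": exceptions,
        "record_count": len(accepted),
        "control_total": round(sum(r["amount"] for r in accepted), 2),
    }


# Constructed sample batch. "79927398713" is the well-known Luhn-valid test
# number; "79927398714" differs in the last digit and fails the check.
SAMPLE_BATCH = [
    {"invoice_no": "INV-1001", "vendor_id": "79927398713", "cost_centre": "CC100",
     "amount": 1250.00, "invoice_date": date(2024, 6, 3)},
    {"invoice_no": "INV-1002", "vendor_id": "79927398714", "cost_centre": "CC100",
     "amount": 480.00, "invoice_date": date(2024, 6, 4)},      # bad check digit
    {"invoice_no": "INV-1003", "vendor_id": "79927398713", "cost_centre": "CC999",
     "amount": 75_000.00, "invoice_date": date(2024, 6, 5)},   # invalid centre, over limit
    {"invoice_no": "INV-1001", "vendor_id": "79927398713", "cost_centre": "CC200",
     "amount": 1250.00, "invoice_date": date(2024, 6, 6)},     # duplicate of INV-1001
    {"invoice_no": "INV-1005", "vendor_id": "79927398713", "cost_centre": "CC300",
     "amount": None, "invoice_date": date(2024, 6, 7)},        # incomplete record
    {"invoice_no": "INV-1006", "vendor_id": "79927398713", "cost_centre": "CC200",
     "amount": 980.50, "invoice_date": date(2024, 6, 10)},     # clean
    {"invoice_no": "INV-1007", "vendor_id": "79927398713", "cost_centre": "CC300",
     "amount": 2019.50, "invoice_date": date(2024, 6, 11)},    # clean
]

if __name__ == "__main__":
    report = validate_batch(SAMPLE_BATCH)
    print("accepted:", report["record_count"], "control total:", report["control_total"])
    for exc in report["exceptions"]:
        print(exc["invoice_no"], exc["errors"])
```

Note that both copies of INV-1001 are rejected: a duplicate check cannot tell which keying is the genuine one, so the pair goes to the exception report for a person to resolve rather than letting the first copy through.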

---

SECURITY FRAMEWORK (NIST CSF)

5 Functions (in order):

  • Identify — asset management, risk assessment
  • Protect — access control, data security, training
  • Detect — monitoring, anomaly detection
  • Respond — incident response, mitigation
  • Recover — recovery planning, improvements

Defense in Depth Layers: Physical → Network → Host → Application → Data

---

ACCESS CONTROL

Authentication Factors:

| Factor | Examples |
|---|---|
| Something you know | Password, PIN |
| Something you have | Token, smart card, OTP |
| Something you are | Biometrics (fingerprint, face, retina) |

MFA (Multi-Factor Auth) = 2+ factors; significantly stronger

Access Control Models:

  • DAC = Resource owner sets permissions
  • MAC = System enforces via labels (government/military)
  • RBAC = Based on job role (most common)
  • ABAC = Based on attributes (role + time + location)

Critical IAM Controls:

  • Principle of least privilege = minimum access needed
  • Segregation of duties = no single person: initiate + record + approve
  • Access reviews = periodic verification (quarterly/annually)
  • Termination procedures = IMMEDIATE revocation (highest risk control)

---

ENCRYPTION

| Type | Mechanism | Use Case |
|---|---|---|
| Symmetric | Same key encrypt/decrypt (AES) | Large data volumes; fast |
| Asymmetric | Public + private keys (PKI) | Key distribution, digital signatures |
| TLS/HTTPS | Asymmetric handshake → symmetric session | Secure web traffic |

Digital Signatures: Hash + sign with private key → verify with public key = authenticity + integrity

Encryption Locations:

  • In transit = TLS/SSL, VPN, SSH
  • At rest = disk encryption, database encryption

---

NETWORK SECURITY

| Control | Function |
|---|---|
| Firewall | Filters traffic by IP/port/protocol |
| IDS | Detects intrusions (passive alert) |
| IPS | Prevents intrusions (active block) |
| DMZ | Buffer zone between internet & internal network |
| Segmentation | Isolates critical assets; limits blast radius |

    ---

DATA ANALYTICS FOR AUDITORS

Continuous Monitoring = Management monitors controls in real-time (automated)

Continuous Auditing = Auditors perform procedures in real-time or near-real-time

Key Analytical Techniques:

  • Benford's Law — compares leading-digit frequencies with the expected distribution; deviations suggest fabricated numbers
  • Regression analysis — identifies unexpected patterns
  • Trend analysis — detects anomalies over time
  • Outlier detection — finds values outside expected range
  • Duplicate detection — identifies identical records

Data Sources for Testing: ERP transactions, journal entries (fraud), payroll, AP
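Worked example of two of the techniques listed above, Benford's Law and duplicate detection, run over constructed transaction data. It is an added illustration, not content from the cheat sheet: the first-digit test computes the expected Benford frequencies log10(1 + 1/d), compares them with the observed distribution and grades the gap with the mean absolute deviation (MAD) bands commonly attributed to Nigrini (assumed here as the grading scale); the three datasets (a ledger spread evenly over four decades, expense claims clustered under an assumed 5,000 approval limit, and a payments file with one repeated vendor/amount pair) are made up for the example.

```python
# Added example (not from the cheat sheet): Benford first-digit test plus a
# duplicate-payment check over constructed data. MAD bands are an assumption.
import math
from collections import Counter

# Expected first-digit frequencies under Benford's Law: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(x: float):
    """Leading non-zero digit of |x|, or None for zero (works for any magnitude)."""
    for ch in f"{abs(x):.15g}":
        if ch in "123456789":
            return int(ch)
    return None


def benford_report(amounts) -> dict:
    """Compare the observed first-digit distribution with Benford's expected one.
    Returns per-digit proportions, the mean absolute deviation (MAD), a
    conformity grade and the digit most over-represented versus expectation."""
    digits = [d for d in map(first_digit, amounts) if d is not None]
    if not digits:
        raise ValueError("no non-zero amounts to test")
    n = len(digits)
    counts = Counter(digits)
    observed = {d: counts[d] / n for d in range(1, 10)}
    deviations = {d: observed[d] - BENFORD[d] for d in range(1, 10)}
    mad = sum(abs(v) for v in deviations.values()) / 9
    # First-digit MAD bands (assumed grading scale): the larger the MAD, the
    # less the population looks like naturally occurring numbers
    if mad < 0.006:
        conformity = "close"
    elif mad < 0.012:
        conformity = "acceptable"
    elif mad < 0.015:
        conformity = "marginal"
    else:
        conformity = "nonconformity"
    return {
        "n": n,
        "observed": observed,
        "mad": round(mad, 4),
        "conformity": conformity,
        "worst_digit": max(deviations, key=deviations.get),
    }


def duplicate_payments(payments) -> list[tuple]:
    """Flag identical (vendor, amount) pairs: a basic double-payment test."""
    keys = Counter((p["vendor"], round(p["amount"], 2)) for p in payments)
    return sorted(k for k, c in keys.items() if c > 1)


# Constructed data 1: 1,000 amounts evenly spread across four decades on a log
# scale, which is what a Benford-conforming population looks like
GENUINE_LEDGER = [100 * 10 ** (i / 250) for i in range(1000)]

# Constructed data 2: expense claims clustered just under an assumed 5,000
# approval limit, the kind of pattern a first-digit test makes visible
FABRICATED_CLAIMS = [4950.00 + 0.37 * i for i in range(120)] + [
    120.00, 1340.50, 2210.00, 875.25, 61.10]

# Constructed data 3: payments file with one vendor/amount pair paid twice
PAYMENTS = [
    {"vendor": "V-17", "amount": 1820.40},
    {"vendor": "V-23", "amount": 99.99},
    {"vendor": "V-17", "amount": 1820.40},
    {"vendor": "V-05", "amount": 4500.00},
]

if __name__ == "__main__":
    for name, data in (("genuine ledger", GENUINE_LEDGER), ("claims", FABRICATED_CLAIMS)):
        r = benford_report(data)
        print(f"{name}: n={r['n']} MAD={r['mad']} {r['conformity']}, "
              f"most over-represented digit {r['worst_digit']}")
    print("possible double payments:", duplicate_payments(PAYMENTS))
```

A Benford deviation is a lead, not a finding: small populations, amounts capped by policy or prices set by a catalogue all deviate legitimately, so the over-represented digit points the auditor at the transactions to sample rather than concluding anything on its own.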

---

DATA MIGRATION CONTROLS

  ✓ Field mapping (source → target)
  ✓ Parallel processing (both systems running)
  ✓ Reconcile before/after totals
  ✓ Retain pre-migration backups
  ✓ Full control total reconciliation
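Worked example of the field-mapping and before/after control-total reconciliation items in the checklist above, applied to a constructed customer-balance migration. It is an added illustration and not part of the cheat sheet: the legacy and target column names, the mapping between them, and the three records are assumptions for the example. The reconciliation compares a record count, a financial total (sum of balances) and a hash total (sum of the customer numbers, a non-financial field summed purely to detect lost or altered rows) between source and target, and refuses sign-off if any of them differ.

```python
# Added example (not from the cheat sheet): field mapping plus before/after
# control-total reconciliation for a constructed migration. Layouts, mapping and
# records are assumptions for illustration.
from decimal import Decimal

# Field mapping: legacy column name -> target column name (assumed)
FIELD_MAP = {
    "CUST_NO": "customer_id",
    "CUST_NM": "name",
    "BAL_AMT": "balance",
    "REGION_CD": "region",
}


def migrate(source_rows: list[dict], field_map: dict = FIELD_MAP) -> list[dict]:
    """Apply the field mapping to every source row. A source column with no
    mapping is an exception: silently dropping data is what the controls exist
    to catch, so the run stops instead of continuing without it."""
    target = []
    for row in source_rows:
        unmapped = set(row) - set(field_map)
        if unmapped:
            raise KeyError(f"unmapped source fields: {sorted(unmapped)}")
        target.append({field_map[k]: v for k, v in row.items()})
    return target


def control_totals(rows: list[dict], key_field: str, amount_field: str,
                   hash_field: str) -> dict:
    """Record count, financial total (Decimal, so cents reconcile exactly),
    hash total of a non-financial numeric field, and distinct-key count."""
    return {
        "record_count": len(rows),
        "amount_total": sum((Decimal(str(r[amount_field])) for r in rows), Decimal("0")),
        "hash_total": sum(int(r[hash_field]) for r in rows),
        "distinct_keys": len({r[key_field] for r in rows}),
    }


def reconcile(source_rows: list[dict], target_rows: list[dict]) -> dict:
    """Compare pre-migration (source) totals with post-migration (target) totals.
    Every total carries a match flag; 'balanced' is True only if all match."""
    before = control_totals(source_rows, "CUST_NO", "BAL_AMT", "CUST_NO")
    after = control_totals(target_rows, "customer_id", "balance", "customer_id")
    checks = {k: {"before": before[k], "after": after[k], "match": before[k] == after[k]}
              for k in before}
    balanced = all(c["match"] for c in checks.values())
    checks["balanced"] = balanced
    return checks


# Constructed legacy extract (balances kept as strings, as a flat-file export would)
SOURCE = [
    {"CUST_NO": "1001", "CUST_NM": "Acme Ltd", "BAL_AMT": "1250.00", "REGION_CD": "N"},
    {"CUST_NO": "1002", "CUST_NM": "Birch & Co", "BAL_AMT": "-80.50", "REGION_CD": "S"},
    {"CUST_NO": "1003", "CUST_NM": "Cedar plc", "BAL_AMT": "3300.25", "REGION_CD": "N"},
]

if __name__ == "__main__":
    good = reconcile(SOURCE, migrate(SOURCE))
    print("clean load balanced:", good["balanced"])
    # Simulate a load that lost the last row: count, amount and hash totals all break
    bad = reconcile(SOURCE, migrate(SOURCE)[:-1])
    for name, check in bad.items():
        if name != "balanced":
            print(f"{name}: before={check['before']} after={check['after']} match={check['match']}")
    print("partial load balanced:", bad["balanced"])
```

The hash total is the control a plain record count misses: if a load keeps the row count but corrupts a key, the count and even the financial total can still agree while the hash total does not.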

---

EXAM FOCUS:

Aligned to the AICPA CPA Exam Blueprints.
