by Bryan Kesler, CPA

ABOUT THE AUTHOR:
Bryan Kesler, CPA is a CPA Practice Advisor Top 20 Under 40, Licensed Certified Public Accountant, and founder of Kesler CPA Review, Community and Mentorship Platform.
ISC is the most specialized of the three CPA discipline sections, and it's the least chosen by candidates. But it might be the most valuable long-term career investment you can make.
If your career path involves IT audit, cybersecurity advisory, SOC reporting, data governance, or technology consulting, ISC is the clear discipline choice. Firms are actively hiring CPAs with ISC expertise, and the demand is growing faster than supply.
The most common fear I hear from candidates: "I'm not a tech person. Can I still pass ISC?" The answer is yes. ISC does NOT require coding, programming, or deep technical engineering knowledge. It tests your ability to understand how information systems work, how controls protect data, and how auditors evaluate those systems. You're not building firewalls. You're assessing whether firewall controls are adequate.
Having mentored thousands of CPA candidates, I've seen many people shy away from ISC because the terminology feels foreign. That's a mistake. The content is conceptual, the candidate pool is small (which means less competition for ISC-qualified roles), and firms are paying premiums for CPAs who understand technology risk. This guide covers everything you need to study for, prepare for, and pass ISC.
What Is the ISC Discipline?
ISC stands for Information Systems and Controls. It's one of three discipline sections introduced under CPA Evolution in January 2024. Every candidate must pass three core sections (FAR, AUD, REG) and then choose and pass one discipline: BAR, ISC, or TCP.
Think of ISC as the intersection of auditing and technology. You're not building systems. You're evaluating whether those systems are controlled, secure, and reliable. The accounting profession increasingly needs CPAs who can bridge the gap between financial reporting and technology, and ISC was designed to fill that gap.
The demand is real. SOC 1 and SOC 2 engagements, IT audits, and cybersecurity assessments have exploded over the past five years. Accounting firms can't hire enough people qualified to do this work. If you hold a CPA with ISC on your credential, you're positioned for career paths that most accountants can't access.
Career paths ISC supports include IT audit (internal and external), SOC reporting (SOC 1, SOC 2, SOC 3), cybersecurity advisory and risk assessment, technology consulting at accounting firms, data governance and privacy compliance, and ERP system implementation and audit.
What Does ISC Test? 60% MCQ / 40% TBS
ISC Has Unique Scoring: ISC is the only CPA exam section where MCQs are weighted at 60% and TBS at 40%. Every other section (Core and Discipline) uses a 50/50 split. Your multiple-choice performance carries more weight on ISC than on any other section. Keep this in mind when allocating study time.
The ISC section is built on the AICPA Exam Blueprints and covers three content areas. Here's what you'll face on exam day.
Information Systems (35-45%)
This is the foundational area. If you understand how systems work and how controls protect them, the security and SOC topics downstream make much more sense.
- IT general controls: access controls, change management, program development, computer operations
- Systems development life cycle (SDLC) phases and controls at each phase
- Database management and data governance concepts (data warehouses, data lakes, data quality)
- IT infrastructure: networks, cloud computing models (IaaS, PaaS, SaaS), virtualization
- Business process controls and application controls (input, processing, output controls)
- IT audit methodology and frameworks: COBIT and COSO as applied to IT environments
- Data management across the data life cycle
- Change management and system availability
Security, Confidentiality, and Privacy (35-45%)
This area builds directly on the IT systems knowledge from Area I. You're no longer asking "how does this system work?" but rather "how do we keep it safe?"
- Cybersecurity concepts and frameworks (NIST Cybersecurity Framework, SOC for Cybersecurity)
- Encryption and cryptography: symmetric vs. asymmetric encryption, hashing, digital signatures
- Access control models: role-based (RBAC), discretionary (DAC), mandatory (MAC)
- Network security: firewalls, intrusion detection/prevention systems, VPNs
- Data privacy regulations and concepts: PII, PHI, GDPR concepts, state privacy laws
- Incident response and disaster recovery planning
- Vulnerability management and penetration testing concepts
- Social engineering and human-layer threats (phishing, pretexting)
- Confidentiality controls
SOC Engagements (15-25%)
This is the most "audit-like" area and connects directly back to your AUD knowledge. SOC engagements follow audit logic: assertions, evidence, reporting.
- SOC 1: controls relevant to user entities' financial reporting (formerly SAS 70)
- SOC 2: Trust Services Criteria covering security, availability, processing integrity, confidentiality, and privacy
- SOC 3: general use report based on Trust Services Criteria
- SOC for Cybersecurity: entity-level cybersecurity risk management
- Differences between Type I reports (design of controls at a point in time) and Type II reports (design and operating effectiveness over a period)
- Description criteria for service organizations
- Management assertions, auditor responsibilities, and report structure
- Testing controls and evaluating findings in SOC engagements
Source: AICPA CPA Exam Blueprints (2026), UWorld ISC Guide.
What ISC is NOT: This is not a certification in cybersecurity or programming. The exam tests your ability to understand, evaluate, and communicate about these topics at a CPA's professional level. You're not configuring firewalls or writing encryption algorithms. You're assessing whether those controls are adequate for protecting an organization's data and financial systems.
ISC vs BAR vs TCP: Which Discipline Should You Choose?
This is one of the most common questions I get from mentorship candidates. The discipline choice shapes your CPA credential, and while you can change it later by retaking the discipline exam, you can't "add" a second discipline. Choose based on your 5-year career trajectory, not just what seems easiest to pass.
BAR (Business Analysis & Reporting)
- Extends FAR knowledge
- Financial analysis, data analytics, advanced accounting
- Best for: general audit, financial reporting, advisory
- Most popular discipline choice
ISC (Information Systems & Controls)
- Extends AUD knowledge
- IT audit, cybersecurity, SOC, data governance
- Best for: IT audit, SOC reporting, tech advisory
- Smallest candidate pool = less competition
TCP (Tax Compliance & Planning)
- Extends REG knowledge
- Advanced tax planning, estate tax, entity selection
- Best for: tax practice, financial advising, wealth management
- Highest discipline pass rate
Choose ISC if your career path involves ANY of the following: IT audit, SOC reporting, cybersecurity advisory, data governance, technology consulting, ERP implementation, internal audit with an IT focus, or any Big 4/mid-tier technology advisory or risk assurance practice.
Employer guidance matters. Some firms, particularly Big 4 technology advisory and risk assurance practices, specifically want ISC. Ask your employer or target employer before choosing. If you're interviewing at a firm's technology risk practice, showing up with ISC on your credential signals that you're serious about that career path.
The career market reality is compelling. ISC has the smallest candidate pool of the three disciplines, which means less competition for roles that require it. As SOC reporting and IT audit demand grows (and it is growing rapidly), ISC-holding CPAs become more valuable. If you're thinking long-term, ISC positions you in a space where demand is outpacing supply.
ISC Pass Rate and Difficulty
ISC launched in January 2024, so historical data is still building. Early reported pass rates have been in the 51-56% range based on aggregated data from major CPA review providers (UWorld, Surgent, and Gleim, drawing from 2025 AICPA quarterly releases). The AICPA continues to publish discipline-specific data as the candidate pool grows. Check the latest pass rates here.
Why ISC can be challenging: most accounting graduates have minimal IT coursework. The terminology alone (SDLC, COBIT, symmetric encryption, Trust Services Criteria) can feel overwhelming at first. Candidates from traditional audit or tax backgrounds are stepping into unfamiliar vocabulary and concepts, and that initial discomfort leads some to switch disciplines before giving ISC a fair shot.
Why ISC is manageable: the content is conceptual, not technical. You don't need to configure systems, write code, or do complex calculations. If you can understand what a control does and why it matters, you can pass ISC. The questions test your ability to evaluate and communicate, not to engineer.
The biggest difficulty variable is your IT background. Candidates who've worked in IT audit, internal audit with IT exposure, or technology advisory will find ISC significantly easier than candidates with zero IT experience. A candidate doing SOC 2 audits daily might need 50 study hours. A candidate from a tax background with no IT exposure might need 120. Be honest about where you are, and plan accordingly.
How Long to Study for ISC
General guidance: most candidates need 300-400 total hours across all four CPA exam sections. ISC typically gets a moderate allocation within that, but the range depends heavily on your starting point.
With IT background: 50-80 hours for first-time candidates, 30-50 hours for retakers who scored 60+. That's roughly 4-6 weeks at 10-15 hours per week.
Without IT background: 80-120 hours for first-time candidates, 60-80 hours for retakers. That's roughly 6-10 weeks at 12-18 hours per week. If you're working full-time, add 2 weeks to either estimate.
This is the biggest differentiator in study time across any CPA exam section. No other section has such a wide range based on prior experience. If you've never heard of SDLC, COBIT, or symmetric encryption, you're starting from further back than someone who encounters these concepts at work every day. Budget honestly.
Testing Window Reminder: Discipline sections (BAR, ISC, TCP) are only available during the first month of each quarter: January, April, July, and October. Plan your study schedule backward from the next available window. If you finish studying in February, you're waiting until April. Missing a window means a 3-month delay, which can put credit expiration at risk.
Best Study Order Within ISC
The order you tackle ISC's three content areas matters, especially if you're coming in without an IT background. Here's the study sequence I recommend and use with my mentorship candidates:
If you have NO IT background, start with a 1-2 week "IT foundations" phase. Read about IT general controls, SDLC phases, basic database concepts, and network architecture at a high level. You don't need to become an IT expert. You need enough vocabulary to understand the exam questions when you encounter them. Free resources from ISACA, the AICPA, and introductory IT audit textbooks can fill this gap.
Information Systems first (35-45%). IT general controls, SDLC, application controls, and IT infrastructure. This is the foundation everything else builds on. If you understand how systems work and how controls protect them, the security and SOC topics make much more sense.
Security, Confidentiality, and Privacy second (35-45%). Encryption, access controls, network security, privacy regulations, incident response. This builds directly on the IT systems knowledge from Area I. The progression is logical: first you learn the system, then you learn how to protect it.
SOC Engagements last (15-25%). SOC 1 vs SOC 2 vs SOC 3, Type I vs Type II reports, Trust Services Criteria, management assertions, and auditor responsibilities. This is the most "audit-like" area and connects back to your AUD knowledge. If you passed AUD, you already understand the audit logic; you just need to learn how it applies to service organizations.
Sims practice throughout. Start practicing ISC simulations by week 3-4. ISC sims may involve reading a system description and identifying control deficiencies, evaluating a SOC report, or assessing a cybersecurity risk scenario. Do at least 25-30 TBS before exam day. Don't save simulation practice for the last week.
Terminology flashcards daily. ISC has more specialized vocabulary than any other CPA exam section. Create flashcard decks for encryption types, access control models, SDLC phases, COBIT principles, SOC report types, and the five Trust Services Criteria. Review them daily. The vocabulary needs to be automatic before you sit.
Study Strategy for ISC
MCQ volume: aim for 1,000+ MCQs before sitting. ISC has narrower content than FAR or REG, but the terminology is unfamiliar to most candidates. You need enough reps to make the vocabulary automatic. When you see "asymmetric encryption" in a question, your brain should immediately associate it with public/private key pairs without having to think about it.
Build mental frameworks, not flashcard dumps. Instead of memorizing individual facts, develop a framework you can apply to every question. For any IT control question, ask yourself: "What's the risk? What control addresses it? What would the auditor test?" This three-part framework applies to every IT general control area and prevents you from getting lost in details.
Create a SOC report comparison table. Build a one-page reference comparing SOC 1, SOC 2, and SOC 3 on five dimensions: purpose, intended audience, criteria used, Type I vs Type II distinctions, and who performs the engagement. This single reference tool can answer 5-10 questions on exam day. Memorize it.
Master the Trust Services Criteria. There are five: security, availability, processing integrity, confidentiality, and privacy. Understand what each one means and how controls map to each criterion. Security is the foundation that the other four build on. If a question asks about controls related to "system availability," you should immediately know that's about uptime, disaster recovery, and business continuity, not about data encryption (which maps to confidentiality).
Connect ISC to your AUD knowledge. SOC engagements are essentially audit engagements with a technology focus. Your AUD knowledge of auditor responsibilities, management assertions, evidence gathering, and reporting directly applies. Don't treat ISC as completely separate from AUD. When you study SOC reporting, think of it through the lens of the audit process you already know: planning, risk assessment, evidence, conclusions, and reporting.
Practice under exam conditions. ISC sims can be reading-intensive, with long system descriptions and detailed SOC reports. Practice reading technical documents quickly and extracting the relevant control information. If you've only done MCQs, the sims will feel overwhelming on exam day because of the sheer volume of text.
For more study tips, check out my 21 CPA Exam Study Tips.
Best CPA Review Courses for ISC
One caveat up front: ISC content quality varies more across courses than any other section because it's the newest and most specialized material. Evaluate the ISC-specific modules of any course before committing. What works great for FAR or REG might have thin ISC coverage.
Kesler CPA Review 8,000+ MCQs | $97/mo
Mentorship is especially valuable for ISC candidates because the discipline choice itself needs guidance. Mentors can help candidates with no IT background build a realistic study plan and identify when they're actually ready to sit. The gamification system (XP, achievements, streak multipliers) keeps motivation high during ISC's terminology-heavy study grind, which can feel dry without engagement tools. 8,000+ unique MCQs across all six sections including ISC-specific content, 150+ TBS, and 3,910+ intelligent flashcards. Works great as a primary course or as a supplement to any other course.
Becker CPA Review 9,000+ MCQs
Becker's ISC modules benefit from their structured, methodical approach. SkillBuilder videos help with the SOC engagement sim format, and Newt AI can assist with IT terminology questions in real time. The question bank covers IT general controls and cybersecurity concepts thoroughly. Lectures run longer (40-60 min), which is actually useful for ISC because the topics are dense enough to warrant deeper explanation.
UWorld Roger CPA Review 9,000+ MCQs
The lecture-based approach helps explain unfamiliar IT concepts to candidates without IT backgrounds. Shorter lectures (15-30 min) prevent information overload on topics like encryption or SDLC that can feel overwhelming in long sessions. If you learn better from hearing someone explain a concept than from reading a textbook, UWorld Roger is a strong fit for ISC.
Gleim CPA Review 10,000+ MCQs
The largest question bank on the market gives maximum exposure to ISC-specific scenarios. If you want to see every possible question variation on SOC reports, IT controls, and cybersecurity frameworks, Gleim's volume is unmatched. Premium Pro includes Prep Pal AI for instant answers to IT audit rule questions.
Surgent CPA Review Adaptive Tech
Surgent's adaptive A.S.A.P. Technology is particularly valuable for ISC because it can identify whether your weakness is on the IT systems side or the security/SOC side and adjust your study path accordingly. ReadySCORE helps calibrate readiness for a section where limited historical pass rate data makes it harder to know when you're ready.
Supplemental resources worth considering: ISACA's free IT audit resources, the AICPA's SOC reporting guides, and NIST's cybersecurity framework documentation can all supplement your primary course's ISC content. These are free and authoritative.
Visit the Best CPA Review Courses Comparison page for a full side-by-side breakdown across all courses.
Testing Windows for ISC
Discipline sections (BAR, ISC, TCP) are only available during the first month of each quarter: January, April, July, and October. This is different from core sections (FAR, AUD, REG), which use continuous testing and can be taken year-round.
Plan your study schedule backward from the next available window. If you finish studying in February, you wait until April. That's two months of knowledge decay before you sit. Either accelerate your study to hit January, or pace it to peak in early April.
ISC-specific timing advice: if you're taking ISC last (after FAR, AUD, REG), you've already built study discipline and test-taking skills from three prior exams. Use that momentum. But if you have no IT background, start your ISC prep at least 1-2 weeks before you finish your third core section so you're not starting from zero when the discipline window opens.
Missing a quarterly window means waiting 3 months for the next one. For ISC candidates with the 30-month rolling clock ticking, this delay can be dangerous. Plan ahead.
Common Mistakes on ISC
Choosing ISC for the wrong reasons. Don't pick ISC because you "like computers." Pick it because your career path involves IT audit, SOC, or technology advisory. If you're going into general audit or financial reporting, BAR is probably the better choice.
Underestimating the terminology gap. If you've never heard of SDLC, COBIT, symmetric encryption, or Trust Services Criteria, you're starting from further back than you think. Budget extra study time and start with the IT foundations phase described above.
Studying ISC like a memorization exercise. ISC rewards understanding over memorization. Knowing "what AES-256 is" matters less than understanding "why encryption is a control for confidentiality." The exam tests whether you can evaluate controls in context, not whether you can recite definitions.
Skipping SOC engagement material. Some candidates assume SOC content is "just audit stuff" they already know from AUD. Wrong. SOC reports have specific rules, report structures, and distinctions (Type I vs Type II, SOC 1 vs SOC 2) that you need to know cold. The Trust Services Criteria alone warrant dedicated study time.
Not connecting ISC back to AUD knowledge. SOC engagements follow audit logic: assertions, evidence, and reporting. Candidates who treat ISC as completely separate from AUD miss easy connections that could save them study time and boost their scores.
Not practicing sims with long reading passages. ISC sims often present a detailed system description or SOC report and ask you to evaluate it. If you've only done MCQs, the simulation format will feel overwhelming because of the reading volume. Practice document review sims specifically.
Ignoring the privacy component. Data privacy regulations (PII concepts, GDPR principles, HIPAA, state privacy laws) are increasingly tested, and candidates from traditional audit backgrounds often overlook them entirely. Don't leave these points on the table.
Frequently Asked Questions About the ISC CPA Exam
ISC is the most specialized, but "hardest" depends on your background. Candidates with IT audit or SOC experience often find ISC easier than BAR. Candidates with zero IT exposure face a steeper learning curve due to unfamiliar terminology. The content itself is conceptual, not calculation-heavy, which makes it learnable regardless of your starting point.
No. ISC does not require coding, programming, or deep technical skills. It tests your ability to understand how information systems work and how controls protect them. Candidates without IT experience should budget 80-120 study hours and start with a 1-2 week IT foundations phase (covering SDLC, IT general controls, and basic network concepts) before diving into exam-specific material. Many candidates with zero IT background pass ISC on their first attempt.
BAR builds on FAR knowledge, so the content feels familiar to most candidates. ISC introduces more new terminology and concepts, especially around cybersecurity, encryption, and SOC engagements. If you have an IT or audit background, ISC may actually feel easier because the content is narrower and more focused. If you have no IT exposure, ISC has a steeper initial learning curve but the total content volume is smaller than BAR.
ISC positions you for IT audit (internal and external), SOC reporting (SOC 1, SOC 2, SOC 3), cybersecurity advisory and risk assessment, technology consulting at accounting firms, data governance and privacy compliance, and ERP system implementation and audit. Big 4 and mid-tier technology advisory and risk assurance practices specifically seek ISC-qualified CPAs. The demand for these roles is growing faster than the candidate pool.
ISC launched in January 2024. Early reported pass rates have been in the 51-56% range based on aggregated data from major CPA review providers, drawing from 2025 AICPA quarterly releases. For comparison, FAR and BAR have been around 42%, while TCP has been around 78-82%. Check the latest CPA exam pass rates for the most current data.
Your Next Step
If ISC is your discipline, the path forward is straightforward. Finish your core sections (FAR, AUD, REG) with continuous testing, then schedule ISC for the next available quarterly window. If you have no IT background, start your ISC foundations phase 1-2 weeks before finishing your last core section so you hit the ground running.
Need help choosing a CPA review course? Visit the Best CPA Review Courses Comparison page, or compare courses side-by-side to find the right fit for your study style and budget.
Want a personalized study plan? Start your free Kesler CPA trial and get access to ISC-specific content, mentorship, and study tools built around how your brain actually learns.
Questions? Email me at bryan@cpaexamguide.com.
Link Disclaimer: Please note that some of the links are affiliate links or links to my Kesler CPA study supplement, and at no additional cost to you, assume I will earn a referral fee if you decide to invest in a course listed below. Please only use my links if you feel that I have helped you in your review course decision.
ABOUT THE AUTHOR:
Bryan Kesler, CPA is the founder of Kesler CPA Review & Ultimate CPA Exam Guide which earned him a spot on CPA Practice Advisor's Top 20 Under 40.
He has helped thousands of CPA candidates pass the CPA exam since 2013. You can contact him via email at bryan@cpaexamguide.com.

