Information Systems and Controls (ISC) is one of the three Discipline sections in the CPA Evolution model, taken alongside the three Core sections (AUD, FAR, REG) by candidates who choose the technology and assurance path to the US Certified Public Accountant license. The 2026 ISC blueprint is built around three weighted areas: Information Systems and Data Management (35 to 45%), Security, Confidentiality and Privacy (35 to 45%), and Considerations for System and Organization Controls (SOC) Engagements (15 to 25%). The section is anchored in IT audit and advisory work, especially SOC 1 and SOC 2 engagements and the AICPA Trust Services Criteria, and it leans heavily on recall and understanding, with roughly 55 to 65% of the section sitting at the Remembering and Understanding skill level. The single most important habit it tests is staying inside the blueprint's named References: the exam draws only on specific sections of specific standards (the Trust Services Criteria, NIST CSF, NIST SP 800-53, NIST Privacy Framework, CIS Controls v8.1, COBIT 2019, COSO guides, HIPAA, GDPR Articles 4 to 34, and the PCI DSS Quick Reference Guide), so answer from what those sources actually say rather than general IT practice.
What This Cheat Sheet Covers
This topic spans 27 focused tables and 280 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: IT Architecture Components
ISC Area I-A.1 (IT infrastructure): explain the purpose and recognize examples of the key components of IT architecture, and frame each by its general IT control (GITC) and audit relevance. Each component is part of the IT environment an auditor maps when scoping access, change, and operations controls.
| Component | Example | Description |
|---|---|---|
Windows Server, Linux, macOS mediating between an app and the disk/CPU | The master control software that manages hardware and provides the platform applications run on; the kernel stays in memory. β’ Key access-control and patch surface for GITCs β’ Not an application: apps call the OS for file and user-interface operations | |
A computer that stores files, processes queries, or manages network traffic for many clients | A computer or device on a network that manages shared resources for client devices. Distinct roles (web, application, database, file, print) sit in different tiers, each with its own access and patch controls | |
A SQL engine that processes database queries and returns rows | A server that stores and processes the organization's data and answers queries. β’ Not the same tier as an application server β’ Holds the financially relevant data, so a top target for access and change controls | |
The tier that runs business logic and calls the database server for data | A server that runs application or business logic between the user and the data tier. Distinct from the database server it queries; mis-tiering the two creates gaps in access and patch controls | |
Apache or IIS serving web pages over HTTP/HTTPS | A computer that provides WWW services, including the hardware, OS, web server software, and site content. An internal-only web server is an intranet server | |
Workstations, laptops, and mobile/BYOD phones used by staff | The client hardware people use to access systems. β’ In scope of the IT environment an auditor maps (CIS Control 1 asset inventory) β’ An unmanaged device is an unmonitored entry point |