The Ultimate CPA Guide to IT Systems & Data (AUD & ISC Exam)
AUD & ISC exam review
IT topics appear across both AUD and ISC, and they are one of the easiest areas to lose unnecessary points if the material feels scattered. The concepts are very manageable once they are organized correctly.
This guide consolidates the major IT themes you need: IT governance, IT participants, systems, change management, relational databases, ETL, SQL, general IT controls, SOC reports, and risk frameworks — all in one place.
Who this guide is for:
- AUD students who need to connect IT systems to risk assessment and control testing
- ISC students who need a broad IT and data-management review page
- Students struggling with SOC reports, ERP, ETL, SQL, or IT controls
- Anyone who wants a single IT pillar page instead of many disconnected notes
Jump to:
- IT Governance
- IT Participants
- Types of IT Systems
- IT Change Management
- Relational Database
- Real-Time vs. Batch
- SDLC
- Legacy Systems
- Manual vs. Automated Controls
- Data Analytics
- ETL
- General IT Controls
- SQL
- How AUD Tests IT
- SOC Reports
- Inherent Limitations
- How ISC Tests IT
- ERM
- Quick Reference Glossary
- FAQ
Want a full study roadmap for AUD and ISC?
I built a free course covering the exact strategies that helped me score 90+ on all four CPA exams.
IT Governance AUD / ISC High-Yield
The IT Governance Institute identifies five core components. This section tends to be easier once you realize it behaves a lot like other framework topics on the CPA exam.
| # | Component |
|---|---|
| 1 | Strategic Alignment |
| 2 | Value Delivery |
| 3 | Risk Management |
| 4 | Resource Management |
| 5 | Performance Management |
1. Strategic Alignment
IT should support the overall strategy of the company, not just function as a back-office utility. If the business strategy and the IT strategy do not match, the IT environment is misaligned.
This can also include high-level design choices such as physical vs. virtual networks and centralized vs. decentralized networks.
2. Value Delivery
Management should view IT as a value-generating investment, not just a cost center. Strong IT can automate processes, reduce labor costs, improve service, and strengthen decision-making.
3. Risk Management
IT governance includes identifying and managing IT risks, balancing mitigation cost against the severity and likelihood of the risk. Risk identification must be ongoing rather than one-time.
- Natural disasters
- User error
- Fraud and intentional misuse
- Unauthorized access
- System unavailability
- System inefficiency and compliance failures
4. Resource Management
This focuses on using IT resources efficiently — software, hardware, personnel, and related support.
5. Performance Management
Once an IT system is implemented, the company must monitor whether it is actually delivering the expected value and whether resources should be adjusted.
IT Participants: Roles in an IT Setting AUD / ISC
The key participants in IT governance look very similar to the participants you see in internal control and ERM topics.
Board of Directors
The board oversees IT governance at a high level and ensures alignment with the company’s overall strategy.
Executive Management (CEO, CFO)
Management is responsible for implementation and day-to-day tone at the top. Their attitude affects how seriously employees take IT structure and controls.
Steering Committee
The steering committee is the senior group that directs, reviews, and approves strategic IT plans, major initiatives, and IT resource allocation.
Study Tip: The steering committee directs the company in the right direction for its IT needs.
Types of IT Systems AUD / ISC High-Yield
Rather than trying to memorize every single system type in isolation, it helps to group them into two broad categories.
| Category | Purpose |
|---|---|
| Decision-Making Systems | Provide information that helps management or executives make decisions |
| Transaction-Processing Systems | Help the entity complete business processes efficiently |
Study Tip: Decision-making systems inform decisions. Transaction-processing systems help execute processes.
Decision-Making Systems
| System | Purpose |
|---|---|
| Management Information System | Supports the strategic process |
| Decision Support System | Supports day-to-day decisions |
| Executive Information System | Specifically for senior executives |
| What-If Analysis | Forecasts scenarios |
| Artificial Intelligence | Automates or supports decision-making |
| Performance Management Systems | Support executive decision-making |
Transaction-Processing Systems
Accounting Information System (AIS)
An AIS handles accounting processes such as invoices, cash receipts, reconciliations, and financial reporting. It also creates audit trails and can contain edit checks and other controls.
Customer Relationship Management (CRM)
A CRM helps manage relationships with customers and prospects. Salesforce is the classic example.
Enterprise Resource Planning (ERP)
An ERP integrates departments into one shared platform so that accounting, inventory, sales, warehouse, and other functions communicate in real time.
Study Tip: The goal of an ERP is to centralize and integrate departments to provide better information.
Supply Chain Management System
This manages the process from sourcing raw materials through production and delivery.
IT Change Management AUD / ISC
IT change management is the process for implementing new or modified IT systems in a controlled way. Change introduces risk, so companies need policies, assigned responsibilities, segregation of duties, and fallback plans.
Plan-Do-Check-Act
- Plan: Decide what should be implemented and how
- Do: Implement the change
- Check: Verify that it works properly
- Act: Make necessary adjustments
A parallel transition is safer than a direct changeover because both systems can run together while the new one is validated.
Business Process Re-Engineering vs. Business Process Management
- Business Process Re-Engineering: major, radical change
- Business Process Management: smaller, gradual change
Cloud Computing
Cloud computing is on-demand access to IT resources over the internet. Instead of maintaining physical servers on-site, a company rents storage or computing resources from a provider.
Relational Database ISC
| Term | Definition |
|---|---|
| Table | The full dataset |
| Data Types | The kind of data stored, such as names or numbers |
| Records / Rows | Horizontal entries |
| Columns | Vertical entries |
| Fields | Individual cells |
Real-Time vs. Batch Processing AUD / ISC
| Method | How It Works | Example |
|---|---|---|
| Real-Time Processing | Transactions are processed immediately as entered | Immediate transaction posting |
| Batch Processing | Transactions are accumulated and processed together | End-of-day EFT file reviewed before submission |
Systems Development Life Cycle (SDLC) AUD / ISC
| Step | Stage | Description |
|---|---|---|
| 1 | Plan | Identify needs |
| 2 | Analyze | Gather and analyze requirements |
| 3 | Design | Visualize the system |
| 4 | Develop | Build or code the system |
| 5 | Test | Test before live use |
| 6 | Deploy | Go live or transition |
| 7 | Maintain | Monitor and update over time |
Legacy Systems AUD / ISC
| Advantages | Risks |
|---|---|
Manual Controls vs. Automated Controls AUD / ISC
Manual controls rely on people. Automated controls are system-driven. Manual controls carry more direct human-error risk, while automated controls usually improve speed and consistency. Both still exist within the COSO framework.
Data Analytics ISC High-Yield
| Type | Time Focus | What It Does | Example |
|---|---|---|---|
| Descriptive | Past | Describes what happened | “We lost 20% of sales last year” |
| Diagnostic | Past | Explains why it happened | “A competitor entered the market” |
| Predictive | Future | Estimates future outcomes | “We will gain 10% market share” |
| Prescriptive | Future | Suggests how to achieve an outcome | “Increase marketing spend to capture market share” |
Study Tip: Descriptive and diagnostic look backward. Predictive and prescriptive look forward.
Extract, Transform, and Load (ETL) ISC High-Yield
Step 1: Extract
Pull raw data from the source system.
Step 2: Transform
Clean and structure the data so it is ready for analysis.
Study Tip: Unstructured data is not ready for analysis. Structured data is cleaned and usable.
Step 3: Load
Store the data in the appropriate destination for analysis.
| Storage Type | Data Type | Scope |
|---|---|---|
| Data Warehouse | Structured only | Company-wide |
| Data Mart | Structured only | Department-specific |
| Data Lake | Structured and unstructured | Broader/raw storage |
Study Tip: Warehouse and mart = structured only. Data lake = structured and unstructured.
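The three ETL steps above, carried through in code. This is an added example, not part of the original guide: the raw export lines, the column layout, and the table names `fact_invoice` (warehouse-style, structured only) and `raw_landing` (lake-style, raw lines kept as-is) are all constructed for illustration. It goes one step past the text by keeping a reject list and reconciling extracted rows against loaded plus rejected rows, which is the completeness check a reviewer would ask for.

```python
import sqlite3
from datetime import datetime

# Constructed sample: raw export lines from a hypothetical source system.
# Layout is "invoice_id|customer|amount|date", but the source is messy:
# mixed date formats, a currency symbol, stray whitespace, and bad records.
RAW_EXPORT = [
    "INV-1001|Acme Corp |$1,200.50|2024-03-01",
    "INV-1002| acme corp|300|03/02/2024",
    "INV-1003|Globex|  45.00 |2024-03-02",
    "INV-1004|Globex|not-a-number|2024-03-03",   # bad amount -> rejected
    "INV-1005|Initech|99.99",                     # missing date -> rejected
]


def extract(lines):
    """Step 1 (Extract): pull raw records out of the source, unchanged."""
    return [line for line in lines if line.strip()]


def parse_amount(text):
    # Strip currency formatting so the value becomes a real number.
    return float(text.strip().replace("$", "").replace(",", ""))


def parse_date(text):
    # Accept the two date layouts seen in the export; normalise to ISO 8601.
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(text.strip(), fmt).date().isoformat()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {text!r}")


def transform(raw_records):
    """Step 2 (Transform): clean and structure. Returns (good_rows, rejects).

    Records that cannot be made structured are not silently dropped; they are
    kept in a reject list with the reason, so the load can be reconciled."""
    good, rejects = [], []
    for line in raw_records:
        parts = line.split("|")
        if len(parts) != 4:
            rejects.append((line, "wrong field count"))
            continue
        inv, cust, amt, dt = parts
        try:
            good.append({
                "invoice_id": inv.strip().upper(),
                "customer": " ".join(cust.split()).title(),  # 'acme corp' -> 'Acme Corp'
                "amount": parse_amount(amt),
                "invoice_date": parse_date(dt),
            })
        except ValueError as exc:
            rejects.append((line, str(exc)))
    return good, rejects


def load(conn, good_rows, raw_records):
    """Step 3 (Load): structured rows go to a warehouse-style table (typed,
    constrained columns); every raw line also lands unchanged in a lake-style
    table so nothing from the source is lost."""
    conn.execute("""CREATE TABLE IF NOT EXISTS fact_invoice (
        invoice_id   TEXT PRIMARY KEY,
        customer     TEXT NOT NULL,
        amount       REAL NOT NULL CHECK (amount >= 0),
        invoice_date TEXT NOT NULL)""")
    conn.execute("CREATE TABLE IF NOT EXISTS raw_landing (line TEXT)")
    conn.executemany(
        "INSERT INTO fact_invoice VALUES (:invoice_id, :customer, :amount, :invoice_date)",
        good_rows)
    conn.executemany("INSERT INTO raw_landing VALUES (?)", [(l,) for l in raw_records])
    conn.commit()


def run_etl(lines=RAW_EXPORT):
    """Run extract -> transform -> load in memory and return a reconciliation summary."""
    conn = sqlite3.connect(":memory:")
    raw = extract(lines)
    good, rejects = transform(raw)
    load(conn, good, raw)
    loaded = conn.execute("SELECT COUNT(*) FROM fact_invoice").fetchone()[0]
    landed = conn.execute("SELECT COUNT(*) FROM raw_landing").fetchone()[0]
    # Completeness check: every extracted line is either loaded or explained by a reject.
    assert loaded + len(rejects) == landed
    return {"extracted": landed, "loaded": loaded,
            "rejected": len(rejects), "rejects": rejects}


if __name__ == "__main__":
    print(run_etl())
```

The warehouse table only accepts data that survived the transform step, which is the sense in which a warehouse is "structured only"; the landing table accepts anything, which is the sense in which a lake holds unstructured data. The reconciliation at the end is what turns "we loaded 3 rows" into "we loaded 3 of 5 and can name the 2 we did not".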
General IT Controls AUD / ISC High-Yield
Logical Controls
Logical controls regulate system access — who can log in and what they can do once inside. Think logical = logging in.
| Control | Description |
|---|---|
| Firewall | Controls incoming and outgoing network activity |
| Encryption | Makes data unreadable to unauthorized parties |
| VPN | Encrypted remote access tunnel |
| Multi-Factor Authentication | Requires more than one credential factor |
| Digital Signature | Verifies authenticity and document integrity |
| E-Signature | Electronic signing of a document |
| Passwords | Basic access control; stronger and longer is better |
Physical Controls
Physical controls prevent unauthorized physical access to systems and equipment.
- Security cameras
- Security guards
- Key cards / smart cards
- Biometric devices
Structured Query Language (SQL) ISC High-Yield
ISC often focuses on understanding how a query retrieves data and whether the resulting data set is relevant and complete.
Commands
| Command | Function |
|---|---|
| SELECT | Select data |
| FROM | Specify source table |
| WHERE | Filter results |
| GROUP BY | Aggregate by group |
| ORDER BY | Sort results |
| HAVING | Filter grouped results |
Operators
Operators perform comparisons and logical tests such as equals, not equals, greater than, and less than.
Aggregate Functions
| Function | What It Returns |
|---|---|
| COUNT() | Number of matching rows |
| SUM() | Total of numeric column |
| AVG() | Average value |
| MAX() | Highest value |
| MIN() | Lowest value |
String Functions
| Function | What It Does |
|---|---|
| CONCAT() | Joins strings together |
| SUBSTR() / SUBSTRING() | Extracts part of a string |
| REPLACE() | Substitutes one substring for another |
| LENGTH() | Returns string length |
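The commands, aggregate functions and string functions from the tables above, exercised against a small SQLite table. This is an added example, not the guide's own code: the `invoice` table and its five rows are constructed, and the NULL region on INV-1005 is placed there on purpose. The second function shows the "relevant and complete" point the ISC blueprint cares about: a row with a NULL value is excluded by `region = 'West'` and by `region <> 'West'` alike, so the two counts do not add back to the total unless NULLs are counted explicitly. SQLite uses `||` for concatenation where other databases use `CONCAT()`.

```python
import sqlite3

# Constructed sample: one row per invoice. The NULL region on INV-1005 is
# deliberate; it is the row a careless WHERE filter silently drops.
SAMPLE_ROWS = [
    ("INV-1001", "Acme Corp", "West", 1200.50),
    ("INV-1002", "Acme Corp", "West", 300.00),
    ("INV-1003", "Globex", "East", 45.00),
    ("INV-1004", "Globex", "East", 810.00),
    ("INV-1005", "Initech", None, 99.99),
]


def build_db():
    """Create an in-memory database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoice (invoice_id TEXT, customer TEXT, region TEXT, amount REAL)")
    conn.executemany("INSERT INTO invoice VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def sales_by_customer(conn, min_total):
    """SELECT / FROM / WHERE / GROUP BY / HAVING / ORDER BY with aggregates.

    WHERE filters individual rows before grouping; HAVING filters the groups
    after the aggregates have been computed."""
    sql = """
        SELECT customer,
               COUNT(*)    AS invoice_count,
               SUM(amount) AS total_amount,
               MAX(amount) AS largest_invoice
        FROM invoice
        WHERE amount > 0                 -- row filter (before grouping)
        GROUP BY customer
        HAVING SUM(amount) >= ?          -- group filter (after aggregation)
        ORDER BY total_amount DESC
    """
    return conn.execute(sql, (min_total,)).fetchall()


def completeness_check(conn):
    """Show why 'equals X' plus 'not equals X' does not cover every row.

    NULL is neither equal nor unequal to 'West', so INV-1005 is missing from
    both filtered sets. Only an explicit IS NULL count makes the totals reconcile."""
    count = lambda where: conn.execute(f"SELECT COUNT(*) FROM invoice {where}").fetchone()[0]
    total = count("")
    west = count("WHERE region = 'West'")
    not_west = count("WHERE region <> 'West'")
    unclassified = count("WHERE region IS NULL")
    return {
        "total": total,
        "west_plus_not_west": west + not_west,          # 4, not 5
        "unclassified": unclassified,
        "reconciles": west + not_west + unclassified == total,
    }


def string_functions(conn):
    """SUBSTR, REPLACE, LENGTH and concatenation on the first invoice."""
    sql = """
        SELECT invoice_id,
               SUBSTR(invoice_id, 5)                  AS numeric_part,  -- 1-indexed: '1001'
               REPLACE(invoice_id, 'INV-', '')        AS stripped,
               LENGTH(customer)                       AS name_length,
               customer || ' (' || invoice_id || ')'  AS label  -- '||' is SQLite's CONCAT
        FROM invoice
        ORDER BY invoice_id
        LIMIT 1
    """
    return conn.execute(sql).fetchone()


if __name__ == "__main__":
    db = build_db()
    print(sales_by_customer(db, 500))
    print(completeness_check(db))
    print(string_functions(db))
```

With `min_total=500`, Initech's single 99.99 invoice survives the WHERE clause but its group is removed by HAVING, so the result is relevant (only customers above the threshold) but, if the question was "all customers", incomplete. The completeness check is the habit to carry into any query review: count the population, count what the filter kept, and count what it excluded, then confirm the three reconcile.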
How Does the AUD Exam Test These Topics? AUD
The AUD blueprint places IT primarily in Area II: Assessing Risk and Developing a Planned Response. The exam is less about memorizing random IT vocabulary and more about how IT affects understanding the client, control design, and audit procedures.
| Topic | Representative Task | Skill Level |
|---|---|---|
| COSO Framework | Define internal control, purpose, objectives, components, and structure | Remembering & Understanding |
| IT General Controls | Understand and test design/implementation of relevant IT general controls | Application |
| Business Processes & IT Environment | Document significant processes and walkthroughs | Application |
| IT Infrastructure | Understand ERP, cloud, and applications | Application |
| IT Applications & Transaction Data | Understand systems that capture and process transactions | Analysis |
| Automated & Manual Controls | Test relevant transaction-level controls | Application |
What this means for your exam prep
- COSO remains more definition-based
- IT general controls, ERP, cloud, and control testing are more application-based
- Expect TBS-style thinking when the topic shifts to how the system affects the audit approach
SOC Reports AUD / ISC High-Yield
Purpose of a SOC Report
A SOC report lets user auditors rely on work already performed over the service organization’s controls rather than re-performing that work themselves.
SOC 1 vs. SOC 2
| Report | Focus | Example |
|---|---|---|
| SOC 1 | Controls relevant to financial reporting | Payroll processor affecting payroll expense |
| SOC 2 | Controls related to customer/system data protection | Data security at a service provider |
Study Tip: SOC 1 = financial statements. SOC 2 = customer data / system controls.
Type I vs. Type II
| Type | What It Covers | Level of Assurance |
|---|---|---|
| Type I | Control description as of a specific date | Lower assurance |
| Type II | Operating effectiveness tested over a period | Higher assurance |
Study Tip: Type II is more reliable than Type I.
Kyle’s 90+ Score Insight: Think of Type I as a photo and Type II as a movie. Type I shows controls at one point in time. Type II shows them working over a full period. If the exam asks which gives more assurance, the answer is Type II.
Inherent Limitations of Internal Controls AUD / ISC
| Limitation | Explanation |
|---|---|
| Human Error | People make mistakes even when controls are well designed |
| Human Bias | Judgment can be distorted by bias |
| Strategy Misalignment | A strong framework may still fail if it is misaligned with company goals |
| Collusion | Two or more people can circumvent controls together |
| Management Override | Management may bypass controls intentionally |
| External Events | Outside events remain outside company control |
How Does the ISC Exam Test These Topics? ISC
For ISC, IT and data management sit in the largest exam area. The test becomes more analytical here, especially around SQL, databases, data storage, integration, and SOC 2 topics.
Section A: Information Systems
| Topic | Representative Task | Skill Level |
|---|---|---|
| IT Infrastructure | Architecture, cloud models, and governance basics | Remembering & Understanding |
| ERP & AIS | Evaluate ERP, AIS, and process improvements | Analysis |
| Business Process Reconciliation | Compare actual vs. documented process flow | Analysis |
| SOC 2 & Trust Services Criteria | Detect control design/operation deficiencies | Evaluation |
Section B: Data Management
| Topic | Representative Task | Skill Level |
|---|---|---|
| Data Extraction & Storage Types | Identify extraction methods and storage options | Remembering & Understanding |
| Data Life Cycle | Summarize data from creation to disposal | Remembering & Understanding |
| Relational Databases | Analyze structure and integrity rules | Analysis |
| SQL Queries | Evaluate whether retrieved data is relevant and complete | Analysis |
| Data Integration | Combine data from different sources for decision use | Analysis |
| Business Process Models | Review process models and suggest improvements | Analysis |
What this means for ISC candidates
- Definitions matter, but ISC heavily shifts into analysis
- SQL, ERP, ETL, data integration, and relational databases are not just vocabulary topics
- SOC 2 / Trust Services Criteria is especially important because it pushes toward evaluation-level thinking
Enterprise Risk Management (ERM) AUD / ISC
Key ERM Terms
| Term | Definition |
|---|---|
| Risk Appetite | The type and amount of risk the organization is willing to accept |
| Risk Portfolio | The total collection of risks across the entity |
| Inherent Risk | Risk before mitigation |
| Residual Risk | Risk after mitigation |
The 5 Components of ERM
| ERM Component | Internal Control Parallel | Key Point |
|---|---|---|
| Governance and Culture | Control Environment | Very similar to COSO control environment |
| Review and Revision | Monitoring | Ongoing review and correction |
| Information, Communication, and Reporting | Information and Communication | Parallel to COSO information flow |
| Performing | Risk Assessment + Control Activities | Broader risk response lens than pure controls |
| Strategy and Objective-Setting | No direct equivalent | Unique ERM component focused on alignment and appetite |
The 4 Risk Responses
| Response | Meaning | Example |
|---|---|---|
| Risk Acceptance | Take no action | Accept competitor risk |
| Risk Avoidance | Exit the activity | Leave a market entirely |
| Risk Reduction | Lower the risk | Add controls or diversify |
| Risk Sharing | Share risk with another party | Joint venture / insurance / partnership |
Absolute Assurance vs. Reasonable Assurance
Absolute assurance is impossible. Reasonable assurance is the achievable standard.
Quick Reference Glossary
Use this glossary for final review before exam day.
| Term | One-Line Definition | Exam |
|---|---|---|
| IT Governance | Framework for managing IT across strategy, value, risk, resources, and performance | AUD / ISC |
| Steering Committee | Senior group that directs strategic IT plans | AUD / ISC |
| ERP | Integrated system connecting departments in real time | AUD / ISC |
| AIS | Accounting system that records transactions and supports reporting | AUD / ISC |
| Cloud Computing | On-demand IT resources accessed over the internet | AUD / ISC |
| SDLC | Plan, Analyze, Design, Develop, Test, Deploy, Maintain | AUD / ISC |
| Legacy System | Old system still in use despite risk and support issues | AUD / ISC |
| Relational Database | Interconnected data stored in tables | ISC |
| Real-Time Processing | Transactions processed immediately | AUD / ISC |
| Batch Processing | Transactions grouped and processed together later | AUD / ISC |
| ETL | Extract, Transform, Load | ISC |
| Data Warehouse | Structured data, broad company scope | ISC |
| Data Mart | Structured data, department-specific scope | ISC |
| Data Lake | Structured and unstructured data storage | ISC |
| SQL | Language for retrieving and manipulating database data | ISC |
| Logical Controls | Access-related controls such as passwords, MFA, and VPN | AUD / ISC |
| Physical Controls | Controls over physical access to systems and facilities | AUD / ISC |
| SOC 1 | Service organization controls relevant to financial reporting | AUD / ISC |
| SOC 2 | Service organization controls relevant to customer/system data | AUD / ISC |
| Type I | Controls described as of a single date | AUD / ISC |
| Type II | Controls tested over a period | AUD / ISC |
| Inherent Risk | Risk before mitigation | AUD / ISC |
| Residual Risk | Risk remaining after mitigation | AUD / ISC |
| Risk Appetite | Risk the organization is willing to accept | AUD / ISC |
| Reasonable Assurance | Achievable confidence level; absolute assurance is impossible | AUD / ISC |
FAQ
What is the easiest way to think about IT systems on the CPA exam?
Start by splitting them into decision-making systems and transaction-processing systems. That makes the topic much easier to organize mentally.
What is the difference between SOC 1 and SOC 2?
SOC 1 focuses on controls relevant to financial reporting. SOC 2 focuses on controls related to customer data and system trust criteria.
What is the difference between Type I and Type II reports?
Type I describes controls at a point in time. Type II tests whether controls operated effectively over a period.
What is the easiest way to remember ETL storage types?
Warehouse and mart hold structured data only. A data lake can hold both structured and unstructured data.
Which general IT controls matter most for exam questions?
Logical controls, physical controls, access provisioning, passwords, MFA, firewalls, encryption, and VPNs are the most testable areas.
Ready to put it all together for AUD and ISC?
IT concepts are just one piece of the puzzle. My Free CPA 101 Course gives you a complete roadmap for studying smarter and passing each section the first time.
Kyle Ashcraft is a CPA who scored a 90+ on all four CPA exams. Kyle founded Maxwell CPA Review, which is an exam-prep company that offers a comprehensive CPA exam review course and private tutoring.
