ISC CPA Exam 2026: What's Tested, Study Tips & How Kesler Helps You Pass

DISCIPLINE SECTION • CLOSELY ALIGNED WITH AUD • ONLY SECTION WITH 60/40 MCQ/TBS SCORING

ISC CPA EXAM 2026: STUDY GUIDE, TIPS & HOW TO PASS WITH KESLER

ISC (Information Systems & Controls) is one of the three CPA discipline sections introduced with CPA Evolution. It aligns closely with AUD and focuses on IT systems, cybersecurity, data management, security, privacy, and SOC engagements. In the latest public national discipline breakdown, ISC accounted for 32.4% of discipline selections in 2024 Q4, making it the second-most-selected discipline behind BAR and ahead of TCP. This guide covers format, content areas, the unique 60/40 scoring, study strategy, and how Kesler helps.

4 Hours • 82 MCQs + 6 TBSs • 60/40 MCQ/TBS Scoring (Unique) • 58.00% Cumulative 2024 Pass Rate

WHAT IS THE ISC CPA EXAM?

ISC (Information Systems and Controls) is one of three discipline sections candidates can choose under CPA Evolution, which launched in January 2024. It is closely aligned with AUD and tests advanced topics related to IT audit, data management, cybersecurity, and SOC engagements. While AUD tests auditing fundamentals, ISC goes deeper into the technology systems and controls that underpin modern audit engagements.

ISC aligns with IT audit, controls, security/privacy, data management, and SOC work. A common concern candidates have: "I'm not a tech person. Can I still pass?" The answer is yes. ISC does not require software engineering depth, but it does test data and systems concepts, including SQL-related topics. Think of it as understanding how IT systems work and how controls protect them from a CPA's perspective.

ISC has a unique scoring structure. It is the only CPA exam section where MCQs are weighted at 60% and TBSs at 40%. All other sections use a 50/50 split. This means your multiple-choice performance matters more on ISC than on any other section.

ISC Quick Facts | Details
Section Type | Discipline (choose 1 of 3: BAR, ISC, or TCP)
Closely Aligned With | AUD (Auditing & Attestation). ISC is closely aligned with AUD, and many audit-oriented candidates take AUD before ISC. Candidates may take the four sections in any order.
Exam Duration | 4 hours (plus 15-minute break after testlet 3)
Question Format | 82 MCQs (2 testlets of 41) + 6 TBSs (3 testlets)
Score Weighting (UNIQUE) | MCQs = 60% of score, TBSs = 40% of score (only section with this split)
Passing Score | 75 (scaled 0-99, not a raw percentage, not curved)
Pass Rate | 58.00% cumulative in 2024. For comparison: TCP 73.91%, BAR 38.08%.
Recommended Study Time | Kesler recommends 60-120 hours depending on IT background (4-10 weeks). These are Kesler estimates, not official exam stats.
Skill Levels Tested | Remembering & Understanding (55-65%), Application (20-30%), Analysis (10-20%)
Coding/Programming? | ISC does not require software engineering depth, but the 2026 blueprint includes data extraction, storage, and SQL-related topics in Area I.
Career Paths | IT audit, SOC reporting, cybersecurity advisory, ERP, data management, internal auditing

ISC CONTENT AREAS & WHAT'S TESTED

ISC covers three content areas. Areas I and II carry equal and heavy weight (35-45% each). Area III (SOC engagements) is smaller but highly testable and requires understanding specific report types and Trust Services Criteria.

Content Area | Weight | Key Topics
Area I: Information Systems & Data Management | 35-45% | IT general controls (access controls, change management, program development), systems development life cycle (SDLC), database management, data governance and lifecycle, cloud computing governance, ERP systems, business continuity and disaster recovery, data extraction, storage, and SQL queries
Area II: Security, Confidentiality & Privacy | 35-45% | Cybersecurity frameworks and risk management, encryption (symmetric vs. asymmetric), network security, access control models, data privacy regulations (HIPAA), confidentiality controls, vulnerability assessment, incident response
Area III: SOC Engagements | 15-25% | SOC 1 and SOC 2 engagements, Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy), planning, performing, and reporting on SOC engagements, service organization controls

2026 Blueprint Update: The AICPA updated ISC references to reflect the renamed SOC 1 Guide, added certain HIPAA term references, removed the specific NIST Privacy Framework version reference, updated the PCI DSS Quick Reference Guide, and added Data Analytics to eligible textbook categories. ISC subject matter is subject to rapid change due to the evolving technology landscape.

WHY ISC IS UNLIKE ANY OTHER CPA SECTION

ISC has a heavy Remembering and Understanding component, with 55-65% of the section allocated to that skill level. The content isn't harder conceptually, but it's unfamiliar to most accounting candidates.

Specialized Vocabulary

ISC has more specialized terminology than most accounting candidates are used to: encryption types (symmetric vs. asymmetric), access control models (MAC, DAC, RBAC), SDLC phases, COBIT principles, Trust Services Criteria, and SOC report types. This vocabulary needs to be automatic before you sit for the exam.

MCQs Matter More (60/40)

ISC is the only section where MCQs are weighted at 60%. This means your multiple-choice performance is worth more than on any other section. Candidates who focus too heavily on TBS practice at the expense of MCQ drilling are making a strategic error on ISC.

MCQs Carry More Weight, but Simulations Still Matter

ISC simulations include long system descriptions and SOC reports. MCQs carry more weight on ISC, but simulation practice still matters. AICPA has noted that candidates have generally done better on MCQs and been more challenged by simulations. Practice reading technical documents quickly and extracting relevant control information.

One of the Newer CPA Exam Sections

ISC is one of the newer discipline sections introduced with CPA Evolution in January 2024, alongside BAR and TCP. This means study materials can vary in quality across providers. Some courses have deep ISC modules; others have thinner coverage because the content is still being refined. Verify ISC-specific depth before committing to a course.

ISC vocabulary needs to be visual, not memorized from flashcard dumps.
Kesler's Learn N GO videos draw out IT concepts so they stick.

HOW KESLER'S LEARN N GO VIDEOS MAKE ISC CONCEPTS CLICK

ISC's biggest challenge is making unfamiliar IT vocabulary and concepts stick. Learn N GO whiteboard videos draw out system architectures, control frameworks, and encryption flows so you can see how the pieces connect instead of memorizing definitions in isolation.

EXAMPLE: HOW KESLER TEACHES AN ISC CONCEPT

Take a question about SOC 2 engagement scope and Trust Services Criteria. A traditional course gives you a list of five criteria to memorize. Kesler gives you a Learn N GO whiteboard video that:

🧠 Brain Booster™ frames it: "This tests your understanding of which Trust Services Criteria are included in a SOC 2 engagement"
🎬 Whiteboard walkthrough draws the relationship between the five criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) and shows that Security is always included while the others are optional based on engagement scope
💎 GEM™ takeaway: "Security is the foundation of every SOC 2. The other four are add-ons based on the service organization's commitments."
🚫 TRAP Slide shows why candidates confuse SOC 1 (financial reporting controls) with SOC 2 (Trust Services Criteria)

WHAT YOU GET FOR ISC

Learn N GO whiteboard explainer videos for every ISC MCQ (2-4 min each)

AICPA licensed + professor-written MCQs covering all 3 ISC content areas

ISC task-based simulations including SOC report analysis scenarios

ISC study materials mapped to the 2026 AICPA Blueprint

ISC flashcards for encryption types, access models, SDLC phases, SOC report types

CPA mentorship with ISC-specific study planning (especially valuable for candidates without IT background)

ISC STUDY STRATEGY WITH KESLER

ISC has narrower content than FAR or REG, but the terminology is unfamiliar to most accounting candidates. Your study plan needs to front-load vocabulary building and prioritize MCQ volume since MCQs carry 60% of the score.

RECOMMENDED ISC TIMELINE (KESLER ESTIMATES)

With IT/audit background: 4-8 weeks

Without IT background: 8-10 weeks

Total (varies by background): 60-120 hours

Note: These are Kesler recommendations based on candidate experience, not official AICPA study-time estimates.

Key strategy: Start with Area I (Information Systems) to build a foundation. Then cover Area II (Security/Privacy), which builds on the systems knowledge. Study Area III (SOC) last since it's the most specialized and builds on both prior areas. Drill vocabulary flashcards daily. Aim for 1,000+ MCQ reps before sitting. ISC's 60/40 scoring means MCQ mastery is your highest-leverage study activity.

ISC STUDY TIPS

Prioritize MCQ Practice (60% of Score)

ISC is the only section where MCQs outweigh TBSs. Kesler recommends aiming for 1,000+ MCQ reps before sitting. When you see "asymmetric encryption" in a question, your brain should immediately associate it with public/private key pairs without thinking.

Drill Vocabulary Daily

Create or use flashcard decks for encryption types, access control models, SDLC phases, COBIT principles, SOC report types, and the five Trust Services Criteria. Review them daily. The vocabulary needs to be automatic before exam day.

Build Mental Frameworks

For any IT control question, ask: "What's the risk? What control mitigates it? How do we test whether it's working?" This framework applies to every ISC question and keeps you from drowning in isolated facts. Kesler's GEM™ takeaways give you these frameworks.

Practice Reading Technical Documents

ISC TBSs include long system descriptions and SOC reports. Practice reading technical documents quickly and extracting relevant control information. MCQs carry more weight, but don't skip simulation practice entirely.

Know SOC 1 vs. SOC 2 Cold

SOC 1 focuses on financial reporting controls. SOC 2 focuses on Trust Services Criteria. Know the differences, report types (Type I vs. Type II), and when each engagement applies. This is heavily tested in Area III.

Consider Taking AUD First

ISC is closely aligned with AUD. Internal control concepts from AUD carry directly into ISC. Many audit-oriented candidates take AUD before ISC and ideally take ISC soon after AUD while the audit foundation is fresh. You can take the four sections in any order, but this sequencing often helps.

WHAT KESLER CANDIDATES SAY

"I'd like to thank especially Bryan Kesler for creating the wonderful Kesler CPA Review which makes one of the most challenging professional tests in the world more digestible. Without his hard work, it would have taken me much longer and been many times harder to pass each section."

— Jimmy Chilimigras, Youngest CPA In History (Passed at 15)

"After 8 attempts, I passed FAR with a 79! More shocked than anything because it's hard to envision it happening until it actually does. I used both Becker and Kesler CPA Review, and I went heavy on the Kesler side this time around - constantly reviewing my custom flashcards (I had accumulated around 270 of them), reviewing each question's "gem," and circling back to Becker for more diversification with practice MCQs and sims. To anyone struggling through FAR or any other section, please keep at it. I didn't think this was possible either… stick to your system and Bryan's studying method. It WORKS!"

— Bryce W., Passed FAR

"I PASSED FAR WITH AN 84!!! You have no idea what an accomplishment this is for me! I have been taking this exam for 5 years and have tested specifically for FAR at least 13 times... I really lost count after that. It wasn't until I used your study methods that I got the score. I am more than thankful. I'm honestly in shock!! Thank you thank you thank you!!!"

— Emma Jean, Passed FAR

Results may vary. These testimonials reflect individual experiences and are not guarantees of specific outcomes.

ISC CPA EXAM FAQ

Candidates with IT or audit background typically need 60-100 hours (4-8 weeks). Candidates without IT background may need 100-120 hours (8-10 weeks). These are Kesler's recommendations based on candidate experience. ISC has narrower content than FAR or REG, but the terminology is unfamiliar. Vocabulary drilling is critical. Kesler's CPA mentorship program helps you build a realistic ISC study plan based on your background.

ISC had a cumulative pass rate of 58.00% in 2024. For comparison, TCP had the highest discipline pass rate at 73.91% and BAR was 38.08%. Candidates who choose ISC often have some IT or audit background, which may contribute to the relatively strong pass rate. However, the specialized terminology catches candidates who underestimate how different ISC content is from the core sections.

ISC does not require software engineering depth, but it does test data and systems concepts, including SQL-related topics. The 2026 blueprint explicitly includes data extraction, storage, and SQL queries in Area I. You need to understand how IT systems work and how controls protect them from a CPA's perspective, not how to build them from scratch.

ISC is the only CPA exam section where MCQs are weighted at 60% and TBSs at 40%. All other sections use a 50/50 split. This means your multiple-choice performance carries more weight on ISC than on any other section. Prioritize MCQ practice and terminology mastery accordingly.

ISC aligns well with candidates interested in IT audit, SOC reporting, cybersecurity advisory, ERP and data management, internal auditing, and technology consulting. If your career involves IT systems in any capacity, ISC can be a strong long-term investment.

NASBA says candidates may take the four sections in any order. That said, ISC is closely aligned with AUD, and many audit-oriented candidates find it helpful to take AUD before ISC because internal control concepts from AUD carry directly into ISC. If you go this route, try to take ISC soon after AUD while the audit foundation is fresh.

Yes. Kesler's ISC materials are fully mapped to the 2026 AICPA Blueprint. This includes MCQs with Learn N GO whiteboard explainer videos, task-based simulations, study materials, flashcards, and mentorship covering ISC-specific study strategy. All six CPA exam sections are included in every Kesler subscription.

IT CONCEPTS CLICK WHEN YOU SEE THEM DRAWN OUT.

Kesler CPA Review is a CPA exam prep course founded by Bryan Kesler, CPA, featuring Learn N GO whiteboard explainer videos, gamification, mentorship, and mobile apps. 68,000+ CPA candidates served since 2015.

MONTHLY PLAN

No contracts. Cancel anytime. Start with one section and expand. All features included.

UNLIMITED ACCESS

One payment. All sections until you pass. Ideal for career changers tackling the full exam. Financing options available.

30-Day Money Back Guarantee • Instant Access • CPA Exam Sections Covered: AUD, FAR, REG, BAR, TCP, ISC