Free CPA ISC (Information Systems & Controls) Formula Sheet (2026)

Every CPA ISC formula you need on the test, grouped by topic, rendered with full math notation. 37 formulas across 3 topics, calibrated to the 2026 syllabus. Free forever, no signup required.


All CPA ISC Formulas

Information Systems and Data Management (15 items)
RPO vs. RTO
RPO (Recovery Point Objective): maximum acceptable data loss, measured in time (how old may the most recent restored data be?).
RTO (Recovery Time Objective): maximum acceptable downtime.
RPO drives backup frequency; RTO drives recovery infrastructure.
MTBF and system availability
\text{MTBF} = \frac{\text{Total Operational Time}}{\text{Number of Failures}}
\text{Availability} = \frac{\text{MTBF}}{\text{MTBF} + \text{MTTR}}
MTTR = Mean Time to Repair. Higher MTBF or lower MTTR → higher availability.
Data classification levels
Government: Top Secret → Secret → Confidential → Unclassified.
Commercial: Restricted → Confidential → Internal → Public.
Drives access controls, handling, and retention.
Backup site tiers
Cold: basic infrastructure only; lowest cost, longest RTO (days–weeks).
Warm: partial equipment; moderate cost/RTO (hours–days).
Hot: fully mirrored, real-time; highest cost, lowest RTO (minutes–hours).
Database normalization — first three normal forms
1) 1NF: atomic values, no repeating groups. 2) 2NF: 1NF + no partial dependencies (non-key attrs depend on FULL primary key). 3) 3NF: 2NF + no transitive dependencies (non-key attrs depend only on PK, not other non-key attrs).
Application controls — input, processing, output
Input: 1) edit checks 2) validation rules 3) batch totals 4) completeness checks. Processing: 1) run-to-run totals 2) control totals 3) logic checks 4) exception reports. Output: 1) distribution restrictions 2) reconciliation 3) error-log review. Supplements ITGCs at transaction level.
Software development methodologies — Waterfall vs Agile vs DevOps
1) Waterfall: sequential phases, heavy docs, rigid — stable reqs. 2) Agile (Scrum/Kanban): iterative sprints, daily standups, flexible — changing reqs. 3) DevOps: dev+ops integration, CI/CD, automated test/deploy — reduces release risk.
Cloud computing service models (IaaS / PaaS / SaaS)
Customer-managed layers: 1) IaaS = OS + runtime + apps + data (e.g., AWS EC2). 2) PaaS = apps + data only (e.g., Heroku). 3) SaaS = data/config only (e.g., Salesforce). Provider manages everything below the customer's layer.
System Development Life Cycle (SDLC) — 7 phases
Phases: 1) Planning/feasibility 2) Requirements analysis 3) System design 4) Development/coding 5) Testing/QA 6) Implementation/deployment 7) Maintenance. ITGC change mgmt covers phases 3-6. Risks: scope creep (2), weak testing (5), poor docs (any).
ETL vs ELT vs Data Warehouse vs Data Lake
1) ETL: Extract→Transform→Load (transform before load; structured DW). 2) ELT: Extract→Load→Transform (load raw, transform in lake). 3) DW: structured, schema-on-write, analytics-optimized. 4) Lake: raw/unstructured, schema-on-read, low-cost storage.
Data lifecycle stages (CRUD-DD)
Stages: 1) Create — classify data 2) Read — access controls 3) Update — audit trails 4) Delete — logical removal 5) Disclosure — DLP + authorization 6) Destruction — sanitize via overwrite, degauss, or physical destruction.
Business Impact Analysis (BIA) — required outputs
BIA outputs: 1) Critical processes + dependencies 2) MTD (max tolerable downtime) 3) RTO (recovery time objective) 4) RPO (max data loss) 5) Resource needs 6) Financial + operational impact. Constraint: RTO ≤ MTD.
Cloud deployment models (public / private / community / hybrid)
1) Public = shared infra, multi-tenant (AWS, Azure). 2) Private = dedicated to one org (on-prem or hosted). 3) Community = shared by orgs w/ common concerns (e.g., federal). 4) Hybrid = public + private orchestrated together.
Disaster Recovery sites — hot vs warm vs cold
DR site tiers: 1) Hot = fully equipped + live data, RTO <1 hr, highest cost 2) Warm = HW/network ready, no current data, RTO hours–1 day, mid cost 3) Cold = facility + utilities only, RTO days–weeks, lowest cost.
IT General Controls (ITGCs) — 4 domains
1) Logical Access — authN, authZ, SoD 2) Change Mgmt — request, approve, test, deploy 3) IT Operations — job sched, backups, incident, monitoring 4) SysDev/Acquisition — SDLC, vendor mgmt. ITGCs support reliance on app-level controls.
Security, Confidentiality and Privacy (16 items)
Information security risk formula
\text{Risk} = \text{Threat} \times \text{Vulnerability} \times \text{Impact}
Controls reduce vulnerability or impact; the risk that remains after controls are applied is the residual risk.
Annual loss expectancy (ALE)
\text{ALE} = \text{SLE} \times \text{ARO}
SLE = Single Loss Expectancy (loss per incident); ARO = Annualized Rate of Occurrence.
Control is cost-effective if cost of control < ALE reduction achieved.
NIST password guidelines (SP 800-63B)
Min length 8 (15 for admin).
No complexity rules.
No forced rotation unless there is evidence of compromise.
Screen against breached passwords.
Allow paste + password managers.
Encryption key sizes and strength
AES-128 adequate; AES-256 for sensitive.
RSA-2048 min; RSA-4096 long-term.
ECC-256 ≈ RSA-3072.
NIST: 112-bit min through 2030; 128-bit beyond.
Public Key Infrastructure (PKI) components
PKI: 1) CA issues+signs certs 2) RA verifies identity pre-issue 3) X.509 Digital Certificates 4) CRL/OCSP for revocation 5) Public/Private key pair. Enables SSL/TLS, S/MIME, code signing.
Encryption deployment — at rest vs in transit
At Rest: full-disk (BitLocker, FileVault), DB-level (TDE), file-level — AES-256 standard. In Transit: TLS 1.2+ (HTTPS), IPsec VPN, S/MIME or PGP email. Rule: deploy BOTH — at-rest alone exposes data during transmission.
Network defense layers — defense in depth
7 layers: 1) Perimeter — firewalls, DMZ 2) Network — segmentation, VLANs, IDS/IPS 3) Endpoint — AV, EDR, host firewall 4) Application — input validation, secure coding 5) Data — encryption at rest+transit, DLP 6) Identity — MFA, RBAC 7) Physical — locks, cards, surveillance.
Cryptography — symmetric vs asymmetric vs hashing
1) Symmetric: same key encrypts+decrypts (AES, DES) — fast, key-distribution problem. 2) Asymmetric: public/private pair (RSA, ECC) — slower, solves key exchange + digital signatures. 3) Hashing: one-way, fixed-length (SHA-256) — integrity + password storage.
Privacy regulations — GDPR + CCPA + HIPAA
1) GDPR (EU): consent + access/delete/portability, 72-hr breach notice, fines ≤4% global revenue. 2) CCPA (CA): know/delete/opt-out of sale. 3) HIPAA (US health): PHI Privacy + Security Rules, breach notice ≤60 days.
NIST Cybersecurity Framework — 5 functions (IPDRR)
IPDRR: 1) Identify (asset mgmt, risk assessment, governance) 2) Protect (access control, training, data security) 3) Detect (anomalies, continuous monitoring) 4) Respond (response planning, comms, mitigation) 5) Recover (recovery planning, improvements). Outcome-based; voluntary.
Data Loss Prevention (DLP) categories
DLP types: 1) Network DLP — inspects data in motion (email, web). 2) Endpoint DLP — agent on devices; controls USB, print, screenshots. 3) Storage/Cloud DLP — discovers + classifies data at rest. Prevents exfiltration of PII, IP, financials.
Authentication factors — types + MFA
3 factors: 1) KNOW (password, PIN); 2) HAVE (token, smartcard, push); 3) ARE (biometric — fingerprint, iris, face). MFA = 2+ different factors (e.g., password + token = 2FA). NIST requires strong auth for privileged access.
Firewall types — stateful vs stateless vs WAF vs NGFW
1) Stateless: per-packet ACL match (fast, no session memory). 2) Stateful: tracks connection state/session table. 3) WAF: inspects HTTP/HTTPS at app layer (OWASP, SQLi, XSS). 4) NGFW: stateful + DPI + IDS/IPS + app awareness + user identity.
CIA triad
Security objectives: 1) Confidentiality — only authorized parties see data (threat: theft) 2) Integrity — data accurate & unaltered (threat: malicious modification) 3) Availability — systems usable when needed (threat: DoS). Map each control to one pillar.
Common attack vectors — top 5
1) Phishing/social engineering — targets humans 2) Malware — ransomware, viruses, worms, trojans 3) SQL Injection — malicious SQL via input 4) XSS — script injected into web pages 5) DDoS — overwhelms system with traffic
Incident response phases (PICERL)
NIST SP 800-61 — 1) Preparation (IR plan) 2) Identification (detect/alert) 3) Containment (isolate) 4) Eradication (remove threat) 5) Recovery (restore + monitor) 6) Lessons Learned (post-incident review). Test via tabletop exercises.
Considerations for SOC Engagements (6 items)
SOC report types
SOC 1: ICFR (internal control over financial reporting) — for financial statement auditors.
SOC 2: Trust Services Criteria (Security, Availability, Integrity, Confidentiality, Privacy).
SOC 3: Public summary of SOC 2.
Type I = design (point in time). Type II = design + operating effectiveness (period).
Carve-out vs inclusive method (subservice organizations)
Carve-out: subservice controls EXCLUDED from main SOC report; user obtains separate SOC for subservice. Inclusive: subservice controls INCLUDED (subservice provides description + cooperates with auditor). Carve-out = default/most common.
Trust Services Criteria (TSC) — 5 categories
TSC: 1) Security (required for ALL SOC 2) 2) Availability — system available per SLA 3) Processing Integrity — complete + accurate 4) Confidentiality — confidential info protected 5) Privacy — personal info per notice. Service org picks beyond Security.
Service organization controls — bridge letter
Bridge (gap) letter from service org covering SOC report period-end → current date. Asserts: 1) no material changes to controls, 2) no significant incidents/breaches. Max gap ~6 months; not a substitute for new SOC report.
SOC report Type 1 vs Type 2
Type 1: DESIGN of controls at a point in time (snapshot); quicker, less reliable. Type 2: DESIGN + OPERATING EFFECTIVENESS over a period (6-12 months); preferred by user auditors. Both apply to SOC 1 and SOC 2.
SOC 1 vs SOC 2 vs SOC 3 — purpose + audience
SOC 1: ICFR at service org; audience = user auditors (restricted). SOC 2: Trust Services Criteria (security/availability/processing integrity/confidentiality/privacy); audience = mgmt + customers (restricted). SOC 3: same TSC as SOC 2; public/general use; less detail.

Frequently Asked Questions

Is the CPA ISC formula sheet free?
Yes. The full CPA ISC formula sheet is free, with no signup, no email, and no credit card required. 37 formulas across 3 topics, all rendered with the same KaTeX math notation used in the FreeFellow study app.
Can I download the CPA ISC formula sheet as a printable PDF?
Yes. A 1080x1350 portrait PDF (Instagram and LinkedIn carousel native size, also great for tablet study) is linked at the top of this page. The PDF is fully self-contained: math is pre-rendered, fonts are embedded, no internet connection needed once downloaded.
What's covered on the CPA ISC formula sheet?
Every formula is grouped by official syllabus topic, with the formula in math notation plus a one-line note on when to use it (or a watch-out from CAIA, CFA, or other prep-provider commentary). Coverage is calibrated to the 2026 syllabus and refreshed when the corpus changes.
What is FreeFellow's relationship with CPA?
None. FreeFellow is not affiliated with the CPA or any examination body. This is an independent study aid covering the published syllabus.
What else is free at FreeFellow for CPA ISC candidates?
The full question bank with detailed solutions, mixed practice, readiness tracking, lessons (where available), and the formula sheet are all free forever. Fellow ($59/quarter or $149/year per track) unlocks timed mock exams, spaced-repetition flashcards, performance analytics, AI essay grading, and a personalized study plan.

About FreeFellow

FreeFellow is an AI-native exam prep platform for actuarial (SOA & CAS), CFA, CFP, CPA, CAIA, GARP FRM, IRS Enrolled Agent, IMA CMA, and FINRA / NASAA securities licensing candidates — built around modern AI as a core capability rather than as a bolt-on. Every lesson ships with AI-narrated audio. Every constructed-response item has a copy-to-AI prompt builder so candidates can paste their answer into their own ChatGPT or Claude for self-graded feedback. Fellow members get instant AI grading on essays against the official rubric (currently CFA Level III, expanding to other essay-bearing sections).

The 70% you need to pass — question bank, written solutions, lessons, formula sheet, mixed practice, readiness tracking — is free forever, with no trial period and no credit card. Become a Fellow ($59/quarter or $149/year per track) to unlock mock exams, flashcards with spaced repetition, performance analytics, AI essay grading, and a personalized study plan.