When the revised CPA Licensure Examination (CPALE) takes effect with the 2029 exam, five of its six subjects are recognizable descendants of what candidates study today. One is not. Information Systems and Controls — ISC — is the single genuinely new subject, and it is the one most students and faculty will find unfamiliar. This guide is an orientation: what ISC is, what it tests, and how to read its jargon. It is not a study reviewer, and you do not need to learn any of this yet.
ISC first applies in 2029 — if you're taking the CPALE in 2026, 2027, or 2028, this is a look ahead, not your exam. Your sitting still follows the current six subjects and Tables of Specifications.
What ISC Is
ISC is a brand-new, standalone subject in the 2029 CPALE. It has no predecessor among the current six subjects — it is not a renamed or merged version of anything you study today. It carries the same exam footprint as most subjects: 70 multiple-choice questions over three hours.
Why add a whole new technology subject? Because the financial-statement audit is now IT-dependent. Modern accounting records live in enterprise systems and databases, controls are enforced (or bypassed) in software, and much of the evidence an auditor relies on is system-generated. The exam reflects that reality: ISC asks whether an entry-level accountant understands the information systems that produce the numbers, the controls that protect them, and what it means to audit in that environment.
If you have looked at the US CPA exam, ISC will feel familiar — the redesigned US exam has its own Information Systems and Controls discipline covering similar ground. Treat that as a resemblance, not a stated reason: the Philippine Board of Accountancy published its own Table of Specifications and syllabus for the subject, and that is what governs the local exam. (If you are weighing the two credentials, see our guide on the Philippine CPA vs. the US CPA.)
The Exam at a Glance
ISC's syllabus describes it as testing the candidate's ability to demonstrate understanding and remembering of concepts, frameworks, standards, and regulations — but the detailed syllabus is written in application-level action verbs (implement, execute, evaluate, demonstrate), so expect questions that apply ideas to scenarios over rote recall. In plain terms: expect "given this situation, which control applies / what would the auditor do" more than "define this term."
Here is how the 70 items are split across the four areas:
| Area | Weight | Items | What it covers |
|---|---|---|---|
| A. Information Systems & Data Management | ~21% | ~15 | IT environment, ERP/AIS, frameworks, data management, SQL, CAATTs |
| B. IT Objectives & Controls | ~38.6% | 27 | Security, confidentiality/privacy, processing integrity & availability; ITGC/ITAC, encryption, DLP, change management, BCP/DR |
| C. Auditing IT as Part of the FS Audit | ~27.1% | 19 | IT's role in the FS audit, IT audit planning, ITGC testing, system-generated reports, the IT specialist |
| D. Service Organization Controls (SOC) | ~12.9% | 9 | SOC report purpose/types/parties, management's use, audit of SOC |
Total: 70 items over three hours.
The shape of that table is the single most useful thing to take away: IT Objectives & Controls is by far the heaviest area, and together with Auditing IT it accounts for roughly two-thirds of the exam. SOC, the most unfamiliar-sounding topic, is the smallest slice.
The Four Areas, Decoded
A. Information Systems & Data Management (~21%, ~15 items)
This is the foundation: how information systems are built and how data is stored and queried. The syllabus spans the IT environment (types of information systems such as AIS, MIS, and DSS, and the fundamentals of computerized information systems), enterprise resource planning (ERP) and accounting information systems (AIS) — how they fit together, the standard business-process models (order-to-cash, purchase-to-pay, record-to-report), and process documentation like narratives, flowcharts, and internal-control questionnaires. It also covers the regulations, standards, and frameworks an accountant should recognize (for example, COSO and COBIT 2019, plus data-privacy regulation). Finally, it covers data management: data storage and database schemas, relational database structures and normalization, standard SQL queries for checking data relevance and completeness, and the use of Computer-Assisted Audit Tools and Techniques (CAATTs).
B. IT Objectives & Controls (~38.6%, 27 items) — the heaviest area
This is the core of the subject and the largest block of questions. It is organized around the objectives a control environment is supposed to achieve: security; confidentiality and privacy; and processing integrity and availability. For each, the syllabus pairs the relevant threats and attacks with mitigation and the testing of management controls. Specific competencies include the difference between IT general controls (ITGC) and IT application controls (ITAC), encryption fundamentals and applications, data-loss prevention (DLP), the distinction between confidentiality and privacy, change management, and business continuity and disaster-recovery management. If you only remember one area's weight, remember this one.
C. Auditing IT as Part of the FS Audit (~27.1%, 19 items)
This area connects ISC back to auditing proper: how IT affects the financial-statement audit. Candidates are expected to understand the IT environment and IT governance, the role of IT in internal control and financial reporting, and then move into IT audit planning and scoping. It covers IT entity-level controls, the testing and evaluation of ITGC and IT application and IT-dependent manual controls, and the treatment of system-generated reports (SGRs) and reliance on data extracts in the audit. It also names the role of the IT specialist — the person an audit team leans on for the technical work. In short: this is auditing, viewed through the lens of the systems that produce the evidence.
D. Service Organization Controls (SOC) (~12.9%, 9 items)
When a company outsources a process — payroll, cloud hosting, transaction processing — its auditors still need assurance over the controls at that outside provider. SOC reports are how that assurance is communicated. The syllabus covers the fundamentals of SOC (its purpose, the types of SOC engagements, and the parties involved, along with applicable standards and criteria and the structure of a SOC report), management's use of SOC for outsourced processes (including the benefits and risks of outsourcing and how to evaluate a SOC report), and the audit of SOC engagements — planning, performing, and reporting on them. The Philippine syllabus describes SOC types generically; it does not enumerate specific SOC report labels, so think of this area at the framework level rather than memorizing a numbered taxonomy.
The Jargon, Decoded
- SOC report — a report communicating assurance over the controls at a service organization (an outside provider a company has outsourced a process to).
- ITGC (IT general controls) — broad controls over the IT environment itself, such as access, change management, and operations, that everything else relies on.
- ITAC (IT application controls) — controls built into a specific application, such as input validation, calculations, and authorization within a transaction.
- CAATTs (Computer-Assisted Audit Tools and Techniques) — software tools and techniques an auditor uses to test data and controls at scale rather than by hand.
- SQL (for auditors) — the standard query language used to pull and check data from a database; ISC expects you to read and use basic queries, not to build software.
- Normalization — organizing a relational database so data is stored consistently and without harmful duplication, supporting data integrity.
- DLP (data-loss prevention) — controls and tools that stop sensitive data from leaking out of an organization.
- ERP / AIS — an enterprise resource planning system is the integrated software backbone of a business; the accounting information system is the part that records and reports financial transactions.
- SGR (system-generated report) — a report produced by an application; auditors must judge how much they can rely on it before using it as evidence.
What Background Helps You Now
Nothing here is meant to be crammed three years out. If you fall under the 2029 exam and want a head start, the most useful groundwork is general rather than exam-specific:
- Basic IT literacy — comfort with how business systems and applications work.
- Some exposure to databases and SQL — being able to read a simple query and understand tables and relationships goes a long way.
- A solid grounding in internal controls — the auditing and control concepts you already learn carry directly into ISC's heaviest areas.
Syllabus-aligned ISC materials and practice questions will follow as the 2029 coverage settles. For now, ISC is a subject to be aware of, not one to lose sleep over.
For the full picture of the 2029 overhaul — every renamed, merged, and new subject — see our complete guide to the 2029 CPALE changes. And for the structure that still governs every current candidate, see our current CPALE coverage and Table of Specifications guide.
Sources
- Annex "A" — Revised Syllabi and Tables of Specifications — the Information Systems and Controls syllabus and Table of Specifications this guide is based on.
- PRBOA Resolution No. 20, Series of 2026 — the resolution promulgating the revised TOS effective the October 2029 examination.
- PRC Professional Regulatory Boards — the Professional Regulatory Board of Accountancy and its official issuances.