Draft Syllabus For Information Systems and Controls


ANNEX “_”

THE LICENSURE EXAMINATION FOR CERTIFIED PUBLIC ACCOUNTANTS
(LECPA) SYLLABUS FOR INFORMATION SYSTEMS AND CONTROLS
Effective October ______ Examination

This subject covers the candidates’ ability to demonstrate understanding and remembering of concepts, frameworks, principles, standards, criteria, and regulations relating to the following areas: information systems and data management, information technology (IT) objectives and controls, auditing IT as part of audit of financial statements, and service organization controls (SOC).

For information systems and data management, the candidates must demonstrate knowledge and skills in relation to IT environment, enterprise resource planning (ERP) and accounting information systems (AIS), regulations, standards, and frameworks, and data management.

For IT objectives and controls, the candidates must demonstrate knowledge and skills in relation to security, confidentiality, privacy, processing integrity, and availability, and the related threats and attacks, mitigation, and testing of management controls.

For auditing IT as part of audit of financial statements, the candidates must demonstrate knowledge and skills in relation to understanding the IT environment, IT audit planning and scoping, IT entity level controls, IT general controls in the audit of FS, IT application and IT-dependent manual controls in the audit of FS, and system-generated reports and reliance on data extracts in the audit of FS.

For service organization controls (SOC), the candidates must demonstrate knowledge and skills in relation to fundamentals, management’s use, and audit of SOC.

The knowledge of the candidates in the competencies cited above is that of an entry-level accountant who can address the fundamental requirements of the various parties with whom the candidates will be interacting professionally in the future.

New laws, standards, and other issuances which are effective as of the date of the examination shall supersede the related topic listed in the syllabus and will be included in the examination, unless there is an advisory from the Professional Regulatory Board of Accountancy to the contrary.

The examination shall have eighty (80) multiple choice questions with an allocated time of three (3) hours.

The syllabus for the subject is presented below.


1.0 Information Systems and Data Management

1.1 IT Environment
1.1.1 Types of information system (e.g., AIS, MIS, DSS)
1.1.2 Fundamentals of Computerized Information System

1.2 Enterprise Resource Planning (ERP) and Accounting Information Systems (AIS)
1.2.1 Composition and interaction of and between ERP and AIS
1.2.2 Business process models and relevant documents (e.g., O2C, P2P, RTR)
1.2.3 Process documentation (e.g., narratives, flowcharts, ICQs)
1.2.4 Familiarity with various ERP and AIS vendor applications
1.2.5 Potential changes to business process in improving the performance of AIS

DRAFT Page 1 of 3
1.3 Regulations, Standards, and Frameworks
1.3.1 Salient provisions of relevant regulations – global and local (e.g., US SOX, Data Privacy)
1.3.2 Overview of relevant standards (e.g., ISPPIA, IT Audit and Assurance Standards)
1.3.3 Relevant frameworks (e.g., COSO IICF, COBIT 2019)

1.4 Data Management
1.4.1 Data collection methods and techniques
1.4.2 Types of data storage and database schemas
1.4.3 Overview of data life cycle stages
1.4.4 Relational database structures for data integrity, use of data dictionaries, and normalization
1.4.5 Standard SQL queries for data relevance and completeness
1.4.6 Data integration from various sources for analysis and decision-making
1.4.7 Use of Computer-Assisted Audit Tools and Techniques (CAATTs)


2.0 IT Objectives and Controls

2.1 Security
2.1.1 Threats and attacks
2.1.2 Mitigation
2.1.3 Testing management controls

2.2 Confidentiality and Privacy
2.2.1 Threats
2.2.2 Mitigation
2.2.3 Encryption fundamentals, techniques, and applications
2.2.4 Differences between confidentiality and privacy
2.2.5 Methods for the protection of confidential data
2.2.6 Data Loss Prevention (DLP)
2.2.7 Financial and operational implications of a data breach
2.2.8 Controls and data management practices
2.2.9 Deficiencies in the suitability or design
2.2.10 Deviations in the operation of controls
2.2.11 Walkthrough
2.2.12 Testing management controls

2.3 Processing Integrity and Availability
2.3.1 Threats
2.3.2 Mitigation
2.3.3 IT General Controls (ITGC)
2.3.4 Other ITGC
2.3.5 IT Application Controls (ITAC)
2.3.6 Change management
2.3.7 Business continuity and disaster recovery management
2.3.8 Testing management controls


3.0 Auditing IT as Part of Audit of Financial Statements

3.1 Understanding the IT Environment
3.1.1 Role of IT in the entity's internal control and financial reporting
3.1.2 IT risk and impact
3.1.3 IT organizational structure
3.1.4 IT governance
3.1.5 Adequacy and competence of IT personnel or resources

3.1.6 Adoption of new or emerging technology
3.1.7 Documenting IT controls

3.2 IT Audit Planning and Scoping
3.2.1 IT application, IT-dependent manual controls and system-generated reports (SGRs)
3.2.2 Systems, infrastructure, and other relevant tools
3.2.3 The role of IT specialist
3.2.4 Impact of IT controls on the financial statement audit

3.3 IT Entity Level Controls
3.3.1 Impact of IT entity level controls on the design and operating effectiveness of underlying application controls, IT-dependent manual controls and system-generated reports
3.3.2 Risk response

3.4 IT General Controls (ITGC)
3.4.1 Understanding ITGC
3.4.2 Testing of key ITGC
3.4.3 Evaluating ITGC test results

3.5 IT Application and IT-Dependent Manual Controls
3.5.1 Understanding IT Application and IT-Dependent Manual Controls (e.g., interface, calculation, validation, authorization)
3.5.2 Testing of key IT Application and IT-Dependent Manual Controls (e.g., techniques, methods, approaches)
3.5.3 Evaluating IT Application and IT-Dependent Manual Controls test results

3.6 System-Generated Reports (SGR) and Reliance on Data Extracts and Performing Data Analytics
3.6.1 Reliance over SGR and Data Extracts
3.6.2 Data analytics-enabled audit


4.0 Service Organization Controls (SOC)

4.1 Introduction to SOC
4.1.1 Purpose, types, and parties involved
4.1.2 Applicable standards and criteria
4.1.3 Report structure

4.2 Management’s Use of SOC
4.2.1 Outsourced processes
4.2.2 Benefits and risks of outsourcing
4.2.3 Evaluating SOC report

4.3 Audit of SOC
4.3.1 Planning SOC engagements
4.3.2 Performing SOC engagements
4.3.3 Reporting on SOC engagements
