Information Systems Architecture, Process Flow, and Control Design

ISC coverage for infrastructure, ERP, business processes, IT general controls, availability, and change management.

This part covers the operating structure of information systems. The chapters explain how infrastructure, applications, process flow, and control design fit together so you can evaluate whether a system is reliable enough for financial and assurance purposes.

In This Part

Chapter 5: IT Infrastructure Fundamentals explains the components that support enterprise systems.
Chapter 6: Enterprise Resource Planning (ERP) and Accounting Information Systems connects system architecture to accounting processes.
Chapter 7: Business Processes in Information Systems follows transaction flow inside system-supported operations.
Chapter 8: IT General Controls (ITGC) - Standard Domains covers the control domains that support reliance on system output.
Chapter 9: System Availability and Business Continuity addresses uptime, recovery, and operational resilience.
Chapter 10: IT Change Management explains how authorized, tested, and documented change reduces control risk.

ISC architecture questions are easier when the system is traced from infrastructure to application, transaction flow, controls, availability, and change. The exam often asks whether a control weakness affects data reliability, access, processing integrity, or continuity. A technical term matters only because it changes assurance over the process or system output.

Systems and Controls Mapping Lens

System layer	What to connect	Common ISC trap
Infrastructure	Servers, networks, databases, cloud services, and dependencies.	Treating infrastructure as background instead of the base for control reliability.
ERP and accounting systems	How transactions enter, process, post, and report.	Evaluating reports without understanding source data and processing flow.
Business processes	Authorization, custody, recording, reconciliation, and exception handling.	Looking at isolated screens rather than end-to-end process risk.
IT general controls	Access, change management, operations, and backup controls that support applications.	Testing application output while ignoring weak general controls.
Availability and continuity	Recovery objectives, redundancy, incident handling, and resilience.	Confusing uptime goals with tested recovery capability.
Change management	Authorization, testing, migration, segregation, and documentation.	Assuming a successful change is controlled because it did not cause an outage.

Systems Control Review Sequence

Step	Review focus	Why it matters
1. Map the system boundary	Identify infrastructure, applications, databases, interfaces, cloud services, and third-party dependencies.	Controls cannot be evaluated until the system being controlled is clear.
2. Trace transaction flow	Follow initiation, authorization, processing, recording, reporting, and exception handling.	ISC questions often hide control weaknesses inside process handoffs.
3. Evaluate ITGC support	Check access, change management, operations, backup, monitoring, and incident controls.	Weak general controls can undermine reliance on application output.
4. Test availability and recovery	Compare recovery objectives, redundancy, backups, incident response, and continuity testing.	A plan is weaker than tested recoverability.
5. Connect to assurance impact	Decide whether the weakness affects completeness, accuracy, authorization, confidentiality, or reliability.	The exam answer usually depends on how the technology issue changes assurance.

How to Use This Part

Read the chapters in order if you need a systems-to-controls workflow rather than isolated terms.
Pay attention to how process design affects control risk and evidence reliability.
Revisit the relevant chapter after any missed question involving ITGCs, ERP flow, or availability planning.

In this section

IT Infrastructure Components, Virtualization, and Cloud Models
Infrastructure components, virtualization, and cloud models in ISC.
- Hardware Components, End-User Devices, Networks, and Related Risks
  Hardware, end-user devices, networks, and related control risks.
- Operating Systems, Hypervisors, Virtual Machines, and Containers
  Operating systems, hypervisors, virtual machines, and containers.
- Cloud Service Models, Deployment Options, and Shared Responsibility
  Cloud service models, deployment options, and shared-responsibility concepts.
ERP Architecture, Accounting Systems, Automation, and Blockchain
ERP architecture, AIS design, automation, and blockchain topics.
- ERP Modules, Integrated Data Flows, and the Modern ERP Ecosystem
  ERP modules and integrated data flows across business functions.
- Accounting Information Systems Within Enterprise Resource Planning
  AIS components, ledgers, and reporting inside ERP environments.
- Robotic Process Automation and Emerging Technology Considerations
  RPA and emerging technologies that change control and evidence.
- Blockchain Architecture and Financial Reporting Considerations
  Blockchain architecture and its financial-reporting implications.
Business Process Flow, Integrity, and Vendor Dependencies
Transaction cycles, process flow, processing integrity, and vendor risk.
- Core Transaction Cycles, Supporting Modules, and Control Points
  Core transaction cycles, supporting modules, and control points.
- Flowcharting, Process Mapping, and Business Process Diagrams
  Flowcharting and process-mapping techniques for business systems.
- Processing Integrity Controls Across Major Transaction Cycles
  Processing integrity controls across major transaction cycles.
- Common Control Deficiencies, Root Causes, and Mitigation
  Common control deficiencies, root causes, and mitigation options.
- Third-Party Vendors, Outsourcing, and Ongoing Risk Management
  Vendor, outsourcing, and third-party risk management.
IT General Control Domains and Related Deficiency Analysis
IT general control domains, framework alignment, and deficiency analysis.
- Access Controls Over Programs, Data, and Privileged Capabilities
  Access controls over programs, data, and privileged capabilities.
- Program Change Controls, Approvals, Testing, and Audit Trails
  Program change controls, approvals, testing, and audit trails.
- Program Development Phases, Sign-Off Gates, and Acceptance Testing
  Program development phases, sign-off gates, and acceptance testing.
- Computer Operations, Scheduling, Backups, and Daily Monitoring
  Computer operations, scheduling, backups, and daily monitoring.
- Mapping IT General Controls to COSO and COBIT
  How IT general controls map to COSO and COBIT.
- Identifying IT General Control Deficiencies and Mitigation Responses
  IT general control deficiencies and mitigation responses.
Availability Planning, Recovery Design, and Business Continuity
System availability, recovery planning, and business continuity.
- Disaster Recovery Planning and Business Resiliency Design
  Disaster recovery planning and broader business resiliency design.
- Redundancy, Replication, Mirroring, and Backup Strategy
  Redundancy, replication, mirroring, and backup strategy.
- Business Impact Analysis and the Identification of Critical Functions
  Business impact analysis and identification of critical functions.
- Uptime Metrics, SLAs, Recovery Time, and Recovery Point Targets
  Uptime metrics, SLAs, recovery time, and recovery point targets.
Change Control, Deployment Discipline, and SDLC Governance
Change control, deployment discipline, and SDLC governance.
- Change Control Policies, Procedures, and Authorization Standards
  Change control policies, procedures, and authorization standards.
- Environment Segregation, Testing Stages, and Production Protection
  Environment segregation, testing stages, and production protection.
- Patch Management, Testing, Rollback, and Control Monitoring
  Patch management, testing, rollback, and control monitoring.
- Continuous Integration, Delivery Pipelines, and DevOps Control Points
  CI/CD pipelines and DevOps control points.
- SDLC Models: Waterfall, Agile, DevOps, and Control Tradeoffs
  Waterfall, Agile, and DevOps SDLC control tradeoffs.

Revised on Monday, June 15, 2026

1. Foundations & Professional Context

3. Data Management & Analytics

Browse Information Systems and Controls (ISC)