Major frameworks, AICPA standards, and supporting external references.
This chapter compresses the major external frameworks and standard-setting references used across ISC. It is best used as a review and lookup tool after the fuller explanatory chapters have already established context.
Framework questions test fit, not name recognition. A framework may support governance, cybersecurity, privacy, payment-card compliance, audit methodology, or professional assurance. The right answer depends on the objective of the question and the intended user of the framework. Authority matters as much as fit: PCI DSS, for example, is a contractual obligation imposed through card-brand agreements rather than a law, while HIPAA's rules carry regulatory force, and confusing the two is a common source of wrong answers.
| Reference type | What to identify first | Common ISC trap |
|---|---|---|
| Governance framework | Whether the framework helps direct, monitor, and evaluate IT governance. | Treating governance guidance as a detailed technical control checklist. |
| Security or privacy rule | Which data, system, obligation, or user right is protected. | Applying a privacy rule to every security question. |
| Professional standard | Whether the issue concerns CPA assurance, evidence, independence, or reporting. | Using a technology framework when the question asks about professional responsibility. |
| External reading | Whether the source is a study aid for review or an authoritative text that can be cited in support of a position. | Treating every external summary as equally authoritative. |

| Step | What to identify | Why it matters |
|---|---|---|
| Define the question type | Governance, security, privacy, compliance, assurance, or reference support. | Framework fit depends on the problem being solved. |
| Identify the protected interest | Data subject, payment information, health information, system reliability, or user assurance. | Regulations and frameworks protect different interests. |
| Match the user | Management, auditor, service organization, regulator, customer, or data subject. | User needs shape criteria and reporting. |
| Check authority level | Law, regulation, professional standard, framework, guidance, or study aid. | Not every reference has the same authority. |
| Apply the scope limit | Geography, industry, system boundary, engagement type, or data type. | A well-chosen framework can still be wrong for the specific fact pattern. |

| Checkpoint | What to verify | Common ISC risk |
|---|---|---|
| Purpose fit | Governance, control design, cybersecurity, privacy, compliance, or assurance reporting. | Choosing a familiar framework that does not answer the question asked. |
| Authority level | Law, regulation, professional standard, contractual requirement, or voluntary framework. | Overstating the force of nonbinding guidance. |
| Scope boundary | Geography, industry, system, service organization, data type, or engagement type. | Applying a framework outside its intended scope. |
| Evidence need | Policy, control test, management assertion, SOC report, legal documentation, or monitoring output. | Naming a framework without connecting it to evidence. |
| User need | Management, auditor, regulator, customer, data subject, or report user. | Overlooking the intended user, which shifts the reporting or compliance focus. |