GAO

February 2009

United States Government Accountability Office

FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL (FISCAM)

GAO-09-232G

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office Washington, DC 20548

February 2009

TO AUDIT OFFICIALS, CIOS, AND OTHERS INTERESTED IN FEDERAL AND OTHER GOVERNMENTAL INFORMATION SYSTEM CONTROLS AUDITING AND REPORTING

This letter transmits the revised Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM). The FISCAM presents a methodology for performing information system (IS) control[1] audits of federal and other governmental entities in accordance with professional standards, and was originally issued in January 1999. We have updated the FISCAM for significant changes affecting IS audits.

This revised FISCAM reflects consideration of public comments received from professional accounting and auditing organizations, independent public accounting firms, state and local audit organizations, and interested individuals on the FISCAM Exposure Draft issued on July 31, 2008 (GAO-08-1029G).

GAO would like to thank the Council of the Inspectors General on Integrity and Efficiency and the state and local auditor community for their significant input into the development of this revised FISCAM.

Summary of Major Revisions to FISCAM

The revised FISCAM reflects changes in (1) technology used by government entities, (2) audit guidance and control criteria issued by the National Institute of Standards and Technology (NIST), and (3) generally accepted government auditing standards (GAGAS), as presented in Government Auditing Standards (also known as the "Yellow Book").[2] The FISCAM provides a methodology for performing information system (IS) control audits in accordance with GAGAS, where IS controls are significant to the audit objectives. However, at the discretion of the auditor, this manual may be applied on other than GAGAS audits. As defined in GAGAS, IS controls consist of those internal controls that are dependent on information systems processing and include general controls and application controls. This manual focuses on evaluating the effectiveness of such general and application controls. This manual is intended for both (1) auditors, to assist them in understanding the work done by IS controls specialists, and (2) IS controls specialists, to plan and perform the IS controls audit. The FISCAM is not intended to be used as a basis for audits where the audit objectives are to specifically evaluate broader information technology (IT) controls (e.g., enterprise architecture and capital planning) beyond the context of general and business process application controls.

[1] Information system (IS) controls consist of those internal controls that are dependent on information systems processing and include general controls (entitywide, system, and business process application levels), business process application controls (input, processing, output, master file, interface, and data management system controls), and user controls (controls performed by people interacting with information systems).

The FISCAM is consistent with the GAO/PCIE Financial Audit Manual (FAM). Also, the FISCAM control activities are consistent with the NIST Special Publication (SP) 800-53 and other NIST and OMB IS control-related policies and guidance, and all SP 800-53 controls have been mapped to FISCAM.[3]

The FISCAM is organized to facilitate effective and efficient IS control audits. Specifically, the methodology in the FISCAM incorporates:

• A top-down, risk-based approach that considers materiality and significance in determining effective and efficient audit procedures and is tailored to achieve the audit objectives.
• Evaluation of entitywide controls and their effect on audit risk.
• Evaluation of general controls and their pervasive impact on business process application controls.
• Evaluation of security management at all levels (entitywide, system, and business process application levels).
• A control hierarchy (control categories, critical elements, and control activities) to assist in evaluating the significance of identified IS control weaknesses.
• Groupings of control categories consistent with the nature of the risk.
• Experience gained in GAO's performance and review of IS control audits, including field testing the concepts in this revised FISCAM.

[2] GAO, Government Auditing Standards, GAO-07-162G (Washington, D.C.: July 2007).

[3] To assist the auditor in identifying criteria that may be used in the evaluation of IS controls, Chapters 3 and 4 include references, where appropriate, to NIST SP 800-53, other NIST standards and guidance, and OMB policy and guidance. Also, Appendix IV includes a summary of the mapping of the FISCAM controls to such criteria. In addition, audit procedures in FISCAM are designed to enable the auditor to determine if related control techniques are achieved.

As discussed above, this manual is organized in a hierarchical structure to assist the auditor in performing the IS controls audit. Chapter 3 (general controls) and Chapter 4 (business process application level controls) contain several control categories, which are groupings of related controls pertaining to similar types of risk. For each control category, the manual identifies critical elements: tasks that are essential for establishing adequate controls within the category. For each critical element, there is a discussion of the associated control activities that are generally necessary to achieve the critical element, as well as related potential control techniques and suggested audit procedures. This hierarchical structure facilitates the auditor's audit planning and the auditor's analysis of identified control weaknesses.

Because control activities are generally necessary to achieve the critical elements, they are generally relevant to a GAGAS audit unless the related control category is not relevant, the audit scope is limited, or the auditor determines that, due to significant IS control weaknesses, it is not necessary to assess the effectiveness of all relevant IS controls. Within each relevant control activity, the auditor should identify control techniques implemented by the entity and determine whether the control techniques, as designed, are sufficient to achieve the control activity, considering IS risk and the audit objectives. The auditor may be able to determine whether control techniques are sufficient to achieve a particular control activity without evaluating and testing all of the control techniques.
