FISCAM Standard

The Federal Information System Controls Audit Manual (FISCAM) is the information system (IS) controls audit methodology developed and documented by the Government Accountability Office (GAO); it is used in essentially all IS audits of federal agencies, and its control activities are mapped to NIST SP 800-53.
The manual (GAO-09-232G) is available as a PDF from GAO: http://www.gao.gov/new.items/d09232g.pdf

The transmittal letter that opens the manual is reproduced below.
February 2009
TO AUDIT OFFICIALS, CIOS, AND OTHERS INTERESTED IN FEDERAL AND OTHER GOVERNMENTAL INFORMATION SYSTEM CONTROLS AUDITING AND REPORTING,
This letter transmits the revised Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM). The FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental entities in accordance with professional standards, and was originally issued in January 1999. We have updated the FISCAM for significant changes affecting IS audits. This revised FISCAM reflects consideration of public comments received from professional accounting and auditing organizations, independent public accounting firms, state and local audit organizations, and interested individuals on the FISCAM Exposure Draft issued on July 31, 2008 (GAO-08-1029G). GAO would like to thank the Council of the Inspectors General on Integrity and Efficiency and the state and local auditor community for their significant input into the development of this revised FISCAM.

Summary of Major Revisions to FISCAM

The revised FISCAM reflects changes in (1) technology used by government entities, (2) audit guidance and control criteria issued by the National Institute of Standards and Technology (NIST), and (3) generally accepted government auditing standards (GAGAS), as presented in Government Auditing Standards (also known as the “Yellow Book”). The FISCAM provides a methodology for performing IS control audits in accordance with GAGAS, where IS controls are significant to the audit objectives. However, at the discretion of the auditor, this manual may be applied on other than GAGAS audits. As defined in GAGAS, IS controls consist of those internal controls that are dependent on information systems processing and include general controls and application controls. This manual focuses on evaluating the effectiveness of such general and application controls.
This manual is intended for both (1) auditors, to assist them in understanding the work done by IS controls specialists, and (2) IS controls specialists, to plan and perform the IS controls audit. The FISCAM is not intended to be used as a basis for audits where the audit objectives are to specifically evaluate broader information technology (IT) controls (e.g., enterprise architecture and capital planning) beyond the context of general and business process application controls. The FISCAM is consistent with the GAO/PCIE Financial Audit Manual (FAM). Also, the FISCAM control activities are consistent with NIST Special Publication (SP) 800-53 and other NIST and OMB IS control-related policies and guidance, and all SP 800-53 controls have been mapped to FISCAM.

The FISCAM is organized to facilitate effective and efficient IS control audits. Specifically, the methodology in the FISCAM incorporates:

• A top-down, risk-based approach that considers materiality and significance in determining effective and efficient audit procedures and is tailored to achieve the audit objectives.
• Evaluation of entitywide controls and their effect on audit risk.
• Evaluation of general controls and their pervasive impact on business process application controls.
• Evaluation of security management at all levels (entitywide, system, and business process application levels).
• A control hierarchy (control categories, critical elements, and control activities) to assist in evaluating the significance of identified IS control weaknesses.
• Groupings of control categories consistent with the nature of the risk.
• Experience gained in GAO’s performance and review of IS control audits, including field testing the concepts in this revised FISCAM.

As discussed above, this manual is organized in a hierarchical structure to assist the auditor in performing the IS controls audit. Chapter 3 (general controls) and Chapter 4 (business process application level controls) contain several control categories, which are groupings of related controls pertaining to similar types of risk. For each control category, the manual identifies critical elements: tasks that are essential for establishing adequate controls within the category. For each critical element, there is a discussion of the associated control activities that are generally necessary to achieve the critical element, as well as related potential control techniques and suggested audit procedures. This hierarchical structure facilitates the auditor’s audit planning and the auditor’s analysis of identified control weaknesses. Because control activities are generally necessary to achieve the critical elements, they are generally relevant to a GAGAS audit unless the related control category is not relevant, the audit scope is limited, or the auditor determines that, due to significant IS control weaknesses, it is not necessary to assess the effectiveness of all relevant IS controls.
Within each relevant control activity, the auditor should identify the control techniques implemented by the entity and determine whether those control techniques, as designed, are sufficient to achieve the control activity, considering IS risk and the audit objectives. The auditor may be able to determine whether control techniques are sufficient to achieve a particular control activity without evaluating and testing all of the control techniques. Also, depending on IS risk and the audit objectives, the nature and extent of control techniques necessary to achieve a particular control objective will vary.

If control techniques are sufficient as designed, the auditor should determine whether the control techniques are implemented (placed in operation) and are operating effectively. Also, the auditor should evaluate the nature and extent of testing performed by the entity. Such information can assist in identifying key controls and in assessing risk, but the auditor should not rely on testing performed by the entity in lieu of appropriate auditor testing. If the control techniques implemented by the entity, as designed, are not sufficient to address the control activity, or the control techniques are not effectively implemented as designed, the auditor should determine the effect on IS controls and the audit objectives.

Throughout the updated FISCAM, revisions were made to reflect today’s networked environment. The nature of IS risks continues to evolve. Protecting government computer systems has never been more important because of the complexity and interconnectivity of systems (including Internet and wireless), the ease of obtaining and using hacking tools, the steady advances in the sophistication and effectiveness of attack technology, and the emergence of new and more destructive attacks.

In addition, the FISCAM includes narrative that is designed to provide a basic understanding of the methodology (Chapter 2), general controls (Chapter 3), and business process application controls (Chapter 4) addressed by the FISCAM. The narrative may also be used as a reference source by the auditor and the IS control specialist. More experienced auditors and IS control specialists may find it unnecessary to routinely refer to such narrative in performing IS control audits. For example, a more experienced auditor may have sufficient knowledge, skills, and abilities to directly use the control tables in Chapters 3 and 4 (which are summarized in Appendices II and III).


Category: FISCAM