Audit Guidance

Using the Federal Information System Controls Audit Manual (FISCAM) to Achieve Audit Objectives in Financial and Performance Audits

Mickie E. Gray & David B. Hayes, U.S. Government Accountability Office

IS Controls – Audit Objectives

IS Support is Required to Identify, Quantify and Respond to:

1) Control Risk – opinion/reporting on internal control

2) Audit Risk – compliance with evidence standards & design of audit procedures

Managing Audit Risk

Audit Risk = Risk of Material Misstatement × Detection Risk

Audit Risk is a combination of Risk of Material Misstatement and Detection Risk.

Risk of Material Misstatement is the auditor’s combined assessment of inherent risk and control risk (SAS No. 107).

Detection Risk is the risk that the auditor will not detect a material misstatement that exists in an assertion.

Understanding Risk – Auditor’s Perspective

An auditor can (MUST) control detection risk by changing the nature, timing, and extent of audit procedures.

An auditor cannot control the risk of material misstatement.

However, an auditor MUST assess the risk of material misstatement.

Assessing the risk of material misstatement (the risk assessment process) allows the auditor to gather information and to design further audit procedures that reduce audit risk to an acceptable low level.
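The audit risk model behind the two slides above, written out as an added worked equation (not part of the original deck). The deck states Audit Risk = Risk of Material Misstatement × Detection Risk and defines the risk of material misstatement as the auditor's combined assessment of inherent risk and control risk; the conventional audit risk model expresses that combination as the product of the two, which is the form assumed here:

$$
AR = RMM \times DR = IR \times CR \times DR
$$

Holding the acceptable level of audit risk fixed and solving for the one factor the auditor controls:

$$
DR = \frac{AR}{IR \times CR}
$$

A higher assessed control risk (for example, general controls found ineffective) lowers the detection risk the auditor can accept, which is met by changing the nature, timing, and extent of procedures: more substantive testing, larger samples, and testing closer to period end. Conversely, effective IS controls that the auditor has tested and can rely on support a lower assessed control risk and therefore a higher tolerable detection risk.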

Important Auditing Standards that Should be Consulted when Planning & Performing IS Audit Procedures

1. SAS-108 – Planning and Supervision

2. SAS-106 – Audit Evidence

3. SAS-109 – Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

4. SAS-110 – Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

5. SAS-115 – Communicating Internal Control Matters Identified in an Audit

6. AT-501 – An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

7. Government Auditing Standards (Yellow Book)

Objectives of this Session

• Include IS in engagement designs so that objectives are achieved

• Determine skill sets and resources needed for the engagement team

• Identify elements of an effective audit approach

• Introduce the FISCAM methodology for engagements that include IS work

Different Types of Engagements

•Financial Audits (including Attestations) - Express an opinion on financial statements (or selected information)

•Performance Audits - Determine the reliability of performance measures of a specific program or activity

Comparison of Standards for Performance and Financial Audits

How do the audit standards compare?

• Based on the audit standards, material = significant.

• Financial auditors “obtain sufficient appropriate audit evidence…to afford a reasonable basis for an opinion”

• Performance auditors “provide reasonable assurance that evidence is sufficient and appropriate to support…conclusions”

• Standards for assessment of risk, evaluation of internal controls, understanding of the entity and quality of evidence are the same

Source: Government Auditing Standards GAO-07-731G

Planning the Engagement

What is needed to achieve objectives?

• Multi-discipline teams - auditors, specialists, contractors

• Strong auditor leadership - control and management of teams and their members

• An approach that is inclusive of automation

Preliminary Steps for IS Work

What approach, inclusive of automation, will achieve adequate information system (IS) coverage?

• Develop an understanding of the process

• Understand the information and IS infrastructure

• Identify and assess risks

Take Advantage of the COSO Internal Control Framework

• Control Environment

• Risk Assessment

• Control Activities

• Information & Communication

• Monitoring

Develop an understanding of the process, including components of internal control.

FISCAM – A Structured IS Audit Methodology

How is the approach implemented?

Federal Information System Controls Audit Manual (FISCAM), GAO-09-232G - February 2009

• Methodology for performing IS control audits involving federal information and/or federal funds

• Designed such that GAGAS will be achieved

• Risk-based and efficient approach to assessing the effectiveness of IS controls

FISCAM Structure

• Top-down, risk-based approach that considers materiality/significance

• Evaluation of entity-wide controls & effect on audit risk

• Evaluation of general controls & effect on application controls

• Evaluation of security management at all levels - entitywide, system, and business process application levels.

• Control hierarchy - control categories, critical elements, control activities, and control techniques

What are IS Controls?

Internal controls that are dependent on information systems processing and include:

• general controls

• business process application controls

• user controls

IS Control Types

•General controls and business process application controls are always IS controls.

•User controls* can be IS controls.

* User controls are manual controls -- controls that are performed by people interacting with IS controls and are IS controls if their effectiveness depends on information systems processing or reliability of information processed by information systems.

General & Application Controls

• General Controls - policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure the proper operation of information systems by creating the environment for proper operation of application controls.

• Business Process Application Controls - controls that are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during application processing.

General Control Categories

• Security Management

• Access Control

• Configuration Management

• Segregation of Duties

• Contingency Planning

Application Control Categories

• Application Security (application level general controls)

• Business process controls

• Interface controls

• Data management system controls

Relationship Between Controls

• Effective general controls can support the effectiveness of business process application controls, while

• Ineffective general controls generally render business process application controls ineffective.

[Figure: Typical Agency Network Map. The diagram shows headquarters (six DC HQ buildings, Building A and Building B, connected by a 100 Mb dual FDDI ring MAN provided by AT&T and a 10 Mb MAN with four domains), an internal WAN, Internet connections, and AT&T WAN cloud links (T1) to regional offices in Miami, Texas, the Midwest, Oklahoma, Atlanta, Baltimore, Philadelphia, Kansas City, and Los Angeles, each serving between 5 and 17 field offices, plus 6 and 12 off-site contractor locations.]

What General Controls are being relied upon?

Typical Agency Network Map. Source: Unnamed Agency

FISCAM – A Tool for Auditors

• A structured, standards-based approach for planning and conducting IS work

• An efficient, risk-based approach to conduct IS work with limited audit resources

• An organized approach that will support the collection and organization of audit documentation and promote effective reporting

Achieving Objectives

Using FISCAM can help achieve the overall objectives needed in all audit engagements that involve IS work:

• Identify, Assess and Report on Control Risk

• Manage Audit Risk

Contact Information

Mickie E. Gray – GAO Financial Management and Assurance Team

David B. Hayes – GAO Applied Research and Methods Team