Federal Information System Controls Audit Manual FISCAM - PowerPoint PPT Presentation
Slides: 60
Provided by: GAO178
1
Federal Information System Controls Audit Manual
(FISCAM)
2
Session Objectives
  • Obtain an understanding of information system
    controls relevant to an audit
  • Obtain an understanding of the Federal
    Information System Controls Audit Manual (FISCAM)
    Exposure Draft

3
Information Systems (IS) Controls
  • Internal controls that are dependent on
    information systems processing
  • General controls and application controls are
    always IS controls
  • A user/manual control (control performed by a
    person) is an IS control if
  • its effectiveness depends on information systems
    processing or
  • the reliability (accuracy, completeness, and
    validity) of information processed by information
    systems.

4
Example of User/Manual Controls
  • If the IS control is the review of an exception
    report produced by information systems, the
    effectiveness of the control is dependent on
  • the business process application controls
    directly related to the production of the
    exception report,
  • the general and other business process
    application controls upon which the reliability
    of the information in the exception report
    depends, including
  • the proper functioning of the business process
    application that generated the exception report
    and
  • the reliability of the data used to generate the
    exception report.
  • the effectiveness of the user/manual control
    (i.e., management review and follow-up on the
    items in the exception report).

5
Are IS Controls Relevant to Your Audit?
  • The auditor should determine whether IS controls
    are relevant to the audit objectives.
  • IS controls generally are relevant to a financial
    audit, as financial information is usually
    processed by information systems.

6
Assessing IS Controls in Financial Audits
  • The auditor should obtain an understanding of
    internal control over financial reporting
    sufficient to
  • assess the risk of material misstatement of the
    financial statements whether due to error or
    fraud, and
  • design the nature, timing, and extent of further
    audit procedures.
  • Such understanding includes evaluating the design
    of controls relevant to an audit of financial
    statements and determining whether they have
    been implemented.

7
Assessing IS Controls in Financial Audits
  • IT may affect any of the five components of
    internal control.
  • The auditor should obtain an understanding of how
    IT affects control activities that are relevant
    to the audit.

8
When to Perform Tests of Operating Effectiveness
  • The auditor should perform tests of the operating
    effectiveness of controls when
  • the auditor's risk assessment includes an
    expectation that controls are operating
    effectively, or
  • substantive procedures alone do not provide
    sufficient appropriate evidence at the relevant
    assertion level.

9
Performance Audits (7.16)
  • Auditors should obtain an understanding of
    internal control that is significant within the
    context of the audit objectives.
  • For those internal controls that are significant
    within the context of the audit objectives,
    auditors should
  • assess whether the internal controls have been
    properly designed and implemented.
  • plan to obtain sufficient, appropriate evidence
    to support their assessment about the
    effectiveness of those controls.

10
Performance Audits (7.16)
  • When obtaining an understanding of internal
    control significant to the audit objectives,
    auditors should also determine whether it is
    necessary to evaluate IS controls.

11
Evaluating IS Controls Significant to the Audit
(7.24)
  • Auditors should evaluate the effectiveness of IS
    controls determined to be significant to the
    audit objectives
  • This includes other IS controls that affect the
    effectiveness of the significant controls or the
    reliability of information used in performing the
    significant controls.

12
Factors in Determining IS Audit Procedures (7.26)
  • The extent to which internal controls that are
    significant to the audit depend on the
    reliability of information processed or generated
    by information systems

13
Factors in Determining IS Audit Procedures (7.27)
  • The availability of evidence outside the
    information system to support the findings and
    conclusions
  • It may not be possible for auditors to obtain
    sufficient, appropriate evidence without
    evaluating the effectiveness of relevant
    information systems controls
  • If information supporting the findings and
    conclusions is generated by information systems
    or its reliability is dependent on information
    systems controls, there may not be sufficient
    supporting or corroborating information or
    documentary evidence that is available other than
    that produced by the information systems

14
Factors in Determining IS Audit Procedures (7.27)
  • The relationship of information systems controls
    to data reliability
  • To obtain evidence about the reliability of
    computer-generated information, auditors may
    decide to evaluate the effectiveness of
    information systems controls as part of obtaining
    evidence about the reliability of the data
  • If the auditor concludes that information systems
    controls are effective, the auditor may reduce
    the extent of direct testing of data

15
Factors in Determining IS Audit Procedures (7.27)
  • Evaluating the effectiveness of information
    systems controls as an audit objective
  • When evaluating the effectiveness of information
    systems controls is directly a part of an audit
    objective, auditors should test information
    systems controls necessary to address the audit
    objectives
  • The audit may involve the effectiveness of
    information systems controls related to certain
    systems, facilities, or organizations

16
Other IS Control-Related Requirements
  • FISMA
  • Single Audit

17
Federal Information System Controls Audit Manual
(FISCAM)
  • Methodology for efficiently and effectively
    evaluating the effectiveness of information
    system controls
  • Top-down, risk-based (considers
    materiality/significance)
  • Evaluation of entity-wide controls and their
    effect on audit risk
  • Evaluation of general controls' effect on
    application controls
  • Evaluation of security management at all levels
    (entitywide, system, and business process
    application levels).
  • Control hierarchy (control categories, critical
    elements, control activities, control techniques)
  • Groupings of controls based on similar risks
  • Draws on previous IS audit experience
  • Currently incorporating public comments on
    Exposure Draft

18
FISCAM Revisions Reflect Changes in
  • Technology used by government entities,
  • Generally accepted government auditing standards
    (GAGAS or yellow book), including changes in
    incorporated AICPA audit standards (risk
    standards),
  • Audit guidance and control criteria issued by the
    National Institute of Standards and Technology
    (NIST), and
  • The GAO/PCIE Financial Audit Manual (FAM).

19
Other FISCAM Improvements
  • Expanded purpose - provides guidance for
    performing effective and efficient Information
    System (IS) controls audits, either alone or as
    part of a performance audit, a financial audit,
    or an attestation engagement and
  • informs financial, performance, and attestation
    auditors about IS controls and related audit
    issues, so that they can
  • plan their work in accordance with Generally
    Accepted Government Auditing Standards (GAGAS)
    and
  • integrate the work of IS controls specialists
    with other aspects of the financial or
    performance audit or attestation engagement.

20
Other FISCAM Improvements
  • Includes narrative that is designed to provide a
    basic understanding of the methodology, general
    controls, and business process application
    controls
  • The narrative may be used as a reference source
    by the auditor and the IS control specialist.
  • More experienced auditors and IS control
    specialists may find it unnecessary to routinely
    refer to such narrative in performing IS control
    audits.

21
FISCAM - Chapters 1 and 2
  • Chapter 1 Introduction
  • Purpose and users, nature of IS controls,
    determining audit procedures, and FISCAM
    organization
  • Chapter 2 Performing the information system
    controls audit
  • Planning the IS controls audit, performing IS
    control audit tests, reporting audit results, and
    documentation

22
FISCAM - Chapters 3 and 4
  • Describe broad control areas and provide criteria
  • Identify critical elements of each control area
    and related control activities
  • List common types of control techniques
  • List suggested audit procedures

23
Appendices
  • Audit planning checklist
  • Summarization tables
  • Mapping to NIST SP 800-53
  • Knowledge, skills, and abilities
  • Using FISCAM in support of a financial audit
  • Use of service organizations

24
Appendices
  • Single audits
  • FISMA audits
  • FISMA
  • Audit Documentation
  • Glossary
  • Bibliography

25
Summary of Significant Changes to FISCAM
Chapter 3
  • Reorganized general control categories consistent
    with GAGAS
  • Security management (broadened to consider
    statutory requirements and best practices)
  • Access controls (incorporated system software,
    eliminated redundancies, considered network
    environment)
  • Configuration management (network
    considerations; application SDLC added to
    application controls)
  • Segregation of duties (relatively unchanged)
  • Contingency planning (updated for new
    terminology)
  • Updated general controls consistent with NIST
    (particularly SP 800-53) and OMB security guidance

26
Summary of Significant Changes to FISCAM
Chapter 4
  • Audit methodology and IS controls for business
    process applications
  • Application security (general controls)
  • Business process controls (transaction data
    input, processing, and output; master file data
    setup and maintenance)
  • Interface controls
  • Data management system controls

27
Assessing Control Areas by Level
28
Example of Control Activities/Techniques and
Audit Procedures
Critical Element SM-4: Ensure that owners,
administrators, and users are aware of security
policies
29
An Example of Typical Networked Systems
30
Planning Phase
  • Understand the overall audit objectives and
    related scope of the information system controls
    audit
  • Understand the entity's operations and key
    business processes
  • Obtain a general understanding of the structure
    of the entity's networks
  • Identify key areas of audit interest (files,
    applications, systems, locations)
  • Assess information system risk on a preliminary
    basis
  • Identify critical control points (and control
    dependencies)
  • Obtain a preliminary understanding of information
    system controls
  • Perform other audit planning procedures (laws,
    fraud, staffing, multiyear planning,
    communication, service organizations, using the
    work of others, audit plan)

31
Critical Control Points
  • Points in an information system that, if
    compromised, could allow an individual to gain
    unauthorized access to or perform unauthorized or
    inappropriate activities on entity systems or
    data, which could lead directly or indirectly to
    unauthorized access or modifications to the key
    areas of audit interest

32
Control Dependency
  • Exists when the effectiveness of a control is
    dependent on the effectiveness of other controls
  • For example, the effectiveness of controls over a
    router is generally dependent on the security of
    other control points, such as a network
    management server or administrator workstation

33
Control Dependencies
34
Testing Phase
  • Understand information systems relevant to the
    audit objectives
  • Identify IS control techniques that are relevant
    to the audit objectives
  • Determine whether relevant IS controls are
    appropriately designed and implemented (across
    all levels)
  • Perform tests of relevant IS controls to
    determine whether such control techniques are
    operating effectively
  • Identify potential weaknesses in information
    system controls
  • For each potential weakness, consider the impact
    of compensating controls or other factors that
    mitigate or reduce the risks related to potential
    weaknesses

35
Significant Controls
  • Financial audits: internal controls that are
    designed to prevent or detect misstatements in
    significant financial statement assertions.
  • Performance audits and attestation engagements:
    internal controls that are significant to the
    audit objectives.

36
Identifying IS Controls
  • For each significant control, the audit team
    should determine whether it is an IS control.
  • An IS controls specialist generally should review
    and concur with the audit team's identification
    of IS controls, particularly with respect to
    whether all IS controls were properly identified
    as such.

37
Testing of IS Controls
  • To evaluate operating effectiveness, the auditor
    should test
  • the significant IS control, and
  • the entitywide, system, and other business
    process level IS controls upon which the
    effectiveness of each significant IS control
    technique depends
  • This would typically include certain application
    controls in those applications in which the IT
    control operates, as well as general controls
    related to the systems in which the application
    operates and other critical control points
    (including control dependencies) in the entity's
    systems or networks that could impact the
    effectiveness of the IT control.

38
Tiered Approach
  • For efficiency, the auditor may implement a
    tiered approach to evaluating the design and
    operating effectiveness of relevant IS control
    techniques, beginning with entitywide level
    controls, followed by system level controls, then
    by business process application level controls.

39
IS Control Evaluation at the Control Activity
Level
  • All control activities are generally relevant to
    a GAGAS audit unless
  • the related control category is not relevant, the
    audit scope is limited, or the auditor determines
    that, due to significant IS control weaknesses,
    it is not necessary to assess the effectiveness
    of all relevant IS controls.
  • Within each relevant control activity, the
    auditor should identify control techniques
    implemented by the entity and determine whether
    the control techniques, as designed, are
    sufficient to achieve the control activity,
    considering IS audit risk and the audit
    objectives.

40
IS Control Evaluation at the Control Activity
Level (contd)
  • The auditor may be able to determine whether
    control techniques are sufficient to achieve a
    particular control activity without evaluating
    and testing all of the control techniques.
  • Also, depending on IS audit risk and the audit
    objectives, the nature and extent of control
    techniques necessary to achieve a particular
    control objective will vary.

41
Reporting Phase
  • Assess the individual and aggregate effect of
    identified IS control weaknesses on the audit
    objectives and report the results of the audit
  • Financial audits
  • Performance audits
  • Develop report and any related findings

42
Documentation
  • Document results for each phase
  • Documentation expectations
  • GAGAS requirements

43
Other Information System Controls Audit
Considerations
  • Additional IS risk factors (e.g., web, ERP)
  • Automated audit tools
  • Sampling

44
General Controls
  • Security Management
  • Access Control
  • Configuration Management
  • Segregation of Duties
  • Contingency Planning

45
Security Management (SM)
  • Establish a security management program
  • Periodically assess and validate risks
  • Document security control policies and procedures
  • Implement effective security awareness and other
    security-related personnel policies
  • Monitor the effectiveness of the security program
  • Effectively remediate information security
    weaknesses
  • Ensure that activities performed by external
    third parties are adequately secure

46
Access Control (AC)
  • Adequately protect information system boundaries
  • Implement effective identification and
    authentication mechanisms
  • Implement effective authorization controls
  • Adequately protect sensitive system resources
  • Implement an effective audit and monitoring
    capability
  • Establish adequate physical security controls

47
Configuration Management (CM)
  • Develop and document CM policies, plans, and
    procedures
  • Maintain current configuration identification
    information
  • Properly authorize, test, approve, and track all
    configuration changes
  • Routinely monitor the configuration
  • Update software on a timely basis to protect
    against known vulnerabilities
  • Appropriately document and approve emergency
    changes to the configuration

48
Segregation of Duties (SD)
  • Segregate incompatible duties and establish
    related policies
  • Control personnel activities through formal
    operating procedures, supervision, and review

49
Contingency Planning (CP)
  • Assess the criticality and sensitivity of
    computerized operations and identify supporting
    resources
  • Take steps to prevent and minimize potential
    damage and interruption
  • Develop and document a comprehensive contingency
    plan
  • Periodically test the contingency plan and adjust
    it as appropriate

50
Business Process Application Level Controls
  • Application level general controls
  • Business process controls
  • Interface controls
  • Data management system controls

51
Application Level General Controls
  • Security management
  • Access controls
  • Configuration management
  • Segregation of duties
  • Contingency planning

52
Business Process Controls
  • Transaction data input is complete, accurate,
    valid, and confidential
  • Transaction data processing is complete,
    accurate, valid, and confidential
  • Transaction data output is complete, accurate,
    valid, and confidential
  • Master data setup and maintenance is adequately
    controlled

53
Interface Controls
  • Effective strategy and design
  • Effective interface processing procedures

54
Data Management System Controls
  • Effective Strategy
  • Audit and Monitoring
  • Control Specialized Data Management Processes

55
Single Audits - Internal Control over Compliance
Requirements
  • Plan the audit and testing of internal control to
    support a low assessed level of control risk for
    the assertions relevant to the compliance
    requirements for each major program, and,
  • Unless internal control is likely to be
    ineffective, perform testing of internal control
    as planned to support a low assessed level of
    control risk for the assertions relevant to the
    compliance requirements for each major program.

56
Single Audits - Internal Control over Compliance
Requirements
  • When internal control over compliance
    requirements for a major program is ineffective
    in preventing or detecting noncompliance (either
    in design or operation), the auditor should
  • report any significant deficiencies (including
    whether any such condition is a material
    weakness),
  • assess the related control risk at the maximum,
    and
  • consider whether additional compliance tests are
    required because of ineffective internal control.
  • Audit findings should be sufficiently detailed
    for the auditee to implement corrective actions
    and for the federal government to manage the
    program.

57
Single Audit Steps To Assess Internal Control
Over Compliance Requirements
  • Identify the major programs subject to the single
    audit.
  • Identify systems that process data for major
    programs.
  • Determine the types of compliance requirements
    that are relevant to the audit (e.g., allowable
    costs, cash management, etc.) - see A-133 and the
    Compliance Supplement.
  • For each relevant type of compliance requirement,
    determine/identify the relevant control
    objectives (see the Compliance Supplement Part
    6).

58
Single Audit Steps To Assess Internal Control
Over Compliance Requirements
  • For each relevant control objective, identify the
    internal control(s) designed/implemented by the
    entity to achieve the objective and determine
    whether each control is an IS control.
  • Determine whether such controls are effectively
    designed to achieve the related control
    objective(s) and if so, whether they are
    implemented (placed in operation), including
    other IS controls on which the effectiveness of
    the control depends
  • For each control that is effectively designed and
    implemented (placed in operation), the auditor
    should test the control to determine whether it
    is operating effectively, including other IS
    controls on which the effectiveness of the
    control depends.

59
Questions?