Audit Guidance
Using the Federal Information System Controls Audit Manual (FISCAM) to Achieve Audit Objectives in Financial and Performance Audits
Mickie E. Gray & David B. Hayes, U.S. Government Accountability Office
IS Controls – Audit Objectives
IS support is required to identify, quantify and respond to:
1) Control Risk – opinion/reporting on internal control
2) Audit Risk – compliance with evidence standards & design of audit procedures
Managing Audit Risk
Audit Risk = Risk of Material Misstatement × Detection Risk
Audit Risk is a combination of Risk of Material Misstatement and Detection Risk.
Risk of Material Misstatement is the auditor’s combined assessment of inherent risk and control risk (SAS No. 107).
Detection Risk is the risk that the auditor will not detect a material misstatement that exists in an assertion.
Understanding Risk – Auditor’s Perspective
An auditor can (and MUST) control detection risk by changing the nature, timing, and extent of audit procedures.
An auditor cannot control the risk of material misstatement.
However, an auditor MUST assess the risk of material misstatement.
Assessing the risk of material misstatement (the risk assessment process) allows the auditor to gather information and to design further audit procedures that reduce audit risk to an acceptable low level.
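As an added illustration that is not part of the original slides, the standard audit risk model (SAS No. 107) behind the relation above, rearranged to show the detection risk the auditor must design procedures to achieve; the numeric values are assumed for illustration only:

$$
\text{AR} = \text{RMM} \times \text{DR}, \qquad \text{RMM} = \text{IR} \times \text{CR}
$$

$$
\text{DR} = \frac{\text{AR}}{\text{IR} \times \text{CR}}
$$

With an assumed acceptable audit risk $\text{AR} = 0.05$, inherent risk $\text{IR} = 0.8$ and control risk $\text{CR} = 0.5$ (controls assessed as partly effective), $\text{DR} = 0.05 / 0.40 = 0.125$, so the planned procedures must hold detection risk at or below 12.5%. If the same IS controls cannot be relied upon and $\text{CR}$ is set to $1.0$, $\text{DR} = 0.05 / 0.80 = 0.0625$: the lower allowable detection risk is what forces more extensive substantive procedures.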
Important Auditing Standards that Should be Consulted when Planning & Performing IS Audit Procedures
1. SAS-108 – Planning and Supervision
2. SAS-106 – Audit Evidence
3. SAS-109 – Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
4. SAS-110 – Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
5. SAS-115 – Communicating Internal Control Matters Identified in an Audit
6. AT-501 – An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements
7. Government Auditing Standards (Yellow Book)
Objectives of this Session
• Include IS in engagement designs so that objectives are achieved
• Determine skill sets and resources needed for the engagement team
• Identify elements of an effective audit approach
• Introduce the FISCAM methodology for engagements that include IS work
Different Types of Engagements
• Financial Audits (including Attestations) - Express an opinion on financial statements (or selected information)
• Performance Audits - Determine the reliability of performance measures of a specific program or activity
Comparison of Standards for Performance and Financial Audits
How do the audit standards compare?
• Based on the audit standards, material = significant.
• Financial auditors “obtain sufficient appropriate audit evidence…to afford a reasonable basis for an opinion”
• Performance auditors “provide reasonable assurance that evidence is sufficient and appropriate to support…conclusions”
• Standards for assessment of risk, evaluation of internal controls, understanding of the entity and quality of evidence are the same
Source: Government Auditing Standards GAO-07-731G
Planning the Engagement
What is needed to achieve objectives?
• Multi-discipline teams - auditors, specialists, contractors
• Strong auditor leadership - control and management of teams and their members
• An approach that is inclusive of automation
Preliminary Steps for IS Work
What approach, inclusive of automation, will achieve adequate information system (IS) coverage?
• Develop an understanding of the process
• Understand the information and IS infrastructure
• Identify and assess risks
Take Advantage of the COSO Internal Control Framework
• Control Environment
• Risk Assessment
• Information & Communication
• Control Activities
• Monitoring
Develop an understanding of the process, including components of internal control.
FISCAM – A Structured IS Audit Methodology
How is the approach implemented?
Federal Information System Controls Audit Manual (FISCAM), GAO-09-232G - February 2009
• Methodology for performing IS control audits involving federal information and/or federal funds
• Designed such that GAGAS will be achieved
• Risk-based and efficient approach to assessing the effectiveness of IS controls
FISCAM Structure
• Top-down, risk-based approach that considers materiality/significance
• Evaluation of entity-wide controls & effect on audit risk
• Evaluation of general controls & effect on application controls
• Evaluation of security management at all levels - entity-wide, system, and business process application levels
• Control hierarchy - control categories, critical elements, control activities, and control techniques
What are IS Controls?
Internal controls that are dependent on information systems processing and include:
• general controls
• business process application controls
• user controls
IS Control Types
• General controls and business process application controls are always IS controls.
• User controls* can be IS controls.
* User controls are manual controls -- controls that are performed by people interacting with IS controls and are IS controls if their effectiveness depends on information systems processing or reliability of information processed by information systems.
General & Application Controls
• General Controls - policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure the proper operation of information systems by creating the environment for proper operation of application controls.
• Business Process Application Controls - controls that are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during application processing.
General Control Categories
• Security Management
• Access Control
• Configuration Management
• Segregation of Duties
• Contingency Planning
Application Control Categories
• Application Security (application level general controls)
• Business process controls
• Interface controls
• Data management system controls
Relationship Between Controls
• Effective general controls can support the effectiveness of business process application controls, while
• Ineffective general controls generally render business process application controls ineffective.
[Figure: Typical Agency Network Map (Source: Unnamed Agency). Headquarters (6 DC HQ buildings, Buildings A and B, an internal WAN and Internet connections) is linked over an AT&T WAN cloud, a 10Mb MAN with 4 domains, T1 circuits and a 100Mb dual FDDI ring MAN provided by AT&T to the Atlanta, Baltimore, Kansas City, Los Angeles, Miami, Midwest, Oklahoma, Pacific and Philadelphia regional offices, their field offices, a link labelled "to ABC", and 6 and 12 off-site contractor locations.]
What General Controls are being relied upon?
FISCAM – A Tool for Auditors
• A structured, standards-based approach for planning and conducting IS work
• An efficient, risk-based approach to conduct IS work with limited audit resources
• An organized approach that will support the collection and organization of audit documentation and promote effective reporting
Achieving Objectives
Using FISCAM can help achieve the overall objectives needed in all audit engagements that involve IS work:
• Identify, Assess and Report on Control Risk
• Manage Audit Risk
Contact Information
Mickie E. Gray – GAO Financial Management and Assurance Team [email protected]
David B. Hayes – GAO Applied Research and Methods Team