1 Audit Guidance
Using the Federal Information System Controls Audit Manual (FISCAM) to Achieve Audit Objectives in Financial and Performance Audits
Mickie E. Gray & David B. Hayes
U.S. Government Accountability Office
2 IS Controls – Audit Objectives
IS support is required to identify, quantify and respond to:
Control Risk – opinion/reporting on internal control
Audit Risk – compliance with evidence standards & design of audit procedures
3 Managing Audit Risk
Audit Risk = Risk of Material Misstatement × Detection Risk
Audit Risk is a combination of Risk of Material Misstatement and Detection Risk.
Risk of Material Misstatement is the auditor’s combined assessment of inherent risk and control risk (SAS No. 107).
Detection Risk is the risk that the auditor will not detect a material misstatement that exists in an assertion.
4 Understanding Risk – Auditor’s Perspective
An auditor can (MUST) control detection risk by changing the nature, timing, and extent of audit procedures.
An auditor cannot control the risk of material misstatement.
However, an auditor MUST assess the risk of material misstatement.
Assessing the risk of material misstatement (the risk assessment process) allows the auditor to gather information and to design further audit procedures that reduce audit risk to an acceptably low level.
5 Important Auditing Standards that Should be Consulted when Planning & Performing IS Audit Procedures
SAS-108 – Planning and Supervision
SAS-106 – Audit Evidence
SAS-109 – Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
SAS-110 – Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
SAS-115 – Communicating Internal Control Matters Identified in an Audit
AT-501 – An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements
Government Auditing Standards (Yellow Book)
6 Objectives of this Session
Include IS in engagement designs so that objectives are achieved
Determine skill sets and resources needed for the engagement team
Identify elements of an effective audit approach
Introduce the FISCAM methodology for engagements that include IS work
7 Different Types of Engagements
Financial Audits (including Attestations) - Express an opinion on financial statements (or selected information)
Performance Audits - Determine the reliability of performance measures of a specific program or activity
8 Comparison of Standards for Performance and Financial Audits
How do the audit standards compare?
Based on the audit standards, material = significant.
Financial auditors “obtain sufficient appropriate audit evidence…to afford a reasonable basis for an opinion”
Performance auditors “provide reasonable assurance that evidence is sufficient and appropriate to support…conclusions”
Standards for assessment of risk, evaluation of internal controls, understanding of the entity and quality of evidence are the same
Source: Government Auditing Standards GAO G
9 Planning the Engagement
What is needed to achieve objectives?
Multi-discipline teams - auditors, specialists, contractors
Strong auditor leadership - control and management of teams and their members
An approach that is inclusive of automation
10 Preliminary Steps for IS Work
What approach, inclusive of automation, will achieve adequate information system (IS) coverage?
Develop an understanding of the process
Understand the information and IS infrastructure
Identify and assess risks
11 Take Advantage of the COSO Internal Control Framework
Develop an understanding of the process, including the components of internal control:
Control Environment
Information & Communication
Risk Assessment
Monitoring
Control Activities
12 FISCAM – A Structured IS Audit Methodology
How is the approach implemented?
Federal Information System Controls Audit Manual (FISCAM), GAO G - February 2009
Methodology for performing IS control audits involving federal information and/or federal funds
Designed such that GAGAS will be achieved
Risk-based and efficient approach to assessing the effectiveness of IS controls
13 FISCAM Structure
Top-down, risk-based approach that considers materiality/significance
Evaluation of entity-wide controls & their effect on audit risk
Evaluation of general controls & their effect on application controls
Evaluation of security management at all levels - entitywide, system, and business process application levels
Control hierarchy - control categories, critical elements, control activities, and control techniques
14 What are IS Controls?
Internal controls that are dependent on information systems processing and include:
general controls
business process application controls
user controls
15 IS Control Types
General controls and business process application controls are always IS controls.
User controls* can be IS controls.
* User controls are manual controls -- controls that are performed by people interacting with IS controls -- and are IS controls if their effectiveness depends on information systems processing or on the reliability of information processed by information systems.
16 General & Application Controls
General Controls - policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure the proper operation of information systems by creating the environment for proper operation of application controls.
Business Process Application Controls - controls that are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during application processing.
17 General Control Categories
Security Management
Access Control
Configuration Management
Segregation of Duties
Contingency Planning
18 Application Control Categories
Application Security (application level general controls)
Business process controls
Interface controls
Data management system controls
19 Relationship Between Controls
Effective general controls can support the effectiveness of business process application controls, while ineffective general controls generally render business process application controls ineffective.
20 Audit Guidance
What General Controls are being relied upon?
[Figure: Typical Agency Network Map. Source: Unnamed Agency]
21 FISCAM – A Tool for Auditors
A structured, standards-based approach for planning and conducting IS work
An efficient, risk-based approach to conducting IS work with limited audit resources
An organized approach that supports the collection and organization of audit documentation and promotes effective reporting
22 Achieving Objectives
Using FISCAM can help achieve the overall objectives needed in all audit engagements that involve IS work:
Identify, Assess and Report on Control Risk
Manage Audit Risk
23 Contact Information
Mickie E. Gray – GAO Financial Management and Assurance Team
David B. Hayes – GAO Applied Research and Methods Team