Presentation on theme: "Federal Information System Controls Audit Manual (FISCAM)"— Presentation transcript:
1Federal Information System Controls Audit Manual (FISCAM)
2Session ObjectivesObtain an understanding of information system controls relevant to an auditObtain an understanding of the Federal Information System Controls Audit Manual (FISCAM) Exposure Draft
3Information Systems (IS) Controls Internal controls that are dependent on information systems processingGeneral controls and application controls are always IS controlsA user/manual control (control performed by a person) is an IS control ifits effectiveness depends on information systems processing orthe reliability (accuracy, completeness, and validity) of information processed by information systems.
4Example of User/Manual Controls If the IS control is the review of an exception report produced by information systems, the effectiveness of the control is dependent on:the business process application controls directly related to the production of the exception report,the general and other business process application controls upon which the reliability of the information in the exception report depends, including:the proper functioning of the business process application that generated the exception report andthe reliability of the data used to generate the exception report.the effectiveness of the user/manual control (i.e., management review and followup on the items in the exception report).
5Are IS Controls Relevant to Your Audit? The auditor should determine whether IS controls are relevant to the audit objectives.IS controls generally are relevant to a financial audit, as financial information is usually processed by information systems.
6Assessing IS Controls in Financial Audits The auditor should obtain an understanding of internal control over financial reporting sufficient toassess the risk of material misstatement of the financial statements whether due to error or fraud, anddesign the nature, timing, and extent of further audit procedures.Such understanding includes evaluating the design of controls relevant to an audit of financial statements and determining whether they have been implemented.
7Assessing IS Controls in Financial Audits IT may affect any of the five components of internal control.The auditor should obtain an understanding of how IT affects control activities that are relevant to the audit.
8When to Perform Tests of Operating Effectiveness The auditor should perform tests of the operating effectiveness of controls when:the auditor’s risk assessment includes an expectation that controls are operating effectively, orsubstantive procedures alone do not provide sufficient appropriate evidence at the relevant assertion level
9Performance Audits (7.16)Auditors should obtain an understanding of internal control that is significant within the context of the audit objectives.For those internal controls that are significant within the context of the audit objectives, auditors should:assess whether the internal controls have been properly designed and implemented.plan to obtain sufficient, appropriate evidence to support their assessment about the effectiveness of those controls.
10Performance Audits (7.16)When obtaining an understanding of internal control significant to the audit objectives, auditors should also determine whether it is necessary to evaluate IS controls.
11Evaluating IS Controls Significant to the Audit (7.24) Auditors should evaluate the effectiveness of IS controls determined to be significant to the audit objectivesincludes other IS controls that impact the effectiveness of the significant controls or the reliability of information used in performing the significant controls
12Factors in Determining IS Audit Procedures (7.26) The extent to which internal controls that are significant to the audit depend on the reliability of information processed or generated by information systems
13Factors in Determining IS Audit Procedures (7.27) The availability of evidence outside the information system to support the findings and conclusionsIt may not be possible for auditors to obtain sufficient, appropriate evidence without evaluating the effectiveness of relevant information systems controlsIf information supporting the findings and conclusions is generated by information systems or its reliability is dependent on information systems controls, there may not be sufficient supporting or corroborating information or documentary evidence that is available other than that produced by the information systems
14Factors in Determining IS Audit Procedures (7.27) The relationship of information systems controls to data reliabilityTo obtain evidence about the reliability of computer-generated information, auditors may decide to evaluate the effectiveness of information systems controls as part of obtaining evidence about the reliability of the dataIf the auditor concludes that information systems controls are effective, the auditor may reduce the extent of direct testing of data
15Factors in Determining IS Audit Procedures (7.27) Evaluating the effectiveness of information systems controls as an audit objectiveWhen evaluating the effectiveness of information systems controls is directly a part of an audit objective, auditors should test information systems controls necessary to address the audit objectivesThe audit may involve the effectiveness of information systems controls related to certain systems, facilities, or organizations
16Other IS Control-Related Requirements FISMASingle Audit
17Federal Information System Controls Audit Manual (FISCAM) Methodology for efficiently and effectively evaluating the effectiveness of information system controlsTop-down, risk-based (considers materiality/significance)Evaluation of entity-wide controls & their effect on audit riskEvaluation of general controls & effect on application controlsEvaluation of security management at all levels (entitywide, system, and business process application levels).Control hierarchy (control categories, critical elements, control activities, control techniques)Groupings of controls based on similar risksDraws on previous IS audit experienceCurrently incorporating public comments on Exposure Draft
18FISCAM Revisions Reflect Changes in: Technology used by government entities,Generally accepted government auditing standards (GAGAS or “yellow book”, including changes in incorporated AICPA audit standards (“risk standards”)Audit guidance and control criteria issued by the National Institute of Standards and Technology (NIST), andThe GAO/PCIE Financial Audit Manual (FAM).
19Other FISCAM Improvements Expanded purpose - provides guidance for performing effective and efficient Information System (IS) controls audits, either alone or as part of a performance audit, a financial audit, or an attestation engagement; andinforms financial, performance, and attestation auditors about IS controls and related audit issues, so that they can:plan their work in accordance with Generally Accepted Government Auditing Standards (GAGAS) andintegrate the work of IS controls specialists with other aspects of the financial or performance audit or attestation engagement.
20Other FISCAM Improvements Includes narrative that is designed to provide a basic understanding of the methodology, general controls, and business process application controlsThe narrative may be used as a reference source by the auditor and the IS control specialist.More experienced auditors and IS control specialists may find it unnecessary to routinely refer to such narrative in performing IS control audits.
21FISCAM - Chapters 1 and 2 Chapter 1 – Introduction Purpose and users, nature of IS controls, determining audit procedures, and FISCAM organizationChapter 2 – Performing the information system controls auditPlanning the IS controls audit, performing IS control audit tests, reporting audit results, and documentation
22FISCAM - Chapters 3 and 4Describe broad control areas; provide criteriaIdentify critical elements of each control area and related control activitiesList common types of control techniquesList suggested audit procedures
23Appendices Audit planning checklist Summarization tables Mapping to NIST SPKnowledge, skills, and abilitiesUsing FISCAM in support of a financial auditUse of service organizations
24Appendices Single audits FISMA audits FISMA Audit Documentation GlossaryBibliography
25Summary of Significant Changes to FISCAM – Chapter 3 Reorganized general control categories consistent with GAGASSecurity management (broadened to consider statutory requirements & best practices)Access controls (incorporated system software, eliminated redundancies, & considered network environment)Configuration management (network considerations-application SDLC added to application controls)Segregation of duties (relatively unchanged)Contingency planning (updated for new terminology)Updated general controls consistent with NIST (particularly SP ) and OMB security guidance
26Summary of Significant Changes to FISCAM – Chapter 4 Audit methodology and IS controls for business process applicationsApplication security (general controls)Business process controls (transaction data input, processing output, master file data setup & maintenance)Interface controlsData management system controls
27Assessing Control Areas by Level Entity-wide LevelSystem LevelBusiness Process Application LevelNetworkOperating SystemsInfrastructure ApplicationsGeneral ControlsSecurityManagementAccessControlsConfigurationSegregation of DutiesContingency PlanningBusiness Process Application Controls- BusinessProcess-Interface-Data Mgmt.
28Example of Control Activities/Techniques and Audit Procedures Critical Element SM-4 Ensure that owners, administrators and users are aware of security policiesControl ActivitiesControl TechniquesAudit ProceduresSM-4.1 Owners, system administrators and users are aware of security policiesSM An ongoing security awareness program has been implemented that includes security briefings and training for all employees with system access and security responsibilities.SM Security policies are distributed to all affected personnel, including system/application rules and expected behaviors.Review documentation supporting or evaluating the awareness program. Observe a security briefing.Interview data owners and system administrators and users.Determine what training they have received and if they are aware of their security-related responsibilities.Review memos, electronic mail files, or other policy distribution mechanisms.Review personnel files to test whether security awareness statements are current.
30Planning PhaseUnderstand the overall audit objectives and related scope of the information system controls auditUnderstand the entity’s operations and key business processesObtain a general understanding of the structure of the entity’s networksIdentify key areas of audit interest (files, applications, systems, locations)Assess information system risk on a preliminary basisIdentify critical control points (and control dependencies)Obtain a preliminary understanding of information system controlsPerform other audit planning procedures (laws, fraud, staffing, multiyear planning, communication, service organizations, using the work of others, audit plan)
31Critical Control Points Points in an information system that, if compromised, could allow an individual to gain unauthorized access to or perform unauthorized or inappropriate activities on entity systems or data, which could lead directly or indirectly to unauthorized access or modifications to the key areas of audit interest
32Control DependencyExists when the effectiveness of a control is dependent on the effectiveness of other controlsFor example, the effectiveness of controls over a router generally are dependent on the security of other control points, such as a network management server or administrator work station
34Testing PhaseUnderstand information systems relevant to the audit objectivesIdentify IS control techniques that are relevant to the audit objectivesDetermine whether relevant IS controls are appropriately designed and implemented (across all levels)Perform tests of relevant IS controls to determine whether such control techniques are operating effectivelyIdentify potential weaknesses in information system controlsFor each potential weakness, consider the impact of compensating controls or other factors that mitigate or reduce the risks related to potential weaknesses
35Significant ControlsFinancial audits – Internal controls that are designed to prevent or detect misstatements in significant financial statement assertions.Performance audits and attestation engagements – internal controls that are significant to the audit objectives
36Identifying IS Controls For each significant control, the audit team should determine whether it is an IS control.An IS controls specialist generally should review and concur with the audit team’s identification of IS controls, particularly with respect to whether all IS controls were properly identified as such.
37Testing of IS ControlsTo evaluate operating effectiveness, the auditor should test:the significant IS control, andthe entitywide, system, and other business process level IS controls upon which the effectiveness of each significant IS control technique dependsthis would typically include certain application controls in those applications in which the IT control operates, as well as general controls related to the systems in which the application operates and other critical control points (including control dependencies) in the entity’s systems or networks that could impact the effectiveness of the IT control).
38Tiered ApproachFor efficiency, the auditor may implement a tiered approach to evaluating the design and operating effectiveness of relevant IS control techniques, beginning with entitywide level controls, followed by system level controls, then by business process application level controls.
39IS Control Evaluation at the Control Activity Level All control activities are generally relevant to a GAGAS audit unless:the related control category is not relevant, the audit scope is limited, or the auditor determines that, due to significant IS control weaknesses, it is not necessary to assess the effectiveness of all relevant IS controls.Within each relevant control activity, the auditor should identify control techniques implemented by the entity and determine whether the control techniques, as designed, are sufficient to achieve the control activity, considering IS audit risk and the audit objectives.
40IS Control Evaluation at the Control Activity Level (cont’d) The auditor may be able to determine whether control techniques are sufficient to achieve a particular control activity without evaluating and testing all of the control techniques.Also, depending on IS audit risk and the audit objectives, the nature and extent of control techniques necessary to achieve a particular control objective will vary.
41Reporting PhaseAssess the individual and aggregate effect of identified IS control weaknesses on the audit objectives and report the results of the auditFinancial auditsPerformance auditsDevelop report and any related findings
42Documentation Document results for each phase GAGAS requirements Documentation expectationsGAGAS requirements
43Other Information System Controls Audit Considerations Additional IS risk factors (e.g., web, ERP)Automated audit toolsSampling
44General Controls Security Management Access Control Configuration ManagementSegregation of DutiesContingency Planning
45Security Management (SM) Establish a security management programPeriodically assess and validate risksDocument security control policies and proceduresImplement effective security awareness and other security-related personnel policiesMonitor the effectiveness of the security programEffectively remediate information security weaknessesEnsure that activities performed by external third parties are adequately secure
46Access Control (AC) Adequately protect information system boundaries Implement effective identification and authentication mechanismsImplement effective authorization controlsAdequately protect sensitive system resourcesImplement an effective audit and monitoring capabilityEstablish adequate physical security controls
47Configuration Management (CM) Develop and document CM policies, plans, and proceduresMaintain current configuration identification informationProperly authorize, test, approve, and track all configuration changesRoutinely monitor the configurationUpdate software on a timely basis to protect against known vulnerabilitiesAppropriately document and approve emergency changes to the configuration
48Segregation of Duties (SD) Segregate incompatible duties and establish related policiesControl personnel activities through formal operating procedures, supervision, and review
49Contingency Planning (CP) Assess the criticality and sensitivity of computerized operations and identify supporting resourcesTake steps to prevent and minimize potential damage and interruptionDevelop and document a comprehensive contingency planPeriodically test the contingency plan and adjust it as appropriate
50Business Process Application Level Controls Application level general controlsBusiness process controlsInterface controlsData management system controls
51Application Level General Controls Security managementAccess controlsConfiguration managementSegregation of dutiesContingency planning
52Business Process Controls Transaction data input is complete, accurate, valid, and confidentialTransaction data processing is complete, accurate, valid, and confidentialTransaction data output is complete, accurate, valid, and confidentialMaster data setup and maintenance is adequately controlled
53Interface Controls Effective strategy and design Effective interface processing procedures
54Data Management System Controls Effective StrategyAudit and MonitoringControl Specialized Data Management Processes
55Single Audits - Internal Control over Compliance Requirements Plan the audit and testing of internal control to support a low assessed level of control risk for the assertions relevant to the compliance requirements for each major program, and,Unless internal control is likely to be ineffective, perform testing of internal control as planned to support a low assessed level of control risk for the assertions relevant to the compliance requirements for each major program.
56Single Audits - Internal Control over Compliance Requirements When internal control over compliance requirements for a major program are ineffective in preventing or detecting noncompliance (either in design or operation), the auditor should:report any significant deficiencies (including whether any such condition is a material weakness),assess the related control risk at the maximum, andconsider whether additional compliance tests are required because of ineffective internal control.Audit findings should be sufficiently detailed for auditee to implement corrective actions and federal government to manage the program
57Single Audit – Steps To Assess Internal Control Over Compliance Requirements Identify the major programs subject to the single audit.Identify systems that process data for major programs.Determine the types of compliance requirements that are relevant to the audit (e.g., allowable costs, cash management, etc) - see A-133 and the Compliance Supplement.For each relevant type of compliance requirement, determine/identify the relevant control objectives (see the Compliance Supplement – Part 6).
58Single Audit – Steps To Assess Internal Control Over Compliance Requirements For each relevant control objective, identify the internal control(s) designed/implemented by the entity to achieve the objective and determine whether each control is an IS control.Determine whether such controls are effectively designed to achieve the related control objective(s) and if so, whether they are implemented (placed in operation), including other IS controls on which the effectiveness of the control dependsFor each control that is effectively designed and implemented (placed in operation), the auditor should test the control to determine whether it is operating effectively, including other IS controls on which the effectiveness of the control depends.