Audit Guidance Using the Federal Information System Controls Audit Manual (FISCAM) to Achieve Audit Objectives in Financial and Performance Audits Mickie.


1 Audit Guidance Using the Federal Information System Controls Audit Manual (FISCAM) to Achieve Audit Objectives in Financial and Performance Audits Mickie E. Gray & David B. Hayes U.S. Government Accountability Office

2 IS Controls – Audit Objectives
IS Support is Required to Identify, Quantify and Respond to:
- Control Risk – opinion/reporting on internal control
- Audit Risk – compliance with evidence standards & design of audit procedures

3 Managing Audit Risk
Audit Risk = Risk of Material Misstatement × Detection Risk
- Audit Risk is a combination of Risk of Material Misstatement and Detection Risk.
- Risk of Material Misstatement is the auditor’s combined assessment of inherent risk and control risk (SAS No. 107).
- Detection Risk is the risk that the auditor will not detect a material misstatement that exists in an assertion.

4 Understanding Risk – Auditor’s Perspective
- An auditor can (MUST) control detection risk by changing the nature, timing, and extent of audit procedures.
- An auditor cannot control the risk of material misstatement. However, an auditor MUST assess the risk of material misstatement.
- Assessing the risk of material misstatement (the risk assessment process) allows the auditor to gather information and to design further audit procedures that reduce audit risk to an acceptably low level.

5 Important Auditing Standards that Should be Consulted when Planning & Performing IS Audit Procedures
- SAS-108 – Planning and Supervision
- SAS-106 – Audit Evidence
- SAS-109 – Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
- SAS-110 – Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
- SAS-115 – Communicating Internal Control Matters Identified in an Audit
- AT-501 – An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements
- Government Auditing Standards (Yellow Book)

6 Objectives of this Session
- Include IS in engagement designs so that objectives are achieved
- Determine skill sets and resources needed for the engagement team
- Identify elements of an effective audit approach
- Introduce the FISCAM methodology for engagements that include IS work

7 Different Types of Engagements
- Financial Audits (including Attestations) - Express an opinion on financial statements (or selected information)
- Performance Audits - Determine the reliability of performance measures of a specific program or activity

8 Comparison of Standards for Performance and Financial Audits
How do the audit standards compare?
- Based on the audit standards, material = significant.
- Financial auditors “obtain sufficient appropriate audit evidence…to afford a reasonable basis for an opinion”
- Performance auditors “provide reasonable assurance that evidence is sufficient and appropriate to support…conclusions”
- Standards for assessment of risk, evaluation of internal controls, understanding of the entity and quality of evidence are the same
Source: Government Auditing Standards GAO G

9 Planning the Engagement
What is needed to achieve objectives?
- Multi-discipline teams - auditors, specialists, contractors
- Strong auditor leadership - control and management of teams and their members
- An approach that is inclusive of automation

10 Preliminary Steps for IS Work
What approach, inclusive of automation, will achieve adequate information system (IS) coverage?
- Develop an understanding of the process
- Understand the information and IS infrastructure
- Identify and assess risks

11 Take Advantage of the COSO Internal Control Framework
Develop an understanding of the process, including components of internal control.
- Control Environment
- Information & Communication
- Risk Assessment
- Monitoring
- Control Activities

12 FISCAM – A Structured IS Audit Methodology
How is the approach implemented?
- Federal Information System Controls Audit Manual (FISCAM), GAO G - February 2009
- Methodology for performing IS control audits involving federal information and/or federal funds
- Designed such that GAGAS will be achieved
- Risk-based and efficient approach to assessing the effectiveness of IS controls

13 FISCAM Structure
- Top-down, risk-based approach that considers materiality/significance
- Evaluation of entity-wide controls & effect on audit risk
- Evaluation of general controls & effect on application controls
- Evaluation of security management at all levels - entitywide, system, and business process application levels
- Control hierarchy - control categories, critical elements, control activities, and control techniques

14 What are IS Controls?
Internal controls that are dependent on information systems processing and include:
- general controls
- business process application controls
- user controls

15 IS Control Types
- General controls and business process application controls are always IS controls.
- User controls* can be IS controls.
* User controls are manual controls -- controls that are performed by people interacting with IS controls and are IS controls if their effectiveness depends on information systems processing or reliability of information processed by information systems.

16 General & Application Controls
- General Controls - policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure the proper operation of information systems by creating the environment for proper operation of application controls.
- Business Process Application Controls - controls that are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during application processing.

17 General Control Categories
- Security Management
- Access Control
- Configuration Management
- Segregation of Duties
- Contingency Planning

18 Application Control Categories
- Application Security (application level general controls)
- Business process controls
- Interface controls
- Data management system controls

19 Relationship Between Controls
- Effective general controls can support the effectiveness of business process application controls, while
- ineffective general controls generally render business process application controls ineffective.

20 Audit Guidance
What General Controls are being relied upon?
[Figure: Typical Agency Network Map. Source: Unnamed Agency]

21 FISCAM – A Tool for Auditors
- A structured, standards-based approach for planning and conducting IS work
- An efficient, risk-based approach to conduct IS work with limited audit resources
- An organized approach that will support the collection and organization of audit documentation and promote effective reporting

22 Achieving Objectives
Using FISCAM can help achieve the overall objectives needed in all audit engagements that involve IS work:
- Identify, Assess and Report on Control Risk
- Manage Audit Risk

23 Contact Information
- Mickie E. Gray – GAO Financial Management and Assurance Team
- David B. Hayes – GAO Applied Research and Methods Team
