Federal Information System Controls Audit Manual (FISCAM)

Page 1: Federal Information System Controls Audit Manual (FISCAM)

Page 2

Session Objectives

Obtain an understanding of information system controls relevant to an audit

Obtain an understanding of the Federal Information System Controls Audit Manual (FISCAM) Exposure Draft

Page 3

Information Systems (IS) Controls

Internal controls that are dependent on information systems processing

General controls and application controls are always IS controls

A user/manual control (control performed by a person) is an IS control if its effectiveness depends on information systems processing or the reliability (accuracy, completeness, and validity) of information processed by information systems.

Page 4

Example of User/Manual Controls

If the IS control is the review of an exception report produced by information systems, the effectiveness of the control is dependent on:

the business process application controls directly related to the production of the exception report,

the general and other business process application controls upon which the reliability of the information in the exception report depends, including:

the proper functioning of the business process application that generated the exception report and

the reliability of the data used to generate the exception report.

the effectiveness of the user/manual control (i.e., management review and followup on the items in the exception report).

Page 5

Are IS Controls Relevant to Your Audit?

The auditor should determine whether IS controls are relevant to the audit objectives.

IS controls generally are relevant to a financial audit, as financial information is usually processed by information systems.

Page 6

Assessing IS Controls in Financial Audits

The auditor should obtain an understanding of internal control over financial reporting sufficient to:

assess the risk of material misstatement of the financial statements whether due to error or fraud, and

design the nature, timing, and extent of further audit procedures.

Such understanding includes evaluating the design of controls relevant to an audit of financial statements and determining whether they have been implemented.

Page 7

Assessing IS Controls in Financial Audits

IT may affect any of the five components of internal control.

The auditor should obtain an understanding of how IT affects control activities that are relevant to the audit.

Page 8

When to Perform Tests of Operating Effectiveness

The auditor should perform tests of the operating effectiveness of controls when:

the auditor’s risk assessment includes an expectation that controls are operating effectively, or

substantive procedures alone do not provide sufficient appropriate evidence at the relevant assertion level.

Page 9

Performance Audits (7.16)

Auditors should obtain an understanding of internal control that is significant within the context of the audit objectives.

For those internal controls that are significant within the context of the audit objectives, auditors should:

assess whether the internal controls have been properly designed and implemented.

plan to obtain sufficient, appropriate evidence to support their assessment about the effectiveness of those controls.

Page 10

Performance Audits (7.16)

When obtaining an understanding of internal control significant to the audit objectives, auditors should also determine whether it is necessary to evaluate IS controls.

Page 11

Evaluating IS Controls Significant to the Audit (7.24)

Auditors should evaluate the effectiveness of IS controls determined to be significant to the audit objectives; this includes other IS controls that impact the effectiveness of the significant controls or the reliability of information used in performing the significant controls.

Page 12

Factors in Determining IS Audit Procedures (7.26)

The extent to which internal controls that are significant to the audit depend on the reliability of information processed or generated by information systems

Page 13

Factors in Determining IS Audit Procedures (7.27)

The availability of evidence outside the information system to support the findings and conclusions

It may not be possible for auditors to obtain sufficient, appropriate evidence without evaluating the effectiveness of relevant information systems controls.

If information supporting the findings and conclusions is generated by information systems or its reliability is dependent on information systems controls, there may not be sufficient supporting or corroborating information or documentary evidence that is available other than that produced by the information systems

Page 14

Factors in Determining IS Audit Procedures (7.27)

The relationship of information systems controls to data reliability

To obtain evidence about the reliability of computer-generated information, auditors may decide to evaluate the effectiveness of information systems controls as part of obtaining evidence about the reliability of the data.

If the auditor concludes that information systems controls are effective, the auditor may reduce the extent of direct testing of data

Page 15

Factors in Determining IS Audit Procedures (7.27)

Evaluating the effectiveness of information systems controls as an audit objective

When evaluating the effectiveness of information systems controls is directly a part of an audit objective, auditors should test information systems controls necessary to address the audit objectives.

The audit may involve the effectiveness of information systems controls related to certain systems, facilities, or organizations

Page 16

Other IS Control-Related Requirements

FISMA

Single Audit

Page 17

Federal Information System Controls Audit Manual (FISCAM)

Methodology for efficiently and effectively evaluating the effectiveness of information system controls

Top-down, risk-based (considers materiality/significance)

Evaluation of entity-wide controls & their effect on audit risk

Evaluation of general controls & effect on application controls

Evaluation of security management at all levels (entitywide, system, and business process application levels)

Control hierarchy (control categories, critical elements, control activities, control techniques)

Groupings of controls based on similar risks

Draws on previous IS audit experience

Currently incorporating public comments on Exposure Draft

Page 18

FISCAM Revisions Reflect Changes in:

1. Technology used by government entities,

2. Generally accepted government auditing standards (GAGAS or “yellow book”), including changes in incorporated AICPA audit standards (“risk standards”),

3. Audit guidance and control criteria issued by the National Institute of Standards and Technology (NIST), and

4. The GAO/PCIE Financial Audit Manual (FAM).

Page 19

Other FISCAM Improvements

Expanded purpose - provides guidance for performing effective and efficient Information System (IS) controls audits, either alone or as part of a performance audit, a financial audit, or an attestation engagement; and

informs financial, performance, and attestation auditors about IS controls and related audit issues, so that they can:

1. plan their work in accordance with Generally Accepted Government Auditing Standards (GAGAS) and

2. integrate the work of IS controls specialists with other aspects of the financial or performance audit or attestation engagement.

Page 20

Other FISCAM Improvements

Includes narrative that is designed to provide a basic understanding of the methodology, general controls, and business process application controls

The narrative may be used as a reference source by the auditor and the IS control specialist.

More experienced auditors and IS control specialists may find it unnecessary to routinely refer to such narrative in performing IS control audits.

Page 21

FISCAM - Chapters 1 and 2

Chapter 1 – Introduction: purpose and users, nature of IS controls, determining audit procedures, and FISCAM organization

Chapter 2 – Performing the information system controls audit: planning the IS controls audit, performing IS control audit tests, reporting audit results, and documentation

Page 22

FISCAM - Chapters 3 and 4

Describe broad control areas; provide criteria

Identify critical elements of each control area and related control activities

List common types of control techniques

List suggested audit procedures

Page 23

Appendices

Audit planning checklist

Summarization tables

Mapping to NIST SP 800-53

Knowledge, skills, and abilities

Using FISCAM in support of a financial audit

Use of service organizations

Page 24

Appendices

Single audits

FISMA audits

FISMA Audit Documentation

Glossary

Bibliography

Page 25

Summary of Significant Changes to FISCAM – Chapter 3

Reorganized general control categories consistent with GAGAS:

Security management (broadened to consider statutory requirements & best practices)

Access controls (incorporated system software, eliminated redundancies, & considered network environment)

Configuration management (network considerations; application SDLC added to application controls)

Segregation of duties (relatively unchanged)

Contingency planning (updated for new terminology)

Updated general controls consistent with NIST (particularly SP 800-53) and OMB security guidance

Page 26

Summary of Significant Changes to FISCAM – Chapter 4

Audit methodology and IS controls for business process applications

Application security (general controls)

Business process controls (transaction data input, processing, output, master file data setup & maintenance)

Interface controls

Data management system controls

Page 27

Assessing Control Areas by Level

Levels (columns of the original matrix): Entity-wide Level; System Level (Network, Operating Systems, Infrastructure Applications); Business Process Application Level

Control Areas (rows of the original matrix):

General Controls: Security Management, Access Controls, Configuration Management, Segregation of Duties, Contingency Planning

Business Process Application Controls: Business Process, Interface, Data Mgmt.

Page 28

Example of Control Activities/Techniques and Audit Procedures

Critical Element SM-4: Ensure that owners, administrators and users are aware of security policies

Control Activity:

SM-4.1 Owners, system administrators and users are aware of security policies

Control Techniques:

SM-4.1.1 An ongoing security awareness program has been implemented that includes security briefings and training for all employees with system access and security responsibilities.

SM-4.1.2 Security policies are distributed to all affected personnel, including system/application rules and expected behaviors.

Audit Procedures:

Review documentation supporting or evaluating the awareness program. Observe a security briefing.

Interview data owners, system administrators, and users. Determine what training they have received and if they are aware of their security-related responsibilities.

Review memos, electronic mail files, or other policy distribution mechanisms.

Review personnel files to test whether security awareness statements are current.

Page 29

An Example of Typical Networked Systems

Page 30

Planning Phase

Understand the overall audit objectives and related scope of the information system controls audit

Understand the entity’s operations and key business processes

Obtain a general understanding of the structure of the entity’s networks

Identify key areas of audit interest (files, applications, systems, locations)

Assess information system risk on a preliminary basis

Identify critical control points (and control dependencies)

Obtain a preliminary understanding of information system controls

Perform other audit planning procedures (laws, fraud, staffing, multiyear planning, communication, service organizations, using the work of others, audit plan)

Page 31

Critical Control Points

Points in an information system that, if compromised, could allow an individual to gain unauthorized access to or perform unauthorized or inappropriate activities on entity systems or data, which could lead directly or indirectly to unauthorized access or modifications to the key areas of audit interest

Page 32

Control Dependency

Exists when the effectiveness of a control is dependent on the effectiveness of other controls

For example, the effectiveness of controls over a router generally is dependent on the security of other control points, such as a network management server or administrator workstation

Page 33

Control Dependencies

Page 34

Testing Phase

Understand information systems relevant to the audit objectives

Identify IS control techniques that are relevant to the audit objectives

Determine whether relevant IS controls are appropriately designed and implemented (across all levels)

Perform tests of relevant IS controls to determine whether such control techniques are operating effectively

Identify potential weaknesses in information system controls

For each potential weakness, consider the impact of compensating controls or other factors that mitigate or reduce the risks related to potential weaknesses

Page 35

Significant Controls

Financial audits – Internal controls that are designed to prevent or detect misstatements in significant financial statement assertions.

Performance audits and attestation engagements – internal controls that are significant to the audit objectives

Page 36

Identifying IS Controls

For each significant control, the audit team should determine whether it is an IS control.

An IS controls specialist generally should review and concur with the audit team’s identification of IS controls, particularly with respect to whether all IS controls were properly identified as such.

Page 37

Testing of IS Controls

To evaluate operating effectiveness, the auditor should test:

the significant IS control, and

the entitywide, system, and other business process level IS controls upon which the effectiveness of each significant IS control technique depends.

This would typically include certain application controls in those applications in which the IT control operates, as well as general controls related to the systems in which the application operates and other critical control points (including control dependencies) in the entity’s systems or networks that could impact the effectiveness of the IT control.

Page 38

Tiered Approach

For efficiency, the auditor may implement a tiered approach to evaluating the design and operating effectiveness of relevant IS control techniques, beginning with entitywide level controls, followed by system level controls, then by business process application level controls.

Page 39

IS Control Evaluation at the Control Activity Level

All control activities are generally relevant to a GAGAS audit unless:

the related control category is not relevant,

the audit scope is limited, or

the auditor determines that, due to significant IS control weaknesses, it is not necessary to assess the effectiveness of all relevant IS controls.

Within each relevant control activity, the auditor should identify control techniques implemented by the entity and determine whether the control techniques, as designed, are sufficient to achieve the control activity, considering IS audit risk and the audit objectives.

Page 40

IS Control Evaluation at the Control Activity Level (cont’d)

The auditor may be able to determine whether control techniques are sufficient to achieve a particular control activity without evaluating and testing all of the control techniques.

Also, depending on IS audit risk and the audit objectives, the nature and extent of control techniques necessary to achieve a particular control objective will vary.

Page 41

Reporting Phase

Assess the individual and aggregate effect of identified IS control weaknesses on the audit objectives and report the results of the audit

Financial audits

Performance audits

Develop report and any related findings

Page 42

Documentation

Document results for each phase

Documentation expectations

GAGAS requirements

Page 43

Other Information System Controls Audit Considerations

Additional IS risk factors (e.g., web, ERP)

Automated audit tools

Sampling

Page 44

General Controls

Security Management

Access Control

Configuration Management

Segregation of Duties

Contingency Planning

Page 45

Security Management (SM)

Establish a security management program

Periodically assess and validate risks

Document security control policies and procedures

Implement effective security awareness and other security-related personnel policies

Monitor the effectiveness of the security program

Effectively remediate information security weaknesses

Ensure that activities performed by external third parties are adequately secure

Page 46

Access Control (AC)

Adequately protect information system boundaries

Implement effective identification and authentication mechanisms

Implement effective authorization controls

Adequately protect sensitive system resources

Implement an effective audit and monitoring capability

Establish adequate physical security controls

Page 47

Configuration Management (CM)

Develop and document CM policies, plans, and procedures

Maintain current configuration identification information

Properly authorize, test, approve, and track all configuration changes

Routinely monitor the configuration

Update software on a timely basis to protect against known vulnerabilities

Appropriately document and approve emergency changes to the configuration

Page 48

Segregation of Duties (SD)

Segregate incompatible duties and establish related policies

Control personnel activities through formal operating procedures, supervision, and review

Page 49

Contingency Planning (CP)

Assess the criticality and sensitivity of computerized operations and identify supporting resources

Take steps to prevent and minimize potential damage and interruption

Develop and document a comprehensive contingency plan

Periodically test the contingency plan and adjust it as appropriate

Page 50

Business Process Application Level Controls

Application level general controls

Business process controls

Interface controls

Data management system controls

Page 51

Application Level General Controls

Security management

Access controls

Configuration management

Segregation of duties

Contingency planning

Page 52

Business Process Controls

Transaction data input is complete, accurate, valid, and confidential

Transaction data processing is complete, accurate, valid, and confidential

Transaction data output is complete, accurate, valid, and confidential

Master data setup and maintenance is adequately controlled

Page 53

Interface Controls

Effective strategy and design

Effective interface processing procedures

Page 54

Data Management System Controls

Effective Strategy

Audit and Monitoring Control

Specialized Data Management Processes

Page 55

Single Audits - Internal Control over Compliance Requirements

Plan the audit and testing of internal control to support a low assessed level of control risk for the assertions relevant to the compliance requirements for each major program, and,

Unless internal control is likely to be ineffective, perform testing of internal control as planned to support a low assessed level of control risk for the assertions relevant to the compliance requirements for each major program.

Page 56

Single Audits - Internal Control over Compliance Requirements

When internal control over compliance requirements for a major program is ineffective in preventing or detecting noncompliance (either in design or operation), the auditor should:

report any significant deficiencies (including whether any such condition is a material weakness),

assess the related control risk at the maximum, and

consider whether additional compliance tests are required because of ineffective internal control.

Audit findings should be sufficiently detailed for the auditee to implement corrective actions and the federal government to manage the program.

Page 57

Single Audit – Steps To Assess Internal Control Over Compliance Requirements

Identify the major programs subject to the single audit.

Identify systems that process data for major programs.

Determine the types of compliance requirements that are relevant to the audit (e.g., allowable costs, cash management, etc.) - see A-133 and the Compliance Supplement.

For each relevant type of compliance requirement, determine/identify the relevant control objectives (see the Compliance Supplement – Part 6).

Page 58

Single Audit – Steps To Assess Internal Control Over Compliance Requirements

For each relevant control objective, identify the internal control(s) designed/implemented by the entity to achieve the objective and determine whether each control is an IS control.

Determine whether such controls are effectively designed to achieve the related control objective(s) and if so, whether they are implemented (placed in operation), including other IS controls on which the effectiveness of the control depends

For each control that is effectively designed and implemented (placed in operation), the auditor should test the control to determine whether it is operating effectively, including other IS controls on which the effectiveness of the control depends.

Page 59

Questions?