GAO Federal Information System Controls Audit Manual (FISCAM)

Federal Information System Controls Audit Manual (FISCAM): Exposure Draft
GAO-08-1029G  July 31, 2008

Comments Invited

Comment on this exposure draft.
Deadline: September 5, 2008
Send to: FISCAM@gao.gov

Background

In January 1999, GAO first issued FISCAM. FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental entities in accordance with professional standards.

This exposure draft (ED) reflects the current computing environment and other changes affecting IS audits, including

  1. technology used by government entities,
  2. audit guidance and control criteria issued by National Institute of Standards and Technology (NIST), and
  3. generally accepted government auditing standards (GAGAS).

The FISCAM ED is designed to be used primarily on financial and performance audits and attestation engagements performed in accordance with GAGAS, as presented in Government Auditing Standards (also known as the “Yellow Book”).

The FISCAM ED is consistent with the GAO/PCIE Financial Audit Manual (FAM). Also, FISCAM control activities are consistent with and have been mapped to NIST Special Publication 800-53.

The FISCAM ED, which is consistent with NIST and other criteria, is organized to facilitate effective and efficient IS control audits. Specifically, the methodology in the FISCAM incorporates the following:

    • A top-down, risk-based approach that considers materiality and significance in determining effective and efficient audit procedures.
    • Evaluation of general controls and their pervasive impact on business process application controls.
    • Evaluation of security management at all levels (entitywide, system, and business process application levels).
    • A control hierarchy (control categories, critical elements, and control activities) to assist in evaluating the significance of identified IS control weaknesses.
    • Groupings of control categories consistent with the nature of the risk.
    • Experience gained in GAO’s performance and review of IS control audits, including field testing the concepts in this revised FISCAM.

Current Version

Federal Information System Controls Audit Manual: Volume I Financial Statement Audits
AIMD-12.19.6  January 1, 2001
  • Download appendices 1-4, 10 that allow users to enter data to support the gathering and analysis of audit evidence [zip].