Summary

Federal Information System Controls Audit Manual (FISCAM): Exposure Draft
GAO-08-1029G  July 31, 2008

This letter transmits the exposure draft of the Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM) for review and comment. The FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental entities in accordance with professional standards, and was originally issued in January 1999. We have updated the FISCAM for significant changes affecting IS audits.

The exposure draft revisions reflect changes in (1) technology used by government entities, (2) audit guidance and control criteria issued by the National Institute of Standards and Technology (NIST), and (3) generally accepted government auditing standards (GAGAS), as presented in Government Auditing Standards (also known as the "Yellow Book"). The FISCAM provides a methodology for performing IS control audits in accordance with GAGAS. However, at the discretion of the auditor, this manual may be applied on audits other than GAGAS audits. As defined in GAGAS, IS controls consist of those internal controls that are dependent on information systems processing and include general controls and application controls. This manual focuses on evaluating the effectiveness of such general and application controls. It is intended both for (1) auditors, to assist them in understanding the work done by IS controls specialists, and (2) IS controls specialists, to plan and perform the IS controls audit.

Subject Terms

Auditing procedures
Auditing standards
Computer security
Data integrity
Federal agency accounting systems
Financial statement audits
Information management
Information security
Information security management
Information security regulations
Information systems
Information technology
Internal controls
Risk management
Software
Software verification and validation
Standards evaluation
Strategic planning
Systems analysis
Systems evaluation
Systems integration
Systems management
Systems monitoring