Posted by Mario Pessoa.
Availability of timely and reliable fiscal information is an essential element of a good public financial management system. For that reason, countries are investing intensively in information technology. However, an important question keeps occupying managers' minds: are the information systems reliable? To answer this question with surgical precision you need an information system controls audit that is able to appraise elements such as security management, access controls, configuration management, segregation of duties and contingency planning.
To face this challenge the U.S. Government Accountability Office (GAO) developed an audit manual in 1999. Ten years later, GAO revised the Federal Information System Controls Audit Manual (FISCAM) to include new procedures, particularly to deal with the evolution of internet technology. The FISCAM presents a methodology for performing information system (IS) control audits of governmental entities in accordance with professional standards, specifically generally accepted government auditing standards (GAGAS), where IS controls are significant to the audit objectives.
If you are interested in accessing the Manual, you can go to the following webpage: Federal Information System Controls Audit Manual (FISCAM), GAO-09-232G, February 2009.
http://www.gao.gov/cgi-bin/getrpt?GAO-09-232G
The objectives and coverage of the audit manual
As defined in GAGAS, IS controls consist of those internal controls that are dependent on information systems processing and include general controls and application controls. The manual focuses on evaluating the effectiveness of such general and application controls. The manual is intended for both (1) auditors to assist them in understanding the work done by IS controls specialists, and (2) IS controls specialists to plan and perform the IS controls audit.
The FISCAM is organized to facilitate effective and efficient IS control audits. Specifically, the methodology in the FISCAM incorporates:
• A top-down, risk-based approach that considers materiality and significance in determining effective and efficient audit procedures and is tailored to achieve the audit objectives.
• Evaluation of entitywide controls and their effect on audit risk.
• Evaluation of general controls and their pervasive impact on business process application controls.
• Evaluation of security management at all levels (entitywide, system, and business process application levels).
• A control hierarchy (control categories, critical elements, and control activities) to assist in evaluating the significance of identified IS control weaknesses.
• Groupings of control categories consistent with the nature of the risk.
• Experience gained in GAO’s performance and review of IS control audits, including field testing the concepts in this revised FISCAM.
INFORMATION SYSTEM CONTROLS OBJECTIVES
GENERAL CONTROLS
Security Management
Controls provide reasonable assurance that security management is effective, including effective:
• security management program,
• periodic assessments and validation of risk,
• security control policies and procedures,
• security awareness training and other security-related personnel issues,
• periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices,
• remediation of information security weaknesses, and
• security over activities performed by external third parties.
Access Controls
Controls provide reasonable assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals, including effective:
• protection of information system boundaries,
• identification and authentication mechanisms,
• authorization controls,
• protection of sensitive system resources,
• audit and monitoring capability, including incident handling, and
• physical security controls.
Configuration Management
Controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended, including effective:
• configuration management policies, plans, and procedures,
• current configuration identification information,
• proper authorization, testing, approval, and tracking of all configuration changes,
• routine monitoring of the configuration,
• updating software on a timely basis to protect against known vulnerabilities, and
• documentation and approval of emergency changes to the configuration.
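The authorization, tracking and monitoring activities above amount to a concrete test an auditor can run: every difference between the approved baseline and the configuration actually in operation must trace to an approved and tested change record. The Python below is an added example, not code from the original post or from GAO's manual; the baseline, the collected snapshot, the setting names and the change records are all constructed for illustration.

```python
"""Configuration drift check against an approved baseline and change records.

Every setting that differs from the baseline must match an approved and tested
change record; anything else is reported as an unauthorized or incomplete change.
"""

# Constructed approved baseline for one hypothetical server (not real data).
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "firewall.default_inbound": "deny",
    "package.tls_library": "2.0.1",
}

# Constructed snapshot as collected from the server during the audit.
CURRENT = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "yes",
    "firewall.default_inbound": "deny",
    "package.tls_library": "2.0.4",
    "ntp.server": "time.example.internal",
}

# Constructed change records from the entity's hypothetical change-tracking system.
CHANGE_RECORDS = [
    {"id": "CHG-0101", "key": "package.tls_library", "new": "2.0.4",
     "approved": True, "tested": True},
    {"id": "CHG-0102", "key": "ntp.server", "new": "time.example.internal",
     "approved": True, "tested": False},
]


def diff_config(baseline, current):
    """Return {key: (baseline_value, current_value)} for settings that differ.

    A key missing on one side appears as None, so added and removed settings
    are reported as drift too.
    """
    keys = sorted(set(baseline) | set(current))
    return {k: (baseline.get(k), current.get(k))
            for k in keys if baseline.get(k) != current.get(k)}


def classify_changes(diffs, records):
    """Match each drift to a change record and return one finding per setting."""
    by_change = {(r["key"], r["new"]): r for r in records}
    findings = []
    for key, (old, new) in diffs.items():
        rec = by_change.get((key, new))
        if rec is None:
            status = "unauthorized"   # no record at all: change control was bypassed
        elif not rec["approved"]:
            status = "unapproved"     # recorded, but approval is missing
        elif not rec["tested"]:
            status = "untested"       # approved, but moved to production without testing
        else:
            status = "authorized"
        findings.append({"key": key, "old": old, "new": new,
                         "record": rec["id"] if rec else None, "status": status})
    return findings


def control_weaknesses(findings):
    """Settings whose change fails the authorization, testing and tracking activity."""
    return [f["key"] for f in findings if f["status"] != "authorized"]


if __name__ == "__main__":
    for f in classify_changes(diff_config(BASELINE, CURRENT), CHANGE_RECORDS):
        print(f"{f['key']}: {f['old']!r} -> {f['new']!r} "
              f"[{f['status']}, record={f['record']}]")
```

On the constructed data this reports password authentication turned back on with no record at all (the drift that routine monitoring and change tracking exist to catch), the time-server change as approved but untested (which is why the activity lists testing separately from approval), and the library upgrade as a properly authorized change.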
Segregation of Duties
Controls provide reasonable assurance that incompatible duties are effectively segregated, including effective:
• segregation of incompatible duties and responsibilities and related policies, and
• control of personnel activities through formal operating procedures, supervision, and review.
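Both control activities above can be checked mechanically over a user-to-role listing: first, does anyone hold a pair of duties the entity has declared incompatible, and second, where a conflict has been accepted, is it covered by a documented supervisory review. The Python below is an added example and is not part of the original post or of GAO's manual; the users, role names, incompatibility rules and review records are constructed for illustration.

```python
"""Segregation-of-duties check over a constructed user/role listing.

Flags users holding pairs of incompatible duties, then tags each conflict as
mitigated or unmitigated depending on whether a documented independent review
(a compensating control) covers it.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample: roles held by each user in a hypothetical payments system.
USER_ROLES = {
    "alice": {"vendor_maintenance", "reporting"},
    "bob": {"payment_approval", "reporting"},
    "carol": {"vendor_maintenance", "payment_entry", "payment_approval"},
    "dave": {"sysadmin", "payment_entry"},
}

# Constructed rule set: duties that one person should not hold together.
INCOMPATIBLE_PAIRS = {
    frozenset({"vendor_maintenance", "payment_approval"}),
    frozenset({"payment_entry", "payment_approval"}),
    frozenset({"sysadmin", "payment_entry"}),
}

# Constructed record of documented supervisory reviews that compensate for a
# conflict the entity accepted (e.g. a small unit where full segregation is not feasible).
COMPENSATING_REVIEWS = {
    "dave": {frozenset({"sysadmin", "payment_entry"})},
}


def find_sod_conflicts(user_roles, incompatible_pairs):
    """Return {user: [(duty_a, duty_b), ...]} for every incompatible pair a user holds."""
    conflicts = defaultdict(list)
    for user, roles in sorted(user_roles.items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in incompatible_pairs:
                conflicts[user].append((a, b))
    return dict(conflicts)


def assess_segregation(user_roles, incompatible_pairs, compensating_reviews):
    """Tag each conflict 'mitigated' if a documented review covers it, else 'unmitigated'."""
    findings = {}
    for user, pairs in find_sod_conflicts(user_roles, incompatible_pairs).items():
        covered = compensating_reviews.get(user, set())
        findings[user] = [
            (a, b, "mitigated" if frozenset({a, b}) in covered else "unmitigated")
            for a, b in pairs
        ]
    return findings


def unmitigated_users(findings):
    """Users with at least one conflict that no compensating control covers."""
    return sorted(
        user for user, items in findings.items()
        if any(status == "unmitigated" for _, _, status in items)
    )


if __name__ == "__main__":
    results = assess_segregation(USER_ROLES, INCOMPATIBLE_PAIRS, COMPENSATING_REVIEWS)
    for user, items in results.items():
        for a, b, status in items:
            print(f"{user}: {a} + {b} -> {status}")
    print("unmitigated:", unmitigated_users(results))
```

On the constructed data carol's two conflicts are unmitigated and dave's one is mitigated. A "mitigated" tag only means a review is documented; the auditor still has to obtain evidence that the supervision and review actually take place, which is the point of the second control activity.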
Contingency Planning
Controls provide reasonable assurance that contingency planning (1) protects information resources and minimizes the risk of unplanned interruptions and (2) provides for recovery of critical operations should interruptions occur, including effective:
• assessment of the criticality and sensitivity of computerized operations and identification of supporting resources,
• steps taken to prevent and minimize potential damage and interruption,
• comprehensive contingency plan, and
• periodic testing of the contingency plan, with appropriate adjustments to the plan based on the testing.