Federal Information System Controls Audit Manual (FISCAM)

Session Objectives Obtain an understanding of information system controls relevant to an audit Obtain an understanding of the Federal Information System Controls Audit Manual (FISCAM) Exposure Draft

Information Systems (IS) Controls Internal controls that are dependent on information systems processing General controls and application controls are always IS controls A user/manual control (control performed by a person) is an IS control if its effectiveness depends on information systems processing or the reliability (accuracy, completeness, and validity) of information processed by information systems.

Example of User/Manual Controls If the IS control is the review of an exception report produced by information systems, the effectiveness of the control is dependent on: the business process application controls directly related to the production of the exception report, the general and other business process application controls upon which the reliability of the information in the exception report depends, including: the proper functioning of the business process application that generated the exception report and the reliability of the data used to generate the exception report. the effectiveness of the user/manual control (i.e., management review and followup on the items in the exception report).

Are IS Controls Relevant to Your Audit? The auditor should determine whether IS controls are relevant to the audit objectives. IS controls generally are relevant to a financial audit, as financial information is usually processed by information systems.

Assessing IS Controls in Financial Audits The auditor should obtain an understanding of internal control over financial reporting sufficient to assess the risk of material misstatement of the financial statements whether due to error or fraud, and design the nature, timing, and extent of further audit procedures. Such understanding includes evaluating the design of controls relevant to an audit of financial statements and determining whether they have been implemented.

Assessing IS Controls in Financial Audits IT may affect any of the five components of internal control. The auditor should obtain an understanding of how IT affects control activities that are relevant to the audit.

When to Perform Tests of Operating Effectiveness The auditor should perform tests of the operating effectiveness of controls when: the auditor’s risk assessment includes an expectation that controls are operating effectively, or substantive procedures alone do not provide sufficient appropriate evidence at the relevant assertion level

Performance Audits (7.16) Auditors should obtain an understanding of internal control that is significant within the context of the audit objectives. For those internal controls that are significant within the context of the audit objectives, auditors should: assess whether the internal controls have been properly designed and implemented. plan to obtain sufficient, appropriate evidence to support their assessment about the effectiveness of those controls.

Performance Audits (7.16) When obtaining an understanding of internal control significant to the audit objectives, auditors should also determine whether it is necessary to evaluate IS controls.

Evaluating IS Controls Significant to the Audit (7.24) Auditors should evaluate the effectiveness of IS controls determined to be significant to the audit objectives includes other IS controls that impact the effectiveness of the significant controls or the reliability of information used in performing the significant controls

Factors in Determining IS Audit Procedures (7.26) The extent to which internal controls that are significant to the audit depend on the reliability of information processed or generated by information systems

Factors in Determining IS Audit Procedures (7.27) The availability of evidence outside the information system to support the findings and conclusions It may not be possible for auditors to obtain sufficient, appropriate evidence without evaluating the effectiveness of relevant information systems controls If information supporting the findings and conclusions is generated by information systems or its reliability is dependent on information systems controls, there may not be sufficient supporting or corroborating information or documentary evidence that is available other than that produced by the information systems

Factors in Determining IS Audit Procedures (7.27) The relationship of information systems controls to data reliability To obtain evidence about the reliability of computer-generated information, auditors may decide to evaluate the effectiveness of information systems controls as part of obtaining evidence about the reliability of the data If the auditor concludes that information systems controls are effective, the auditor may reduce the extent of direct testing of data

Factors in Determining IS Audit Procedures (7.27) Evaluating the effectiveness of information systems controls as an audit objective When evaluating the effectiveness of information systems controls is directly a part of an audit objective, auditors should test information systems controls necessary to address the audit objectives The audit may involve the effectiveness of information systems controls related to certain systems, facilities, or organizations

Other IS Control-Related Requirements FISMA Single Audit

Federal Information System Controls Audit Manual (FISCAM) Methodology for efficiently and effectively evaluating the effectiveness of information system controls Top-down, risk-based (considers materiality/significance) Evaluation of entity-wide controls & their effect on audit risk Evaluation of general controls & effect on application controls Evaluation of security management at all levels (entitywide, system, and business process application levels). Control hierarchy (control categories, critical elements, control activities, control techniques) Groupings of controls based on similar risks Draws on previous IS audit experience Currently incorporating public comments on Exposure Draft

FISCAM Revisions Reflect Changes in: Technology used by government entities, Generally accepted government auditing standards (GAGAS or “yellow book”, including changes in incorporated AICPA audit standards (“risk standards”) Audit guidance and control criteria issued by the National Institute of Standards and Technology (NIST), and The GAO/PCIE Financial Audit Manual (FAM).

Other FISCAM Improvements Expanded purpose - provides guidance for performing effective and efficient Information System (IS) controls audits, either alone or as part of a performance audit, a financial audit, or an attestation engagement; and informs financial, performance, and attestation auditors about IS controls and related audit issues, so that they can: plan their work in accordance with Generally Accepted Government Auditing Standards (GAGAS) and integrate the work of IS controls specialists with other aspects of the financial or performance audit or attestation engagement.

Other FISCAM Improvements Includes narrative that is designed to provide a basic understanding of the methodology, general controls, and business process application controls The narrative may be used as a reference source by the auditor and the IS control specialist. More experienced auditors and IS control specialists may find it unnecessary to routinely refer to such narrative in performing IS control audits.

FISCAM - Chapters 1 and 2 Chapter 1 – Introduction Purpose and users, nature of IS controls, determining audit procedures, and FISCAM organization Chapter 2 – Performing the information system controls audit Planning the IS controls audit, performing IS control audit tests, reporting audit results, and documentation

FISCAM - Chapters 3 and 4 Describe broad control areas; provide criteria Identify critical elements of each control area and related control activities List common types of control techniques List suggested audit procedures

Appendices Audit planning checklist Summarization tables Mapping to NIST SP 800-53 Knowledge, skills, and abilities Using FISCAM in support of a financial audit Use of service organizations

Appendices Single audits FISMA audits FISMA Audit Documentation Glossary Bibliography

Summary of Significant Changes to FISCAM – Chapter 3 Reorganized general control categories consistent with GAGAS Security management (broadened to consider statutory requirements & best practices) Access controls (incorporated system software, eliminated redundancies, & considered network environment) Configuration management (network considerations-application SDLC added to application controls) Segregation of duties (relatively unchanged) Contingency planning (updated for new terminology) Updated general controls consistent with NIST (particularly SP 800-53) and OMB security guidance

Summary of Significant Changes to FISCAM – Chapter 4 Audit methodology and IS controls for business process applications Application security (general controls) Business process controls (transaction data input, processing output, master file data setup & maintenance) Interface controls Data management system controls

Assessing Control Areas by Level Entity-wide Level System Level Business Process Application Level Network Operating Systems Infrastructure Applications General Controls Security Management Access Controls Configuration Segregation of Duties Contingency Planning Business Process Application Controls - Business Process -Interface -Data Mgmt.

Example of Control Activities/Techniques and Audit Procedures Critical Element SM-4 Ensure that owners, administrators and users are aware of security policies Control Activities Control Techniques Audit Procedures SM-4.1 Owners, system administrators and users are aware of security policies SM-4.1.1 An ongoing security awareness program has been implemented that includes security briefings and training for all employees with system access and security responsibilities. SM-4.1.2 Security policies are distributed to all affected personnel, including system/application rules and expected behaviors. Review documentation supporting or evaluating the awareness program. Observe a security briefing. Interview data owners and system administrators and users. Determine what training they have received and if they are aware of their security-related responsibilities. Review memos, electronic mail files, or other policy distribution mechanisms. Review personnel files to test whether security awareness statements are current.

An Example of Typical Networked Systems

Planning Phase Understand the overall audit objectives and related scope of the information system controls audit Understand the entity’s operations and key business processes Obtain a general understanding of the structure of the entity’s networks Identify key areas of audit interest (files, applications, systems, locations) Assess information system risk on a preliminary basis Identify critical control points (and control dependencies) Obtain a preliminary understanding of information system controls Perform other audit planning procedures (laws, fraud, staffing, multiyear planning, communication, service organizations, using the work of others, audit plan)

Critical Control Points Points in an information system that, if compromised, could allow an individual to gain unauthorized access to or perform unauthorized or inappropriate activities on entity systems or data, which could lead directly or indirectly to unauthorized access or modifications to the key areas of audit interest

Control Dependency Exists when the effectiveness of a control is dependent on the effectiveness of other controls For example, the effectiveness of controls over a router generally are dependent on the security of other control points, such as a network management server or administrator work station

Control Dependencies

Testing Phase Understand information systems relevant to the audit objectives Identify IS control techniques that are relevant to the audit objectives Determine whether relevant IS controls are appropriately designed and implemented (across all levels) Perform tests of relevant IS controls to determine whether such control techniques are operating effectively Identify potential weaknesses in information system controls For each potential weakness, consider the impact of compensating controls or other factors that mitigate or reduce the risks related to potential weaknesses

Significant Controls Financial audits – Internal controls that are designed to prevent or detect misstatements in significant financial statement assertions. Performance audits and attestation engagements – internal controls that are significant to the audit objectives

Identifying IS Controls For each significant control, the audit team should determine whether it is an IS control. An IS controls specialist generally should review and concur with the audit team’s identification of IS controls, particularly with respect to whether all IS controls were properly identified as such.

Testing of IS Controls To evaluate operating effectiveness, the auditor should test: the significant IS control, and the entitywide, system, and other business process level IS controls upon which the effectiveness of each significant IS control technique depends this would typically include certain application controls in those applications in which the IT control operates, as well as general controls related to the systems in which the application operates and other critical control points (including control dependencies) in the entity’s systems or networks that could impact the effectiveness of the IT control).

Tiered Approach For efficiency, the auditor may implement a tiered approach to evaluating the design and operating effectiveness of relevant IS control techniques, beginning with entitywide level controls, followed by system level controls, then by business process application level controls.

IS Control Evaluation at the Control Activity Level All control activities are generally relevant to a GAGAS audit unless: the related control category is not relevant, the audit scope is limited, or the auditor determines that, due to significant IS control weaknesses, it is not necessary to assess the effectiveness of all relevant IS controls. Within each relevant control activity, the auditor should identify control techniques implemented by the entity and determine whether the control techniques, as designed, are sufficient to achieve the control activity, considering IS audit risk and the audit objectives.

IS Control Evaluation at the Control Activity Level (cont’d) The auditor may be able to determine whether control techniques are sufficient to achieve a particular control activity without evaluating and testing all of the control techniques. Also, depending on IS audit risk and the audit objectives, the nature and extent of control techniques necessary to achieve a particular control objective will vary.

Reporting Phase Assess the individual and aggregate effect of identified IS control weaknesses on the audit objectives and report the results of the audit Financial audits Performance audits Develop report and any related findings

Documentation Document results for each phase GAGAS requirements Documentation expectations GAGAS requirements

Other Information System Controls Audit Considerations Additional IS risk factors (e.g., web, ERP) Automated audit tools Sampling

General Controls Security Management Access Control Configuration Management Segregation of Duties Contingency Planning

Security Management (SM) Establish a security management program Periodically assess and validate risks Document security control policies and procedures Implement effective security awareness and other security-related personnel policies Monitor the effectiveness of the security program Effectively remediate information security weaknesses Ensure that activities performed by external third parties are adequately secure

Access Control (AC) Adequately protect information system boundaries Implement effective identification and authentication mechanisms Implement effective authorization controls Adequately protect sensitive system resources Implement an effective audit and monitoring capability Establish adequate physical security controls

Configuration Management (CM) Develop and document CM policies, plans, and procedures Maintain current configuration identification information Properly authorize, test, approve, and track all configuration changes Routinely monitor the configuration Update software on a timely basis to protect against known vulnerabilities Appropriately document and approve emergency changes to the configuration

Segregation of Duties (SD) Segregate incompatible duties and establish related policies Control personnel activities through formal operating procedures, supervision, and review

Contingency Planning (CP) Assess the criticality and sensitivity of computerized operations and identify supporting resources Take steps to prevent and minimize potential damage and interruption Develop and document a comprehensive contingency plan Periodically test the contingency plan and adjust it as appropriate

Business Process Application Level Controls Application level general controls Business process controls Interface controls Data management system controls

Application Level General Controls Security management Access controls Configuration management Segregation of duties Contingency planning

Business Process Controls Transaction data input is complete, accurate, valid, and confidential Transaction data processing is complete, accurate, valid, and confidential Transaction data output is complete, accurate, valid, and confidential Master data setup and maintenance is adequately controlled

Interface Controls Effective strategy and design Effective interface processing procedures

Data Management System Controls Effective Strategy Audit and Monitoring Control Specialized Data Management Processes

Single Audits - Internal Control over Compliance Requirements Plan the audit and testing of internal control to support a low assessed level of control risk for the assertions relevant to the compliance requirements for each major program, and, Unless internal control is likely to be ineffective, perform testing of internal control as planned to support a low assessed level of control risk for the assertions relevant to the compliance requirements for each major program.

Single Audits - Internal Control over Compliance Requirements When internal control over compliance requirements for a major program are ineffective in preventing or detecting noncompliance (either in design or operation), the auditor should: report any significant deficiencies (including whether any such condition is a material weakness), assess the related control risk at the maximum, and consider whether additional compliance tests are required because of ineffective internal control. Audit findings should be sufficiently detailed for auditee to implement corrective actions and federal government to manage the program

Single Audit – Steps To Assess Internal Control Over Compliance Requirements Identify the major programs subject to the single audit. Identify systems that process data for major programs. Determine the types of compliance requirements that are relevant to the audit (e.g., allowable costs, cash management, etc) - see A-133 and the Compliance Supplement. For each relevant type of compliance requirement, determine/identify the relevant control objectives (see the Compliance Supplement – Part 6).

Single Audit – Steps To Assess Internal Control Over Compliance Requirements For each relevant control objective, identify the internal control(s) designed/implemented by the entity to achieve the objective and determine whether each control is an IS control. Determine whether such controls are effectively designed to achieve the related control objective(s) and if so, whether they are implemented (placed in operation), including other IS controls on which the effectiveness of the control depends For each control that is effectively designed and implemented (placed in operation), the auditor should test the control to determine whether it is operating effectively, including other IS controls on which the effectiveness of the control depends.

Questions?