FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL (FISCAM)

PDF, 601 pages, 8 MB. Only the first 10 pages of the manual are previewed here.

United States Government Accountability Office (GAO)
February 2009
GAO-09-232G
FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL (FISCAM)

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office
Washington, DC 20548
February 2009

TO AUDIT OFFICIALS, CIOS, AND OTHERS INTERESTED IN FEDERAL AND OTHER GOVERNMENTAL INFORMATION SYSTEM CONTROLS AUDITING AND REPORTING

This letter transmits the revised Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM). The FISCAM presents a methodology for performing information system (IS) control audits [1] of federal and other governmental entities in accordance with professional standards, and was originally issued in January 1999. We have updated the FISCAM for significant changes affecting IS audits. This revised FISCAM reflects consideration of public comments received from professional accounting and auditing organizations, independent public accounting firms, state and local audit organizations, and interested individuals on the FISCAM Exposure Draft issued on July 31, 2008 (GAO-08-1029G). GAO would like to thank the Council of the Inspectors General on Integrity and Efficiency and the state and local auditor community for their significant input into the development of this revised FISCAM.
Summary of Major Revisions to FISCAM

The revised FISCAM reflects changes in (1) technology used by government entities, (2) audit guidance and control criteria issued by the National Institute of Standards and Technology (NIST), and (3) generally accepted government auditing standards (GAGAS), as presented in Government Auditing Standards (also known as the “Yellow Book”). [2]

[1] Information system (IS) controls consist of those internal controls that are dependent on information systems processing and include general controls (entitywide, system, and business process application levels), business process application controls (input, processing, output, master file, interface, and data management system controls), and user controls (controls performed by people interacting with information systems).

The FISCAM provides a methodology for performing information system (IS) control audits in accordance with GAGAS, where IS controls are significant to the audit objectives. However, at the discretion of the auditor, this manual may be applied on other than GAGAS audits. As defined in GAGAS, IS controls consist of those internal controls that are dependent on information systems processing and include general controls and application controls. This manual focuses on evaluating the effectiveness of such general and application controls. This manual is intended for both (1) auditors, to assist them in understanding the work done by IS controls specialists, and (2) IS controls specialists, to plan and perform the IS controls audit. The FISCAM is not intended to be used as a basis for audits where the audit objectives are to specifically evaluate broader information technology (IT) controls (e.g., enterprise architecture and capital planning) beyond the context of general and business process application controls. The FISCAM is consistent with the GAO/PCIE Financial Audit Manual (FAM).
Also, the FISCAM control activities are consistent with the NIST Special Publication (SP) 800-53 and other NIST and OMB IS control-related policies and guidance, and all SP 800-53 controls have been mapped to FISCAM. [3]

The FISCAM is organized to facilitate effective and efficient IS control audits. Specifically, the methodology in the FISCAM incorporates:

• Top-down, risk-based approach that considers materiality and significance in determining effective and efficient audit procedures and is tailored to achieve the audit objectives.
• Evaluation of entitywide controls and their effect on audit risk.
• Evaluation of general controls and their pervasive impact on business process application controls.
• Evaluation of security management at all levels (entitywide, system, and business process application levels).
• A control hierarchy (control categories, critical elements, and control activities) to assist in evaluating the significance of identified IS control weaknesses.
• Groupings of control categories consistent with the nature of the risk.
• Experience gained in GAO’s performance and review of IS control audits, including field testing the concepts in this revised FISCAM.

[2] GAO, Government Auditing Standards, GAO-07-162G (Washington, D.C.: July 2007).

[3] To assist the auditor in identifying criteria that may be used in the evaluation of IS controls, Chapters 3 and 4 include references, where appropriate, to NIST SP 800-53, other NIST standards and guidance, and OMB policy and guidance. Also, Appendix IV includes a summary of the mapping of the FISCAM controls to such criteria. In addition, audit procedures in FISCAM are designed to enable the auditor to determine if related control techniques are achieved.

As discussed above, this manual is organized in a hierarchical structure to assist the auditor in performing the IS controls audit.
Chapter 3 (general controls) and Chapter 4 (business process application level controls) contain several control categories, which are groupings of related controls pertaining to similar types of risk. For each control category, the manual identifies critical elements: tasks that are essential for establishing adequate controls within the category. For each critical element, there is a discussion of the associated control activities that are generally necessary to achieve the critical element, as well as related potential control techniques and suggested audit procedures. This hierarchical structure facilitates the auditor’s audit planning and the auditor’s analysis of identified control weaknesses.

Because control activities are generally necessary to achieve the critical elements, they are generally relevant to a GAGAS audit unless the related control category is not relevant, the audit scope is limited, or the auditor determines that, due to significant IS control weaknesses, it is not necessary to assess the effectiveness of all relevant IS controls. Within each relevant control activity, the auditor should identify control techniques implemented by the entity and determine whether the control techniques, as designed, are sufficient to achieve the control activity, considering IS risk and the audit objectives. The auditor may be able to determine whether control techniques are sufficient to achieve a particular control activity without evaluating and testing all of the control techniques. Also, depending on IS risk and the audit objectives, the nature and extent of control techniques necessary to achieve a particular control objective will vary. If control techniques are sufficient as designed, the auditor should determine whether the control techniques are implemented (placed in operation) and are operating effectively. Also, the auditor should evaluate the nature and extent of testing performed by the entity.
Such information can assist in identifying key controls and in assessing risk, but the auditor should not rely on testing performed by the entity in lieu of appropriate auditor testing. If the control techniques implemented by the entity, as designed, are not sufficient to address the control activity, or the control techniques are not effectively implemented as designed, the auditor should determine the effect on IS controls and the audit objectives.

Throughout the updated FISCAM, revisions were made to reflect today’s networked environment. The nature of IS risks continues to evolve. Protecting government computer systems has never been more important because of the complexity and interconnectivity of systems (including Internet and wireless), the ease of obtaining and using hacking tools, the steady advances in the sophistication and effectiveness of attack technology, and the emergence of new and more destructive attacks.

In addition, the FISCAM includes narrative that is designed to provide a basic understanding of the methodology (Chapter 2), general controls (Chapter 3) and business process application controls (Chapter 4) addressed by the FISCAM. The narrative may also be used as a reference source by the auditor and the IS control specialist. More experienced auditors and IS control specialists may find it unnecessary to routinely refer to such narrative in performing IS control audits. For example, a more experienced auditor may have sufficient knowledge, skills, and abilities to directly use the control tables in Chapters 3 and 4 (which are summarized in Appendices II and III).

A summary of significant changes to FISCAM from the prior version is presented on pages 6-10. Future updates to the FISCAM, including any implementation tools and related materials, will be posted to the FISCAM website at http://www.gao.gov/special.pubs/fiscam.html.
The revised FISCAM is available only in electronic form at http://www.gao.gov/products/GAO-09-232G on GAO’s Web page. This version supersedes previously issued versions of the FISCAM through January 2001. Should you need additional information, please contact us at FISCAM@gao.gov or call Robert Dacey at (202) 512-7439 or Greg Wilshusen at (202) 512-6244. GAO staff who made key contributions to the FISCAM are listed on page 15.

Robert F. Dacey
Chief Accountant

Gregory C. Wilshusen
Director, Information Security Issues

Attachment and enclosures

SUMMARY OF SIGNIFICANT CHANGES TO THE FISCAM [4]

[4] This section summarizes significant changes to the FISCAM since the prior version.

Chapter 1

• Expanded purpose:
  ● provide guidance for performing effective and efficient Information System (IS) controls audits, either alone or as part of a performance audit, a financial audit, or an attestation engagement, including communication of any identified IS control weaknesses; and
  ● inform financial, performance, and attestation auditors about IS controls and related audit issues, so that they can (1) plan their work in accordance with Generally Accepted Government Auditing Standards (GAGAS) and (2) integrate the work of IS controls specialists with other aspects of the financial or performance audit or attestation engagement.
• Conformity with the July 2007 revision of Government Auditing Standards (the “Yellow Book”, GAGAS), including information system control categories
• Conformity with AICPA auditing standards, including new risk standards
• An overall framework of IS control objectives (see summary on pages 11-13)
Chapter 2

• IS audit methodology consistent with GAGAS and FAM, including planning, testing, and reporting phases (see a summary of methodology steps on pages 14-15), which incorporates:
  • A top-down, risk-based evaluation that considers materiality and significance in determining effective and efficient audit procedures (the auditor determines which IS control techniques are relevant to the audit objectives and which are necessary to achieve the control activities; generally, all control activities are relevant unless the related control category is not relevant, the audit scope is limited, or the auditor determines that, due to significant IS control weaknesses, it is not necessary to test all relevant IS controls).
  • An evaluation of entitywide IS controls and their effect on audit risk, and therefore on the extent of audit testing (effective entitywide IS controls can reduce audit risk, while ineffective entitywide IS controls result in increased audit risk and generally are a contributory cause of IS control weaknesses at the system and business process application levels).
  • An evaluation of general controls and their pervasive impact on business process application controls (effective general controls support the effectiveness of business process application controls, while ineffective general controls generally render business process application controls ineffective).
  • An evaluation of security management at all levels of control: entitywide, system (includes networks, operating systems, and infrastructure applications), and business process application levels.
  • A control hierarchy (control categories, critical elements, and control activities) to assist in evaluating the significance of identified IS control weaknesses (if a critical element is not achieved, the respective control category is not likely to be achieved; if one of the nine control categories is not effectively achieved, IS controls are ineffective, unless other factors sufficiently reduce the risk).
  • Groupings of control categories consistent with the nature of the risk.
• Change from “installation level” general controls to “system level” general controls to reflect the logically networked structure of today’s systems
• IS controls audit documentation guidance for each audit phase
• Additional audit considerations that may affect an IS audit, including:
  • information security risk factors
  • automated audit tools
  • sampling techniques

Chapter 3

• Reorganized general control categories, consistent with GAGAS:
  • Security management - broadened to consider statutory requirements and best practices
  • Access controls - restructured to incorporate system software, eliminate redundancies, and facilitate IS auditing in a networked environment:
    o System boundaries
    o Identification and authentication
    o User authorization
    o Sensitive system resources
    o Audit and monitoring
    o Physical security
  • Configuration management - broadened to include network components and applications
  • Segregation of Duties - relatively unchanged
  • Contingency Planning - updated for new terminology