GAO Federal Information System Controls Audit Manual (FISCAM)
- Federal Information System Controls Audit Manual (FISCAM)
- GAO-09-232G February 2, 2009
- Summary (HTML) Full Report (PDF, 601 pages)
FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental entities in accordance with professional standards.
The FISCAM is designed to be used primarily on financial and performance audits and attestation engagements performed in accordance with GAGAS, as presented in Government Auditing Standards (also know as the “Yellow Book”).
The FISCAM is consistent with the GAO/PCIE Financial Audit Manual (FAM). Also, FISCAM control activities are consistent with NIST Special Publication 800-53 and all SP800-53 controls have been mapped to the FISCAM.
The FISCAM, which is consistent with NIST and other criteria, is organized to facilitate effective and efficient IS control audits. Specifically, the methodology in the FISCAM incorporates the following:
- Top-down, risk based approach that considers materiality and significance in determining effective and efficient audit procedures and is tailored to achieve the audit objectives.
- Evaluation of entitywide controls and their effect on audit risk.
- Evaluation of general controls and their pervasive impact on business process application controls.
- Evaluation of security management at all levels (entitywide, system, and business process application levels).
- A control hierarchy (control categories, critical elements, and control activities) to assist in evaluating the significance of identified IS control weaknesses
- Groupings of control categories consistent with the nature of the risk.
- Experience gained in GAO’s performance and review of IS control audits, including field testing the concepts in this revised FISCAM.
This version supersedes previously issued versions of the FISCAM through January 2001.
Other Related Guidance and Materials: