Skip to main content

Federal Information System Controls Audit Manual

Jump To:

Overview

The Federal Information System Controls Audit Manual (FISCAM) presents a methodology for assessing information system controls in accordance with generally accepted government auditing standards (GAGAS), also known as the Yellow Book. Information system controls are internal controls that depend on processing performed by information systems using information technology (e.g., computers and networks). These include user controls, application controls, and general controls.

The FISCAM methodology is designed to be used primarily on federal financial audits in conjunction with the GAO and Council of the Inspectors General on Integrity and Efficiency’s (CIGIE) Financial Audit Manual (FAM). FISCAM may also be used for attestation engagements and performance audits to assess the effectiveness of information system controls.

Current FISCAM

The current revision of FISCAM reflects changes in relevant auditing standards, guidance, control criteria, and technology since the last revision in February 2009. The revisions are primarily based on changes in (1) Government Auditing Standards issued on April 14, 2021, (2) the GAO/CIGIE Financial Audit Manual issued on June 27, 2024 and July 8, 2024, and (3) guidance in the National Institute of Standards and Technology Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, issued September 2020.

View the Current FISCAM

FISCAM Revisions

For the superseded versions, see FISCAM archives: [ZIP]

Supplemental Material

Download the FISCAM in Word: [ZIP]

Download the FISCAM framework in Excel: [ZIP]

Download the FISCAM framework crosswalk in Excel: [ZIP]

Resources

GAO Contacts

For technical or practice questions regarding the FISCAM, please e-mail FISCAM@gao.gov or contact Dawn B. Simpson at SimpsonDB@gao.gov.