Audit Guidance - PowerPoint PPT Presentation

1
Audit Guidance
  • Using the Federal Information System Controls
    Audit Manual (FISCAM) to Achieve Audit Objectives
    in Financial and Performance Audits
  • Mickie E. Gray and David B. Hayes
  • U.S. Government Accountability Office

2
IS Controls Audit Objectives
  • IS Support is Required to Identify, Quantify and
    Respond to:
  • Control Risk - opinion/reporting on internal
    control
  • Audit Risk - compliance with evidence standards;
    design of audit procedures

3
Managing Audit Risk
  • Audit Risk = Risk of Material Misstatement ×
    Detection Risk
  • Audit Risk is a combination of Risk of Material
    Misstatement and Detection Risk.
  • Risk of Material Misstatement is the auditor's
    combined assessment of inherent risk and control
    risk (SAS No. 107).
  • Detection Risk is the risk that the auditor will
    not detect a material misstatement that exists in
    an assertion.

4
Understanding Risk: Auditor's Perspective
  • An auditor can (MUST) control detection risk by
    changing the nature, timing, and extent of audit
    procedures.
  • An auditor cannot control the risk of material
    misstatement.
  • However, an auditor MUST assess the risk of
    material misstatement.
  • Assessing the risk of material misstatement (the
    risk assessment process) allows the auditor to
    gather information and to design further audit
    procedures that reduce audit risk to an
    acceptable low level.
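As an added illustration that is not part of the original slides, the audit risk model from slides 3 and 4 carried through in Python: it solves for the detection risk the auditor's procedures must achieve. The multiplicative form of Risk of Material Misstatement (inherent risk × control risk) and the testing-extent thresholds are this example's assumptions.

```python
"""Audit risk model (slides 3 and 4), solved for detection risk.

Audit Risk (AR) = Risk of Material Misstatement (RMM) x Detection Risk (DR).
The auditor assesses RMM but cannot control it; DR is the term the auditor
controls through the nature, timing and extent of audit procedures.
"""


def risk_of_material_misstatement(inherent_risk: float, control_risk: float) -> float:
    """RMM as the combined assessment of inherent and control risk.

    Assumption: the standard multiplicative form IR x CR (the slide only
    says 'combined'). Each risk is a probability in (0, 1].
    """
    for name, value in (("inherent_risk", inherent_risk), ("control_risk", control_risk)):
        if not 0.0 < value <= 1.0:
            raise ValueError(f"{name} must be in (0, 1], got {value}")
    return inherent_risk * control_risk


def audit_risk(rmm: float, detection_risk: float) -> float:
    """AR = RMM x DR, exactly as stated on slide 3."""
    return rmm * detection_risk


def required_detection_risk(acceptable_audit_risk: float, rmm: float) -> float:
    """Solve AR = RMM x DR for DR given the audit risk the auditor will accept.

    If the assessed RMM is already at or below the acceptable audit risk,
    no further reduction is needed; DR is a probability and is capped at 1.
    """
    if not 0.0 < acceptable_audit_risk <= 1.0:
        raise ValueError("acceptable_audit_risk must be in (0, 1]")
    return min(acceptable_audit_risk / rmm, 1.0)


def plan_procedures(acceptable_audit_risk: float, inherent_risk: float,
                    control_risk: float) -> dict:
    """Map the required DR to a coarse extent of substantive testing.

    A lower required DR means the auditor must do more work. The thresholds
    (0.10 / 0.30) are this example's assumption, not figures from the slides.
    """
    rmm = risk_of_material_misstatement(inherent_risk, control_risk)
    dr = required_detection_risk(acceptable_audit_risk, rmm)
    if dr <= 0.10:
        extent = "extensive substantive testing"
    elif dr <= 0.30:
        extent = "moderate substantive testing"
    else:
        extent = "limited substantive testing"
    return {"rmm": rmm, "detection_risk": dr, "extent": extent}
```

Comparing `plan_procedures(0.05, 1.0, 0.9)` (ineffective controls, high control risk) with `plan_procedures(0.05, 0.6, 0.2)` (effective controls) shows why a poor IS control environment drives more substantive audit work.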

5
Important Auditing Standards that Should be
Consulted when Planning & Performing IS Audit
Procedures
  1. SAS-108 Planning and Supervision
  2. SAS-106 Audit Evidence
  3. SAS-109 Understanding the Entity and Its
    Environment and Assessing the Risks of Material
    Misstatement
  4. SAS-110 Performing Audit Procedures in Response
    to Assessed Risks and Evaluating the Audit
    Evidence Obtained
  5. SAS-115 Communicating Internal Control Matters
    Identified in an Audit
  6. AT-501 An Examination of an Entity's Internal
    Control Over Financial Reporting That Is
    Integrated With an Audit of Its Financial
    Statements
  7. Government Auditing Standards (Yellow Book)

6
Objectives of this Session
  • Include IS in engagement designs so that
    objectives are achieved
  • Determine skill sets and resources needed for the
    engagement team
  • Identify elements of an effective audit approach
  • Introduce the FISCAM methodology for engagements
    that include IS work

7
Different Types of Engagements
  • Financial Audits (including Attestations) -
    Express an opinion on financial statements (or
    selected information)
  • Performance Audits - Determine the reliability of
    performance measures of a specific program or
    activity

8
Comparison of Standards for Performance and
Financial Audits
  • How do the audit standards compare?
  • Based on the audit standards, "material" (financial
    audits) is equivalent to "significant" (performance
    audits).
  • Financial auditors obtain sufficient appropriate
    audit evidence to afford a reasonable basis for
    an opinion
  • Performance auditors provide reasonable
    assurance that evidence is sufficient and
    appropriate to support conclusions
  • Standards for assessment of risk, evaluation of
    internal controls, understanding of the entity
    and quality of evidence are the same
  • Source: Government Auditing Standards,
    GAO-07-731G

9
Planning the Engagement
  • What is needed to achieve objectives?
  • Multi-discipline teams - auditors, specialists,
    contractors
  • Strong auditor leadership - control and
    management of teams and their members
  • An approach that is inclusive of automation

10
Preliminary Steps for IS Work
  • What approach, inclusive of automation, will
    achieve adequate information system (IS)
    coverage?
  • Develop an understanding of the process
  • Understand the information and IS infrastructure
  • Identify and assess risks

11
Take Advantage of the COSO Internal Control
Framework
  • Develop an understanding of the process,
    including the components of internal control:
  • Control Environment
  • Information & Communication
  • Risk Assessment
  • Control Activities
  • Monitoring

12
FISCAM: A Structured IS Audit Methodology
  • How is the approach implemented?
  • Federal Information System Controls Audit Manual
    (FISCAM), GAO-09-232G - February 2009
  • Methodology for performing IS control audits
    involving federal information and/or federal
    funds
  • Designed such that GAGAS will be achieved
  • Risk-based and efficient approach to assessing
    the effectiveness of IS controls

13
FISCAM Structure
  • Top-down, risk-based approach that considers
    materiality/significance
  • Evaluation of entity-wide controls' effect on
    audit risk
  • Evaluation of general controls' effect on
    application controls
  • Evaluation of security management at all levels -
    entity-wide, system, and business process
    application levels.
  • Control hierarchy - control categories, critical
    elements, control activities, and control
    techniques

14
What are IS Controls?
  • Internal controls that are dependent on
    information systems processing and include:
    • general controls
    • business process application controls
    • user controls

15
IS Control Types
  • General controls and business process application
    controls are always IS controls.
  • User controls can be IS controls.
  • User controls are manual controls -- controls
    that are performed by people interacting with IS
    controls and are IS controls if their
    effectiveness depends on information systems
    processing or reliability of information
    processed by information systems.

16
General & Application Controls
  • General Controls - policies and procedures that
    apply to all or a large segment of an entity's
    information systems and help ensure the proper
    operation of information systems by creating the
    environment for proper operation of application
    controls.
  • Business Process Application Controls - controls
    that are incorporated directly into computer
    applications to help ensure the validity,
    completeness, accuracy, and confidentiality of
    transactions and data during application
    processing.

17
General Control Categories
  • Security Management
  • Access Control
  • Configuration Management
  • Segregation of Duties
  • Contingency Planning

18
Application Control Categories
  • Application Security (application level general
    controls)
  • Business process controls
  • Interface controls
  • Data management system controls

19
Relationship Between Controls
  • Effective general controls can support the
    effectiveness of business process application
    controls, while
  • Ineffective general controls generally render
    business process application controls ineffective.

20
Audit Guidance
What General Controls are being relied upon?
Typical Agency Network Map Source Unnamed Agency
21
FISCAM: A Tool for Auditors
  • A structured, standards-based approach for
    planning and conducting IS work
  • An efficient, risk-based approach to conduct IS
    work with limited audit resources
  • An organized approach that will support the
    collection and organization of audit
    documentation and promote effective reporting

22
Achieving Objectives
  • Using FISCAM can help achieve the overall
    objectives needed in all audit engagements that
    involve IS work
  • Identify, Assess and Report on Control Risk
  • Manage Audit Risk

23
Contact Information
  • Mickie E. Gray, GAO Financial Management and
    Assurance Team
  • graym_at_gao.gov
  • David B. Hayes, GAO Applied Research and
    Methods Team
  • hayesd_at_gao.gov