Audit Guidance
Using the Federal Information System Controls Audit Manual (FISCAM) to Achieve Audit Objectives in Financial and Performance Audits
Mickie E. Gray & David B. Hayes
U.S. Government Accountability Office
IS Controls – Audit Objectives
IS support is required to identify, quantify and respond to:
• Control Risk – opinion/reporting on internal control
• Audit Risk – compliance with evidence standards and design of audit procedures
Managing Audit Risk
Audit Risk = Risk of Material Misstatement × Detection Risk
Audit Risk is a combination of the Risk of Material Misstatement and Detection Risk.
Risk of Material Misstatement is the auditor’s combined assessment of inherent risk and control risk (SAS No. 107).
Detection Risk is the risk that the auditor will not detect a material misstatement that exists in an assertion.
Understanding Risk – Auditor’s Perspective
An auditor can (and MUST) control detection risk by changing the nature, timing, and extent of audit procedures.
An auditor cannot control the risk of material misstatement. However, an auditor MUST assess the risk of material misstatement.
Assessing the risk of material misstatement (the risk assessment process) allows the auditor to gather information and to design further audit procedures that reduce audit risk to an acceptably low level.
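The audit risk model behind the two slides above, worked through with constructed numbers. This illustration is added here and is not part of the GAO slides; the percentages are assumptions chosen only to make the arithmetic visible.

Audit Risk = Risk of Material Misstatement × Detection Risk
Risk of Material Misstatement = Inherent Risk × Control Risk
Therefore: Detection Risk = Audit Risk ÷ (Inherent Risk × Control Risk)

Assume the auditor accepts an Audit Risk of 5% and assesses Inherent Risk at 100% (no reduction from the nature of the account).
• IS controls tested and found effective, so Control Risk is assessed at 50% (assumed): Detection Risk = 0.05 ÷ (1.0 × 0.5) = 10%
• General controls found ineffective, so application controls cannot be relied upon and Control Risk stays at 100%: Detection Risk = 0.05 ÷ (1.0 × 1.0) = 5%

Halving the allowable Detection Risk is what forces the more extensive substantive procedures in the second case: Detection Risk is the only term in the model the auditor controls, and it is reduced by changing the nature, timing and extent of testing.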
Important Auditing Standards that Should be Consulted when Planning & Performing IS Audit Procedures
• SAS-108 – Planning and Supervision
• SAS-106 – Audit Evidence
• SAS-109 – Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
• SAS-110 – Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
• SAS-115 – Communicating Internal Control Matters Identified in an Audit
• AT-501 – An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements
• Government Auditing Standards (Yellow Book)
Objectives of this Session
• Include IS in engagement designs so that objectives are achieved
• Determine the skill sets and resources needed for the engagement team
• Identify the elements of an effective audit approach
• Introduce the FISCAM methodology for engagements that include IS work
Different Types of Engagements
• Financial Audits (including Attestations) – express an opinion on financial statements (or selected information)
• Performance Audits – determine the reliability of performance measures of a specific program or activity
Comparison of Standards for Performance and Financial Audits
How do the audit standards compare?
• Based on the audit standards, material = significant.
• Financial auditors “obtain sufficient appropriate audit evidence…to afford a reasonable basis for an opinion”
• Performance auditors “provide reasonable assurance that evidence is sufficient and appropriate to support…conclusions”
• Standards for assessment of risk, evaluation of internal controls, understanding of the entity and quality of evidence are the same
Source: Government Auditing Standards, GAO-07-731G
Planning the Engagement
What is needed to achieve objectives?
• Multi-discipline teams – auditors, specialists, contractors
• Strong auditor leadership – control and management of teams and their members
• An approach that is inclusive of automation
Preliminary Steps for IS Work
What approach, inclusive of automation, will achieve adequate information system (IS) coverage?
• Develop an understanding of the process
• Understand the information and IS infrastructure
• Identify and assess risks
Take Advantage of the COSO Internal Control Framework
Develop an understanding of the process, including the components of internal control:
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring
FISCAM – A Structured IS Audit Methodology
How is the approach implemented?
Federal Information System Controls Audit Manual (FISCAM), GAO-09-232G, February 2009
• Methodology for performing IS control audits involving federal information and/or federal funds
• Designed such that GAGAS will be achieved
• Risk-based and efficient approach to assessing the effectiveness of IS controls
FISCAM Structure
• Top-down, risk-based approach that considers materiality/significance
• Evaluation of entity-wide controls and their effect on audit risk
• Evaluation of general controls and their effect on application controls
• Evaluation of security management at all levels – entitywide, system, and business process application levels
• Control hierarchy – control categories, critical elements, control activities, and control techniques
What are IS Controls?
Internal controls that are dependent on information systems processing; they include:
• general controls
• business process application controls
• user controls
IS Control Types
• General controls and business process application controls are always IS controls.
• User controls* can be IS controls.
*User controls are manual controls – controls performed by people interacting with information systems. They are IS controls if their effectiveness depends on information systems processing or on the reliability of information processed by information systems.
General & Application Controls
• General Controls – policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure the proper operation of information systems by creating the environment for proper operation of application controls.
• Business Process Application Controls – controls that are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during application processing.
General Control Categories
• Security Management
• Access Control
• Configuration Management
• Segregation of Duties
• Contingency Planning
Application Control Categories
• Application Security (application-level general controls)
• Business process controls
• Interface controls
• Data management system controls
Relationship Between Controls
• Effective general controls can support the effectiveness of business process application controls, while
• Ineffective general controls generally render business process application controls ineffective.
Audit Guidance
What General Controls are being relied upon?
[Figure: Typical Agency Network Map. Source: Unnamed Agency]
FISCAM – A Tool for Auditors
• A structured, standards-based approach for planning and conducting IS work
• An efficient, risk-based approach to conducting IS work with limited audit resources
• An organized approach that supports the collection and organization of audit documentation and promotes effective reporting
Achieving Objectives
Using FISCAM can help achieve the overall objectives needed in all audit engagements that involve IS work:
• Identify, assess and report on Control Risk
• Manage Audit Risk
Contact Information
Mickie E. Gray – GAO Financial Management and Assurance Team, graym@gao.gov
David B. Hayes – GAO Applied Research and Methods Team, hayesd@gao.gov