GAO updates audit guidelines for IT system controls
- By William Jackson
- Feb 02, 2009
After 10 years, the Government Accountability Office has updated its guidelines for auditing controls on government information systems.
As its name implies, the Federal Information System Controls Audit Manual (FISCAM), first published in January 1999, is a methodology for performing audits on IT controls. The massive (601 pages) revised version, released today, reflects changes in the technology over the last 10 years, IT system guidance that has been developed by the National Institute of Standards and Technology, and changes in generally accepted standards from “Government Auditing Standards,” also known as the Yellow Book.
It also reflects comments received on the FISCAM Exposure draft released for public comment in July 2008.
“Throughout the updated FISCAM, revisions were made to reflect today’s networked environment,” GAO said in the new document. “The nature of IT risks continues to evolve. Protecting government computer systems has never been more important because of the complexity and interconnectivity of systems (including Internet and wireless), the ease of obtaining and using hacking tools, the steady advances in the sophistication and effectiveness of attack technology, and the emergence of new and more destructive attacks.”
The manual is intended for use in auditing general and business process application controls, rather than for broader control evaluations, such as those for enterprise architecture and capital planning. FISCAM control activities have been brought into line with NIST Special Publication 800-53, titled “Guide for Assessing the Security Controls in Federal Information Systems.”
The guide presents a top-down, risk-based approach to audit procedures. It is hierarchical, examining control categories, elements and activities in turn to help auditors evaluate the significance of identified weaknesses.
William Jackson is a Maryland-based freelance writer.