Friday, January 28, 2011

Understand Information Systems Relevant to the Audit

● The manner in which transactions are initiated
● The nature and type of records and source documents
● The processing involved from the initiation of transactions to their final processing, including the nature of computer files and the manner in which they are accessed, updated, and deleted
● For financial audits, the process used to prepare the entity's financial statements and budget information, including significant accounting estimates, disclosures, and computerized processing

FISCAM (Federal Information System Controls Audit Manual) Approach

● A top-down, risk-based approach that considers materiality and significance in determining effective and efficient audit procedures, tailored to achieve the audit objectives
● Evaluation of entity-wide controls and their effect on audit risk
● Evaluation of general controls and their pervasive impact on business process application controls
● Evaluation of security management at all levels (entity-wide, system, and business process application)
● A control hierarchy (control categories, critical elements, and control activities) to assist in evaluating the significance of identified IS control weaknesses
● Groupings of control categories consistent with the nature of the risk
● Experience gained in GAO's performance and review of IS control audits, including field testing of the concepts in this revised FISCAM

Document Network Architecture

● Internet presence
● firewalls, routers, and switches
● intrusion detection or prevention systems
● critical systems, such as Web and mail systems, file transfer systems, etc.
● network management systems
● connections to inter- and intra-agency sites
● connections to other external organizations
● remote access—virtual private network and dial-in
● wireless connections.

Plan the Information System Controls Audit

● Understand the overall audit objectives and related scope of the IS controls audit
● Obtain an understanding of an entity and its operations and key business processes
● Obtain a general understanding of the structure of the entity’s networks
● Identify key areas of audit interest (files, applications, systems, locations)
● Assess IS risk on a preliminary basis
● Identify critical control points (for example, external access points to networks)
● Obtain a preliminary understanding of IS controls
● Perform other audit planning procedures