We are proposing to update our Federal Information System Controls Audit Manual (FISCAM). This update reflects changes in auditing standards, guidance, control criteria, and technology.
Information in computer systems is essential to practically every aspect of government operations. FISCAM guides auditors in using government standards to evaluate the effectiveness of controls over these systems. Effective controls can help safeguard data, prevent the disruption of government services, and much more.
GAO invites comments on the proposed changes to the Federal Information System Controls Audit Manual (FISCAM). The FISCAM 2023 exposure draft updates FISCAM to (1) address responses received through focus groups and interviews with internal and external officials, stakeholders, and users and (2) reflect changes in relevant auditing standards, guidance, control criteria, and technology since the last revision.
The FISCAM 2023 exposure draft proposes four sections that include new and existing content from chapters 1 and 2 of extant FISCAM. Section 100, Introduction, provides an overview of the FISCAM methodology. Section 200, Planning Phase, includes auditor requirements, guidance, and procedures for planning an information system (IS) controls assessment, including identifying relevant IS control objectives. Section 300, Testing Phase, includes auditor requirements, guidance, and procedures for identifying IS controls for testing and determining the nature, extent, and timing of IS control tests. Section 400, Reporting Phase, includes auditor requirements and guidance for communicating the results of the IS controls assessment.
The FISCAM 2023 exposure draft proposes the following three appendixes included as section 500:
- Appendix 500A, FISCAM Glossary, updates extant FISCAM appendix XI, Glossary.
- Appendix 500B, FISCAM Framework, updates the tables containing critical elements, control activities, control techniques, and suggested audit procedures from extant FISCAM chapters 3 and 4.
- Appendix 500C, FISCAM Assessment Completion Checklist, provides new content that assists auditors with determining whether the FISCAM methodology was followed.
A summary of major proposed changes is included in enclosure I of the FISCAM 2023 exposure draft.
Instructions for Commenting
GAO is requesting comments on this FISCAM 2023 exposure draft from federal, state, and local government officials; managers and auditors at all levels of government; professional organizations; public interest groups; and other interested parties. To assist in developing comments, specific questions are included in enclosure II of the FISCAM 2023 exposure draft and are presented in our fillable form.