Skip to main content

Federal Information System Controls Audit Manual (FISCAM) 2023 Exposure Draft

GAO-23-104975 Published: Jul 20, 2023. Publicly Released: Jul 20, 2023.
Jump To:

Fast Facts

We are proposing to update our Federal Information System Controls Audit Manual (FISCAM). This update reflects changes in auditing standards, guidance, control criteria, and technology.

We are seeking public comment on the update. Please send written comments using our fillable form to FISCAM@gao.gov no later than Oct. 18, 2023.

Information in computer systems is essential to practically every aspect of government operations. FISCAM guides auditors in using government standards to evaluate the effectiveness of controls over these systems. Effective controls can help safeguard data, prevent the disruption of government services, and much more.

Hand of a person holding a cellphone over a laptop. There are tech symbols overlaying the image.

Skip to Highlights

Highlights

GAO invites comments on the proposed changes to the Federal Information System Controls Audit Manual (FISCAM). The FISCAM 2023 exposure draft updates FISCAM to (1) address responses received through focus groups and interviews with internal and external officials, stakeholders, and users and (2) reflect changes in relevant auditing standards, guidance, control criteria, and technology since the last revision.

The FISCAM 2023 exposure draft proposes four sections that include new and existing content from chapters 1 and 2 of extant FISCAM. Section 100, Introduction, provides an overview of the FISCAM methodology. Section 200, Planning Phase, includes auditor requirements, guidance, and procedures for planning an information system (IS) controls assessment, including identifying relevant IS control objectives. Section 300, Testing Phase, includes auditor requirements, guidance, and procedures for identifying IS controls for testing and determining the nature, extent, and timing of IS control tests. Section 400, Reporting Phase, includes auditor requirements and guidance for communicating the results of the IS controls assessment.

The FISCAM 2023 exposure draft proposes the following three appendixes included as section 500:

  • Appendix 500A, FISCAM Glossary, updates extant FISCAM appendix XI, Glossary.
  • Appendix 500B, FISCAM Framework, updates the tables containing critical elements, control activities, control techniques, and suggested audit procedures from extant FISCAM chapters 3 and 4.
  • Appendix 500C, FISCAM Assessment Completion Checklist, provides new content that assists auditors with determining whether the FISCAM methodology was followed.

A summary of major proposed changes is included in enclosure I of the FISCAM 2023 exposure draft.

Instructions for Commenting

GAO is requesting comments on this FISCAM 2023 exposure draft from federal, state, and local government officials; managers and auditors at all levels of government; professional organizations; public interest groups; and other interested parties. To assist in developing comments, specific questions are included in enclosure II of the FISCAM 2023 exposure draft and are presented in our fillable form.

Please send your comments to GAO's FISCAM inbox at FISCAM@gao.gov no later than October 18, 2023. For more information, contact Dawn B. Simpson at (202) 512-3406 or FISCAM@gao.gov.

Full Report

GAO Contacts

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

Auditing standardsFederal Information Processing StandardsFinancial audit manualGovernment auditing standardsInformation securityInformation security managementInformation systemsInformation technologyPrivacyAuditors