FISCAM Assessments
FISCAM Assessments – K2 IT Audit’s group of experts and certified professionals provide support for financial auditors performing Federal Financial Statement Audits. The GAO’s Federal Information System Controls Audit Manual (FISCAM) outlines audit procedures for conducting IT audit work for financial statement audits. K2 IT Audit has the capability to develop and perform testing via highly customized audit procedures based on the FISCAM approach and provide coverage of the following control categories:
Security Management – Controls provide reasonable assurance that security management is effective, including effective:
Security management program,
Periodic assessments and validation of risk,
Security control policies and procedures,
Security awareness training and other security-related personnel issues,
Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices,
Remediation of information security weaknesses, and
Security over activities performed by external third parties.
Access Controls – Controls provide reasonable assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals, including effective:
Protection of information system boundaries,
Identification and authentication mechanisms,
Authorization controls,
Protection of sensitive system resources,
Audit and monitoring capability, including incident handling, and
Physical security controls.
Configuration Management – Controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended, including effective:
Configuration management policies, plans, and procedures,
Current configuration identification information,
Proper authorization, testing, approval, and tracking of all configuration changes,
Routine monitoring of the configuration,
Updating software on a timely basis to protect against known vulnerabilities, and
Documentation and approval of emergency changes to the configuration.
Segregation of Duties – Controls provide reasonable assurance that incompatible duties are effectively segregated, including effective:
Segregation of incompatible duties and responsibilities and related policies, and
Control of personnel activities through formal operating procedures, supervision, and review.
Contingency Planning – Controls provide reasonable assurance that contingency planning (1) protects information resources, minimizes the risk of unplanned interruptions, and (2) provides for recovery of critical operations should interruptions occur, including effective:
Assessment of the criticality and sensitivity of computerized operations and identification of supporting resources,
Steps taken to prevent and minimize potential damage and interruption,
Comprehensive contingency plan, and
Periodic testing of the contingency plan, with appropriate adjustments to the plan based on the testing.
Business Process Application Controls (BPACs) aim to provide assurance over:
Completeness – controls provide reasonable assurance that all transactions that occurred are input into the system, accepted for processing, processed once and only once by the system, and properly included in output.
Accuracy – controls provide reasonable assurance that transactions are properly recorded, with correct amount/data, and on a timely basis (in the proper period); key data elements input for transactions are accurate; data elements are processed accurately by applications that produce reliable results; and output is accurate.
Validity – controls provide reasonable assurance (1) that all recorded transactions occurred (are real), relate to the organization, are authentic, and were properly approved in accordance with management’s authorization; and (2) that output contains only valid data.
Confidentiality – controls provide reasonable assurance that application data, reports, and other output are protected against unauthorized access.
Availability – controls provide reasonable assurance that application data, reports, and other relevant business information are readily available to users when needed.
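The completeness, accuracy and validity objectives above are assertions an auditor tests by reconciling what a source system submitted against what the application actually recorded. The following Python script is an added illustration and is not part of K2 IT Audit’s page or of the FISCAM manual; the input batch, processed ledger, approval register and accounting period are all constructed sample data. It applies batch control totals (record count, amount total, hash total of transaction ids), a once-and-only-once check, an amount and posting-period check, and an approval-on-record check, and returns each exception tagged with the BPAC objective it violates. Confidentiality and availability are not exercised here, since they are not properties of the transaction data itself.

```python
"""Batch reconciliation illustrating FISCAM BPAC objectives.

Example code only; all sample data below is constructed for the illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount_cents: int
    posted: date
    approver: Optional[str]


# Constructed input batch: what the source system submitted for processing.
INPUT_BATCH = [
    Txn("TX-1001", 10_000, date(2024, 3, 5), "alice"),
    Txn("TX-1002", 25_000, date(2024, 3, 12), "bob"),
    Txn("TX-1003", 4_000, date(2024, 3, 20), "alice"),
    Txn("TX-1004", 7_500, date(2024, 3, 28), None),   # never approved
    Txn("TX-1005", 1_200, date(2024, 4, 2), "bob"),   # dated after period end
    Txn("TX-1007", 3_000, date(2024, 3, 22), "alice"),
]

# Constructed processed ledger: what the application actually recorded.
PROCESSED_LEDGER = [
    Txn("TX-1001", 10_000, date(2024, 3, 5), "alice"),
    Txn("TX-1002", 25_000, date(2024, 3, 12), "bob"),
    Txn("TX-1002", 25_000, date(2024, 3, 12), "bob"),  # processed twice
    Txn("TX-1003", 4_500, date(2024, 3, 20), "alice"),  # amount altered
    Txn("TX-1004", 7_500, date(2024, 3, 28), None),
    Txn("TX-1005", 1_200, date(2024, 4, 2), "bob"),
    Txn("TX-1006", 999, date(2024, 3, 15), "carol"),    # no source transaction
    # TX-1007 is absent: dropped during processing
]

# Constructed approval register: transaction id -> approver who authorised it.
APPROVAL_REGISTER = {"TX-1001": "alice", "TX-1002": "bob",
                     "TX-1003": "alice", "TX-1005": "bob", "TX-1007": "alice"}

PERIOD_START, PERIOD_END = date(2024, 3, 1), date(2024, 3, 31)


def control_totals(txns):
    """Batch control totals: record count, amount total and a hash total
    (sum of the numeric part of each id), the classic completeness check."""
    return {
        "count": len(txns),
        "amount_cents": sum(t.amount_cents for t in txns),
        "hash_total": sum(int(t.txn_id.split("-")[1]) for t in txns),
    }


def reconcile(inputs, ledger, approvals, period_start, period_end):
    """Return (objective, txn_id, message) tuples for every exception found."""
    findings = []
    # Completeness: batch-level totals must agree before record-level work.
    if control_totals(inputs) != control_totals(ledger):
        findings.append(("completeness", "BATCH", "control totals differ"))
    input_by_id = {t.txn_id: t for t in inputs}
    ledger_counts = Counter(t.txn_id for t in ledger)
    # Completeness: each input transaction processed once and only once.
    for txn_id in input_by_id:
        n = ledger_counts.get(txn_id, 0)
        if n == 0:
            findings.append(("completeness", txn_id, "not processed"))
        elif n > 1:
            findings.append(("completeness", txn_id, f"processed {n} times"))
    seen = set()
    for entry in ledger:
        if entry.txn_id in seen:
            continue  # duplicate already reported above
        seen.add(entry.txn_id)
        src = input_by_id.get(entry.txn_id)
        # Validity: every recorded transaction must trace back to a real input.
        if src is None:
            findings.append(("validity", entry.txn_id, "no matching input transaction"))
            continue
        # Validity: an approval must be on record, by the approver the entry names.
        if entry.approver is None or approvals.get(entry.txn_id) != entry.approver:
            findings.append(("validity", entry.txn_id, "no approval on record"))
        # Accuracy: correct amount, and posted in the proper period.
        if entry.amount_cents != src.amount_cents:
            findings.append(("accuracy", entry.txn_id,
                             f"amount {entry.amount_cents} != input {src.amount_cents}"))
        if not (period_start <= entry.posted <= period_end):
            findings.append(("accuracy", entry.txn_id, f"posted {entry.posted} outside period"))
    return findings


if __name__ == "__main__":
    for objective, txn_id, msg in reconcile(INPUT_BATCH, PROCESSED_LEDGER,
                                            APPROVAL_REGISTER, PERIOD_START, PERIOD_END):
        print(f"{objective:12} {txn_id:8} {msg}")
```

In a real engagement the two sides of the reconciliation come from the source interface file and the application's posting table for the period under audit, and the approval register from the workflow or master-data module; the checks themselves are the same. Reporting the batch-total mismatch first mirrors how an auditor works: a clean batch total narrows the remaining procedures to accuracy and validity.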
Application Level General Controls: These are general controls performed at the application level, versus the infrastructure level (i.e., operating system and database). Below is a high-level listing of the Application Level General Control families:
AS-1: Implement effective application security management
AS-2: Implement effective application access controls
AS-3: Implement effective configuration management
AS-4: Segregate user access to conflicting transactions and activities and monitor segregation
AS-5: Implement effective application contingency planning
Overall assessment of application security
Business Process (BP) Controls: These are controls within the application that revolve around the various input and output controls, including control over the master data modules.
Interface (IN) Controls: These are controls at the application level, which provide assurance over the interfaces between various applications and the error reconciliation process, interface strategies etc.
Data Management (DA) Controls: These are controls at the application layer of the database, versus the Database Management System (DBMS), which would be covered under the IT General Controls.
K2 IT Audit professionals understand all elements of the FISCAM manual at all levels, including all FISCAM Critical Elements, Control Activities, and Control Techniques. Thus, we take pride in our ability to develop highly customized, technical, and applicable Audit Work Programs (AWPs) which result in high-impact, quality deliverables for our clients.
Please contact us for more information about our FISCAM assessment services.