Federal Information System
The US Government Accountability Office publishes the Federal Information System Controls Audit Manual (FISCAM) [22], which prescribes a simple, three-step process for auditing information system controls and provides detailed guidance for evaluating and testing two major types of controls: general controls and business process application controls. General controls include five categories: security management, access control, configuration management, segregation of duties, and contingency planning. Business process application controls span four categories: application level general controls, business process controls, interface controls, and data management system controls. For each control category, FISCAM identifies critical elements considered essential to implementing adequate controls and achieving control objectives, as well as recommended control techniques and procedures for auditing each element. As a US government audit manual, the guidance in FISCAM conforms to the Government Auditing Standards (commonly known as the Yellow Book) [20] and to the audit standards specified by the AICPA.
As might be expected for a government audit manual, the primary intended use of FISCAM is to support audits of information systems performed in accordance with the Government Auditing Standards. Auditors or organizations not subject to these standards and not committed to some other control framework may still find FISCAM useful for understanding the general IT audit process and for identifying potential methods to test various information system controls.
The Federal Information Security Modernization Act of 2014 (FISMA 2014) updates the Federal Government's cybersecurity practices by: