CHAPTER 13

AUDITING AND EVALUATING FEDERAL IT SYSTEMS

In the Federal Government, information technology (IT) auditing is an integral component of the audit process. This chapter has three objectives. First, it gives auditors an overview of the Federal IT audit approach based on guidance published in the Government Accountability Office’s (GAO) Federal Information System Controls Audit Manual (FISCAM), dated February 2, 2009. Because IT auditing is not limited to supporting financial statement audits, this chapter also introduces other types of IT audits, such as those performed under the Federal Information Security Management Act (FISMA) of 2002 and under Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization. Second, this chapter provides an overview of the most significant laws, Federal regulations, and guidance from the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST). Under the authority of the FISMA legislation, these two organizations set the security policies and procedures for the executive branch agencies and departments. Third, this chapter gives auditors a perspective on how changes within the IT industry, such as the evolution of cloud computing, are affecting the role of the IT auditor and the services provided to clients.

UNDERSTANDING THE NEED FOR IT SECURITY

Cybersecurity is an ongoing focus for Federal Agencies as their information systems are frequently under attack ...
