GAO updates manual for information system audits

The Government Accountability Office today said it has significantly revised its manual for guiding agencies how to perform information system control audits to reflect the use of modern technology, more technical criteria and changes in government auditing standards.

The Federal Information System Controls Audit Manual focuses on evaluating the effectiveness of general and application controls that include system, business process and data management system controls, GAO said in a report. The manual also incorporates an evaluation of security management controls in networks, operating systems, infrastructure applications and business process applications across an agency.

Controls provide reasonable assurance that systems are managed effectively, such as periodic assessment of risk for security management or routine monitoring of secure configuration for configuration management, GAO said.

Inspectors general may use the manual as a foundation on which to independently evaluate their agencies’ information security program under the Federal Information Security Management Act (FISMA), the report said. Topics in the manual can help agency IGs to select a set of systems to evaluate and to report the results of tests of controls as part of FISMA requirements, GAO said.

Based on guidance from the National Institute of Standards and Technology, the manual uses a top-down, risk-based approach to determine how effective and efficient audit procedures are, GAO said. The federal environment has become very networked over the years, and the nature of information system risks continues to evolve, said Gregory Wilshusen, GAO’s director of information security issues.

“Protecting government computer systems has never been more important because of the complexity and interconnectivity of systems (including Internet and wireless), the ease of obtaining and using hacking tools, the steady advances in the sophistication and effectiveness of attack technology, and the emergence of new and more destructive attacks,” he said.

The manual was originally issued in 1999, and GAO published a draft of the updates for public comments in July 2008, GAO said.

The update reorganized control categories to broaden security management based on security requirements and best practices consistent with guidance from NIST and the Office of Management and Budget and to put more emphasis on controls for a networked environment, such as access controls, configuration management, segregation of duties and contingency planning, the report said.

The report is at

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Veterans Affairs
    Veterans Affairs CIO Jim Gfrerer speaks at an Oct. 10 FCW event (Photo credit: Troy K. Schneider)

    VA's pivot to agile

    With 10 months on the job, Veterans Affairs CIO Jim Gfrerer is pushing his organization toward a culture of constant delivery.

  • Defense
    Dana Deasy, DOD Chief Information Officer, hosts a roundtable discussion on the enterprise cloud initiative with reporters, Aug. 9, 2019, at the Pentagon, Washington, D.C. (DoD photo by Air Force Staff Sgt. Andrew Carroll)

    DOD CIO 'very confident' that White House influence didn't guide JEDI award

    At his Senate confirmation hearing, Defense Department CIO Dana Deasy said the department's $10 billion cloud contract was awarded by a team of experts.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.