GAO updates manual for information system audits

The Government Accountability Office today said it has significantly revised its manual for guiding agencies on how to perform information system control audits, to reflect the use of modern technology, more technical criteria and changes in government auditing standards.

The Federal Information System Controls Audit Manual focuses on evaluating the effectiveness of general and application controls that include system, business process and data management system controls, GAO said in a report. The manual also incorporates an evaluation of security management controls in networks, operating systems, infrastructure applications and business process applications across an agency.

Controls provide reasonable assurance that systems are managed effectively, such as periodic assessment of risk for security management or routine monitoring of secure configuration for configuration management, GAO said.

Inspectors general may use the manual as a foundation on which to independently evaluate their agencies’ information security program under the Federal Information Security Management Act (FISMA), the report said. Topics in the manual can help agency IGs to select a set of systems to evaluate and to report the results of tests of controls as part of FISMA requirements, GAO said.

Based on guidance from the National Institute of Standards and Technology, the manual uses a top-down, risk-based approach to determine how effective and efficient audit procedures are, GAO said. The federal environment has become very networked over the years, and the nature of information system risks continues to evolve, said Gregory Wilshusen, GAO’s director of information security issues.

“Protecting government computer systems has never been more important because of the complexity and interconnectivity of systems (including Internet and wireless), the ease of obtaining and using hacking tools, the steady advances in the sophistication and effectiveness of attack technology, and the emergence of new and more destructive attacks,” he said.

The manual was originally issued in 1999, and GAO published a draft of the updates for public comments in July 2008, GAO said.

The update reorganized control categories to broaden security management, based on security requirements and best practices consistent with guidance from NIST and the Office of Management and Budget, and to put more emphasis on controls for a networked environment, such as access controls, configuration management, segregation of duties and contingency planning, the report said.

The report is at

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

