Leading Insights Blog

Audit of Federal Information System Controls: How can Management Demonstrate Completeness and Accuracy?

Written by Beni Venkatesan and Phil Moore

Overview

Every agency is different, and no two audits are the same, but did you know that each Federal audit is governed by the same standards? That means management at every agency must make sure the information provided to external auditors is sufficient and appropriate evidence. The U.S. Government Accountability Office (GAO) Generally Accepted Government Auditing Standards (GAGAS), also known as the “Yellow Book,” mandate that this support be both “complete and accurate” (C&A).

Auditors assess an agency’s audit risk, and their goal is to correctly analyze the evidence provided by the agency. This ultimately enables the auditor to reach the appropriate conclusion regarding the effectiveness of the reporting entity’s controls during the fiscal year under audit. Success can be defined in many ways, but the auditors must first have a solid foundation built on information generated directly from the source system. When it comes to supporting Information Technology (IT) controls, it is especially important to gather information that supports testing around access management, change management, and audit logging. Moreover, Federal financial statement audits are governed by the Yellow Book, which requires auditors to assess the C&A of the populations upon which an agency relies (see the Yellow Book for more information).

The Challenge, the Bad & the Good

  • The Challenge: Management is responsible for the IT controls over financially relevant systems; it is trained in managing those systems and intends to ensure the objectives of the mission are met. On the other hand, Management is not usually trained on the auditing standards its external auditor must meet.
  • The Bad: Not fully understanding the requirements for documenting its internal controls can make the audit process difficult for Management when it tries to meet auditor requests involving concepts it does not usually deal with. The process behind assessing C&A can often leave the auditee frustrated and/or confused about why, for example, a 15-second press of a button results in extensive discussions with an auditor observing the process and requests for screenshots.
  • The Good: As the audit matures, the time spent performing it will be reduced as the auditee comes to understand what the auditor is interested in observing and why.

What Can Go Wrong?

As an example, an auditor observed a system administrator (i.e., management) generate a list of users from the system, and the system administrator then provided the list to the auditor electronically. The system administrator, presumably trying to be helpful, reformatted the listing before providing it, renaming or removing roles and other details the administrator believed to be irrelevant. This action by the system administrator alters the integrity of the listing; it would lead the auditor to question the agency’s control environment and ethics and may lead to a significant finding.

How Can Management Ensure C&A over any Evidence they Provide to the Auditor?

Management should assess the C&A of the evidence provided through specific audit requests before sending it to the auditor. Within the C&A Life Cycle graphic below, there are several sample procedures management might consider (individually or in combination) to demonstrate C&A to its auditor, from the time you generate a population to your auditor’s report on the effectiveness of controls:

[Figure: C&A Life Cycle in Relation to an External Audit]

Populations generated directly from the primary source system (e.g., SQL query from source tables, native event logs, system reports) are preferable to those obtained from secondary sources (e.g., user access workflow tools, ticketing systems). These questions will hopefully support your understanding of what reliable C&A evidence means, or at least what to ask! Getting it right stems from these key concepts and will assist in wrapping up your next audit more expeditiously.
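The following is an added illustration, not code from Kearney or from any agency system, of what "generated directly from the source system" can look like in practice and how the altered-listing scenario in "What Can Go Wrong?" is caught. It assumes a hypothetical `app_user` table in an in-memory SQLite database populated with constructed sample records. The population is extracted by a recorded SQL query and exported unchanged, and a small manifest (query text, column list, row count, SHA-256 of the export) is produced alongside it so that the auditor can confirm the listing received is the listing generated; any later "helpful" reformatting, such as dropping the role column or filtering out disabled accounts, shows up as a manifest mismatch.

```python
"""Added example: extract an audit population straight from the source
system and record an integrity manifest so the auditor can verify that
the listing was not altered after extraction.  The table, query and user
records below are constructed for illustration (assumption, not any
agency's real schema or data)."""
import csv
import hashlib
import io
import sqlite3
from datetime import datetime, timezone

# Constructed sample records for the hypothetical app_user table.
SAMPLE_USERS = [
    ("u1001", "Ada Lovelace", "admin", "active", "2023-09-30"),
    ("u1002", "Grace Hopper", "approver", "active", "2023-09-29"),
    ("u1003", "Alan Turing", "read_only", "active", "2023-09-25"),
    ("u1004", "Contractor Acct", "admin", "disabled", "2023-06-01"),
]

# The recorded query: part of the evidence, so the auditor can re-run it.
POPULATION_QUERY = (
    "SELECT user_id, display_name, role, status, last_login "
    "FROM app_user ORDER BY user_id"
)


def build_sample_source():
    """Stand-in for the primary source system (hypothetical table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_user (user_id TEXT, display_name TEXT, "
        "role TEXT, status TEXT, last_login TEXT)"
    )
    conn.executemany("INSERT INTO app_user VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def sha256_of(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def extract_population(conn, query=POPULATION_QUERY):
    """Run the recorded query and export every returned row, unmodified.
    Returns (csv_text, manifest); both are handed to the auditor together."""
    cur = conn.execute(query)
    columns = [d[0] for d in cur.description]
    rows = cur.fetchall()
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(columns)
    writer.writerows(rows)
    export = buf.getvalue()
    manifest = {
        "query": query,
        "columns": columns,
        "row_count": len(rows),
        "sha256": sha256_of(export),
        "generated_at": datetime.now(timezone.utc).isoformat(),
    }
    return export, manifest


def verify_population(export, manifest):
    """Auditor-side check: does the listing received match the manifest?
    Returns a list of discrepancies (empty means the evidence is intact)."""
    problems = []
    if sha256_of(export) != manifest["sha256"]:
        problems.append("hash mismatch: listing changed after extraction")
    lines = export.splitlines()
    header = next(csv.reader([lines[0]])) if lines else []
    if header != manifest["columns"]:
        problems.append("column set differs from manifest: %s vs %s"
                        % (header, manifest["columns"]))
    if len(lines) - 1 != manifest["row_count"]:
        problems.append("row count %d differs from manifest %d"
                        % (len(lines) - 1, manifest["row_count"]))
    return problems


def reformat_listing(export, drop_column=None, keep_status=None):
    """Simulates the well-meaning edit from the post: removing a column the
    administrator deems irrelevant and/or filtering rows before sending."""
    reader = csv.reader(io.StringIO(export))
    headers = next(reader)
    idx = headers.index(drop_column) if drop_column else None
    status_idx = headers.index("status")
    kept = []
    for row in reader:
        if keep_status and row[status_idx] != keep_status:
            continue
        if idx is not None:
            row = row[:idx] + row[idx + 1:]
        kept.append(row)
    new_headers = headers[:idx] + headers[idx + 1:] if idx is not None else headers
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(new_headers)
    writer.writerows(kept)
    return buf.getvalue()


if __name__ == "__main__":
    export, manifest = extract_population(build_sample_source())
    print("intact listing:", verify_population(export, manifest))
    altered = reformat_listing(export, drop_column="role")
    print("role column removed:", verify_population(altered, manifest))
```

Handing the auditor the manifest together with the raw export turns the "was this listing altered?" question into a mechanical check rather than a discussion; the query text in the manifest also lets the auditor observe a re-run against the source system, which is the direct-from-source evidence the post recommends.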

Connect With Us

For more information regarding C&A, Supporting Standards, or Capabilities of Kearney & Company, P.C. (Kearney), please contact Mr. Phil Moore, Partner, at (703) 931-5600 or [email protected].

This publication is for informational purposes only and does not constitute professional advice.  Readers should seek professional advice before acting with regard to the subjects mentioned herein.

Kearney is a CPA firm that is focused on providing audit, accounting, and consulting services to the Federal Government.  For more information about Kearney, please visit us at www.kearneyco.com.
