United States Government Accountability Office

GAO
February 2009

GAO-09-232G

FEDERAL
INFORMATION
SYSTEM CONTROLS
AUDIT MANUAL
(FISCAM)

This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office
Washington, DC 20548

February 2009
TO AUDIT OFFICIALS, CIOS, AND OTHERS INTERESTED IN
FEDERAL AND OTHER GOVERNMENTAL INFORMATION
SYSTEM CONTROLS AUDITING AND REPORTING
This letter transmits the revised Government Accountability Office
(GAO) Federal Information System Controls Audit Manual
(FISCAM). The FISCAM presents a methodology for performing information system (IS) control 1 audits of federal and other governmental entities in accordance with professional standards, and was originally issued in January 1999. We have updated the
FISCAM for significant changes affecting IS audits.
This revised FISCAM reflects consideration of public comments received from professional accounting and auditing organizations, independent public accounting firms, state and local audit organizations, and interested individuals on the FISCAM Exposure
Draft issued on July 31, 2008 (GAO-08-1029G).
GAO would like to thank the Council of the Inspectors General on
Integrity and Efficiency and the state and local auditor community for their significant input into the development of this revised
FISCAM.
Summary of Major Revisions to FISCAM
The revised FISCAM reflects changes in (1) technology used by government entities, (2) audit guidance and control criteria issued by the