ABSTRACT

Government inspectors generally play a significant role in ensuring agency compliance with FISMA. Agency-level Offices of the Inspector General (OIG) are required by FISMA to conduct an audit of the agency's compliance with FISMA each year. Just as CISOs are provided with guidance each year on what is to be reported, agency OIGs are provided related guidance on the areas where they should focus attention and the specific questions they must address in their audit report. One should recognize that the annual FISMA audit may be used by the OIG to support other ongoing audit and evaluation efforts that it may have planned or that may be under way (e.g., the annual financial statement audit), and the results can be reflected in other audit products. The scope of the OIG's annual FISMA audit is to measure compliance with FISMA itself, with NIST guidance related to the information security program and its implementation, and with agency policy that has been published relative to the information security program. Additionally, the Government Accountability Office (GAO) is regularly asked by Congress to assess specific aspects of agency information security efforts that touch on compliance with FISMA, other legislation, and OMB directives as part of government-wide audits. There are examples where an Inspector General (IG) audit is conducted on the basis of the findings of a GAO audit, whether or not those findings specifically relate to the agency.