CLIENT STORY
All federal defense and civilian agencies must undergo routine periodic IT audits to ensure compliance with federal regulations, including the Federal Information System Controls Audit Manual (FISCAM), the Federal Information Security Modernization Act (FISMA), Financial Improvement and Audit Readiness (FIAR) guidance, and National Institute of Standards and Technology (NIST) publications, among others, along with agency-specific policies and procedures. Despite this mandate, many agencies face challenges in adequately preparing for IT audits or in addressing audit findings in a timely and effective manner. This was the case for a defense agency tasked with overseeing the global defense supply chain.
PROBLEM
With a federal defense budget in the hundreds of billions of dollars, each constituent organization bears the responsibility to ensure that (1) expenditures comply with relevant laws and regulations, and (2) federal funds are used efficiently to advance the agency’s core mission. IT audits are the most effective means of verifying compliance with legal and regulatory requirements, ensuring that adequate controls are in place and enforced, deficiencies are identified, and necessary corrective actions are implemented.
While undergoing an IT audit is a required step, the process can be overwhelming. Agencies must compile extensive documentation on their IT systems, data assets, federal regulations, and internal policies. They are also required to provide evidence of IT controls and their enforcement and, in some cases, create policies or procedures where none previously existed.
Following the audit, agencies must remediate any deficiencies identified in the findings. Developing Corrective Action Plans (CAPs) and tracking their timely implementation becomes a critical task. Agencies must evolve from a reactive to a proactive audit posture, identifying potential deficiencies before auditors highlight them.
For this particular defense organization, the central document repository was incomplete, and approximately 1,780 outstanding audit findings were identified across more than 18 areas. Worse still, the organization was using a manual process to track the remediation of these findings, leading to inefficiencies and growing backlogs. Expert assistance was required to regain control and drive meaningful progress.
SOLUTION
Electrosoft leveraged over a decade of experience supporting federal civilian and defense agencies in achieving IT audit readiness. Our proven methodology, honed through years of successful engagements, was applied to the organization's planning, data collection, evaluation, reporting, and follow-up efforts.
We employed Root Cause Analysis (RCA) to guide the development of the CAPs and introduced a proactive audit process improvement approach for generating recommendations. In addition, we implemented an automated audit response tracking system using Remedy and integrated a Specific, Measurable, Achievable, Relevant, and Time-Bound (SMART) reporting framework to enhance the monitoring and achievement of milestones, significantly improving reporting and tracking efficiency.
To further optimize the process, we developed a comprehensive Risk Control Matrix that encompasses all relevant IT General Controls and Business Process Application Controls, ensuring alignment with best practices as outlined in OMB Circular A-123.
Finally, we cross-mapped hundreds of changes between the 2009 version and the 2024 version of FISCAM across 20 control families, encompassing 1,189 controls. This effort was carried out in preparation for the upcoming implementation of NIST 800-53, Rev. 5, which introduces 965 updated controls. This strategic mapping will enable a more prioritized implementation of NIST 800-53 controls and ensure readiness for the 2026 audit cycle related to FISCAM 2024.
RESULTS/BENEFITS
Our process generated a valuable, yet often overlooked, benefit: improved awareness of the importance of IT audits at the management and operational levels. As the agency progresses in its audit compliance journey, this enhanced understanding will continue to provide long-term benefits.
Electrosoft implemented audit process improvements that reduced manual effort and improved compliance by 50%. The automated reporting and tracking system significantly boosted efficiency and accuracy in executing CAP recommendations, with approximately 60% of identified deficiencies being addressed and closed within the first 60 days. This improvement also contributed to reduced operational stress and an overall increase in productivity.
Given the resource constraints our customer faced, the control mapping enabled a more focused and efficient approach to addressing both new and revised control requirements. Our effort has proven critical in helping our customer prioritize work in anticipation of the next audit.
In summary, our engagement led to improved audit response times, more efficient remediation of findings, and a clearer, more focused strategy for addressing evolving compliance requirements.