KOMPSYS is a recognized leader in assisting federal entities with a broad range of audit and advisory services. Our Company and its professionals remain prepared to respond to the changing federal environment in each of our service areas.

  • OMB Circular A-123 Compliance
  • Internal Control Reviews
  • Audit Resolution
  • FFMIA
  • FISMA/Information Security Reviews
  • Technical Security Reviews and Audits
  • Certification and Accreditation Services
  • General Controls Reviews (FISCAM)
  • Application Controls Reviews
  • Privacy Audits

The Federal Information Security Management Act (FISMA) requires federal agencies to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency.

A key aspect of FISMA is an annual assessment of an agency's progress in meeting these requirements. KOMPSYS has substantial experience in performing independent FISMA audits for agency Offices of Inspector General (OIG). These audits focus on determining management’s effectiveness in implementing and maintaining an agency-wide security management program that includes:

  • Development of Detailed IT Policies and Procedures
  • A Comprehensive Risk Management Process
  • A Comprehensive Certification and Accreditation Process
  • Effective Oversight of Contractors and Contractor Systems
  • An Agency-Wide Privacy Program
  • Effective Configuration Management Policies and Procedures

KOMPSYS is experienced in performing numerous types of technical security reviews, both in support of financial and IT audits and as stand-alone engagements, including:

  • External and Internal Penetration Testing
  • External and Internal Vulnerability Scanning
  • Database Reviews
  • Operating System Reviews
  • Firewall and Router Reviews

Certification and Accreditation (C&A) is a risk management process intended to:

  • Promote a better understanding of organizational risks resulting from the operation and use of information systems;
  • Ensure authorizing officials are appropriately engaged throughout the risk management process; and
  • Support consistent, informed security authorization decisions.

C&A provides management with an assessment of the extent to which management, operational, and technical security controls for an information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system. Management uses this assessment to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.

KOMPSYS helps agencies perform C&A of their systems while maintaining an auditor’s perspective. This audit perspective helps ensure:

  • The C&A methodology follows guidance in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37
  • System security plans are developed and documented in accordance with NIST SP 800-18 and 800-53
  • Risk Assessments are conducted and documented in accordance with NIST SP 800-30
  • Testing is conducted in accordance with SP 800-53A and test results are fully supported with detailed testing documentation
  • Management’s acceptance of risks is appropriate and clearly documented
  • Management designs and implements effective continuous monitoring controls over C&A systems

KOMPSYS’ information assurance group provides support for financial auditors performing Federal Financial Statement Audits.

To complete this work we follow the GAO’s Federal Information System Controls Audit Manual (FISCAM), which outlines audit procedures for conducting IT audit work for financial statement audits. We conduct our general and application controls reviews using the newest version of FISCAM, which was released by the GAO in February 2009. The new version includes eight general and application control areas:

  • Security Management (SM)
  • Access Controls (AC)
  • Configuration Management (CM)
  • Segregation of Duties (SD)
  • Continuity Planning (CP)
  • Application Level General Controls
  • Business Process Controls
  • Interface Controls

In addition to application control work performed in support of financial statement audits, we also perform:

  • Pre-implementation reviews
  • Post-implementation reviews
  • Certification and accreditation
  • Independent validation and verification

KOMPSYS has performed numerous federal privacy audits. These audits have been conducted for agencies both to comply with existing federal privacy requirements and to assess the agencies’ overall risk related to the collection, storage, and handling of personally identifiable information. Our privacy audit methodology focuses on:

  • Determining whether a comprehensive privacy program is in place
  • Determining whether management has identified and protected the privacy data it collects, processes, and stores
  • Determining compliance with the agency’s stated privacy and data protection policies and applicable regulations, laws, and federal guidance
  • Identifying key personnel involved in the identification and protection of Personally Identifiable Information (PII), including individuals such as a Chief Privacy Officer (CPO), Privacy Officer (PO), and Senior Agency Official for Privacy (SAOP)
  • Evaluating the methods used to identify PII
  • Reviewing the agency’s documented privacy and data protection procedures with regard to the collection, use, sharing, disclosure, transfer, and security of personal information in identifiable form relating to institution employees and the public