The document discusses various aspects of information system auditing processes including:
1) Audit planning which involves understanding business processes, risks, and controls to develop an audit plan and charter.
2) Types of audits that can be performed on different systems like e-commerce, EDI, POS, banking, etc. to evaluate controls, risks, and regulatory compliance.
3) Risk management processes like risk assessment, treatment, and response methodologies used in risk-based audit planning.
This presentation explains how IT auditing is important for all organizations to adequately protect critical IT systems, streamline systems management, reduce the risk of data loss, damage or leakage.
Visit www.lifein01.com for presentations of all chapters.
Auditing is the process of assessment of financial, operational, strategic goals and processes in organizations to determine whether they are in compliance with the stated principles, regulatory norms, rules, and regulations.
2. Information System Auditing Process
Audit Planning
• An audit plan is a step-wise approach to be followed to conduct an audit.
• It helps to establish the overall audit process in an effective and efficient manner.
• An audit plan should be aligned with the audit charter of the organization.
• To plan an audit, the IS auditor is required to have a thorough understanding of business processes, business applications,
and relevant controls.
• Audit planning includes both short- and long-term planning.
Audit charter
• The independence of the audit function is ensured through a management-approved audit charter.
• An audit charter is a formal document defining the internal audit's objective, authority, and responsibility.
• The audit charter covers the entire scope of audit activities.
• An audit charter must be approved by top management.
• An audit charter should not be changed too often and hence procedural aspects should not be included in it. Also, it is
recommended to not include a detailed annual audit calendar including things such as planning, the allocation of resources,
and other details such as audit fees, other expenses for the audit, and so on in an audit charter.
• An audit charter should be reviewed annually to ensure that it is aligned with business objectives.
3. Information System Auditing Process
• An audit charter includes the following:
• The mission, purpose, and objective of the audit function
• The scope of the audit function
• The responsibilities of management
• The responsibilities of internal auditors
• The authorized personnel of the internal audit work
• If an audit is outsourced to an audit firm, the objective of the audit, along with its detailed
scope, should be incorporated in an audit engagement letter.
• Audit universe: An inventory of all the functions/processes/units under the organization.
• Qualitative risk assessment: In a qualitative risk assessment, risk is assessed using
qualitative parameters such as high, medium, and low.
• Quantitative risk assessment: In a quantitative risk assessment, risk is assessed using
numerical parameters and is quantified.
• Risk factors: Factors that have an impact on risk. The presence of those factors increases the
risk, whereas the absence of those factors decreases the risk.
4. Information System Auditing Process
• The following are some of the benefits of audit planning:
• It helps the auditor to focus on high-risk areas
• It helps in the identification of resource requirements to conduct the audit
• It helps to estimate the budget for the audit
• It helps to carry out audit work in a defined structure, which ultimately benefits the auditor as well as the
auditee units.
• This audit plan should be reviewed and approved by top management.
• Generally, approval is obtained from the audit committee of the board.
• The audit plan should be flexible enough to address the change in risk environment (that is, new regulatory
requirements, changes in the market condition, and other risk factors).
• The approved audit plan should be communicated promptly to the following groups:
• Senior management
• Business functions and other stakeholders
• The internal audit team
5. Information System Auditing Process
Individual audit assignments
• The next step after doing the overall annual planning is to plan individual audit assignments.
• The IS auditor must understand the overall environment under review. While planning an individual audit
assignment, an IS auditor should consider the following:
• Prior audit reports
• Risk assessment reports
• Regulatory requirements
• Standard operating processes
• Technological requirements
6. Information System Auditing Process
• Business process applications and controls
• E-commerce:
• Single-tier architecture runs on a single computer, that is, a client-based application
• Two-tier architecture includes a client and server
• Three-tier architecture consists of the following:
• A presentation tier (for interaction with the user)
• An application tier (for processing)
• A data tier (for the database)
• The risks are as follows:
• A compromise of confidential user data
• Data integrity issues due to unauthorized alterations
• The system being unavailable may impact business continuity
• The repudiation of transactions by either party
• The IS auditor's roles are as follows:
• To review the overall security architecture related to firewalls, encryption, networks, PKI to ensure
confidentiality, integrity, availability, and the non-repudiation of e-commerce transactions
• To review the process of log capturing and monitoring for e-commerce transactions
• To review the incident management process
• To review the effectiveness of the controls implemented for privacy laws
• To review anti-malware controls
• To review business continuity arrangements
7. Information System Auditing Process
• Electronic Data Interchange (EDI)
• EDI is the online transfer of data or information between two enterprises.
• EDI ensures an effective and efficient transfer platform without the use of paper.
• EDI applications contain processing features such as transmission, translation, and the storage of
transactions flowing between two enterprises.
• An EDI setup can be either traditional EDI (batch transmission within each trading partner's
computers) or web-based EDI (accessed through an internet service provider).
• The risks are as follows:
• One of the biggest risks applicable to EDI is transaction authorization. Due to electronic interactions,
no inherent authentication occurs.
• There could be related uncertainty with a specific legal liability when we don't have a trading partner
agreement.
• Any performance-related issues with EDI applications could have a negative impact on both parties.
• Other EDI-related risks include unauthorized access, data integrity and confidentiality, and the loss or
duplication of EDI transactions.
• The IS auditor's roles are as follows:
• To determine the data's confidentiality, integrity, and authenticity, as well as the non-repudiation of
transactions
• To determine invalid transactions and data before they are uploaded to the system
• To determine the accuracy, validity, and reasonableness of data
• To validate and ensure the reconciliation of totals between the EDI system and the trading partner's
system
8. Information System Auditing Process
• Point of Sale (POS)
• Debit and credit card transactions are the most common examples of POS.
• Data is captured at the time and place of sale.
• The risks of this are as follows:
• The risk of skimming, that is, the unauthorized capturing of card data with the purpose of duplicating
the card
• The risk of the unauthorized disclosure of PINs
• The IS auditor's objectives are as follows:
• To determine that data used for authentication (PIN/CVV) is not stored in the local POS system
• To determine that the cardholder's data (either at rest or in transit) is encrypted
9. Information System Auditing Process
• Electronic banking
• E-banking websites and mobile-based systems are integrated with the bank's core system to support automatic
transactions without any manual intervention.
• Automated processing improves processing speed and reduces opportunities for human error and fraud.
• Electronic banking increases the dependence on internet and communication infrastructure.
• Risks of this are as follows:
• Heavy dependence on internet service providers, telecommunication companies, and other technology firms
• Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity
• The IS auditor's objectives are as follows:
• To determine the effectiveness of the governance and oversight of e-banking activities
• To determine arrangements for the confidentiality, integrity, and availability of e-banking infrastructure
• To determine the effectiveness of security controls with respect to authentication and the non-repudiation of electronic
transactions
• To review the effectiveness of the controls implemented for privacy laws
10. Information System Auditing Process
• Electronic funds transfer (EFT)
• Through EFT, money can be transferred from one account to another electronically, that is, without
cheque writing and cash collection procedures.
• Some of the risks are as follows:
• Heavy dependence on internet service providers, telecommunication companies, and other
technology firms
• Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity
• The IS auditor's objectives are as follows:
• To determine the availability of two-factor authentication for secure transactions.
• To determine that systems and communication channels have undergone appropriate security testing.
• To determine that transaction data (either at rest or in transit) is encrypted.
• To determine the effectiveness of controls on data transmission.
• To review security arrangements for the integrity of switch operations. An EFT switch connects with all
equipment in the network.
• To review the log capturing and monitoring process of EFT transactions.
• In the absence of paper documents, it is important to have an alternate audit trail for each transaction.
11. Information System Auditing Process
• Image processing
• An image processing system processes, stores, and retrieves image data.
• An image processing system requires huge amounts of storage resources and strong processing power for scanning,
compression, displays, and printing.
• The use of image processing (in place of paper documents) can result in increased productivity, the immediate retrieval
of documents, enhanced control over document storage, and efficient disaster recovery procedures.
• Some of the risks are as follows:
• Implementation without appropriate planning and testing may result in system failure.
• The workflow system may need to be completely redesigned to integrate with the image processing system. Traditional
controls and audit processes may not be applicable to image processing systems.
• New controls must be designed for automated processes.
• Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity.
• The IS auditor's objectives are as follows:
• To determine the effectiveness of controls on the inputs, processing, and outputs of image processing systems
• To determine the reliability of the scanners used for image processing
• To review the retention process for original documents
• To determine that original documents are retained at least until a good image has been captured
• To review the confidentiality, integrity, and availability arrangements of image processing systems
• To review the training arrangements for employees to ensure that the processes of image scanning and storing are
maintained as per the quality control matrix
12. Information System Auditing Process
• Artificial intelligence and expert systems
• Capture and utilize the knowledge and experience of individuals
• Improve performance and productivity
• Automate skilled processes without manual intervention
• A knowledge base in AI contains information about a particular subject and rules for interpreting that information.
• The components of a knowledge base include the following:
• Decision trees: Questions to lead the user through a series of choices
• Rules: Rules that use "if" and "then" conditions
• Semantic nets: A knowledge base that conveys meaning
• Knowledge interface: Stores expert-level knowledge
• Data interface: Stores data for analysis and decision making
• The risks are as follows:
• Incorrect decisions or actions performed by the system due to incorrect assumptions, formulas, or databases in the
system
• Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity
• The IS auditor's roles are as follows:
• To assess the applicability of AI in various business processes and determine the associated potential risks
• To review adherence to documented policies and procedures
• To review the appropriateness of the assumptions, formulas, and decision logic built into the system
• To review the change management process for updating the system
• To review the security arrangements to maintain the confidentiality, integrity, and availability of the system
13. Controls and countermeasures
• The objective of implementing a control is to address risks by preventing, detecting, or correcting
undesirable events.
• Countermeasures are a type of control that is implemented to address specific threats. The objective of
general controls is to protect information assets from all kinds of threats whereas countermeasures are put
in place in response to a specific threat.
• The following are some examples of countermeasures:
• Disabling certain operating system commands to address a specific type of ransomware attack.
• Filtering all incoming emails may be impractical and expensive. In such a scenario, the
countermeasure could be email filtering for known spammers.
• It may not be possible to restrict mobile phones on the premises. In such a scenario, the
countermeasure could be cell phone jammers in sensitive areas.
• Countermeasures can also be non-technical, such as offering incentives for providing information with
respect to a specific attack.
• Arranging specific security training sessions for employees who failed in a phishing exercise.
14. Controls and countermeasures
Control categories
• Preventive (also commonly referred to as a "preventative control"): a control that is put into place and
intended to prevent an event from occurring. Examples – locked doors, user authentication, encryption, and so on.
• Detective: objective is to detect an event. Examples – audit, IDS, CCTV, checksums, etc.
• Corrective: objective is to correct errors and omissions. Example – data backups.
• Deterrent: objective is to deter an event by providing a warning. Examples – warning signs, login banners, etc.
• Directive: objective is to mandate behavior by specifying do's and don'ts. Example – acceptable use
policy.
• Compensating: objective is to address the absence or weakness of a control. Example – compensating for weak
physical control by having stringent logical access control.
• A control can be designed to either fail closed or fail open.
• The failure mode of the control impacts safety, confidentiality, and availability. For example, in the event of the
failure of an automatic door, an organization can opt for fail open (the door should remain open) or fail closed (the
door should remain closed).
• In the case of fail open, confidentiality and integrity may be compromised, and in the case of fail closed, availability
may be compromised.
• In such a situation, the risk should be determined for each element and a decision taken accordingly.
• The safety of human life is always considered first.
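The fail-open/fail-closed choice above is easiest to see in code. The following is an added example (not from the presentation): a door access check whose authorization backend can become unavailable. The backend, the access list, the user and door names, and the `DECISION_LOG` are all constructed for illustration. Fail-closed denies when the control cannot decide (availability suffers), fail-open grants (confidentiality and integrity suffer), and an emergency flag models the rule that human safety is considered first. The log lets an auditor count how many grants happened only because the control failed open, which is the figure they would want when reviewing the failure-mode decision.

```python
"""Fail-closed versus fail-open control behaviour (added illustration).

Models a door/access control with an authorization backend that may be down.
All names and data are constructed for the example."""
from enum import Enum


class FailureMode(Enum):
    FAIL_CLOSED = "fail_closed"   # deny when the control cannot decide
    FAIL_OPEN = "fail_open"       # allow when the control cannot decide


class BackendUnavailable(Exception):
    """Raised by the hypothetical authorization backend when it cannot answer."""


# Constructed access list standing in for a real authorization service.
_ACCESS_LIST = {"alice": {"server-room"}, "bob": {"lobby"}}

# Every decision is recorded so the behaviour under failure can be audited.
DECISION_LOG = []


def lookup_permission(user, door, backend_up=True):
    """Hypothetical backend call: answers normally or raises when unavailable."""
    if not backend_up:
        raise BackendUnavailable("authorization service unreachable")
    return door in _ACCESS_LIST.get(user, set())


def decide(user, door, mode, backend_up=True, emergency=False):
    """Return (granted, reason) and append the decision to DECISION_LOG.

    Life safety is considered first: an active emergency releases the door
    regardless of the configured failure mode."""
    if emergency:
        granted, reason = True, "life-safety override: door released"
    else:
        try:
            granted = lookup_permission(user, door, backend_up)
            reason = "policy decision"
        except BackendUnavailable as exc:
            if mode is FailureMode.FAIL_OPEN:
                granted, reason = True, f"backend failed ({exc}); fail-open grants"
            else:
                granted, reason = False, f"backend failed ({exc}); fail-closed denies"
    DECISION_LOG.append({"user": user, "door": door, "mode": mode.value,
                         "granted": granted, "reason": reason})
    return granted, reason


def fail_open_grants(log=DECISION_LOG):
    """Auditor's check: accesses granted only because the control failed open."""
    return sum(1 for entry in log
               if entry["granted"] and "fail-open" in entry["reason"])


if __name__ == "__main__":
    decide("alice", "server-room", FailureMode.FAIL_CLOSED)
    decide("bob", "server-room", FailureMode.FAIL_OPEN, backend_up=False)
    decide("alice", "server-room", FailureMode.FAIL_CLOSED, backend_up=False)
    decide("bob", "server-room", FailureMode.FAIL_CLOSED, backend_up=False, emergency=True)
    for entry in DECISION_LOG:
        print(entry)
    print("grants caused by fail-open:", fail_open_grants())
```

The same pattern applies to software controls: a web application whose session store or policy service errors should decide explicitly whether the request is denied or allowed, and the choice should be logged, not left to whatever the exception handler happens to do.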
15. Risk-based audit planning
• Risk is the product of probability and impact.
• Probability and impact are equally important when identifying risk. For example, say that the probability or
likelihood of a product being damaged is very high, with a value of "1"; however, say that product barely
costs anything and so the impact is "0" even if the product is damaged. The risk then works out to nil, even
though the event is almost certain.
• A vulnerability is a weakness and a threat is something that can exploit said weakness.
• The risk that an activity poses, excluding any controls or mitigating factors – Inherent Risk
• The risk that remains after taking controls into account – Residual Risk
• Residual Risk = Inherent Risk – Control
• Audit risk refers to the risk that an auditor may not be able to detect material errors during the course of an
audit.
• Audit risk is influenced by inherent risk, control risk, and detection risk.
• The following list describes each of these risks:
• Inherent risk: This refers to risk that exists before applying a control.
• Control risk: This refers to the risk that internal controls fail to prevent or detect a material error.
• Detection risk: This refers to the risk that the audit procedures fail to detect a material error.
• Audit Risk = Inherent Risk × Control Risk × Detection Risk
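To make the formulas on this slide and the audit-universe concepts from slide 3 concrete, here is an added worked example (not part of the presentation). It scores a constructed audit universe with risk = probability × impact, derives residual risk as inherent risk minus the share removed by controls, ranks the units so the plan focuses on high-risk areas, and rearranges Audit Risk = IR × CR × DR to find the detection risk an auditor can accept for a target audit risk. The unit names, the qualitative-to-number mapping and the control-effectiveness figures are assumptions made for the example.

```python
"""Risk-based audit planning worked example (added illustration, not from the slides).

Uses the slide's formulas: risk = probability x impact, residual risk = inherent
risk - control, audit risk = inherent risk x control risk x detection risk."""
from dataclasses import dataclass

# Assumed mapping of the qualitative scale (slide 3) to numbers.
QUALITATIVE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class AuditableUnit:
    """One entry of the audit universe (constructed data)."""
    name: str
    likelihood: str               # "low" | "medium" | "high"
    impact: str                   # "low" | "medium" | "high"
    control_effectiveness: float  # 0.0 = no control, 1.0 = risk fully removed


def qualitative_risk(likelihood, impact):
    """Qualitative assessment: label x label on the assumed 1..3 scale."""
    return QUALITATIVE[likelihood] * QUALITATIVE[impact]


def quantitative_risk(probability, impact_value):
    """Quantitative assessment: probability (0..1) x impact in currency units."""
    return probability * impact_value


def inherent_risk(unit):
    """Risk of the activity before any control is considered."""
    return qualitative_risk(unit.likelihood, unit.impact)


def residual_risk(unit):
    """Residual Risk = Inherent Risk - (share of it the controls remove)."""
    ir = inherent_risk(unit)
    return ir - ir * unit.control_effectiveness


def rank_audit_universe(units):
    """Order the audit universe so the highest residual risk is audited first."""
    return sorted(units, key=residual_risk, reverse=True)


def planned_detection_risk(target_audit_risk, inherent, control):
    """Rearranges Audit Risk = IR x CR x DR for DR. A lower acceptable detection
    risk means the auditor must do more substantive testing."""
    return target_audit_risk / (inherent * control)


# Constructed audit universe for the demonstration.
AUDIT_UNIVERSE = [
    AuditableUnit("Payment switch", "high", "high", 0.5),       # IR 9, RR 4.5
    AuditableUnit("EDI gateway", "medium", "high", 0.0),        # IR 6, RR 6.0
    AuditableUnit("Canteen kiosk", "high", "low", 0.2),         # IR 3, RR 2.4
    AuditableUnit("E-banking portal", "medium", "high", 0.75),  # IR 6, RR 1.5
]


if __name__ == "__main__":
    # The slide's own illustration: very likely, but worthless, gives zero risk.
    print("probability 1, impact 0 ->", quantitative_risk(1.0, 0))
    for unit in rank_audit_universe(AUDIT_UNIVERSE):
        print(f"{unit.name:18} IR={inherent_risk(unit)} RR={residual_risk(unit):.1f}")
    # Target audit risk 5 %, inherent risk 0.8, control risk 0.5.
    print("acceptable detection risk:", planned_detection_risk(0.05, 0.8, 0.5))
```

Note that a unit with no controls at all (the EDI gateway here) can outrank one with a higher inherent risk, which is exactly why the plan should rank on residual rather than inherent risk.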
16. Risk-based audit planning
• Some ways to minimize audit risk are listed here:
• Conduct risk-based audit planning
• Review the internal control system
• Select appropriate statistical sampling
• Assess the materiality of processes/systems in the audit scope
• Steps:
• Step 1 – Acquire pre-audit requirements:
• Knowledge about industry and regulatory requirements
• Knowledge about applicable risk to the concerned business
• Prior audit results
• Step 2 – Obtain information about internal controls:
• Get knowledge about the control environment and procedures
• Understand control risks
• Understand detection risks
• Step 3 – Conduct compliance test:
• Identify the controls to be tested
• Determine the effectiveness of the controls
• Step 4 – Conduct a substantive test:
• Identify the process for the substantive test
• See that the substantive test includes analytical procedures, detail tests of account balances,
and other procedures
18. Risk-based audit planning
• Risk response methodology
• Risk mitigation/risk reduction: Take some action to mitigate/reduce the risk.
• Risk avoidance: Change the strategy or business process to avoid the risk.
• Risk acceptance: Decide to accept the risk.
• Risk transfer: Transfer the risk to a third party. Insurance is the best example.
• The risk culture and risk appetite of the organization in question determine the risk response method.
• It's not always feasible to mitigate all the risk at an organizational level. Risk-free enterprise is an illusion.
• In the top-down approach, a policy is developed and designed from a senior management perspective. In a
top-down approach, policies are developed and aligned with business objectives.
• In the bottom-up approach, policies are designed and developed from the process owner's/employee's
perspective.
• The bottom-up approach begins by defining operational-level requirements and policies.
• In a top-down approach, major risks to business objectives are addressed, whereas in the bottom-up
approach, process-level risks are addressed.
19. Types of audit and assessment
• IS audit
• An IS audit is conducted to evaluate and determine whether an information system and any related infrastructure is adequately
safeguarded and protected to maintain confidentiality, integrity, and availability.
• Compliance audit
• A compliance audit (CA) is conducted to evaluate and determine whether specific regulatory requirements are
being complied with.
• Financial audit
• A financial audit is conducted to evaluate and determine the accuracy of financial reporting. A financial audit
involves a detailed and substantive testing approach.
• Operational audit
• An operational audit is conducted to evaluate and determine the accuracy of an internal control system.
• It is designed to assess issues related to the efficiency of operational productivity within an organization.
• Integrated audit
• Here, different types of audit are integrated to combine financial, operational, and other types of audits to form a multi-faceted
audit.
• An integrated audit is performed to assess the overall objectives of safeguarding assets, efficiency, and compliance.
• It can be performed both by internal auditors or external auditors.
• An integrated audit includes compliance tests of internal controls.
• Specialized audit
• Specialized audits include the following: a third-party service audit, a fraud audit, and a forensic audit.
• Computer forensic audit
• A computer forensic audit includes the analysis of electronic devices.
• An IS auditor can help in performing forensic investigations and conduct an audit of the system to ensure compliance.
• Functional audit
• A functional audit is conducted to evaluate and determine the accuracy of software functionality.
• A functional audit is conducted prior to software implementation.
20. Audit Execution
• Audit project management
• Audit includes various activities, such as audit planning, resource allocation, determining audit scope and audit criteria,
reviewing and evaluating audit evidence, forming audit conclusions, and reporting to management.
• All these activities are integral parts of audit, and project management techniques are equally applicable for audit
projects.
• Audit objectives
• Audit objectives are the expected outcome of the audit activities. They refer to the intended goals that must be accomplished by the
audit.
• Audit phases
• The audit process has three phases. The first phase is about planning, the second phase is about execution, and the third phase is
about reporting.
21. Sampling methodology
• Sampling is the process of the selection of data from a population.
• By analyzing the selected samples, characteristics of the full population can be concluded.
• Statistical sampling
• This is an objective sampling technique. Also known as non-judgmental sampling.
• It uses the laws of probability, where each unit has an equal chance of selection.
• In statistical sampling, the probability of error can be objectively quantified, and hence the detection risk can be
reduced.
• Non-statistical sampling
• This is a subjective sampling technique. Also known as judgmental sampling.
• The auditor uses their experience and judgement to select the samples that are material and represent a higher risk.
• Attribute sampling
• Attribute sampling is the simplest kind of sampling based on some attributes—that is, either complied or not complied.
• It answers the question "how many?". It is expressed in percentage form—for example, 90% complied. In compliance
testing, attribute sampling is usually used.
• Variable sampling
• Variable sampling contains more information than attribute data.
• It answers the question "how much?". It is expressed in monetary value, weight, height, or some other
measurement—for example, an average profit of $25,000.
• Variable sampling is usually used in substantive testing.
• Stop-or-go sampling
• Stop-or-go sampling is used where controls are strong and very few errors are expected.
• It helps to prevent excess sampling by allowing the audit test to end at the earliest possible moment.
• Discovery sampling
• Discovery sampling is used when the objective is to detect fraud or other irregularities.
• If a single error is found, then the entire sample is believed to be fraudulent/irregular.
22. Sampling methodology
• Sampling risk
• Sampling risk refers to a situation where a sample is not a true representation of the population.
• The conclusion drawn by analyzing the sample may be different from the conclusion that would have been drawn by
analyzing the full population.
• The confidence coefficient
• A confidence coefficient, or confidence level, is a measure of the accuracy and confidence about the quality of a
sample.
• The sample size and confidence coefficient are directly related. A larger sample size gives a higher confidence
coefficient.
• In the case of poor internal controls, the auditor may want to verify 95 samples out of a total population of 100. This
indicates a 95% confidence coefficient.
• In the case of strong internal controls, the auditor may want to limit the verification to only 25 samples out of the total
population of 100. This indicates a 25% confidence coefficient.
• Level of risk
• The level of risk can be derived by deducting the confidence coefficient from 1.
• For example, if the confidence coefficient is 95%, then the level of risk is 5% (100% – 95%).
• Expected error rate
• This indicates the expected percentage of errors that may exist.
• When the expected error rate is higher, the auditor should select higher sample size.
• Tolerable error rate
• This indicates the maximum error that can exist without the audit result being materially misstated.
• Sample mean
• The sample mean is the average of all the samples selected.
• It is derived by adding all the samples and dividing it by the sample size.
• Sample standard deviation
• This indicates how much the sample values vary from the sample mean.
23. Sampling methodology
• Compliance Testing
• Involves verification of the process.
• Compliance testing checks for the presence of controls.
• In compliance testing, attribute sampling is preferred.
• Examples:
• To check for controls in router configuration
• To check for controls in the change management process
• Verification of system access rights
• Verification of firewall settings
• Review of compliance with the password policy
• Substantive Testing
• Involves the verification of data or transactions.
• Substantive testing checks for the completeness, accuracy, and validity of the data.
• In substantive testing, variable sampling is preferred.
• Examples:
• To count and confirm the physical inventory
• To confirm the validity of inventory valuation calculations
• To count and confirm cash balances
• Examining the trial balance
• Examining other financial statements
• Ideally, compliance testing should be performed first and followed by substantive testing.
• If the outcome of compliance testing indicates the existence of effective internal controls, then substantive testing may not be
required or may be reduced.
• However, if the outcome of compliance testing indicates a poor internal control system, then more rigorous substantive
testing is required.
• Thus, the design of substantive tests is often dependent on the result of compliance testing.
• The attribute sampling technique (which indicates that a control is either present or absent) is useful for compliance testing,
whereas variable sampling will be useful for substantive testing.
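The following added example (not from the presentation) walks through the sampling terms of slides 21 and 22 and the compliance-then-substantive sequence of this slide in code. A constructed population of 100 user accounts is tested for password-policy compliance with attribute sampling (how many failed?), the deviation rate is compared with a tolerable error rate, and the result is used to size the substantive test, where variable sampling over constructed inventory values yields the sample mean, sample standard deviation and a projected population total. The account data, inventory values, the systematic selection method and the halve/double sizing rule are all assumptions made for the example; the 1 − confidence level-of-risk formula is the slide's own.

```python
"""Attribute sampling (compliance test) and variable sampling (substantive
test), added illustration of slides 21-23. All data is constructed."""
import random
import statistics

# Constructed population: 100 user accounts; these ids break the password policy.
NONCOMPLIANT_IDS = {4, 17, 29, 33, 58, 71, 86, 90}
ACCOUNTS = [{"id": i, "policy_ok": i not in NONCOMPLIANT_IDS} for i in range(1, 101)]

# Constructed inventory valuations (currency units) drawn for the substantive test.
INVENTORY_SAMPLE = [1200, 980, 1500, 1100, 1220]
INVENTORY_POPULATION_SIZE = 40


def level_of_risk(confidence_coefficient):
    """Slide 22: level of risk = 1 - confidence coefficient (0.95 -> 0.05)."""
    return round(1.0 - confidence_coefficient, 10)


def select_systematic(population, sample_size, start=None):
    """Statistical (non-judgmental) selection: every k-th item from a random
    start, so each unit has an equal chance of being picked. `start` can be
    fixed to make a run reproducible."""
    interval = len(population) // sample_size
    if start is None:
        start = random.randrange(interval)
    return [population[i] for i in range(start, len(population), interval)][:sample_size]


def attribute_deviation_rate(sample, attribute="policy_ok"):
    """Attribute sampling answers 'how many?': the share of items NOT complied."""
    failures = sum(1 for item in sample if not item[attribute])
    return failures / len(sample)


def compliance_conclusion(deviation_rate, tolerable_error_rate):
    """Controls are concluded effective only within the tolerable error rate."""
    return "effective" if deviation_rate <= tolerable_error_rate else "ineffective"


def variable_sample_stats(values, population_size):
    """Variable sampling answers 'how much?': sample mean, sample standard
    deviation and the mean projected onto the whole population."""
    mean = statistics.mean(values)
    sd = statistics.stdev(values)
    return {"mean": mean, "stdev": sd, "projected_total": mean * population_size}


def plan_substantive_sample(compliance_result, base_sample_size):
    """Assumed sizing rule: halve the substantive sample when controls tested
    effective, double it when they did not (the slide gives no fixed factor)."""
    if compliance_result == "effective":
        return max(1, base_sample_size // 2)
    return base_sample_size * 2


def run_audit_tests(start=0, tolerable_error_rate=0.05):
    """Compliance test first, then size and run the substantive test."""
    sample = select_systematic(ACCOUNTS, 25, start=start)
    deviation = attribute_deviation_rate(sample)
    result = compliance_conclusion(deviation, tolerable_error_rate)
    return {
        "deviation_rate": deviation,
        "compliance": result,
        "substantive_sample_size": plan_substantive_sample(result, 40),
        "inventory": variable_sample_stats(INVENTORY_SAMPLE, INVENTORY_POPULATION_SIZE),
    }


if __name__ == "__main__":
    print("level of risk at 95% confidence:", level_of_risk(0.95))
    # Two different random starts over the same population: the compliance
    # conclusion flips, which is sampling risk (slide 22) in action.
    for start in (0, 2):
        print(f"start={start}:", run_audit_tests(start=start))
```

Running both starts shows why the auditor cares about sampling risk: one selection finds 3 deviations in 25 (12%) and triggers a larger substantive test, the other finds 1 in 25 (4%) and lets it shrink, although the population did not change.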