While performing the audit, the IS auditor initially performs compliance testing and then proceeds with substantive testing. Now, let us understand the concepts of compliance testing and substantive testing in detail. After reading through this article, you will be able to understand the differences and the correlation between compliance testing and substantive testing.
1. What does compliance testing mean?
2. When to perform Compliance testing?
3. What are the examples of compliance testing?
4. What does Substantive testing mean?
5. When to perform Substantive testing?
6. What are the examples of Substantive testing?
7. Correlation between compliance testing and substantive testing
Now that we are clear on the concepts of compliance and substantive testing, let us try to understand the correlation between them with two examples.
Example 1 – Verification of Customer balances in an organization.
At the initial stage, the IS auditor checks with the organization on the billing system, how customers are encouraged to pay the amounts on time, and the procedure followed to follow up on overdue balances. Based on the observations and conversation with the organization, the IS auditor will conclude whether the internal control in the organization is strong or weak. This is a test of controls, which is compliance testing.
Based on the conclusion obtained from compliance testing, the IS auditor obtains evidence on the correctness and accuracy of the balances, for example by obtaining balance confirmations from customers, validating long-outstanding balances, carrying out analytical procedures, etc. This is a test of individual transactions, which is substantive testing.
Example 2 – Validation and verification of the purchasing system of an organization
At the initial stage, the IS auditor enquires with the organization about the end-to-end process of the purchasing system and the key controls in place. Based on the observations and conversation with the organization on the purchasing system, the IS auditor will conclude whether the internal control in the organization is strong or weak. This is a test of controls, which is compliance testing.
Based on the conclusion obtained from compliance testing, the IS auditor obtains evidence on the correctness and accuracy of the balances, for example by verifying purchase requisitions, purchase orders, and payments made to suppliers, carrying out analytical procedures, etc. This is a test of individual transactions, which is substantive testing.
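The flow in Example 2 can be sketched in code. This is an added illustration, not part of the original article: the purchase records are constructed, and the approval control, the 10% tolerable deviation rate and the reduced-sample rule are assumptions chosen to show how the compliance result sets the extent of substantive testing.

```python
# Constructed sample data: one row per purchase order (not from the article).
PURCHASES = [
    {"po": "PO-1", "requisition": "PR-1", "requester": "alice", "approver": "bob",   "po_amount": 1200.00, "paid": 1200.00},
    {"po": "PO-2", "requisition": "PR-2", "requester": "carol", "approver": "carol", "po_amount": 560.00,  "paid": 560.00},
    {"po": "PO-3", "requisition": None,   "requester": "dave",  "approver": "bob",   "po_amount": 300.00,  "paid": 330.00},
    {"po": "PO-4", "requisition": "PR-4", "requester": "erin",  "approver": "bob",   "po_amount": 980.00,  "paid": 980.00},
    {"po": "PO-5", "requisition": "PR-5", "requester": "alice", "approver": None,    "po_amount": 75.00,   "paid": 75.00},
]

TOLERABLE_DEVIATION_RATE = 0.10  # assumed threshold for "controls are strong"


def compliance_test(records):
    """Test of controls: did the (assumed) key control operate on each record?

    Assumed control: every PO has a requisition approved by someone other
    than the requester. Amounts are not examined at this stage.
    """
    deviations = []
    for r in records:
        if r["requisition"] is None:
            deviations.append((r["po"], "no purchase requisition"))
        elif r["approver"] is None:
            deviations.append((r["po"], "not approved"))
        elif r["approver"] == r["requester"]:
            deviations.append((r["po"], "self-approved"))
    return deviations, len(deviations) / len(records)


def substantive_scope(records, deviation_rate):
    """Weak controls: examine every transaction. Strong controls: reduced sample."""
    if deviation_rate > TOLERABLE_DEVIATION_RATE:
        return list(records)
    return records[::2]  # assumed reduced sample: every second record


def substantive_test(records):
    """Test of details: does the payment agree with the purchase order amount?"""
    return [(r["po"], round(r["paid"] - r["po_amount"], 2))
            for r in records if abs(r["paid"] - r["po_amount"]) > 0.005]


def run_audit(records):
    deviations, rate = compliance_test(records)
    scope = substantive_scope(records, rate)
    return {"deviations": deviations, "deviation_rate": rate,
            "records_tested": len(scope), "exceptions": substantive_test(scope)}


if __name__ == "__main__":
    print(run_audit(PURCHASES))
```

On this data three of the five orders deviate from the control, so the controls are judged weak and every payment is tested in detail, which surfaces the overpayment on PO-3.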