Understanding the concepts of Compliance testing and substantive testing
While performing the audit, the IS auditor initially performs compliance testing and then proceed with substantive testing. Now, let us understand the concepts of compliance testing and substantive testing in detail. After reading through this article, you will be able to understand the differences and the correlation between compliance testing and substantive testing.
1. What does compliance testing mean?
- It can also be called as conformity testing or assessment
- Compliance testing deals with the test of controls
- It refers to testing or other activities that determine whether a process, product, or service complies with the requirements of a (Whether it is a complaint or not)
- A compliance test determines whether controls are being applied in a manner that complies with
management policies and procedures - It is a non-functional testing mechanism to validate whether the system developed meets the organization’s prescribed standards or not.
2. When to perform Compliance testing?
- Compliance testing is performed to test the existence and effectiveness of a defined process, which may include a trail of documentary and/or automated evidence – for example, to provide assurance that only authorized modifications are made to production programs.
3. What are the examples of compliance testing?
- The examples of compliance testing include check/verification of the following:
- User Access rights
- Program change control procedures
- Documentation procedures
- Program documentation
- Follow-up of exceptions
- Review of logs
- Software license audits
4. What does Substantive testing mean?
- Substantive testing is an audit procedure that examines the financial statements and supporting documentation to see if they contain errors.
- Substantive testing deals with the test of details of the transactions
- It provides evidence of the validity and integrity of the balances in the financial statements and the transactions that support these balances
- These tests are needed as evidence to support the assertion that the financial records of an entity are complete, valid, and accurate.
5. When to perform Substantive testing?
- Substantive testing is performed where it is required to evaluate the controls to determine the basis of reliance, the nature, scope, and timing of substantive tests.
- The balances are verified through validation of balances and transactions and performing analytic review procedures.
- Substantive testing is always performed after compliance testing. In cases where compliance testing indicates weaker controls, then substantive testing can be more rigorous. On the other hand, if the results of compliance testing indicate stronger internal control, then the substantive testing can be even waived off.
6. What are the examples of Substantive testing?
- The examples of substantive testing include check/verification of the following:
- Performance of a complex calculation (e.g., interest) on a sample of accounts or a sample of transactions to vouch for supporting documentation, etc.
- Confirmation on the validity of inventory valuation calculations
- Confirmation of fixed asset balances with fixed asset records/register
- Review of Minutes of Board of Directions in approving the dividend.
- Obtaining Bank confirmation for confirming bank balances
- Test of cut-off procedures
7. Correlation between compliance testing and substantive testing
Now that we are clear on the concepts of compliance and substantive testing let us try to understand the correlation between compliance testing and substantive testing with an example.
Example 1 – Verification of Customer balances in an organization.
At the initial stage, the IS auditor checks with the organization on the billing system, how the customers are encouraged to pay the amounts on-time, the procedure followed to follow-up on overdue balances. Based on the observations and conversation with the organization, the IS auditor will conclude on whether the internal control is strong or weak in the organization. This indicates the test of control, which is compliance testing.
Based on the conclusion obtained on compliance testing, the IS auditor obtains evidence on the correctness and accuracy of the balances, like obtaining balance confirmation from customers, validation of long outstanding balances, carrying out analytical procedures, etc. This indicates a test of individual transactions, which is substantive testing.
Example 2 – Validation and Verification of Purchasing system of an organization
At the initial stage, the IS auditor enquires with the organization on the end-to-end process on the purchasing system, the key controls in place. Based on the observations and conversation with the organization on the Purchasing system, the IS auditor will conclude on whether the internal control is strong or weak in the organization. This indicates the test of control, which is compliance testing.
Based on the conclusion obtained on compliance testing, the IS auditor obtains evidence on the correctness and accuracy of the balances, like verification of purchase requisition, Purchase orders, Payments made to the suppliers, carrying out analytical procedures, etc. This indicates a test of individual transactions, which is substantive testing.
InfosecTrain offers Certified Information Systems Auditor(CISA) instructor-led training. To know more about this course Click Here
Contact Us
1800-843-7890 (India) 
