Determines controls are being applied that complies with management policies and procedures. | Determines the integrity of actual processing. |
In compliance testing we gather evidence with the objective of testing an organization's compliance with control procedures | Substantive procedures are tests designed to obtain evidence to ensure the completeness, accuracy and validity of the data. |
Compliance testing checks for the presence of controls | Substantive testing checks the integrity of contents. |
Ex: Verification of Assess rights controls, Presence of procedures for Program Change control management, incident management, problem management, review of existing network controls | Review of transactions/numbers/values. Eg: Inventory validation, record matching, balance checks |
Compliance testing will be performed first | Substantive testing is always performed after compliance testing |
Compliance testing is independent of Substantive testing | However, the results of compliance testing are used to determine if Substantive testing is required |
if compliance testing indicates strong internal control, substantive testing may be waived off or reduced | In case compliance testing indicates weak internal controls then substantive testing to be more rigorous |