House of Hackers

The purpose of this article is to describe substantive audit procedures as they apply to IT audit. This article will cover the following areas:

* The objective of substantive procedures
* The risk factors
* The functions of applications/systems to focus on
* The meaning of "reasonable assurance"
* Evidence collection

From wikipedia: "Substantive procedures (or substantive tests) are those activities performed by the auditor during the substantive testing stage of the audit that gather evidence as to the completeness, validity and/or accuracy of account balances and underlying classes of transactions."

The objective of substantive procedures


The purpose of performing substantive procedures is to confirm that the risk associated with a control evaluated as ineffective was not realized, or that the realization of the identified risk was not significant for the whole infrastructure or scope under review.
Usually there are three stages of testing (leaving aside the earlier stages: planning, risk analysis and so on):

* Evaluation (testing) of the controls identified (or pointed out by management)
* Identification of compensating controls, and testing of them if the primary controls were assessed as ineffective
* Performing substantive testing if no compensating controls were identified, or if the compensating controls were also assessed as ineffective

That is the main idea of substantive procedures: they are the last chance to get confirmation that everything was okay even if we could not identify controls of any kind.
Let's review an example from IT audit. Say we identified that the Active Directory password policy was not implemented, or that, due to business specifics, users' passwords may be only 3-4 characters long and users do not change their passwords. This means that the control is missing.
I should say that a control is first of all a process. Talking about passwords, for example, we are talking about the password management control. That means that someone, somehow, manages users' passwords, and that someone is able to demonstrate this process to us, to confirm that passwords can be managed only in this way (in this specific IT environment).
Let's return to our example of the weak password policy. We need to identify compensating controls, but we cannot (just for this particular example). We then need to confirm that these weak passwords have never been compromised. The procedures that we need to perform to get this confirmation are referred to as "substantive procedures".

The risk factors


This section is aimed at the factors that should be analyzed when confirming that everything was okay (that the risk associated with a control evaluated as ineffective was not realized). What are controls? Controls are the procedural, operational and technical (hardware and software) measures that mitigate a particular kind of risk or group of risks. When we are planning to perform substantive procedures, we need to understand what kinds of risk are associated with the controls we are going to test.
The best framework for the implementation, description and effectiveness evaluation of controls can be found in COBIT (www.isaca.org).
Usually the auditor who performs testing of controls clearly understands what risks should be mitigated by the controls under review. If no compensating controls were identified and the control was evaluated as ineffective, the substantive procedures should be performed against all the risks that the weak control was supposed to cover. If we go back to the weak control from the example in the first section of this article, we should be concerned about the following risk: the password could be used by an inappropriate individual.
If we are talking about a weak control over logical access, we should be concerned about unauthorized access, and so on.
Sometimes it is really helpful to understand what the hacker needs, what the target is. After that we join all the risks together and design our future substantive procedure around them.
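As an added worked example (not part of the original post), the Python below walks the weak password policy from the first section through the stages described above: the test of the control itself against a benchmark, and, since no compensating control was found, the substantive test aimed at the risk named in this section, the password being used by an inappropriate individual. The policy values, the benchmark thresholds, the table of expected logon sources and every logon event are constructed for the example; the event IDs 4624 and 4625 are the Windows Security log's successful and failed logon events, which a real test would export from the domain controllers rather than build inline.

```python
"""Control test followed by the substantive test for a weak AD password policy.
Added worked example; every value and event below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Step 1: test the control. The policy dict mirrors a domain password-policy export;
# the benchmark thresholds are assumptions for this example.
POLICY_UNDER_REVIEW = {"MinPasswordLength": 4, "MaxPasswordAgeDays": 0, "LockoutThreshold": 0}
BENCHMARK = {"MinPasswordLength": 12, "MaxPasswordAgeDays": 90, "LockoutThreshold": 10}

def evaluate_control(policy, benchmark):
    """Return the attributes that fail the benchmark; empty means the control tested effective."""
    failures = []
    if policy["MinPasswordLength"] < benchmark["MinPasswordLength"]:
        failures.append("MinPasswordLength")
    # 0 means "never expires" / "never locks out", which fails the benchmark too
    if policy["MaxPasswordAgeDays"] == 0 or policy["MaxPasswordAgeDays"] > benchmark["MaxPasswordAgeDays"]:
        failures.append("MaxPasswordAgeDays")
    if policy["LockoutThreshold"] == 0 or policy["LockoutThreshold"] > benchmark["LockoutThreshold"]:
        failures.append("LockoutThreshold")
    return failures

# Step 2: substantive test. The risk behind the weak control is "password used by an
# inappropriate individual", so the evidence is the Security log: event 4625 (failed
# logon) and 4624 (successful logon), exported as (time, event id, account, source).
@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    event_id: int   # 4624 = success, 4625 = failure
    user: str
    source: str     # workstation name or IP address

def find_guessed_passwords(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a success preceded by >= threshold failures for the same account from the
    same source within `window`: a guessing attack that the missing lockout let finish."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev.user, ev.source)].append(ev)
    findings = {}
    for (user, source), evs in by_key.items():
        failures = []
        for ev in sorted(evs, key=lambda e: e.when):
            if ev.event_id == 4625:
                failures.append(ev.when)
            elif ev.event_id == 4624:
                recent = [t for t in failures if ev.when - t <= window]
                if len(recent) >= threshold:
                    findings.setdefault(user, []).append(
                        f"{len(recent)} failures then success from {source} at {ev.when:%Y-%m-%d %H:%M}")
                failures = []   # a success ends the sequence
    return findings

def find_unexpected_sources(events, expected_sources):
    """Flag successful logons from a source the account owner does not use. The
    user -> set-of-sources table is an assumption; in practice it comes from asset
    records or from a baseline period of the same log."""
    findings = {}
    for ev in events:
        if ev.event_id == 4624 and ev.source not in expected_sources.get(ev.user, set()):
            findings.setdefault(ev.user, []).append(
                f"success from unexpected source {ev.source} at {ev.when:%Y-%m-%d %H:%M}")
    return findings

def substantive_test(events, expected_sources):
    """Combine both indicators into user -> findings. An empty dict is the
    'risk was not realized' conclusion, valid only for the sample examined."""
    combined = defaultdict(list)
    for result in (find_guessed_passwords(events), find_unexpected_sources(events, expected_sources)):
        for user, notes in result.items():
            combined[user].extend(notes)
    return dict(combined)

# Constructed sample evidence (not real log data).
T0 = datetime(2008, 7, 1, 9, 0)
SAMPLE_EVENTS = (
    # alice: eight failures in under three minutes, then a success from the same host
    [LogonEvent(T0 + timedelta(seconds=20 * i), 4625, "alice", "10.0.0.50") for i in range(8)]
    + [LogonEvent(T0 + timedelta(minutes=3), 4624, "alice", "10.0.0.50")]
    # bob: normal activity from his own workstation
    + [LogonEvent(T0 + timedelta(hours=1), 4624, "bob", "WS-BOB")]
    # carol: one success from a host she never uses
    + [LogonEvent(T0 + timedelta(hours=2), 4624, "carol", "WS-CAROL"),
       LogonEvent(T0 + timedelta(hours=5), 4624, "carol", "10.0.0.99")]
    # dave: two mistyped passwords, then a success from his own workstation (below threshold)
    + [LogonEvent(T0 + timedelta(hours=3), 4625, "dave", "WS-DAVE"),
       LogonEvent(T0 + timedelta(hours=3, seconds=30), 4625, "dave", "WS-DAVE"),
       LogonEvent(T0 + timedelta(hours=3, minutes=1), 4624, "dave", "WS-DAVE")]
)
EXPECTED_SOURCES = {"alice": {"WS-ALICE"}, "bob": {"WS-BOB"}, "carol": {"WS-CAROL"}, "dave": {"WS-DAVE"}}

if __name__ == "__main__":
    failed = evaluate_control(POLICY_UNDER_REVIEW, BENCHMARK)
    print("control test:", "effective" if not failed else "ineffective: " + ", ".join(failed))
    if failed:   # no compensating control identified, so perform the substantive test
        for user, notes in sorted(substantive_test(SAMPLE_EVENTS, EXPECTED_SOURCES).items()):
            for note in notes:
                print(f"  {user}: {note}")
```

On the sample, alice is flagged twice (a completed guessing sequence, and a success from a host that is not hers) and carol once; bob and dave are clean. An empty result is evidence only for the accounts, domain controllers and period the export covered, so the working papers should record those boundaries together with the thresholds chosen, since that is what the conclusion rests on.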

to be continued...

Tags: audit, risk, substantive


Comment by Isethoriginal on July 14, 2008 at 7:33am
Good information indeed

Comment by hitechpo on July 11, 2008 at 12:47pm
Good information, thanks.

© 2009 Created by pdp on Ning.