An organization has a control procedure that states that all application changes must go through change control.
On the other hand, substantive testing is gathering evidence to evaluate the integrity of individual data and other information. For example, compliance testing of controls can be described with the following example. So what is the difference between compliance and substantive testing? Compliance testing is gathering evidence to test to see if an organization is following its control procedures. There are two areas to talk about here, the first is whether to do compliance or substantive testing and the second is “how do I go about getting the evidence to allow me to audit the application and make my report to management?” These audit objectives include assuring compliance with legal and regulatory requirements, as well as the confidentiality, integrity and availability (CIA - no, not the federal agency, but information security) of information systems and data. Most often, IT audit objectives concentrate on substantiating that the internal controls exist and are functioning as expected to minimize business risk. Remember, one of the key pieces of information that you will need in the initial steps is a current business impact analysis (BIA), to assist you in selecting the application which supports the most critical or sensitive business functions. Once the IT auditor has “gathered information” and “understands the control,” they are ready to begin the planning, or selection of areas, to be audited. In the “gain an understanding of the existing internal control structure” step, the IT auditor needs to identify five other areas and items: Inherent risks exist independent of the audit and can occur because of the nature of the business. As an example, complex database updates are more likely to be miswritten than simple ones, and thumb drives are more likely to be stolen (misappropriated) than blade servers in a server cabinet.
In the “gathering information” step the IT auditor needs to identify five items: A side note on “inherent risks” is to define it as the risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming there are no related compensating controls. This type of risk assessment decision can help relate the cost and benefit analysis of the control to the known risk. In a risk-based approach, IT auditors are relying on internal and operational controls as well as the knowledge of the company or the business. More and more organizations are moving to a risk-based audit approach which is used to assess risk and helps an IT auditor decide as to whether to perform compliance testing or substantive testing. Copyright © 2004 IFAC. Planning an IT audit involves two major steps: gathering information and planning, and then gaining an understanding of the existing internal control structure. This combination of skills, as the AD architecture states, can in most cases be obtained by skill sequencing by means of a skill sequencer.
Each skill is treated as a distributed object that is used as the answer to other skills' requests; each one is designed as a distributed object in which the skills belonging to lower levels can be combined to obtain more complex behaviors. It is based on a set of design patterns which make its use and documentation easier.
This paper presents the design of a framework and its use, in order to develop complex skills in a flexible and simple way.
At the present time, there exists a great interest in the development of software architectures or generic components that are open source and work on different platforms in a simple way. Each solution is a unique development, which makes cooperation between labs difficult. The software developments used in hybrid architectures, in which reaction and deliberation are combined and coordinated, have at the present time achieved more efficient architectures, though the solutions provided are ad hoc.