They could be doing a substantive test over access and validating that the access is appropriate as expected based on job title. That is probably where I have seen it the most as DAT.
DAT here. There are often substantive procedures we wind up doing as it pertains to logical access - sometimes in other control areas but less common. As mentioned elsewhere, you'll see us perform substantive tests around access reviews or perhaps around ongoing appropriateness to sensitive roles or segregation of duties. If it's outside the design and performance of a control, the procedures will usually fall under substantive.
Before I chime in, what does DAT stand for?
Got it. In this case, I think some examples I can think of are password policy effectiveness, i.e., instead of just getting some examples of passwords that employees have and seeing if they are aligned with the requirements, they will try to create a password that is not aligned with the requirement and see if it will go through. For access, instead of just looking at the review evidence of user access, they will replicate certain user access and see if they can or cannot access certain other roles as per the criteria of that user access. So basically a test of operating effectiveness, but a more in-depth version of it. Hope that makes sense.