This session explored how to safeguard business assets and processes, including those that protect data and IT systems.
  • Exploring the technology solutions and tools for continuous auditing
  • What IT audit framework is suitable for your company
  • Connecting Business Objectives with Policy & Technology Controls
  • Emerging risk in IT-auditing



Frank Yam, CEO, Focus Strategic Group, Former VP, ISACA International
Darron Sun, Senior IT Audit Director, Manulife Financial Asia
Jenny Lam, Executive Manager, Audit, The Hong Kong Jockey Club


Darron Sun


What is continuous auditing?



Key differences between a continuous audit and a traditional audit:
  • The entire testing program is executed multiple times; once for each testing interval within the period under audit.
— For example, if the testing interval is monthly, the entire testing program is executed each month against samples or data relating to the immediately preceding month.
  • Planning for a continuous audit is completed before the start of the period under audit.
— For example, if the period under audit is January to December, planning must be completed before the start of January.
Foundation Stone of Continuous Auditing
1. The information to be audited would have to be produced by a reliable system.
2. The continuous auditing process would have to be highly automated. To this end, tools would have to be integrated into the client’s system.
3. There is a fast, accurate and secure communication channel available, for communication between the auditor’s and the client’s systems.
Technologies Required for Continuous Auditing
1. More powerful processors
  • In order to perform real-time processing of transactions, a high level of processing power is required.
2. Disk Mirroring – RAID
  • Technologies such as RAID (Redundant Array of Independent Disks) have allowed more reliable mass storage of data to become possible.
3. Vast amounts of cheap storage – petabytes
  • As it may be desirable for continuous auditing to examine every transaction processed, large amounts of data storage may be required. Added to this, many auditing solutions require large databases and data marts. Archived data may also need to be stored for future reference.
4. Faster communication
  • One of the most important drivers is faster information exchange. Real-time reporting is not possible if the required information cannot be efficiently and promptly accessed. Increased network bandwidth and specifically the ability to communicate over extended networks, such as the Internet, are examples of this.
5. Secure systems
  • Stored, transmitted and processed data, especially financial or performance information, may be sensitive. The strong encryption algorithms which now exist are useful for securing data. When collecting digital evidence it is also essential that the evidence cannot be tampered with. Security also affects reliability, and continuous auditing requires a reliable system.



Computer Aided Audit Tools & Techniques (CAATTs)



1. Package programs
  • are usually generalized computer programs used to perform data processing functions. These include reading data, selecting and analysing information, performing calculations, creating data files and producing reports.


  • Examples include GAS tools such as ACL and IDEA.
2. Purpose-written programs
  • are used to perform audit tasks when specific circumstances occur. These may be written by the auditor or by a programmer instructed by the auditor. Normally the applications of the organization being audited are used (they may be modified), because it is more efficient than developing independent audit software.


3. Utility programs


  • perform data processing functions such as sorting, creating and printing files. These programs may lack features such as automatic record counts or control totals, as they are not intended specifically for audit use.


  • Examples: Microsoft Excel and Access.



4. System management programs
  • are usually part of the operating system and include data-retrieval software or code-comparison software. As with utility programs, these programs are also not designed for auditing use.


  • Example: AS/400 data management console
5. Embedded Audit Modules (EAMs)
  • are built into the audited entity’s computer system in order to gather data on behalf of the auditor. The two most common methods of using EAMs are the snapshot approach and System Control Audit Review File (SCARF).


  • The snapshot approach involves taking a ‘picture’ of a transaction as it is processed by an application. Embedded audit routines continuously capture images of the transaction, throughout the processing stages. This allows the auditor to see the progress of data through the system and evaluate the processes applied to the transaction.


  • SCARF entails assimilating data regarding transactions, collected by embedded audit modules, into a special file. This file can then be examined by auditors.
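
The snapshot and SCARF approaches described above, combined with the earlier requirement that collected evidence cannot be tampered with, as an added example that is not from the original presentation. The class EmbeddedAuditModule, the payment stages, the amount threshold and the key are all hypothetical; each SCARF record carries an HMAC chained to the previous record so the auditor can detect later edits or removals.

```python
import hashlib
import hmac
import json

AUDIT_KEY = b"constructed-demo-key"  # assumption: key is held by the auditor only
GENESIS = "0" * 64                   # chain anchor for the first record

def _mac(body):
    return hmac.new(AUDIT_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class EmbeddedAuditModule:
    """Hypothetical EAM: snapshots flagged transactions into a SCARF list."""
    def __init__(self, threshold):
        self.threshold = threshold   # audit criterion (assumed): amount >= threshold
        self.scarf = []              # stands in for the SCARF file
        self._prev = GENESIS

    def snapshot(self, stage, txn):
        """Hook the application calls at each processing stage."""
        if txn["amount"] >= self.threshold:
            body = {"stage": stage, "txn": dict(txn), "prev": self._prev}
            self._prev = _mac(body)
            self.scarf.append({**body, "mac": self._prev})

def verify_scarf(records):
    """Auditor side: index of the first broken record, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: rec[k] for k in ("stage", "txn", "prev")}
        if rec["prev"] != prev or not hmac.compare_digest(_mac(body), rec["mac"]):
            return i
        prev = rec["mac"]
    return -1

def process_payment(txn, eam):
    """Constructed three-stage application with an EAM hook after each stage."""
    eam.snapshot("received", txn)
    txn["fee"] = round(txn["amount"] * 0.01, 2)
    eam.snapshot("fee_applied", txn)
    txn["status"] = "posted"
    eam.snapshot("posted", txn)

def demo():
    eam = EmbeddedAuditModule(threshold=10_000)
    process_payment({"id": "T1", "amount": 250.0}, eam)     # below criterion
    process_payment({"id": "T2", "amount": 50_000.0}, eam)  # captured at 3 stages
    intact = verify_scarf(eam.scarf)
    eam.scarf[1]["txn"]["fee"] = 0.0                        # record edited after capture
    return len(eam.scarf), intact, verify_scarf(eam.scarf)
```

The chain does not reveal removal of the most recent records unless the auditor also retains the latest MAC outside the audited system.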


Technology Tool Prerequisites



1. Automated inception
  • The running of the audit tests should be automated by a scheduler, with no need for manual intervention.
2. Unobtrusive
  • The operation of the tool must be acceptable to the IT department of the client (for example, not adversely impacting system performance or creating additional administrative workload).
3. Close to the data source
  • Tools that rely on data extracts created by the IT department run the risk of that extract being selective in what it contains. Ideally, the tool should operate directly on the source data.


4. Automated distribution
  • Reports must be sent quickly to those who need to see them, to provide the early warning and maximum rectification time referred to earlier.
5. Platform-independent
  • To be truly useful, the tool must be hardware-, operating system- and application-independent, so that auditors have to train to use only one tool.
6. Intuitive
  • To promote its general use, the tool should be relatively easy to use.


For further information, please contact:



Darron Sun, FLMI Senior Director, IT Audit, Asia Audit Services, Manulife 





